You’re probably already familiar with the word hacker, but what does it really mean? well, according to Wikipedia:
A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge or enjoyment.
Basically, hacking is all about exploiting weaknesses of someone else, but unlike the real world where exploiting someone else requires revealing yourself, here you have the chance to stay totally anonymous if you know what you’re doing.
SQL injection is a common website exploit method in which the hacker, with no special tools, can gain access to your information and data and even manipulate it the way he wants to. The hacker can read write update any of your unsecured data without the need to use any kind of password or a login screen. This example aims to explain this common attack so websites owners can be prepared and see if they are vulnerable to that kind of attacks. Once you know your website is vulnerable, you’re half way done solving the problem.
What Do We Need?
In order to perform an SQL attack (error based), you first need to find a website which is vulnerable to that kind of attacks:
- The website has to allow execution of queries from the URL
- The website has to show an error for an incorrect query
We will use a simple google search query to retrieve all websites which have a specific set of vulnerable words in their URL. For that, we need to know which words in the URL make a website potentially vulnerable to an SQL injection attack. This site lists many Dorks (a dork is a google search query for vulnerable SQL injection attacks).
Examples of Google search queries to retrieve vulnerable websites:
As you can see, the matching pattern for those URLs is the “inurl:” prefix, and as I described earlier, this helps us to find search results with a specific set of words inside their URL.
Finding a Vulnerable Website
A simple google search gives us a long list of matching websites, we only need one vulnerable website so we pick one randomly. Let’s say we choose this one http://www.mysite.com/product-item.php?id=7. Now we have to check if that website is vulnerable or not. This is pretty simple. All you have to do is to insert an asterisk ‘ at the end of the URL instead of the id number. If you see some kind of error which tells something about SQL then you’re in the right direction, you can continue with this website, otherwise, just choose another one from the search results and repeat this step.
URL to check:
Sample SQL error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in/web/sites/_w/_a/_r/mysite.com/public/www/admin/dataManager.php on line 901
Finding the Vulnerable Columns
At this point, we have a vulnerable website, we still need to find out which columns we can get access to. To do that, we need to find the number of columns in the SQL table. In order to find the number of columns, we append “order by 1” to the original URL. Normally if the table has, at least, one column, the page will render without any errors. A trick to finding the number of columns will be to increment the “order by x” until we get an SQL error. The last value of X where we didn’t get an error would be the number of columns in this table.
Let’s assume the numbers of columns is 6, i.e X=6. We want to find which of the six columns is vulnerable. To do so, we use a union select query as follow
Somewhere on the page, you’ll see the numbers of the vulnerable columns, those columns are our gateway into the website database. Let’s assume we get the number “2” on the page, it means that we can inject an attack code into the second column.
To get the database version, we can run the following
To get the database name, we can run the following
note: if the database is not MYSQL, you’ll need to change the “@@version” and “database() commands to match the DB type the website is working on.
Let’s say after the previous step, we now know the database name and version. i.e 5.0.5, mydb. We want to try and fetch the tables from database mydb
This command will show the first table information in DB ‘mydb’. Information_schema table contains all the information about all the tables inside the database so querying this table will tell us everything we need to know about all the other tables. You should note that this only applies to databases with version >= 5. In order to get the information for other tables, just change the limit parameters as follows – 1,1 to get the information for the second table. limit 2,1 for the third etc.
Next we want to query for all the columns of the first table inside the database, we can use this command
Obviously after getting all the columns, we can isolate the interesting ones like passwords, credit cards, emails etc, and use a dump to fetch their content.
How to Prevent SQL Injections
- SQL injections can be prevented if you adopt a set of input validation rules and apply them to all the user inputs. All input fields should be authenticated against length / size / characters rules to prevent unwanted injected code.
- Make sure your application doesn’t use an administrator account to access the database. Also, make sure all the database users have the least privileges they can have in order to execute queries.
- Use parameterized queries or ORM, they are safe and won’t let injecting code into your fields.
- Avoid building SQL queries using String Builder or any other appending method.
- Configure generic error page for the application and don’t display error information to the user.
- Check your website yourself at least for the basic SQL injection attacks, it doesn’t require any special tools or software.