In-band SQL Injection Walk-through (part 1)

Saqib Shabbir
4 min read · Feb 9, 2020


(I wrote a walk-through in 2018 in a different style and thought of posting it here, with the hope of getting constructive responses.)

In-band SQL Injection:

In-band SQL injection is the most common and easiest-to-exploit class of SQL injection attacks. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather the results.

Vulnerable server used: From SQL Injection to Shell, from PentesterLab

download link: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell,80/

Here's the scenario:

Abdul (an imaginary character) is asked to find SQL injection in the target website. SQL injection is a very critical vulnerability: it can allow an attacker to interact directly with the back-end database and execute crafted queries. He can even dump the whole database if the site is vulnerable to SQL injection.

Abdul starts by exploring the website, and he observes a URL with a parameter "id" that takes the user's input.

Observe the URL

He decides to play with the parameter to see whether it is dynamic or not. For that he adds → in front of the query

and he gets an SQL syntax error, which shows that his modified query was executed directly in the database: the database generates this syntax error when the query it is asked to execute is malformed. The error also reveals that the back-end database is MySQL.

He now tries to include a UNION statement. As we know, UNION combines two SQL queries and displays their results together. But it is worth noting that UNION is based on two IMPORTANT rules.

1) The number of columns in both queries has to be the same.

Example: select column1,column2 from Table1 UNION select column1,column2 from Table2;

2) The data type of each column MUST match (Note: this point does not apply to the "mysql" database)

Data types

While trying the UNION statement, he finds an error stating that the two queries do not have the same number of columns. Hmm, interesting.

In order to find the exact number of columns in the first query, he keeps adding columns to the second query until the error disappears. He notes that the error goes away when 4 columns are entered.

That shows the first query had four columns.

Now, in order to see which column of the second query gets echoed back, he inserts an invalid value (-1 in this case) into the first query's id parameter so that only the second query returns rows. It shows that only the second column gets echoed back.

This shows that he can place his expression in the second column to get a response. So he follows the cheat-sheet from this link

He extracts critical information such as the database name, version, data directory, etc., as shown below:

using → database() to get the current database name

using → user() to get the current user

using → @@datadir to get the data directory

using → @@version to get the version of the database

Now he tries to extract key information from the back-end database using the default database called information_schema.

information_schema is the database where information about all the other databases is kept: for example, the names of databases and tables, the data types of columns, access privileges, etc.

Overview of MySQL's information_schema


The second query would look like this:

select 1,concat(column_name,table_name),3,4 from information_schema.columns; which gives us the column names and table names from information_schema.columns
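As an added illustration that is not part of the original walkthrough or the PentesterLab VM, the Python snippet below reproduces the column-count probe from the steps above against a constructed in-memory SQLite table, and sets the vulnerable string-built query beside a parameterised one that treats the whole id value as data. The table layout (four columns: id, title, author, path), the rows, and the function names are assumptions for the example.

```python
import sqlite3

# Constructed stand-in for the lab's back end: a 4-column table read by a page
# that takes an "id" request parameter (table layout and rows are assumptions).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pictures(id INTEGER, title TEXT, author TEXT, path TEXT)")
    con.executemany(
        "INSERT INTO pictures VALUES (?, ?, ?, ?)",
        [(1, "Wallpaper", "alice", "/img/1.jpg"), (2, "Logo", "bob", "/img/2.jpg")],
    )
    return con


def lookup_vulnerable(con, user_id):
    """The flaw: the request parameter is spliced into the SQL text, so the
    database executes whatever the client appended to it."""
    sql = f"SELECT id, title, author, path FROM pictures WHERE id={user_id}"
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The lab page prints the driver error to the visitor; that feedback is
        # what the walkthrough uses to count columns (SQLite's wording differs
        # from MySQL's, but the behaviour is the same).
        return f"SQL error: {exc}"


def lookup_hardened(con, user_id):
    """The fix: validate the type and bind the value as a parameter. The value
    is sent as data, never as SQL text, so a trailing UNION cannot change the
    query; a non-integer id is rejected before it reaches the database."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return []
    return con.execute(
        "SELECT id, title, author, path FROM pictures WHERE id=?", (numeric_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))                        # the intended row
    print(lookup_vulnerable(db, "-1 UNION SELECT 1,2,3"))    # column-count error
    print(lookup_vulnerable(db, "-1 UNION SELECT 1,2,3,4"))  # probe row (1, 2, 3, 4) echoed back
    print(lookup_hardened(db, "-1 UNION SELECT 1,2,3,4"))    # [] : whole value treated as data
```

Running it shows the three stages of the walkthrough in order (valid row, column-count error, echoed probe row) and that the parameterised lookup returns nothing for the same input.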

(In progress)
