SQL Injection: Enumerating columns


(Valentine) #1

SQLI: “refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS).”

A simple Google search pops out this definition of SQLI (SQL injection). In this tutorial we won’t need any fancy tools, just a browser, the website, and internet (of course). SQL injection is a whole lot simpler and doesn’t require tools like SQLmap or w3af. Although you can use these tools if you prefer them to my method, for this tutorial (and the following ones) I’m gonna try my best to both explain and show different methods. As usual, I take no responsibility if this information is used for malicious purposes.

With that outta the way, SQL injection (my method) is just basic code that will try to spit out information. The first step is finding a website. Once you have chosen your website, the next step is to find where the database is located. This takes just some common sense: is there a login page? Or is there some form of contact? Or are there emails associated with it? This can be gathered by basic observation. Before we do anything else, take a look around the website, taking note of every little detail. Take note of the URL when you go to a new page on the website: does the URL contain any “weird looking” letters or words? For example, does the URL contain (something).asp? Take note of the contact page if there is one. Do the emails contain the website after the “@”? These and many more details are crucial to figuring out where the database lies.

Now, as the title of this article says, we aren’t gonna inject code but instead figure out basic information about the server. Now that we know a little bit about the website, it’s time to figure out how many columns the server contains. After the website address, depending on the type of server, type:

(website)/page.php?id=1 order by 5/*

OR

(website)/page.asp?id=1 order by 5/*

The latter is if the website contains any (something).asp in its URL.

If a valid page isn’t shown then change the “5” to another number. Another method is:

(website)/page.php?id=-1 order by 5/*

OR

(website)/page.asp?id=-1 order by 5/*

Another method to gain a valid page is using this method:

(website)/page.php?id=null order by 5/*

OR

(website)/page.asp?id=null order by 5/*

Again, change the number until you gain a valid page.

I prefer using the other two methods since there’s a higher chance of success if I type in a negative number or null after “id=”. Of course it sometimes takes persistence to figure out how many columns there are, but if you are dedicated to these methods, you will succeed. The problem that I have with SQLmap and other tools is that one tool doesn’t cover all the methods. SQLmap I personally don’t use anymore since it only injects true/false, also known as blind SQL injection. A generic definition of blind injection can be found here:

http://www.cgisecurity.com/questions/blindsql.shtml

I am not saying dismiss SQLmap, but don’t rely on it to be successful all the time.

Well then, that’s it for this tutorial. This tutorial was very short but I hope I covered everything as the title says. I’m planning in the near future to write more articles on my methods for SQL injection, unless someone else does it before me.


(oaktree) #2

Don’t you have to escape the spaces when you try to inject a query into a URL? I’d think so. A valid URL has no whitespace characters, only %20 and its relatives.


(Valentine) #3

Hmmm… never thought about that.


(oaktree) #4

:scream: :cold_sweat:


#5

@Valentine I don’t know where this information comes from; however, I use this tool for a professional purpose and I can affirm that this statement is not right. Indeed, the battery of tests, which includes a lot of exploits e.g. GTK, buffer overflow, when clauses, …, depends mainly on the risk level selected and implements 6 different SQL injection techniques:

  • boolean-based blind
  • time-based blind
  • error-based
  • UNION query-based
  • stacked queries
  • out-of-band

Moreover, it affords the possibility to specify the payload used, execute a remote shell on the targeted database, gather information about the current user, …

SQLmap is one of the most complete tools concerning SQL injections! Nonetheless, it is important to keep in mind that the downsides involved in its usage can be catastrophic and irreversible.

Hope it helps to clarify this point.

Best,
Nitrax


#6

Hm, a suggestion for other articles but perhaps you could explain how a SQL injection works! I’m not too read up on SQL myself but I’m sure it would help your article if you explained what the code did and how it worked! Good job anyways. I see your articles improving the more you make 'em. Keep it up!


(Valentine) #7

Thank you for the suggestions and clarification… some statements are false I know but some statements were my opinion but thank you for pointing out some mistakes in the text.