SQLI: "refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS)."
A simple Google search turns up this definition of SQLI (SQL injection). In this tutorial we won't need any fancy tool, just a browser, the website, and an internet connection (of course). SQL injection is a whole lot simpler than people think and doesn't require tools like SQLmap or w3af. You can use those tools if you prefer them to my method, but in this tutorial (and the ones that follow) I'm going to do my best to both explain and show different methods. As usual, I take no responsibility if this information is used for malicious purposes.
With that outta the way, SQL injection (my method) is just basic code that tries to make the server spit out information. The first step is finding a website. Once you have chosen your website, the next step is to find where the database is used. This takes just some common sense: is there a login page? Is there some form of contact? Are there emails associated with it? All of this comes from basic observation. Before you do anything else, take a look around the website, noting every little detail. Take note of the URL each time you go to a new page: does it contain any "weird looking" letters or words? For example, does the URL contain (something).asp? Take note of the contact page if there is one. Do the emails contain the website's domain after the "@"? These and many more details are crucial to figuring out where the database lies.
Now, as the title of this article says, we aren't going to inject code yet but instead figure out basic information about the server. Now that we know a little bit about the website, it's time to figure out how many columns the page's query returns. Depending on the type of server, append the following to the website's URL:
(website)/page.php?id=1 order by 5/*
OR
(website)/page.asp?id=1 order by 5/*
The latter is if the website contains any (something).asp in its URL.
If a valid page isn’t shown then change the “5” to another number. Another method is:
(website)/page.php?id=-1 order by 5/*
OR
(website)/page.asp?id=-1 order by 5/*
Another way to get a valid page is this:
(website)/page.php?id=null order by 5/*
OR
(website)/page.asp?id=null order by 5/*
Again, change the number until you gain a valid page.
I prefer the latter two methods since there's a higher chance of success if I type in a negative number or null after "id=". Of course it sometimes takes persistence to figure out how many columns there are, but if you stick with these methods, you will succeed. The problem that I have with SQLmap and other tools is that one tool doesn't cover all the methods. SQLmap I personally don't use anymore, since it only injects true/false, also known as blind SQL injection. A generic definition of blind injection can be found here:
http://www.cgisecurity.com/questions/blindsql.shtml
I am not saying dismiss SQLmap, but don’t rely on it to be successful all the time.
Well then, that's it for this tutorial. It was very short, but I hope I covered everything the title promises. I'm planning to write more articles on my SQL injection methods in the near future, unless someone else does it before me.