
SQL Injection: Complete Tutorial - Webmasters - Nairaland


SQL Injection: Complete Tutorial by RealLordZeus(m): 9:31am On Oct 29, 2016
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

What is MySQL

“SQL” stands for “Structured Query Language,” which simply allows users to send queries to the server database. There are different types of SQL such as MySQL, which is Microsoft’s version of the language and also has some different commands as well as syntax.


//http://shadownet.com.ng/sn

1 Like

Re: SQL Injection: Complete Tutorial by RealLordZeus(m): 9:48am On Oct 29, 2016
Finding SQL Injections

Before jumping into this topic I want to explain comments in MySQL to you. There are three variations to a comment in this language:

/*
#

As you should already know, a comment just blocks out a section so it will not be executed through the query. Typically, anytime you see a page from a website that takes in a parameter such as:

?id=
?category_id=
?user_id=

(not saying injections are narrowed down to only id parameters, but they are quite common) you may want to test the page for a vulnerability. The simplest way I know of to check for a vulnerability is to add:

” and 1=1--

to the end of the URL and see if the contents of the page change, even the slightest bit. If they don’t, then add

” and 1=0--

(it doesn’t have to be 1=1 or 1=0, just something that returns true for the first statement and false for the second) and see if it changes after the second. If the contents change after the second query then you have a vulnerability.

1 Like

Re: SQL Injection: Complete Tutorial by RealLordZeus(m): 9:51am On Oct 29, 2016
Gathering Information

To make your job or life a little easier you should look around the site some to gather information on what you are trying to retrieve. For instance, if the site has a user registration, look at the source code for the page and take note of the field names they use (most developers are lazy and use the same names for simplicity); you can also look around the site for more vulnerabilities. Alright, so once you have found some good information to look forward to, it’s time to find out how many columns are being selected from the database by the original query. This is an important step because if the number of columns you “select” and the number from the original are not identical, the injection does not work! To find out the number of columns you simply add “order by x” on the end of your vulnerable URL, replacing “x” with an increasing number until you get an error:

http://www.site.com/vulnerable.php?id=4 order by 9--

The number of columns being selected is the value of x before the error.

Re: SQL Injection: Complete Tutorial by RealLordZeus(m): 10:01am On Oct 29, 2016
The Injection

I suppose this is where some people get confused. In MySQL, in order to combine two query statements you can use the keyword “union”; you can also include the keyword “all”, which will display all results (the default property of union is to remove duplicate results from the display). After your “union all” you also need to include the keyword “select”, since we are going to want to select database information and display it on the screen. So far you should be looking at something similar to:

http://www.site.com/vulnerable.php?id=4 union all select

Continuing the injection like the previous example will work fine, but it will also display all the original results as well as our new results. Typically, to bypass this I, as well as most of the other people exploiting SQL injections, replace the id value (in the case of our example it would be 4) with one of the following:

-1
null

or any value that would not be in the database; this way the original select query will not return anything but our new injected select query will display. In SQL each column being selected must be separated by a comma (,), so if your vulnerable site is selecting 4 columns with the original statement (which was found earlier when we were gathering information using the “order by”) you would just concatenate those on your injection; I like to set each column to a different numeric value so that I can keep track of which columns are actually being displayed on the screen. So far, if everything has been going well, you should have an injection URL looking something like:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4--

If not then go back and keep reading it until you figure it out. The last part of our injection setup is telling the query which table to “select” the information from; we do this with the keyword “from table”… pretty self explanatory, right? So for example, if we have a vulnerable site that has 4 columns being selected and we want to look at the “users” table, we can have a set up such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4 from users--

Easy enough so far; now is where it gets a little more difficult, but not too much.

Re: SQL Injection: Complete Tutorial by RealLordZeus(m): 10:10am On Oct 29, 2016
Tables and Columns

Depending on the version of MySQL the administrators are running on the server, finding table and column names can be very easy or somewhat irritating. There is an easy way to figure out what version is running on the server, can you guess? If you did not guess version(), why the hell not, it’s like one of the easiest and most self explanatory things ever! Anyways, replace one of the columns in your injection that displays on the screen with the function call version() and this will tell you which; typically it’s either 4.x.x or 5.x.x. If they are running some form of version 4 then you’re basically on your own when it comes to figuring out table and column names (I’ll post some examples of common names later); though if version 5 is implemented then your life is easy. As of version 5.1 of MySQL the developers began to automatically include a master database on the server called INFORMATION_SCHEMA. Within information_schema there are tables that give information about all the tables, columns, users, etc. on the entire SQL server (to find more about the structure of information_schema and the table/column names visit MySQL :: MySQL 5.0 Reference Manual :: 19 INFORMATION_SCHEMA Tables). Once you figure out a table name and some column names within that table you want to look at, just place them into our injection setup from before; suppose we have a site that has a “users” table and columns “user” and “pass” and the second and third columns are displayed onto the screen, we could view these by an injection such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,user, pass, 4 from users--

This example will display both the user and pass onto the screen in the given positions, though what happens if only one column is selected or displayed? In MySQL there is a function called concat() which simply concatenates fields together, so to simplify our previous example we could have:

http://www.site.com/vulnerable.php?id=-1 union all select 1, concat(user,0x3a, pass), 3, 4 from users--

“0x3A” is just a colon (:) in hexadecimal, simply to separate the two fields for my own viewing.

Re: SQL Injection: Complete Tutorial by RealLordZeus(m): 10:19am On Oct 29, 2016
Narrowing down the Selection

Typically when performing a SQL injection there are multiple results you want to look at, or possibly just one individual. There are a couple of ways to narrow down your selection. The first way is to use the “where” keyword, which just takes a logical parameter such as “where id=1”, which would look in the id column in the table and find which row is equal to 1. The next way is to use the “limit” keyword; this way is a little more useful since you do not need to know an additional column name to increment through the selections. “limit” takes two parameters, where to start the selection and how many to select. So in order to select only the very first “user” from the table “users” using the “limit” keyword you could have:

http://www.site.com/vulnerable.php?id=-1 union all select user from users limit 0,1--

To look at the rest of the users individually you just increment the 0 up until you get an error. In order to look at all the results in a single swipe you can use the function group_concat(), which works very similarly to concat() except it displays all the results for the given column(s) separated by a comma (,) (the comma is just the default, you can change it by using the “separator” keyword and indicate a symbol to use).

1 Like
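The probe sequence the posts above walk through (the 1=1 / 1=0 check, “order by” column counting, “union all select”, version(), and the limit / concat / group_concat calls) is exactly what a defender sees in the web server access log. As an added example that is not part of the thread, this Python script scans constructed Apache-style log lines for those patterns; the log lines, client IPs and rule names are made up for the demo, and it assumes the application never legitimately carries SQL keywords in its query parameters.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Rules for the probe sequence the thread describes: boolean probe, "order by" column
# counting, "union all select", information_schema lookups, and limit/concat/version() calls.
# Assumption: this application never legitimately carries SQL keywords in query parameters.
RULES = [
    ("boolean-probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\s*(--|#|/\*)")),
    ("order-by-count", re.compile(r"\border\s+by\s+\d+")),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information-schema", re.compile(r"\binformation_schema\b")),
    ("enumeration", re.compile(r"\blimit\s+\d+\s*,\s*\d+|\b(group_)?concat\s*\(|\bversion\s*\(\s*\)")),
]

# Apache/nginx "combined" access log prefix: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_query(target):
    """Decode the query string as the server would (percent/plus), lower-case it, collapse spaces."""
    decoded = unquote_plus(urlsplit(target).query).lower()
    return re.sub(r"\s+", " ", decoded)

def scan_access_log(lines):
    """Return (ip, target, [rule names]) for every request whose query matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        matched = [name for name, rx in RULES if rx.search(normalize_query(m.group("target")))]
        if matched:
            hits.append((m.group("ip"), m.group("target"), matched))
    return hits

# Constructed sample: one benign request, the thread's probe sequence as a browser would encode
# it, and a benign search containing the word "order" to show the rules are not keyword-only.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2016:09:48:01 +0100] "GET /vulnerable.php?id=4 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Oct/2016:09:48:05 +0100] "GET /vulnerable.php?id=4%20and%201=1-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Oct/2016:09:48:09 +0100] "GET /vulnerable.php?id=4+order+by+9-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [29/Oct/2016:10:01:02 +0100] "GET /vulnerable.php?id=-1+union+all+select+1,2,3,4-- HTTP/1.1" 200 4870',
    '203.0.113.7 - - [29/Oct/2016:10:10:44 +0100] "GET /vulnerable.php?id=-1+union+all+select+1,version(),3,4-- HTTP/1.1" 200 4880',
    '203.0.113.7 - - [29/Oct/2016:10:19:30 +0100] "GET /vulnerable.php?id=-1+union+all+select+1,group_concat(user,0x3a,pass),3,4+from+users-- HTTP/1.1" 200 4990',
    '198.51.100.2 - - [29/Oct/2016:10:20:00 +0100] "GET /search.php?q=order+form+2016 HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    for ip, target, rules in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(rules)}")
```

A 500 status on an “order by” request followed by 200s on union requests from the same client is the column-counting step the post describes, so correlating hits per IP over a short window is a stronger signal than any single match.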

Re: SQL Injection: Complete Tutorial by ANTONINEUTRON(m): 10:10pm On Oct 29, 2016
can't mysql_real_escape_string() prevent user from customizing (lol) ur query?? in case of a string

1 Like
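The question above asks whether mysql_real_escape_string() stops this. As an added illustration that is not part of the thread, the Python/sqlite3 snippet below pushes the thread’s numeric id injection (and its 1=1 / 1=0 probe) through an escape-only lookup and through a bound-parameter lookup; the products and users tables, their rows, and the escape_like_mysql() stand-in are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site: a 4-column products table (what the
    thread's vulnerable.php?id=4 would query) and the "users" table the injection targets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER)")
    db.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, email TEXT)")
    db.execute("INSERT INTO products VALUES (4, 'widget', 9.5, 10)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 's3cret', 'alice@example.com')")
    return db

def escape_like_mysql(value):
    """Stand-in for mysql_real_escape_string(): backslash-escapes quotes and backslashes.
    Escaping only matters inside a quoted string literal; a numeric payload contains none."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def lookup_unsafe(db, id_param):
    """Escape-only pattern: the value is escaped, then interpolated unquoted into a numeric
    comparison, so the attacker still controls the structure of the statement."""
    sql = "SELECT id, name, price, stock FROM products WHERE id = " + escape_like_mysql(id_param)
    return db.execute(sql).fetchall()

def lookup_safe(db, id_param):
    """Hardened pattern: strong typing plus a bound parameter; the value can never become SQL,
    and a non-integer id is rejected before any query runs."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []
    return db.execute("SELECT id, name, price, stock FROM products WHERE id = ?", (product_id,)).fetchall()

def run_probe(id_param):
    """Run the same id parameter through both lookups against a fresh database."""
    db = make_db()
    return lookup_unsafe(db, id_param), lookup_safe(db, id_param)

if __name__ == "__main__":
    # The thread's injection: -1 suppresses the real row, the union brings back users rows.
    print(run_probe("-1 union all select 1,user,pass,4 from users--"))
    print(run_probe("4"))
```

The 1=1 / 1=0 pair from the thread shows the same split: the escape-only lookup answers differently to the two probes, while the bound-parameter lookup returns nothing for both because neither is an integer.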
