# SQL Injections (SQLi) * A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms. * Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. ## The Simplest Example A parameter passed for a name of a user: ``` SELECT * FROM users WHERE name="$name"; ``` In this case, the attacker just needs to introduce a true logical expression like ```1=1```: ``` SELECT * FROM users WHERE 1=1; ``` So that the **WHERE** clause is always executed, which means that it will return the values that match to all users. Nowadays it is estimated that less than 5% of the websites have this vulnerability. These types of flaws facilitate the occurrence of other attacks, such as XSS or buffer overflows. ## Blind SQL Injection It's estimated that over 20% of the websites have this flow. In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true. Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another. In the example ``` http://www.website.com/info.php?id=10 ``` the page *info.php* is receiving the data and will have some code like: ``` $id=$_post['id']; ``` and an associated SQL query: ``` QueryHere = "select * from information where code='$id'" ``` ### Common ways of Exploitation #### Checking for vulnerability We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL: ``` http://www.website.com/info.php?id=10' ``` If the website returns the following error: You have an error in your SQL syntax... It means that this website is vulnerable to SQL. #### Find the structure of the database To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/). This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns. * ORDER BY: it tries to order all columns form x to infinity. The iteration stops when the response shows that the input column x does not exist, reveling the value of x. * UNION: it gathers several data located in different table columns. The automated process tries to gather all information contained in columns/table x,y,z obtained by ORDER BY. The payload is similar to: ``` ?id=5'%22union%22all%22select%221,2,3 ``` * Normally the databases are defined with names such as: user, admin, member, password, passwd, pwd, user_name. The injector uses a trial and error technique to try to identify the name: ``` ?id=5'%22union%22all%22select%221,2,3%22from%22admin ``` So, for example, to find the database name, we run the *sqlmap* script with target *-u* and enumeration options *--dbs* (enumerate DBMS databases): ``` $ ./sqlmap.py -u --dbs (...) [12:59:20] [INFO] testing if URI parameter '#1*' is dynamic [12:59:22] [INFO] confirming that URI parameter '#1*' is dynamic [12:59:23] [WARNING] URI parameter '#1*' does not appear dynamic [12:59:25] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable [12:59:25] [INFO] testing for SQL injection on URI parameter '#1*' [12:59:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [12:59:27] [WARNING] reflective value(s) found and filtering out [12:59:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' [13:00:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' [13:00:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' (...) ``` From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is ```--tables ```.