Anatomy of SQL Injection Attack

This article covers SQL injection, one of the most complex and powerful attacks. SQL injection has a steep learning curve; to carry out an attack you will need knowledge of web applications, databases, and SQL, and a lot of patience.

As a penetration tester, you will undoubtedly have to test for these types of attacks or defend against them, so you should acquaint yourself with the basics of this category of attack.

The potential attacks that can be performed to leverage the flaws in poorly designed websites are beyond count. The seemingly endless combinations of technologies and environments lend themselves to plenty of different attacks.

In this section we will examine a basic attack against a website to see how this works in practice. Note that this is only one form of SQL injection and is not tied to a specific database technology (unless otherwise noted). In the wild, these attacks may take many different forms.

Acquiring a Target for Attack

Before you can attack a target, you must have a target. To find one you can use various techniques, but let's use some good-old Google hacking.

If you recall, Google hacking is the use of advanced search query operators to uncover better results. Through a little trial and error, you can find a website that is vulnerable to attack. There are numerous search queries you can use, but some that can yield results include the following:

inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:pageid=
inurl:game.php?id=
inurl:page.php?file=
inurl:newsDetails.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newitem.php?num=

Note:- It is possible to execute successful SQL injections against a number of different technologies, but the search terms here use PHP as an example. With some variation, ASP.NET, ASP, and JSP pages can also be targeted by an attacker.

There are plenty of ways to search Google using various search terms to uncover a potentially vulnerable target. I encourage you to experiment with different combinations to see if you can obtain better or more actionable results.

Once you have identified your target, your next step is to look for vulnerabilities. One easy way to determine whether a site is vulnerable to SQL injection is to add a single quote to the end of the URL, like so:

http://www.somesite.com/default.php?=1'

Type this URL, press Enter, and observe the results. If an error is returned, the web application or site located at the URL is vulnerable to SQL injection, though you don't yet know to what degree.

Note:- The error that appears at this point can be any of a large number of potential errors, but which one is not important. What matters at this stage is that an error is returned at all, because it indicates that a vulnerability may be present. The error message typically reads "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax." As a general rule, if the website returns any SQL errors, it may be vulnerable to SQL injection techniques.
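As an added example (not code from the article), here is the query pattern behind that error, written in Python against an in-memory SQLite database instead of PHP/MySQL: the vulnerable function pastes the id parameter straight into the SQL text, so the single-quote test above turns into a syntax error, while the parameterized version treats the same input as plain data. The table name, sample rows, and function names are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The flawed pattern behind pages like article.php?id=...:
    the raw query-string value becomes part of the SQL statement,
    so a trailing quote is parsed as SQL syntax, not as data."""
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Hardened version: the value is bound as a parameter, so the
    database engine never interprets it as part of the statement."""
    return conn.execute("SELECT title FROM articles WHERE id = ?",
                        (raw_id,)).fetchall()


def probe(conn, func, raw_id):
    """Run one lookup and report ('rows', result) or ('error', message),
    which is exactly the signal the single-quote test looks for."""
    try:
        return ("rows", func(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):
        print("vulnerable   ", repr(value), probe(db, lookup_vulnerable, value))
        print("parameterized", repr(value), probe(db, lookup_parameterized, value))
```

The parameterized lookup never produces the syntax error, so the test in the article finds nothing to report; on top of that, not echoing raw database errors to the client removes the signal the note above relies on.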
