Before a database can be attacked with SQL injection it must be located. A number of tools are available to help locate rogue or unknown databases on the local network or on the internet. For the network we will look at two of them, SQLPing 3.0 and SQLRecon; both run in a Windows environment. For the internet we can use Google hacking to discover targets.

Locating database

Local Network

SQLPing3.0
This tool can perform both active and passive scans on the local network to find unknown SQL servers. You can install this tool from the following location: sqlping3.0

SQLRecon
This is another tool that can also perform both active and passive scans; it can be downloaded from SQLRecon

SQLPing can also be used for password cracking against the target database.

Using any of these tools will give us information about the databases on the local network that we can run SQL injection attacks against.

Google hacking

You can get some additional information on Google hacking.
Below are some of the queries that can get positive results.
Type the following in the Google search box:

inurl:newsitem.php?num=
inurl:show.php?id=
inurl:staff_id=
inurl:index.php?id=
inurl:pageid=
inurl:article.php?id=
inurl:games.php?id=

SQL Injection attack

Once a target is identified we can start looking for the vulnerability. One way is to add a single quote to the end of the URL:

http://www.testsite.com/default.php?id=1'

Alternatively you can use one of the available scanners that can scan your web application for this vulnerability.

Tool           Website
Arachni        http://www.arachni-scanner.com/
X5S            http://xss.codeplex.com/
Grendel-Scan   https://sourceforge.net/projects/grendel/
SQLMap         https://github.com/sqlmapproject/sqlmap
Skipfish       https://code.google.com/archive/p/skipfish/
Grabber        http://rgaucher.info/beta/grabber/

Starting attack

The first step is to learn the structure of the database. Let's append a simple ORDER BY clause like so:

http://testsite/default.php?id=1 order by 1

If this returns anything other than an error, increment the number until an error is returned. The last value that did not return an error is the number of columns in the underlying query. Now we can make queries against the database.
Just an example:

http://testsite.com/default.php?id=-1 union select 1,2,3,4,5,6,7,8,9

This statement assumes that we discovered nine columns; the number of values in the UNION SELECT must match that count. Now let's target one of the columns to get version information:

http://testsite.com/default.php?id=-1 union select 1,2,@@version,4,5,6,7,8,9

Example of SQL Injection attack using forms

In this example we will look at performing a SQL injection attack against a form commonly encountered on the web. In our example the form is used for recovering a lost password. The form works by taking the email address of the account with the lost password and sending a new password to that email.
First we have to do some guessing and try to determine how the application and the database interact. In most cases we can assume it is using a SQL statement like this:

SELECT data FROM table WHERE emailinput = '$email_input';

Now we have to determine how the application reacts when provided with invalid input. Once we figure that out we can formulate malicious strings. Let's enter an email address with a quote on the end and see how the application reacts:

labuser@labdomain.com'

At this point one of the following will happen:

  • The form data is sanitized and the quote is removed
  • The form accepts the data, meaning no protection is in place

Please note that in the case where no protection is in place, your SQL statement, when executed, changes to this:

SELECT data FROM table WHERE Emailinput = 'lab@lab.com'';

Note that the quote now appears at the end of the statement. At this point we need to look for the error returned. If nothing is returned we may be out of luck, meaning the application is well designed and sanitizes data as it should. The presence of an error may indicate the flaw is there. At this point we can try executing our SQL injection code:

UPDATE table SET email = 'myspoof@spoof.org' WHERE email = 'lab@lab.com';

At this point the application runs the code like this:

SELECT data FROM table WHERE Emailinput = 'Y';
UPDATE table SET email = 'myspoof@spoof.org' WHERE email = 'lab@lab.com';

At this point, as an attacker, you can for example reset the password and receive the email with the information on resetting it.
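The difference between the two outcomes listed above comes down to how the lookup statement is built. The following is an added example, not code from the original post: it stands up a constructed in-memory SQLite table (named accounts here, standing in for the page's "table") and runs the page's password-recovery lookup two ways, once by string interpolation, which is the shape the attack relies on, and once with a bound parameter, which is the fix. The trailing-quote probe from the page produces a database error in the first and a clean empty result in the second.

```python
import sqlite3


def make_db():
    # Constructed sample data for this example; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, data TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('lab@lab.com', 'secret-token')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, email_input):
    # Builds the statement the page assumes by pasting the input into the SQL text.
    # The user's quote becomes part of the query, so lab@lab.com' yields an
    # unterminated string and the database raises an error; that error is the
    # signal the quote probe on the page is looking for.
    sql = "SELECT data FROM accounts WHERE email = '%s'" % email_input
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % exc


def lookup_parameterized(conn, email_input):
    # The same lookup with a placeholder. The input is bound as a value and never
    # parsed as SQL, so a quote (or a whole UPDATE statement) is just an email
    # address that matches no row.
    sql = "SELECT data FROM accounts WHERE email = ?"
    return conn.execute(sql, (email_input,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for probe in ("lab@lab.com", "lab@lab.com'"):
        print(repr(probe), "vulnerable ->", lookup_vulnerable(conn, probe))
        print(repr(probe), "parameterized ->", lookup_parameterized(conn, probe))
```

Binding parameters removes the injection itself; returning a generic failure page instead of the raw database error removes the second half of the page's probe, since the attacker then has nothing to distinguish a sanitized input from an unsanitized one.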

Blind Injection

If the target does not return any messages you can try blind injection. This attack is much more time consuming and requires obtaining information indirectly and verifying it, in our example with true/false statements:

'; IF EXISTS(SELECT * FROM users) WAITFOR DELAY '0:0:5'--

This code checks whether a users table exists in the database. If it does exist, the database pauses for 5 seconds and then returns "We are unable to process your request". If it does not exist, the error message is returned right away.
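Every probe shown on this page, from the trailing quote and the ORDER BY counting in the "Starting attack" section to the WAITFOR DELAY payload just above, leaves a recognizable trace in the web server's access log. The following is an added example, not part of the original article: it scans a few constructed log lines (a common log format with a response-time field in milliseconds appended, which is an assumption about the log layout) and tags requests that carry those probe patterns. For the time-based payload it also checks whether the observed response time actually matched the requested delay, which is the signal that the statement was executed rather than rejected.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the probes this page describes; constructed for this example.
PROBES = [
    ("quote-probe", re.compile(r"=[^&]*'\s*$|'\s*(;|--)")),
    ("order-by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time-delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
]

# Assumed log layout: common log format plus a trailing response time in ms.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]+" '
    r"(?P<status>\d{3}) \d+ (?P<ms>\d+)$"
)

# Constructed sample lines mirroring the URLs used on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /default.php?id=1 HTTP/1.1" 200 5120 12',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /default.php?id=1%27 HTTP/1.1" 500 310 9',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /default.php?id=1+order+by+9 HTTP/1.1" 500 310 8',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /default.php?id=-1+union+select+1,2,3 HTTP/1.1" 200 4800 15',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /reset.php?email=x%27%3B+IF+EXISTS(SELECT+*+FROM+users)+WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 200 512 5102',
]


def classify_request(url):
    # Decode %xx and '+' first so encoded probes are matched the way the
    # application will see them; return the names of all matching patterns.
    decoded = unquote_plus(url)
    return [name for name, rx in PROBES if rx.search(decoded)]


def scan_log(lines, slow_ms=4000):
    # Returns (ip, url, tags) for every request that matched at least one probe.
    # A WAITFOR DELAY payload whose response took at least slow_ms also gets the
    # "delay-observed" tag: the server slept, so the injected statement ran.
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("url"))
        if "time-delay" in tags and int(m.group("ms")) >= slow_ms:
            tags.append("delay-observed")
        if tags:
            findings.append((m.group("ip"), m.group("url"), tags))
    return findings


if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG):
        print(ip, url, tags)
```

The ORDER BY and UNION SELECT probes are easy to match on their own, but the strongest signal is the sequence: one client stepping `order by` upward until a 500 appears, then switching to a UNION with exactly that many values. Grouping findings by client IP in a time window, which this block leaves to the reader, turns the individual tags into that story.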

Please note information in this article should only be used for penetration testing with permission of the tested application owner