Exploiting and Mitigating SQL Injections
Learn how to exploit and mitigate SQL injections.
Exploitation
One of the aims of every cybercriminal is to get access to databases to steal users’ credentials, alter the data, or even sabotage an organization’s ability to function by deleting everything. This is where finding SQL injections becomes important. The data gained from an injection or even the injection vector could be used to perform other attacks or go straight for privilege escalation if possible.
Let’s look at some ways in which SQL injections can be exploited.
The GET
method
We first check that the data sent in the request is referenced in the URL. If yes, this means that the data that’s sent is visible in the URL. For example, let’s take a web application that has a login page. We enter the username and password, and when we click the “Login” button, the URL updates as such:
example.com/login.php?username=admin&password=admin
In order to bypass the login and gain unauthorized access, an attacker could perform a simple SQL injection like so:
example.com/login.php?username='OR1=1--&password=admin
Entering the URL above will simply input an empty string for the username
field and dismiss the password
field altogether, and the OR1=1
part will ask the database server to return true no matter what.
The POST
method
This is the case where the data is sent in the body of the request sent by the user. Therefore, as opposed to the GET
method, the sent data is not visible in the URL of the website or the webpage. An attacker, therefore, can use the input fields given by the web application. Simply entering ' OR 1=1
should work. Sometimes, we may need something extra to comment out the other field, so an #
or --
should suffice.
SQLMap
We’ve already seen SQLMap in action in the previous lesson. Let’s now see how to use it beyond searching for vulnerabilities:
-
sqlmap http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
: This will return all the tables in theacuart
database. -
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --columns
: This will return the structure of the table being queried. In this case, we want to check how data is structured in theartists
table. -
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists -C aname --dump
: This will return a list of the names of all the artists in theartists
table.
Let’s use the terminal below to try out the commands above and check the output:
Get hands-on with 1200+ tech skills courses.