In this post, I would like to share some knowledge about SQL Injection that can be useful during penetration testing. Before we go deeper into it, I will explain what SQL Injection is for those who are not familiar with it.


SQL injection is an attack in which untrusted input is placed into a SQL statement so that the database executes statements the developer never intended. An attacker can then control the database server that sits behind a web application by bypassing the security measures the developer coded into the application.


There are three types of SQL Injection that we should know beforehand:

  • Error-based Injection
  • Union Select Injection
  • Blind Injection

Error-Based Injection syntax


A typical payload sent to the database would be something like the following:

admin'--

The payload above is an example of an error-based injection: the single quote closes the string literal and `--` comments out the rest of the statement, so the query the database actually runs becomes:

SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

When the database runs this command it matches the username "admin", and everything after the `--` is treated as a comment. As a result the rest of the query, in particular the password check, is ignored and the attacker is given access as the admin user.


If the injected input leaves the statement malformed instead (for example a lone quote with nothing to close it), the database returns an error like the following, which is what makes this technique "error-based":

Microsoft SQL Native Client error '80040e14'
Unclosed quotation mark after the character string ''.
/target.asp, line 9

Union Select Injection method


Another method we can look into is the UNION SELECT method, for example:

' UNION SELECT 1, 'admin', 'database name', 1--

The payload above relies on the SQL UNION operator, which appends the rows of a second SELECT to the result of the first (both SELECTs must return the same number of columns):

SELECT any_column_name(s) FROM any_table 
UNION
SELECT any_column_name(s) FROM any_table2 

Blind Injection Method


Most people will already know Blind Injection, which can be used against an application or website to bypass authentication.


An example of the payload used here would be:

' or 1=1 -- 

The payload above causes the query to return the first record in the database: because 1=1 is always true, combining it with OR makes the whole WHERE condition true regardless of the original comparison.

SELECT column_name, column_name_2 FROM table_name WHERE ID = 34 and 1=1
SELECT name, description, price FROM Store_table WHERE ID = 34 and 1=1
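To make the bypass behind both the `admin'--` and the `' or 1=1 --` payloads concrete, here is an added example (my own code, not from any of the machines discussed in this post) that runs those two inputs against a constructed SQLite `members` table, first through a string-concatenated query of the shape shown above and then through the parameterized version that stops it:

```python
import sqlite3

# Constructed in-memory table standing in for the "members" table above.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE members (username TEXT, password TEXT)")
CONN.executemany("INSERT INTO members VALUES (?, ?)",
                 [("admin", "s3cret"), ("alice", "hunter2")])


def login_vulnerable(username: str, password: str) -> list:
    """Builds the WHERE clause by string concatenation, the shape shown in
    the post. A quote in `username` ends the literal and the rest is SQL."""
    query = (f"SELECT username FROM members WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in CONN.execute(query)]


def login_parameterized(username: str, password: str) -> list:
    """Same check with bound parameters: the driver sends the values
    separately from the statement, so quotes and -- stay plain data."""
    query = ("SELECT username FROM members WHERE username = ? "
             "AND password = ?")
    return [row[0] for row in CONN.execute(query, (username, password))]


def compare(username: str, password: str) -> dict:
    """Runs one input through both versions so the difference is visible."""
    return {"vulnerable": login_vulnerable(username, password),
            "parameterized": login_parameterized(username, password)}


if __name__ == "__main__":
    for payload in ("admin'--", "' or 1=1 --"):
        # The vulnerable version logs in without a valid password;
        # the parameterized version finds no matching row.
        print(repr(payload), compare(payload, "wrong-password"))
```

With the comment payload the vulnerable query returns only the admin row, while `' or 1=1 --` returns every member; the parameterized query returns nothing for either.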

DEMO for the SQL Injection


For this demo, I will share some of the injection examples that were used on a machine such as the Faculty machine.


Whenever I see a login page, I normally try SQL Injection in the username and password fields.


For the activity above, we can modify the payload so that it gives us access to the website.


Therefore, let's change the SQL Injection payload so that it works.

Another demo of the Injection


For those who want to automate SQL enumeration, we use sqlmap.


From the sqlmap result in the screenshot above, we can see a few databases. Most of the time you will be able to list the databases that are available, at least the default ones.