Welcome my fellow noob. Today we are going to talk about SQL Injection basics. Before going further, make sure you have already read the previous articles in this series:
- SQL Injection Explained From Scratch
- Login Bypass With SQL Injection
- Types and Classes of SQL Injection
Ready? Let's go!
Have you seen this kind of URL?
http://example.com/gallery.php?id=2
You have seen them, right? Let's break down this URL:
- http:// is the scheme, just like https://.
- example.com is the domain name. Domain names are unique to each website.
- gallery.php is a web page.
- id is a parameter. Parameters are used to pass input to the web application (or website).
- 2 is the value of the parameter, which is the actual data being transferred to the back end.
Well, this URL is an example of a GET request, but many websites use the POST method, in which parameters and their values are not included in the URL. For an SQL injector, it is very important to be able to see POST data, and that's why we use plug-ins like Hack Bar.
What’s up with all these parameters?
Let's take a look at this URL:
http://example.com/gallery.php?id=2
What is the significance of ?id=2 here? To me, it looks like it's fetching images from the database. Every image has an id associated with it, and currently it's showing the image whose id is 2. We can predict that the back end is something like this:
$query="select image from album where id='$value'"
Let's move on, shall we?
Methodology for SQL Injection
- Find an injection point: Yep, find an injection point. SQL injection is possible in anything submitted by the user to the server, such as GET/POST data, cookies and browser variables.
- Check if vulnerable: check whether the parameter is vulnerable to SQL injection, and whether the injection is integer type or string type.
- Attack: Craft your queries after analyzing the application’s behavior.
We will learn about this stuff later in the series.
Types of injection
By the type of injection I mean what kind of variable the web application uses to grab data from the database. Is it an integer, or a string?
Let me give you an example:
- https://example.com/gallery.php?id=12 - Integer
- https://example.com/data.php?list=teachers - String
- https://example.com/product.php?pid=5s23d - String
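To see why the guessed back-end query above is dangerous, and what the integer-versus-string distinction means for the defender, here is an added example (not code from the original post) written in Python against an in-memory SQLite table. The table, column names and sample rows are assumptions constructed for the demo; the safe version validates an integer parameter before binding it instead of splicing it into the SQL text.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the gallery's back end (assumed schema, not a real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE album (id INTEGER PRIMARY KEY, image TEXT)")
    conn.executemany("INSERT INTO album VALUES (?, ?)",
                     [(1, "cat.jpg"), (2, "dog.jpg"), (3, "bird.jpg")])
    return conn


def build_query_unsafe(value):
    # Same shape as the query guessed above: the raw parameter value is pasted
    # straight into the SQL text, quotes and all.
    return "select image from album where id='%s'" % value


def fetch_image_unsafe(conn, value):
    # Returns the rows, or the database error text when the spliced-in value
    # changed the structure of the query (the classic sign of an injectable parameter).
    try:
        return conn.execute(build_query_unsafe(value)).fetchall()
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc


def fetch_image_safe(conn, value):
    # Integer parameter: reject anything that is not a whole number up front,
    # then bind the value so the database never treats it as SQL.
    if not value.isdecimal():
        raise ValueError("id must be an integer")
    return conn.execute("select image from album where id=?", (int(value),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_image_unsafe(db, "2"))    # normal request works either way
    print(fetch_image_unsafe(db, "2'"))   # a stray quote breaks the unsafe query
    print(fetch_image_safe(db, "2"))
```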
Ummm, I don't know what else to say in this article. In the next one, we will read how to gain information about the query's structure and use it to proceed to the attack phase.
Keep Learning! Keep Injecting!
Also Read: Writing a SQL injection scanner in 7 lines of code – Python