SQL Injection Attacks with BurpSuite

Angel U
4 min read · Jun 12, 2021

What is SQL injection?

An SQL injection attack essentially uses SQL syntax against itself in order to grab information from a database that we aren't supposed to be able to see. Instead of sending a username or password, we can send an SQL query in a website form. The server will run this query and return the results it found.

Why are SQL injection attacks possible?

On most modern websites SQL injection attacks are not possible. This is because current coding practices call for input validation on the server side. If a client fills out a form, any data in that form should not be read as code by the server when it is received. If these coding practices aren't followed, the website may be vulnerable to an SQL injection attack.

Visualizing an SQL injection attack

We need to think about what the query might look like on the server side when we submit a request via form data. We can imagine that when we input data into a form, the server queries the SQL database with something like this:

The question marks represent the names of rows, columns, and items in the database, which we do not really need to know. These things live on the server and we cannot change them. The last section, circled in red, is where the user input goes, which is the one part we do have control over. By entering data such as 'or 1=1-- into the form, the server will interpret the request like this:

As we can see, the server reads the extra ' as SQL syntax rather than as part of the string, so it closes the input string early. The rest of the input now sits outside any string and is read as part of the SQL query, while the trailing -- turns whatever remained of the original query into a comment. The example above could cause the server to return every row in the table, since 1=1 is always true.
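To make the visualization concrete, here is an added example (not code from the original post) that builds the vulnerable query the way the article describes and places it next to a parameterised version. It uses an in-memory SQLite database with a constructed users table and the 'or 1=1-- payload from the text; the function names, table layout and sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demo database (not taken from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the article visualises: form data spliced straight into the SQL text.

    A quote in the input closes the string literal early, the rest of the input becomes
    SQL, and a trailing -- comments out whatever was left of the original query.
    """
    sql = (
        "SELECT username, password FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so quotes and
    comment markers in the input stay plain data and never become syntax."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    payload = "' or 1=1--"
    print("vulnerable:", login_vulnerable(make_db(), payload, "anything"))  # all three rows
    print("safe:      ", login_safe(make_db(), payload, "anything"))        # no rows
```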

Using BurpSuite to facilitate the SQL attack

We can use BurpSuite to automate this type of attack. To begin, set your browser to route its traffic through Burp's proxy, for example with FoxyProxy.

Open BurpSuite and go to the Proxy tab, then the Intercept tab, and turn intercept off.

Next, try logging into your vulnerable website, then check BurpSuite for the intercepted request by going to the HTTP history tab within the Proxy tab. Right-click on the POST request you see and select 'Send to Intruder'.

Click on the Intruder tab and you should see the HTTP request. From here BurpSuite can modify the request and resend it. Since we only want to change the username field, click the Clear button.

Then highlight the username field and click the Add button. This is the only position where we want to insert the SQL payload.

Next, click on the Payloads tab. You can add the different SQL strings manually, or you can load a list. For this example I loaded the list located at /usr/share/wordlists/wfuzz/injection/SQL.txt on Kali Linux. This list contains 125 different SQL strings that Intruder will submit one by one.

Now you can click Start attack in the top right.

Once the attack is done, we can look through the responses received for each payload. Failed logins will usually return responses of the same length, so we can ignore those.

Since we are looking for a dump of information from the database, a longer response is more likely to be what we want. To view a specific response, right-click it and select Request in browser > In current session.

You will get a window with a URL you can copy and paste into your browser.

Success! This request caused the database to dump all the usernames and passwords it stored.
