Scenario: A poorly secured website is storing user data. Your task is to exploit a basic SQL injection vulnerability to retrieve sensitive information.
Challenge 1:
Scenario:
You encounter a login form with username and password fields. You suspect SQL injection. You try the username ' or '1'='1. The login is successful, bypassing authentication.
Question:
What basic SQL injection payload bypassed the login?
Challenge 2:
Scenario:
After logging in, you find a page that displays user details based on a user ID provided in the URL: example.com/user.php?id=1. You suspect you can inject SQL into the ID parameter.
Question:
What classic SQL injection payload would you use to cause an error that might reveal database information by attempting to break the SQL query?
Challenge 3:
Scenario:
The error reveals the database is MySQL. You want to determine the current database name. You try injecting ' UNION SELECT database() -- -.
Question:
What function retrieves the name of the current database?
Challenge 4:
Scenario:
You've identified the database name. Now you want to list all tables in the database. You inject: ' UNION SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE() -- -.
Question:
What schema contains information about tables and columns in the database?
Challenge 5:
Scenario:
You've found a table named "users". Now you want to see the column names in that table. You inject: ' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'users' -- -.
Question:
Which table do you query to look up the column names of a database table?
Challenge 6:
Scenario:
You find columns like "username" and "password". You want to retrieve the data from the "users" table. You inject: ' UNION SELECT username, password FROM users -- -.
Question:
What type of SQL injection are you performing?
You're tasked with using SQLmap to exploit a website you suspect is vulnerable to SQL injection.
Challenge 1:
Scenario:
You have a URL that you believe is vulnerable. You want to use SQLmap to test it. You run the basic command: sqlmap -u "example.com/vuln.php?id=1" --dbs.
Question:
What SQLmap option is used to enumerate databases?
Challenge 2:
Scenario:
SQLmap identifies that the id parameter is vulnerable to SQL injection. You want to list the tables in the database. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" --tables.
Question:
What SQLmap option is used to enumerate tables within a specified database?
Challenge 3:
Scenario:
You've identified a table called "users". Now you want to list the columns in the "users" table. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" -T "users" --columns.
Question:
What SQLmap option is used to enumerate columns within a specified table?
Challenge 4:
Scenario:
You see columns named "username" and "password". You want to dump the contents of these columns. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" -T "users" -C "username,password" --dump.
Question:
What SQLmap option is used to extract data from the database?
Challenge 5:
Scenario:
You want to determine the backend database management system being used by the web application. You use the option --technique=B.
Question:
What do you need to add to find the technique?
Challenge 6:
Scenario:
After identifying that the database server is MySQL, you would like to run some commands on the database server itself.
Question:
What SQLmap option do you use to execute operating system commands?
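The two challenge sets above walk through the attacker's side of a UNION-based enumeration chain and a sqlmap run. From the defender's side, the same payloads and tool leave recognisable traces in web-server logs. The following is an added example, not part of the original challenges: a small detector that URL-decodes the request target of each combined-format access-log line and flags the tautology, UNION SELECT, information_schema and comment-terminator patterns used in the challenges, plus sqlmap's default User-Agent (which starts with "sqlmap/" unless the operator changes it). The log lines, IP addresses and version string are constructed samples; the rule names are this example's own.

```python
"""
Added example (not from the original challenge set): scan constructed access-log
lines for the SQL-injection patterns used in the challenges above and for
sqlmap's default User-Agent.
"""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded request target (path + query string).
# Rule names are this example's own labels, not a standard taxonomy.
PAYLOAD_RULES = [
    # ' or '1'='1 style tautology (Challenge 1 of the first set)
    ("tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    # UNION SELECT, allowing inline comments between the keywords
    ("union_select", re.compile(r"\bunion\b(\s|/\*.*?\*/)+(all\s+)?select\b", re.I)),
    # enumeration of tables/columns via information_schema (Challenges 4 and 5)
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    # comment terminators such as the "-- -" used to drop the rest of the query
    ("comment_terminator", re.compile(r"--\s|/\*")),
]
# sqlmap's default User-Agent begins with "sqlmap/" unless --random-agent or
# --user-agent is used, so its absence proves nothing; its presence is a cheap signal.
UA_RULES = [("sqlmap_ua", re.compile(r"^sqlmap/", re.I))]


def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line: skip rather than crash
    decoded = unquote_plus(m.group("target"))  # decode %27, %20, + before matching
    hits = [name for name, rx in PAYLOAD_RULES if rx.search(decoded)]
    hits += [name for name, rx in UA_RULES if rx.search(m.group("ua"))]
    if not hits:
        return None
    return {"ip": m.group("ip"), "target": decoded, "ua": m.group("ua"), "rules": hits}


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
# Note: form POST bodies are not in access logs, so the login payload is shown
# here in a query string; detecting it in POST bodies needs application or WAF logging.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /user.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:56:01 +0000] "GET /login.php?username=%27+or+%271%27%3D%271&password=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2024:13:57:12 +0000] "GET /user.php?id=1%27%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema%3DDATABASE()%20--%20- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:14:02:44 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["rules"], finding["target"])
```

The decode step matters: the raw log stores `%27` and `+`, so matching the undecoded line would miss most of these requests. The rules are deliberately narrow to keep false positives low on a small sample; in production you would tune them against your own traffic and treat a hit as a trigger for review, not proof of compromise.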
Craw.in, a rising cybersecurity firm, has launched a new login portal. However, security researchers suspect it may be vulnerable to SQL injection. Your task is to exploit the application and retrieve sensitive data by crafting malicious SQL queries.
Challenge 1: Bypassing Authentication
Scenario:
You are testing Craw.in’s login page. It requires a username and password, but you don’t have valid credentials. You suspect that the backend SQL query is:
```sql
SELECT * FROM users WHERE username = '$user' AND password = '$pass';
```
By injecting SQL into the login fields, you can bypass authentication.
Question:
What payload would you use in the username field to bypass authentication?
Challenge 2: Extracting User Data
Scenario:
After bypassing authentication, you access the dashboard. You find a search feature that interacts with a SQL database. It executes queries like:
```sql
SELECT * FROM users WHERE name LIKE '%$input%';
```
You try entering ' OR '1'='1' -- and notice that all user details appear.
Question:
What SQL clause can be used to retrieve all user data?
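Both queries in Challenges 1 and 2 are vulnerable for the same reason: user input is concatenated into the SQL text, so a quote in the input changes the query's structure. The following is an added example, not code from the original challenges or from Craw.in: it builds the login and search queries the vulnerable way (string formatting, as the page shows) and the safe way (bound parameters, with LIKE metacharacters escaped), then runs both against an in-memory SQLite table of constructed users so the difference is observable. The table contents, the function names and the use of SQLite rather than the page's MySQL are assumptions for the demonstration.

```python
"""
Added example (not from the original challenges): the login and search queries
from Challenges 1 and 2, string-concatenated versus parameterised, run against
a constructed in-memory SQLite users table.
"""
import sqlite3


def make_db():
    """Create a throwaway users table with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "Alice Smith"),
        ("bob", "hunter2", "Bob Jones"),
    ])
    return con


def login_vulnerable(con, user, pw):
    # Same shape as the page's query: SELECT * FROM users WHERE username = '$user' AND password = '$pass'
    # A quote in `user` ends the string literal, and a trailing comment discards the password check.
    sql = f"SELECT * FROM users WHERE username = '{user}' AND password = '{pw}'"
    return con.execute(sql).fetchall()


def login_safe(con, user, pw):
    # The query text is fixed; the driver sends the values separately, so a quote
    # in `user` is compared as data and can never alter the WHERE clause.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (user, pw)).fetchall()


def search_vulnerable(con, term):
    # Same shape as the page's search: SELECT * FROM users WHERE name LIKE '%$input%'
    sql = f"SELECT name FROM users WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    # Bind the whole pattern as one parameter. Escaping % and _ as well means a user
    # cannot widen the match with LIKE wildcards; the ESCAPE clause names the escape char.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    return con.execute(sql, (f"%{escaped}%",)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1' --"  # the payload from Challenge 2
    con = make_db()
    print("vulnerable login rows:", len(login_vulnerable(con, payload, "x")))  # 2: every user returned
    print("safe login rows:     ", len(login_safe(con, payload, "x")))        # 0: no such username
    print("vulnerable search:   ", search_vulnerable(con, payload))            # both names
    print("safe search:         ", search_safe(con, payload))                  # []
    print("safe search for %:   ", search_safe(con, "%"))                      # [] (literal % only)
```

The parameterised versions do not sanitise the input; they make sanitising unnecessary for the query structure, because the value is never parsed as SQL. The LIKE escaping is a separate concern: even with binding, an unescaped `%` in the search term still matches every row, which is a data-exposure issue rather than an injection.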
Challenge 3: Finding the Number of Columns
Scenario:
Now, you want to retrieve sensitive information from another table. To use UNION SELECT, you first need to find the correct number of columns in the query.
Question:
What SQL payload helps determine the number of columns in the database table?
Challenge 4: Extracting Table Names
Scenario:
You suspect that Craw.in stores user credentials in a table. You decide to extract the table names using information_schema.tables.
Question:
What SQL injection payload retrieves table names from the database?
Challenge 5: Extracting Column Names
Scenario:
Now that you have found the table name (e.g., users), you need to extract the column names containing sensitive data.
Question:
What SQL injection payload retrieves column names from the users table?
Challenge 6: Dumping User Credentials
Scenario:
After retrieving column names, you identify username and password. Now, you execute an attack to extract user credentials.
Question:
What SQL payload retrieves usernames and passwords from the users table?
Challenge 7: Dropping the Database
Scenario:
In a real attack, a malicious hacker might try to delete the database. Craw.in has a serious vulnerability in its SQL query handling.
Question:
What SQL command would delete all records in the users table?