Hello everybody and welcome back to another tutorial in Web penetration testing.
If you find anything helpful in this post or funny, will you please leave a like because you will feel great helping other people find it?
Right now we will start off by covering some of the basics of SQL and the basics of SQL injection.
So, first of all, for those of you who don’t know, with the SQL injection we basically make an interaction with the database itself.
Now, the database is mostly used to store information. For example, usernames and passwords can be stored in a database and once you type them in a form the server queries the database and compares the password you typed in with the password stored in the database and if they match it will allow you to log in.
So an example would be, for any login form that you encounter, whether it is on Instagram, Twitter or any social media account, what it will do is once you type in your password, first of all it will probably hash your password and compare the hash password with the hash password stored in the database and if they match you will be able to log in.
So the problem here happens if the person who created that website didn’t filter the user input well enough and didn’t forbid some of the characters used to query the database.
Now, it can potentially allow the user to send SQL queries and gather a bunch of the information that he shouldn’t really gather.
It can also allow the user to delete the entire database if he wanted to.
Now, before we begin let me just open Leafpad right here and explain a little bit more what SQL is and how you query the database.
First of all, the database is just a bunch of tables that are connected with the same system and that are also connected between each other.
Now, what I mean by tables is basically, a table is a list that contains information for the same type of elements, for example, table of users.
So facebook.com, for example, probably has a database with a bunch of tables of users and those tables are basically consisted of rows and columns.
So for example, you could have the row of users and below a row of passwords for the users then below a row of some of the other information for users such as mobile phone, email or basically any other information you want. It doesn’t have to be anything linked with the user itself.
It could be, for example, you visit an online shop and it sells flowers, for example, and you could have a table of different types of flowers right there and different types of information for those flowers.
Once you search the online shop, it queries for that database.
Now, how do we query a database? How do we actually interact with the database itself?
Now, there is the SQL language. It is not that hard to learn, but in the SQL injection it might seem a little tricky to get used to it. But once you learn some of the basic commands it is not that hard to continue learning it.
Now, some of the top commands could be CREATE, SELECT, UPDATE, INSERT, DELETE, and DROP.
Now, these commands are used to query the database and they basically do as they say.
‘Create’ will create database.
‘Select’ will select a specific table in that database or specific column or row.
‘Update’ will basically update the database.
‘Insert’ will insert a new element to the database or to the table itself.
‘Delete’ will delete a certain part of the database. For example, you want to delete a user. He decided to, for example, close the account and you want to delete it from the database. You will do it with the delete command.
‘Drop’ basically deletes the entire database itself. It can be very dangerous if the site is vulnerable to the SQL injection. So for example, let’s say that Facebook was vulnerable to the SQL injection and you just type ‘drop’ and the name of the database, you would basically delete the entire database of users and passwords.
That would become a really big problem, but luckily Facebook is not vulnerable to SQL injection and most of the bigger websites aren’t vulnerable to SQL injection either. But some of the less known websites could be.
So, one more thing. The commands ‘delete’ and ‘drop’ are not really used that much by the attacker since loss of information is not a preferred method of the attack itself since the attacker in most cases wants to gather information and not delete them.
Now, put yourself in the shoes of the attacker. What is valuable to the attacker is the passwords and usernames that he could gather for that account rather than deleting every account.
If he deleted every account he would just create a big problem. But if he gathered all usernames and passwords, he could basically log in as anybody to that website.
That could present a huge problem if that website was for example, PayPal.
He could send bunch of money to himself and he would probably get caught after some time, but that isn’t the point right here.
Now, the command out of all of these that you will use always is the ‘select’ command.
So this command is used to query the database. So for example, if you found a website that is vulnerable to SQL injection, you want to select the table with the passwords. You will do that with this command.
Now, the basic SQL query will look something like this.
So, SELECT elements FROM table WHERE condition.
So this is the basic query for the SQL database. We SELECT some elements FROM some table, WHERE, and then a certain condition.
The example for this command would be something like this.
SELECT name, description, price FROM products WHERE price<599.
Now, this is the basic query database for a website that would possibly be some kind of an online shop.
So we select the name of the product that we are searching for, the description of that name, and the price of that name from all of the products where price is less than 599. And then once the user selects that somewhere the server prints out back all of the responses that are below 599 and that have a name, description and price with them.
So it doesn’t have to be a single thing that we specify. We can specify two things.
So, for example, you could just type SELECT columnA FROM tableX WHERE columnE = ‘employee’ AND columnF = 100;.
Now, as you can see you can also use these logical conditions which basically allows us to set two things right here.
So we SELECT columnA FROM tableX WHERE columnE= ‘employee’ AND columnF =100;.
So this is how the basic SQL query looks like. Now, you might find it a little bit tricky, but you should be able to understand it.
If you don’t however, just search on the internet some of the SQL basics and you will get used to it real fast. It is one of the easier languages, but its syntax can be a little bit weird as we can see right here.
This ‘SELECT’ ‘FROM’ and ‘WHERE’ is typed in capital letters. You don’t have to if you don’t want to. I just wanted to type it in capital so I can show you the different parts of it.
So this columnA is the part of the database, this tableX is part of the database, the columnE is also part of the database that’s why I typed it in the lower letters and the ‘SELECT’, ‘FROM’ and ‘WHERE’ and ‘AND’ are basically conditions that we use to query the database.
Now, those are some of the basics of SQL. Let us continue in the next lecture with the exploitation and the attack of the SQL injection on our OWASP virtual machine.
So, this was about it for this lecture. As I said, if you want to learn more about SQL you can easily research more on the Internet.
I will see you in the next video or blog post where we will be attacking our first target.
So, I hope I see you there and take care.