Web Application Penetration Testing of Websites via Manual SQL Injection
Manual SQL injection uses no tool or automated script. As the name says, we will not be using any tools in this tutorial. You do not need Kali Linux or any other special setup for this kind of web application penetration testing; you can carry it out from a Windows machine in any ordinary browser.
Find A Vulnerable Website
GOOGLE Dorks
Using GOOGLE Dorks
inurl:buy.php?category=
Let's look at the structure of the command. The inurl operator tells Google to search the URLs in its index and return the ones that contain the given string. The string after inurl: is the URL pattern we expect to see on a vulnerable site: a .php page followed by a ?parameter= clause. The .php only tells us the site runs PHP, which very commonly sits in front of a database such as MySQL; it is not proof that a database is used. What comes after the = is the value the page passes into its database query, and it is into that value that our test input, and later the injection payload, is placed.
Set your expectations here: of the list of sites such a search returns, only a few are actually going to be vulnerable, and your next task is to narrow the list down to those.
Testing sites for Manual SQL Injection vulnerabilities
#This tutorial is for educational purposes only; penetration testing without the consent of the website owner is illegal.
Take a URL pattern such as
products.php?prodID=
and a live page that uses it, for example
www.site.com/products.php?prodID=25
Then append a single quote to the parameter value:
www.site.com/products.php?prodID='
If the page responds with a database error (for example "You have an error in your SQL syntax"), comes back blank, or loses its content, the quote reached the SQL parser and the parameter is very likely injectable. If the page looks exactly as before, the value is probably being filtered or bound safely and you should move on to the next candidate.
But the job here is not done. You have only found that the site is vulnerable; you still need to know how many columns the query returns and which of them are displayed, so that you can read data back through them.
Finding the number of columns
This is the first step. The ORDER BY trick tells you how many columns the page's SELECT statement returns (not how many rows the table holds). It is trial and error: keep sending the request with an incrementing column number until the database returns an error.
www.site.com/products.php?prodID=25+order+by+1
Effectively, we appended order by 1 to the original URL (the + signs are how a browser encodes spaces in a query string). If the query returns at least one column, the page keeps working normally; if not, an error is displayed. Keep increasing the number until you get an error. Let's assume you get an error for
www.site.com/products.php?prodID=25+order+by+6
This means the query returns 5 columns; ordering by the 6th fails because there is no 6th column. So now we know two things:
The site is vulnerable to SQL injection
Its query returns 5 columns
Now you need to know which of those columns are displayed on the page.
Finding Vulnerable columns
Assume we are working on our hypothetical site www.site.com, whose query returns 5 columns. We now need to find which of those columns are "vulnerable", that is, rendered somewhere on the page. Whatever we select into those positions with a UNION query is printed where the page normally prints product data, so they are the columns through which we can read information out of the database. To find them, enter the following into the URL:
www.site.com/products.php?prodID=25+union+select+1,2,3,4,5
In some cases you need to put a - in front of the 25 (prodID=-25) so that no real product row matches and the page shows the UNION row instead. The page now loads properly, except that one or more of the numbers 1 to 5 appear somewhere on it. Those positions are the vulnerable columns; note them down. If you instead get an error such as "The used SELECT statements have a different number of columns", your column count from the previous step is wrong and you should recheck it.
Let's say the page refreshes and displays a 2 on the page, so column 2 is the one we will inject into.
Now we know which column is vulnerable. The next step is to obtain the database version, for example by selecting version() or @@version into that column on MySQL, since the rest of the process depends on which database server is in use.
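To make the three probes concrete, here is an added example that is not code from the original post or from any real site. It simulates a vulnerable products.php in Python against an in-memory SQLite database; the table, its column names, the product rows and the page template that shows only two of the five columns are all constructed for illustration. It runs the single-quote test, the ORDER BY column count and the UNION marker probe against a query built by string concatenation, then repeats them against a parameterised version of the same query to show that the probes stop working once the value is bound. MySQL's error messages differ from SQLite's, but the logic of each step is the same.

```python
import sqlite3

# Constructed stand-in for the site's database: products.php?prodID= selects
# five columns, and the page template shows only two of them (name, descr).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products "
                 "(id INTEGER, name TEXT, price REAL, stock INTEGER, descr TEXT)")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?)",
                     [(25, "Widget", 9.99, 3, "A small widget"),
                      (26, "Gadget", 19.5, 0, "A larger gadget")])
    return conn

def vulnerable_lookup(conn, prod_id):
    """What a vulnerable products.php does: the prodID value is pasted straight
    into the SQL text, so anything after the number becomes part of the query."""
    sql = "SELECT id, name, price, stock, descr FROM products WHERE id=" + prod_id
    return conn.execute(sql).fetchall()

def safe_lookup(conn, prod_id):
    """Hardened counterpart: the value is bound as a parameter, so ORDER BY or
    UNION text inside it is only compared against id, never parsed as SQL."""
    sql = "SELECT id, name, price, stock, descr FROM products WHERE id=?"
    return conn.execute(sql, (prod_id,)).fetchall()

def render_page(rows):
    """Stand-in for the page template: only name (column 2) and descr (column 5)
    are printed; the other columns are fetched but never shown."""
    shown = []
    for row in rows:
        shown.extend([str(row[1]), str(row[4])])
    return shown

def quote_test(lookup, conn):
    """Step 1 (prodID=25'): an SQL error means the input reached the parser."""
    try:
        lookup(conn, "25'")
    except sqlite3.Error:
        return True
    return False

def count_columns(lookup, conn, max_cols=20):
    """Step 2 (prodID=25 ORDER BY n; the '+' in the URL is a space): the highest
    n that works is the number of columns the SELECT returns. Returns None if
    nothing ever errors, which means the probe is not reaching the database."""
    cols = None
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, f"25 ORDER BY {n}")
        except sqlite3.Error:
            return cols
        cols = n
    return None

def find_displayed_columns(lookup, conn, ncols):
    """Step 3 (prodID=-25 UNION SELECT 1,2,...,n): the negative id drops the real
    row, so the UNION row is rendered; marker numbers that show up on the page
    identify the columns we can read data through."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = lookup(conn, f"-25 UNION SELECT {markers}")
    return sorted(int(v) for v in render_page(rows) if v.isdigit())

if __name__ == "__main__":
    db = build_db()
    for name, lookup in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        print(name, "quote error:", quote_test(lookup, db))
        n = count_columns(lookup, db)
        print(name, "columns:", n)
        if n:
            print(name, "displayed columns:", find_displayed_columns(lookup, db, n))
```

Against the concatenated query the quote raises an error, ORDER BY 6 fails so the count comes back as 5, and the UNION row surfaces the markers 2 and 5 because those are the columns the template prints. Against the bound query the same three inputs are simply values that match no product: no error, no column count, nothing reflected.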
The point of this article was to show you the logic behind the tools that test websites for SQL injection. Now that we have determined the number of columns and which of them are displayed, the remaining task is to pull useful data out of the database. We will handle that more laborious work with a tool such as sqlmap.
In the next post we will see how to use sqlmap to retrieve information from the database.