1) Learn by reading everything you can conceive of about SQL (for example, an easy-going and abundant tutorial can be found here). Reference manuals for MySQL, Microsoft SQL, PostgreSQL, Oracle, etc., should become a part of your standard literature look-up. All those different DBMSes share the same core, which is SQL, and differ in "flavors" (different auxiliary function names, different system database and table names, ...).
While injecting something with SQL you'll need to visualize what you are trying to accomplish with the SQL injection payload you are using, and in case you are failing, you'll need to quickly redirect yourself into a different mindset. The speed of that "redirection" is directly proportional to the amount of knowledge you possess about the SQL language itself! Different injection points will require you to think of different ways to make a proper SQL statement out of the original one and the "dirty" one you are trying to inject. If you fail at this basic requirement you'll always fail.
Dumb injecting of incomprehensible payloads found on the outskirts of the "Internetz" will in the long run force you to leave the subject, mostly because of the psychological trauma summed up by the thought: "I don't f.cking get why this doesn't work" (like in every aspect of the average human's life).
And stick to your mind: ||| SQL injection is 100% SQL |||. The rest is injection.
2) Learn by setting up a vulnerable testing web environment yourself (e.g. LAMP (Linux/Apache/MySQL/PHP)), preferably in a virtual environment (for example, TurnKey Linux Virtual Appliances are a great starting point). The thing is that YOU(!) have to deliberately set up a vulnerable environment so you can best understand what is going on inside it during the attacking phase, and why (and have a great LEGAL platform for sharpening your skills). If you are not going to understand SQL injection from the target's point of view, you for sure won't get far from the starting point.
How to make it vulnerable? You can start by making one simple PHP script (e.g. vuln.php) with the following content (based on a snippet found here):
<?php
// NOTE: this script uses the old mysql_* extension, which was removed in PHP 7.
// Run it on a PHP 5.x lab box; on PHP 7+ the same calls would need mysqli_*.
// connect to the database server:
$con = mysql_connect('localhost', 'username', 'password')
    or die('Could not connect to the DBMS server! (check address, username and password)');
// select a database (information_schema exists on every MySQL server):
mysql_select_db('information_schema')
    or die('Could not select a database.');
if (!isset($_REQUEST["maxlen"])) {
    $url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    die('GET parameter "maxlen" is not set (e.g. ' . $url . '?maxlen=1).');
}
// build query (usage of unfiltered value for GET parameter maxlen):
// this string concatenation is the deliberate injection point of the lab
$sql = "SELECT * FROM character_sets WHERE maxlen = " . $_GET["maxlen"];
// execute query (the raw DBMS error is echoed back, which enables error-based techniques):
$result = mysql_query($sql)
    or die('An error occurred: ' . mysql_error());
// get result count:
$count = mysql_num_rows($result);
print "Showing $count rows:<hr/>";
// fetch results:
while ($row = mysql_fetch_assoc($result)) {
    $row_name = $row['CHARACTER_SET_NAME'];
    $row_desc = $row['DESCRIPTION'];
    print "Name: $row_name, Description: $row_desc<br/>\n";
}
?>
This small example can be used for all major SQL injection techniques (blind/boolean, union/inband, error-based, time-based). How to exploit it? Proceed to step 3).
3) Learn by mimicking (with comprehension) what other "attackers" do. Start by inserting a quote character (') after the potentially vulnerable parameter value (e.g. maxlen=1'). If you get something like "...You have an error in your SQL syntax..." in your response there is a very good chance that the targeted web application is vulnerable to this kind of attack (on the other hand it doesn't prove anything; it's just a good way to "feel" the targeted web application). Try using simple payloads like: AND 1=1--%20, OR 1=1--%20, ORDER BY 100--%20, etc. (Tip: the suffix --%20 is the most generic (DBMS-independent) way of commenting out the rest of the injectable query, as MySQL does require a space character (%20) after the --.) Most of all, read the following papers (multiple times if needed):
- SQL injection (Hakipedia) (lots of mixed data, but you'll get the feeling of the subject itself)
- Methods of quick exploitation of blind SQL Injection (Dmitry Evteev)
- Advanced SQL Injection (OWASP)
- Time-Based Blind SQL Injection with Heavy Queries (Microsoft)
While reading those papers, mimic everything you find there in your simulated target environment and try to understand why it works and/or why it doesn't work. Believe me, those four papers represent the shortest (read: best) way I can think of to recommend to a newcomer. If you read those and follow the steps presented in this post I can guarantee that you can become a noticeable SQL attacker (preferably for GOOD causes, e.g. finding a vulnerability and reporting it back without snooping through private data).
4) Learn by researching defensive mechanisms. This is an extra tip. If you really want to become an "uber-SQueLler" you'll need to learn how to defend and how to circumvent those kinds of measures. By learning this you'll know when you've hit the wall and how high it is. When you reach this step you won't need any guidance of this kind whatsoever ;)
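To make step 4 concrete, here is a hardened counterpart to vuln.php. It is an added example, not code from the original post or from the snippet the post is based on, and it assumes a PHP 5.4+ setup with the PDO MySQL driver; the host, user name and password are placeholders. The vulnerable script concatenates maxlen straight into the SQL text and echoes the DBMS error; this version validates the parameter, passes it as a bound parameter of a prepared statement, keeps error details in the server log, and escapes output:

```php
<?php
// Added example (not from the original post): hardened version of vuln.php.
// Assumes PHP 5.4+ with PDO and the pdo_mysql driver; credentials are placeholders.
$dsn = 'mysql:host=localhost;dbname=information_schema;charset=utf8mb4';
try {
    $pdo = new PDO($dsn, 'username', 'password', array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ));
} catch (PDOException $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // detail goes to the log ...
    die('Could not connect to the database.');               // ... not to the client
}

if (!isset($_GET['maxlen'])) {
    die('GET parameter "maxlen" is not set (e.g. ?maxlen=1).');
}

// 1) Validate: maxlen of a MySQL character set is an integer between 1 and 4,
//    so anything else (a quote, a comment sequence, "1 OR 1=1") is rejected up front.
$maxlen = filter_var($_GET['maxlen'], FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1, 'max_range' => 4)));
if ($maxlen === false) {
    http_response_code(400);
    die('Parameter "maxlen" must be an integer between 1 and 4.');
}

// 2) Parameterize: the SQL text is fixed and the value is sent separately,
//    so the value can never change the structure of the statement.
$stmt = $pdo->prepare(
    'SELECT CHARACTER_SET_NAME, DESCRIPTION FROM character_sets WHERE maxlen = :maxlen'
);
$stmt->bindValue(':maxlen', $maxlen, PDO::PARAM_INT);

try {
    $stmt->execute();
} catch (PDOException $e) {
    // 3) Fail closed: generic message for the client, the real error only in the log,
    //    which removes the error-based channel that vuln.php hands out.
    error_log('Query failed: ' . $e->getMessage());
    http_response_code(500);
    die('An error occurred.');
}

$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
print 'Showing ' . count($rows) . " rows:<hr/>\n";
foreach ($rows as $row) {
    // 4) Escape output so that database content cannot inject HTML into the page.
    print 'Name: ' . htmlspecialchars($row['CHARACTER_SET_NAME'], ENT_QUOTES, 'UTF-8')
        . ', Description: ' . htmlspecialchars($row['DESCRIPTION'], ENT_QUOTES, 'UTF-8')
        . "<br/>\n";
}
?>
```

Drop this beside vuln.php and replay the step 3 probes against both: the quote, the comment suffix and the boolean conditions that change the result set of vuln.php all come back as a plain 400 here, which is exactly the "wall" the extra tip talks about. The validation step is the belt and the prepared statement is the braces; the prepared statement alone already stops the injection, while the range check keeps the application from ever sending nonsense to the database.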
p.s. Don't give up easily. At first it will be hard, but after you get the grip you'll just start injecting everything by heart.

5 comments:
I need to learn SQL :)
Nice one because we usually don't know where to start for sql injection..
WOW...Can't thank you more..This sure is bookmarked..Am a n00b but not bad in MySQLi...I started already..After I saw some online challs I don't think I will reach the level enough to solve it but I will try nonetheless
I am not a programmer but I have this SQL subject this session and have to prepare for it. What all topics should be covered in it?
And has anyone studied from this course www.wiziq.com/course/125-comprehensive-introduction-to-sql of SQL tutorial online?? or tell me any other guidance...
would really appreciate help