Basics of SQL for SQL Injection

Oğuz~#>

Senior Member
5 Jul 2009
4,772
17
Bursa
In this tutorial we will cover some basics of SQL queries, concentrating on the queries and concepts that help during the different phases of an injection. Think of it as a crash course in SQL, tailored to what SQL injection requires.

The Hierarchy
First of all there are users, each of which can have access to multiple databases; a database can have multiple tables; a table can have multiple columns; and each column holds one value in every row.

This is an example database.
database_tables.png


Here is an example of the most basic type of Select query.
select * from table1

Output will be:
basic_sql_p1_1.png


Here * stands for all the columns and "table1" is the table name.

If we do not want all the columns but only some selected columns in the output, the query becomes:

select column1,column2 from table1

Output will be:
basic_sql_p1_2.png


Now let us try some basic conditions to limit the output.

Select * from students where id=1

Output will be:
basic_sql_p1_3.png


Let's try some other conditions with string-type columns.

Select * from students where f_name='camaline'

Output will be:
basic_sql_p1_4.png
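To make the hierarchy and the four queries above concrete, here is an added example (not code from the original post) that builds a small "students" table in an in-memory SQLite database and runs them. Only the table name, the columns id and f_name and the value 'camaline' come from the post; the other columns and rows are constructed for this example, and the list_tables/list_columns helpers show the database -> table -> columns levels of the hierarchy using SQLite's own catalogue.

```python
import sqlite3

# Constructed sample rows for the tutorial's "students" table. Only the table
# name, the columns id/f_name and the value 'camaline' come from the post; the
# other columns and rows are assumptions made for this example.
STUDENTS = [
    (1, "camaline", "roy", "physics"),
    (2, "john", "doe", "chemistry"),
    (3, "alice", "jones", "physics"),
]


def make_db():
    """Build one in-memory database holding one table: the lower levels of
    the hierarchy (database -> table -> columns -> rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students ("
        "id INTEGER PRIMARY KEY, f_name TEXT, l_name TEXT, dept TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", STUDENTS)
    conn.commit()
    return conn


def list_tables(conn):
    """Tables in the database: the 'database -> tables' level."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    )
    return [r[0] for r in rows]


def list_columns(conn, table):
    """Columns of one table: the 'table -> columns' level. The table name is
    checked against the catalogue first, so an unchecked identifier is never
    pasted into the SQL text."""
    if table not in list_tables(conn):
        raise ValueError(f"unknown table {table!r}")
    cur = conn.execute(f'SELECT * FROM "{table}" LIMIT 0')
    return [d[0] for d in cur.description]


def select_all(conn):
    """select * from table: every column, every row."""
    return conn.execute("SELECT * FROM students").fetchall()


def select_some_columns(conn):
    """select column1,column2 from table: only the chosen columns."""
    return conn.execute("SELECT id, f_name FROM students").fetchall()


def where_numeric(conn):
    """Numeric condition from the post: WHERE id=1 (no quotes needed)."""
    return conn.execute("SELECT * FROM students WHERE id=1").fetchall()


def where_string(conn):
    """String condition from the post: WHERE f_name='camaline' (quoted)."""
    return conn.execute(
        "SELECT * FROM students WHERE f_name='camaline'"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("tables :", list_tables(db))
    print("columns:", list_columns(db, "students"))
    for fn in (select_all, select_some_columns, where_numeric, where_string):
        print(fn.__doc__.splitlines()[0])
        for row in fn(db):
            print("   ", row)
```

Running the file prints the catalogue and then each result set; note that the numeric condition is written without quotes while the string condition needs them, which is exactly the distinction the next section builds on.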


Whenever we face a SQL injection, some query is running inside the application. Once we assume what that query is, we can start injecting into it. The following are some common possibilities for the queries you may face:

[#] If the query takes a numerical input

select * from table_name where id=1
select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=(1)
select * from table_name where id=('1')
select * from table_name where id=("1")


All of the above queries will give the same output.

[#] If the query takes a string input

select * from table_name where id='1'
select * from table_name where id="1"
select * from table_name where id=('1')
select * from table_name where id=("1")


All of the above queries will give the same output.

For example, when we see a URL like "http://fakesite.com/report.php?id=23" we can make a good guess at the query working behind it, and that is the first step of SQL injection.

So for the above URL our assumption queries would be the following:

select * from table_name where id=23
select * from table_name where id='23'
select * from table_name where id="23"
select * from table_name where id=(23)
select * from table_name where id=('23')
select * from table_name where id=("23")
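To see the six assumption queries actually run side by side, and the check a defender would put in front of them, here is an added example that is not code from the original post. It assumes an in-memory SQLite table named reports standing in for whatever is behind report.php (a constructed schema); the value 23 is the one from the URL above. assumption_queries() builds the six shapes the post lists by pasting the URL value into the SQL text the way a naive application would, run_assumptions() executes each one, and lookup_report() shows the same lookup done with an integer check and a bound parameter, so the value never becomes part of the SQL text at all.

```python
import sqlite3

# Constructed sample table standing in for the backend of report.php
# (an assumption for this example, not the original page's schema).
REPORTS = [(22, "quarterly"), (23, "annual"), (24, "audit")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)", REPORTS)
    conn.commit()
    return conn


def assumption_queries(value):
    """The six query shapes the post lists for a numeric parameter, with the
    URL value dropped in exactly where a naive application would put it."""
    v = str(value)
    return {
        "bare":         f"select * from reports where id={v}",
        "single":       f"select * from reports where id='{v}'",
        "double":       f'select * from reports where id="{v}"',
        "paren":        f"select * from reports where id=({v})",
        "paren_single": f"select * from reports where id=('{v}')",
        "paren_double": f'select * from reports where id=("{v}")',
    }


def run_assumptions(conn, value):
    """Run every shape and record the rows it returns, or the engine's error.

    Standard SQL (and SQLite by default) uses double quotes for identifiers;
    SQLite only falls back to treating "23" as a string literal when built
    with its legacy double-quoted-string option, so the two double-quoted
    shapes may fail with 'no such column' here. On MySQL, which the post has
    in mind, all six behave the same."""
    results = {}
    for name, sql in assumption_queries(value).items():
        try:
            results[name] = conn.execute(sql).fetchall()
        except sqlite3.OperationalError as exc:
            results[name] = f"error: {exc}"
    return results


def lookup_report(conn, raw_id):
    """Defender's version of the same lookup: validate the URL parameter as a
    non-negative integer and bind it as a parameter, so the SQL text is fixed
    and the value can only ever be compared as data."""
    if not raw_id.isdigit():
        raise ValueError(f"id must be a non-negative integer, got {raw_id!r}")
    return conn.execute(
        "SELECT * FROM reports WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name, rows in run_assumptions(db, 23).items():
        print(f"{name:13s} -> {rows}")
    print("parameterised ->", lookup_report(db, "23"))
```

The four portable shapes (bare, single-quoted, and both parenthesised versions) all return the row with id 23, which is the point the post makes: the application's quoting style does not change the result, so the attacker cannot tell the shapes apart from normal output alone. lookup_report() is what a code reviewer should expect to find in report.php instead of any of the six string-built forms.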


Well, for this tutorial this is enough. In the next tutorial I will show you how to find out which of these assumption queries is the correct one, using some simple tests, and get it confirmed. Once we are confirmed, we will start injecting and understand the whole backend process at the same time.

Till then happy Inj3ct!ng