So I'm trying to practice SQL injection on a webpage I'm locally hosting. I am new to SQL, especially SQL injection. I've done some research into injecting new entries into a table but when I attempt to execute, it doesn't seem to work.

Firstly, my webpage is a login. I have the username and password (obviously) and can log in without any SQL injection attached. But when I add the injection code to the username box, it doesn't work. Example:

    username: admin'; insert into hall values (3,'https://google.com','Google'); --
    password: 123321

In my hall table, I have 3 entries: id, link, destination. ID is an integer, link and destination are varchars.

What do I need to do to successfully inject and add this entry to the database? Do I need to enter the correct username and password, only enter the username, or something else?

Dylan
    If your PHP code is (wisely) using prepared statements, then your injection attack rightfully should be failing. Just use statements and forget about this. Your time would be better spent creating new features in your app. – Tim Biegeleisen Feb 04 '18 at 06:57
  • I'm aware that prepared statements exist, but I'm doing this to better understand the process of SQL injection. I've already secured my actual version of the site. – Dylan Feb 04 '18 at 07:16
  • Then there's nothing further to understand – Strawberry Feb 04 '18 at 08:59
  • It is impossible to know from the question whether you are using prepared statements or inline SQL. We cannot see whether the code you are attempting to inject can actually work. Therefore, your question cannot be answered (at least not by anyone other than **you**). – NightOwl888 Feb 18 '18 at 10:35

1 Answer

No, you don't need to enter the correct username and password. Here are the steps:

First, ensure that you use an inline query in your PHP. Something like this:

    $sql = "SELECT * FROM accounts WHERE username = '$username' AND password = '$password'";

Second, ensure the $username and $password variables are getting their values directly from the username and password textboxes.

Now you can test an SQL injection attack by entering any value in the username textbox and something like this in the password textbox:

    x';delete from accounts where '0'='0

This will delete all records from your accounts table. You can enter any other SQL instead if you like to test more.

EDIT: Just to address some opinions that understanding how SQL injection works is not necessary as long as you use parameterized queries.

This is a real issue that I've seen in other topics. Knowing how things work is absolutely essential for any "good" programmer. It is not enough to know how you should do things; you cannot be a "good" programmer if you don't know why you're doing them that way and how they work. So yes, knowing how SQL injection, XSS, CSRF, etc. attacks work is a must for any experienced programmer.

It is really sad to see all those experienced programmers telling the novice ones that they don't really need to understand. Why? Do they want to be the only ones who know? Do they think that others aren't smart enough? I don't know, but this is not the spirit of StackOverflow, to say the least, thus I think that such statements should be flagged and removed.

Also, parameterized queries don't prevent all kinds of SQL injection, because not everything can be parameterized (for example, column and table names, arrays of values, etc.), but by knowing how SQL injection works, you'll know what to do in those situations. Take this query as an example:

    SELECT * FROM students WHERE status IN(?,?,?,?,?)

If the array has a known number of values, then you can send them as parameters, but if you really must have an unknown number of values, then you need to know how to protect your query. And you cannot protect your query unless you understand what you're up against. In this case you can create the parameters in a loop, but you must know how to do it correctly.

Here is a question on SO with good answers on the subject.

Racil Hilan
  • [It is possible (and not so hard) to use parameterized queries with the `in` operator](https://stackoverflow.com/questions/327274/mysql-prepared-statements-with-a-variable-size-variable-list), you just can't use a single parameter. – Zohar Peled Feb 11 '18 at 11:33
  • Actually, I was going to [link to this SO post](https://stackoverflow.com/questions/337704/parameterize-an-sql-in-clause) first, that talks about c# and sql server, but then I saw a link in the question's comment for MySql and php, so I've linked to that. I don't work with php or MySql, so I didn't read the answers thoroughly. Now that I did it seems you are correct. This new link shows some answers with proper parameters. – Zohar Peled Feb 11 '18 at 16:23
  • @ZoharPeled Thank you for your comments and links. Creating parameters for values of the `IN()` statement can be done with a simple loop. But to do it right, you need to understand what you're doing, which is what I was trying to say. Some of the answers in both your links don't help with SQL injection (like the accepted answer for C#), so you really need to understand how SQL injection works in order to select the correct solution. I've updated that part of my answer to be clearer, thanks to your comments. – Racil Hilan Feb 11 '18 at 16:33
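Added example, not part of the question or the answer above: a self-contained local lab that shows why the asker's `hall` payload and the answer's `delete` payload only take effect when user input is spliced into the SQL text and the driver is willing to run more than one statement, why a parameterized query treats the same input as a plain string, and how the answer's "create the parameters in a loop" advice for `IN()` looks in code. It uses Python's built-in `sqlite3` module instead of PHP/MySQL so it runs offline with no server; the `accounts`, `hall` and `students` tables and their rows are constructed here and the function names are my own.

```python
"""
Constructed sqlite3 lab contrasting an inline-concatenated login query with a
parameterized one, plus a parameterized IN() clause for a variable-length list.
"""
import sqlite3
from typing import List, Sequence


def make_db() -> sqlite3.Connection:
    """Constructed schema: a login table, the asker's hall table, a students table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO accounts VALUES (1, 'admin', '123321');
        CREATE TABLE hall (id INTEGER, link TEXT, destination TEXT);
        INSERT INTO hall VALUES (1, 'https://example.org', 'Example');
        CREATE TABLE students (id INTEGER PRIMARY KEY, status TEXT);
        INSERT INTO students VALUES (1, 'active'), (2, 'suspended'), (3, 'alumni');
        """
    )
    return conn


def build_inline_query(username: str, password: str) -> str:
    """The answer's vulnerable pattern: request values pasted into the SQL text.
    Whatever the user typed, quotes and semicolons included, becomes SQL."""
    return (
        "SELECT * FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def run_inline(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Executes the concatenated text as a multi-statement script.
    sqlite3's execute() refuses a second statement; executescript() runs all of
    them, which models a server/driver configuration that allows stacked queries.
    Returns the SQL that was actually run so a caller can inspect it."""
    sql = build_inline_query(username, password)
    conn.executescript(sql)
    return sql


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized version: the SQL is fixed, values travel separately, so the
    database compares the whole input as one string literal."""
    row = conn.execute(
        "SELECT id FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def students_with_status(conn: sqlite3.Connection, statuses: Sequence[str]) -> List[int]:
    """IN() with an unknown number of values: only the '?' placeholders are
    generated in a loop; the values themselves are still bound as parameters.
    An empty list is handled up front because 'IN ()' is not valid on every DBMS."""
    if not statuses:
        return []
    placeholders = ", ".join("?" for _ in statuses)
    sql = f"SELECT id FROM students WHERE status IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, list(statuses))]


def hall_ids(conn: sqlite3.Connection) -> List[int]:
    """Observation helper: which ids exist in hall right now."""
    return [row[0] for row in conn.execute("SELECT id FROM hall ORDER BY id")]


def account_count(conn: sqlite3.Connection) -> int:
    """Observation helper: how many login rows survive."""
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # The asker's username payload, exactly as posted in the question.
    asker_payload = "admin'; insert into hall values (3,'https://google.com','Google'); --"
    print("parameterized login with payload:", login_safe(db, asker_payload, "123321"))
    print("ran:", run_inline(db, asker_payload, "123321"))
    print("hall ids after inline run:", hall_ids(db))
    # The answer's password payload.
    run_inline(db, "anything", "x';delete from accounts where '0'='0")
    print("accounts left:", account_count(db))
    print("IN() lookup:", students_with_status(db, ["active", "alumni"]))
```

The two observation helpers are what make the difference visible: after `run_inline` with the asker's exact username string, `hall` gains the row with id 3, and after the answer's password string, `accounts` is empty, while `login_safe` with either string simply returns `False` and changes nothing. The same split applies to `students_with_status`: the shape of the query (how many placeholders) comes from the code, the contents come from bound parameters, so a hostile value in the list is matched literally rather than executed.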