How to Create a Script for SQL Injection Testing
1. Introduction and Objectives
In this article, we will briefly explain what an attack of this nature entails, and then demonstrate how to create a small script that automates certain SQL injection tests.
To achieve this, you will need to have a basic understanding of databases and web programming. We will be using Kali Linux as the attacking machine.
2. What does a SQL injection (SQLi) attack consist of?
A SQL injection attack essentially involves injecting malicious SQL code through a form whose input fields are not sanitized. Insufficient sanitization of the input makes the form vulnerable, and if that input reaches a database query, the result is a SQL injection security flaw.
In this manner, an attacker can inject malicious SQL code into the victim’s database, executing commands within it. Through this, they can gain sensitive information, destroy data, obtain a command shell, and much more.
Here’s a summarized image for reference:
3. How to create a script for SQL injection (SQLi)
We are going to create a text file with SQLi-related statements, which can be obtained from various cheat sheets available on the internet. A subsequent ".sh" script will read this file (using the "cat" command) line by line, iterating over the lines with a "for" loop, and perform the injection test with each one.
As seen in the following image, we have created the text file “testingSQL.txt,” which contains different key patterns for exploiting SQLi vulnerabilities.
Once the previous file is created, under the same directory, we proceed to create the script that will execute the SQLi testing against the victim website’s form. We name it “script.sh.”
This script essentially reads each line of the content from the “testingSQL.txt” file and passes each line as an argument to the “name” parameter of the web file “example1.php.”
Once we have both files ready, we are prepared to launch the attack from the command line. To do this, we simply need to give execution permissions to “script.sh” using the command “chmod +x script.sh” and then execute it as follows:
After launching the attack, we can verify that it has indeed succeeded: the very first injection returns a table with the users from the database.
If we inject the code from the first line of the text file into the website directly, we can observe that we obtain, rendered in HTML, the same table that we received through the command line.
So, we can say that "script.sh" works properly. Now, we would just need to add the statements we want to test to the "testingSQL.txt" file. It's always advisable to have a "cheat sheet" with all the common statements used in this type of attack ready.
4. SQLi Execution
What we are going to explain next is the reason behind the success of the SQLi attack, with the invocation of the URL that can be seen in the following image. Through this URL, we have managed to access the victim server’s database by exploiting the “id” parameter of the vulnerable page “example7.php”.
For a better explanation, I will present the source code of the vulnerable PHP page below.
As we can see in the source code, it checks whether the input parameter is an "integer".
However, the programmer made a small mistake in parameter sanitization: the regular expression carries the multiline modifier (/m), so its ^ and $ anchors match at every line boundary rather than only at the start and end of the whole value. A value containing a line break therefore passes the check as long as one of its lines is all digits, and this is exploited to bypass the filter and inject malicious code into the database.
If we refer to the ASCII table, we can confirm that by using the “line feed” with the hexadecimal code “%0A,” we can inject our code “or 1=1.”
Thanks to this small oversight, all we need to do is place an “integer” (2) after the “id=” parameter to make the input appear as an “integer,” and on the same line, perform a line feed (%0a) and add the injection (or 1=1). This way, we have injected the “or 1=1” statement again and obtained the expected data from the database.
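The following Python is an added example, not code from the original article, that reproduces the failure just described and its fix. Python's `re` agrees with PCRE on the anchor semantics that matter here, so the three checks behave as the PHP ones would: the multiline `^[0-9]+$` accepts `2\nor 1=1`, even the non-multiline form accepts a value with a trailing newline, and only `\A...\Z` pins the whole string. The users table, the `handle_flawed`/`handle_fixed` request handlers and the column names are constructed for the demo and are assumptions, not the page's `example7.php`.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data standing in for the article's users table (not the page's own data).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Three "is this an integer?" checks.
#
# FLAWED_M mirrors the check the article describes: ^ and $ with the multiline
# modifier, so they match at every line boundary and "2\nor 1=1" passes
# because its first line is all digits.
FLAWED_M = re.compile(r"^[0-9]+$", re.MULTILINE)

# Even without the multiline flag, $ still matches just before a trailing
# newline, so "2\n" passes this one.
FLAWED_NO_M = re.compile(r"^[0-9]+$")

# \A and \Z pin the pattern to the whole string (Python's \Z is the absolute
# end of the string, the equivalent of PCRE's \z), so no newline gets through.
STRICT = re.compile(r"\A[0-9]+\Z")


def passes(pattern: re.Pattern, value: str) -> bool:
    """Emulate preg_match(): True if the pattern is found anywhere in value."""
    return pattern.search(value) is not None


def query_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """String-built query: whatever passed the check is spliced straight into SQL."""
    sql = f"SELECT id, name FROM users WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def query_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def handle_flawed(conn: sqlite3.Connection, encoded_id: str):
    """Hypothetical vulnerable page: multiline integer check, then concatenation."""
    raw = unquote_plus(encoded_id)  # %0A -> "\n", + -> " "
    if not passes(FLAWED_M, raw):
        return None  # rejected as "not an integer"
    return query_vulnerable(conn, raw)


def handle_fixed(conn: sqlite3.Connection, encoded_id: str):
    """Hypothetical hardened page: whole-string integer check, then a bound parameter."""
    raw = unquote_plus(encoded_id)
    if not passes(STRICT, raw):
        return None
    return query_safe(conn, raw)


if __name__ == "__main__":
    db = make_db()
    payload = "2%0Aor+1=1"  # the id value from the article's URL, URL-encoded
    print("flawed page, id=2        ->", handle_flawed(db, "2"))
    print("flawed page, id=" + payload, "->", handle_flawed(db, payload))
    print("fixed page,  id=" + payload, "->", handle_fixed(db, payload))
    print("fixed page,  id=2        ->", handle_fixed(db, "2"))
```

Run stand-alone, the flawed handler returns one row for `id=2` and all three rows for `id=2%0Aor+1=1`, while the fixed handler rejects the second value outright. Note that the strict anchor alone is not the whole fix: binding the value with a placeholder means that even a check regression cannot turn the parameter into SQL.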
5. Conclusions
In this article, we have seen a basic overview of how to create a custom script to automate various penetration tests, specifically SQL injection attacks against web forms.
In this way, we have witnessed how an SQL injection is executed in a database, exploiting the vulnerability arising from poor sanitization of input parameters in the web form.
Through this method, an attacker can carry out a more discreet exploitation than using automated tools like “sqlmap” or “sqlninja,” which are easily detectable and can be blocked in enterprise environments.
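As a defender-side caveat to the point above, the following Python is an added example (not code from the original article) showing what both the scripted loop of section 3 and the line-feed bypass of section 4 look like in a web server's access log. It parses combined-log-style lines, URL-decodes each query-string parameter, and flags three indicators: a control character (the `%0A` line feed) inside a parameter value, an `or x=x` tautology, and a SQL comment sequence. It then counts flagged requests per client, which is how a burst from a payload list stands out. The log lines, client addresses and timestamps are constructed for the demo; the paths reuse the article's `example1.php` and `example7.php` names only as labels.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample in combined-log style (not from the page).
# Client 203.0.113.7 runs a payload loop like the one described in section 3;
# client 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /example7.php?id=2 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /example7.php?id=2%0Aor+1=1 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /example1.php?name=%27+or+%271%27%3D%271 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /example1.php?name=alice%27--+ HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /example1.php?name=alice HTTP/1.1" 200 300
198.51.100.4 - - [10/Oct/2023:13:56:11 +0000] "GET /example7.php?id=3 HTTP/1.1" 200 500
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators, checked on the *decoded* parameter value.
CONTROL_CHAR = re.compile(r"[\r\n\x00]")                 # %0A / %0D / %00 smuggled in
TAUTOLOGY = re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)  # or 1=1, or 'a'='a'
SQL_COMMENT = re.compile(r"--|/\*")                      # trailing-comment truncation


def parse_log_line(line: str):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators_for(value: str) -> list:
    """Name every SQLi indicator present in one decoded query-string value."""
    found = []
    if CONTROL_CHAR.search(value):
        found.append("control-char")
    if TAUTOLOGY.search(value):
        found.append("tautology")
    if SQL_COMMENT.search(value):
        found.append("sql-comment")
    return found


def analyze(log_text: str):
    """Scan a log and return (findings, flagged-requests-per-client)."""
    findings = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qsl undoes %XX and '+' encoding, so the checks see the same
        # characters the application itself would see.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = indicators_for(value)
            if hits:
                findings.append({
                    "client": rec["client"], "time": rec["time"],
                    "path": parts.path, "param": param,
                    "value": value, "indicators": hits,
                })
                per_client[rec["client"]] += 1
    return findings, per_client


if __name__ == "__main__":
    results, counts = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['client']} {f['path']} {f['param']}={f['value']!r} -> {f['indicators']}")
    for client, n in counts.most_common():
        print(f"{client}: {n} flagged request(s)")
```

On the sample, three of the four requests from 203.0.113.7 are flagged and none from 198.51.100.4. The decode step is what matters: matching on the raw `%0A` in the log line would miss `%0a`, double encoding or `+`-vs-`%20` variants, whereas decoding first makes all of them collapse to the same line-feed character the validator in section 4 failed to reject.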
We would like to express gratitude to Sarah Hill and Stephen Cooper from Comparitech for their effort and dedication in creating a comprehensive Sqlmap cheat sheet that covers how to perform these types of penetration tests.
If you are interested in acquiring introductory knowledge of ethical hacking, you can enroll in our basic ethical hacking course. Alternatively, if you prefer to gain more advanced knowledge in offensive cybersecurity, you can consider our advanced course.
If you liked it, or found this article useful, you can treat us to a warm crypto-coffee 😉
BTC: bc1qexsdm4auh6gf7fvdteas8s0lyvvdhmf8m030z3
ETH: 0x87b3d25A9bc19F653aE597D4Cd256C8D49465da6
ZCASH: t1JtTthdmeB9pgqqQqokQRARuGzSXgypieZ