TL;DR
This guide shows how to find SQL injection vulnerabilities in web applications without access to the source code (black-box testing), using common techniques and tools.
What is SQL Injection?
SQL injection happens when an attacker can insert SQL of their own into the queries a website sends to its database, because user input is built into the query text rather than passed as a bound parameter. Depending on the query and the database account’s privileges, this can let them read data they should not see, change or delete records, or even take control of the server.
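As an added illustration of the mechanism just described (this code is not from the original guide), the following Python snippet builds the same product search two ways over an in-memory SQLite table of constructed sample rows: one handler concatenates the user’s term into the SQL text, the other binds it as a parameter. Feeding both a lone single quote and the `' OR 1=1 --` input that the steps below rely on shows why the first produces a syntax error and then returns every row, hidden ones included, while the second treats the same input as plain text. All names (`make_db`, `search_vulnerable`, `search_safe`, `probe`) and the table layout are assumptions made for the example.

```python
import sqlite3

# Added example (not from the original guide): a tiny in-memory product search
# built two ways, so the effect of the guide's single-quote test and the
# `' OR 1=1 --` input can be observed without any live target.
# The table and its rows are constructed sample data.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "apple", 0), (2, "banana", 0), (3, "internal-prototype", 1)],
    )
    return conn

def search_vulnerable(conn, term):
    # Vulnerable: the user's term is pasted straight into the SQL text, so a
    # quote or comment marker inside the term becomes part of the query.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Hardened: the term travels as a bound parameter. The SQL text is fixed,
    # so whatever the term contains is compared as data, never parsed as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe(term):
    """Run one input through both handlers and return (vulnerable_result, safe_result).

    A database error from the vulnerable handler is returned as the string
    'SQL ERROR: ...' so the single-quote test's telltale syntax error shows
    up as a result instead of aborting the comparison.
    """
    conn = make_db()
    try:
        vuln = search_vulnerable(conn, term)
    except sqlite3.Error as e:
        vuln = "SQL ERROR: " + str(e)
    safe = search_safe(conn, term)
    conn.close()
    return vuln, safe

if __name__ == "__main__":
    # A normal term, the single-quote test, and the tautology payload.
    for term in ["app", "'", "' OR 1=1 --"]:
        print(repr(term), "->", probe(term))
```

Running the file prints the pair of results for each input: the normal term behaves the same in both handlers, the lone quote breaks only the concatenated query, and `' OR 1=1 --` turns the concatenated query into one that ignores the `hidden = 0` filter. The parameterized version is the fix: its query text never changes, so the database never parses user input as SQL.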
Tools You’ll Need
- Web Browser: Chrome, Firefox, etc.
- Burp Suite Community Edition: a free web proxy for intercepting and modifying requests (optional but recommended).
- SQLMap: an automated SQL injection detection and database takeover tool.
Step-by-Step Blackbox Testing
- Identify Input Fields: look for every place where the website takes input from you. This includes:
  - Login forms
  - Search boxes
  - Contact forms
  - URL parameters (e.g., `example.com/page?id=1`)
- Single Quote Test: this is the simplest test. Try adding a single quote (`'`) to each input field.
  - If you get an error message that includes SQL syntax errors, it’s a strong sign of a potential vulnerability.
  - Example: if entering `'` into a search box returns an error like “Syntax error near ' at line …”, the field is likely vulnerable.
- Basic SQL Injection Payloads: try these common payloads in input fields:
  - `' OR 1=1 --` (always a good starting point)
  - `' AND 1=1 --`
  - `' UNION SELECT version(), user(), database() --` (to get database information; may need adjustments for different databases)
- Using Burp Suite: if you’re using Burp Suite:
  - Intercept Requests: configure your browser to use Burp Suite as a proxy, then intercept the requests sent when you submit forms or visit pages with URL parameters.
  - Repeater Tab: send intercepted requests to the Repeater tab and modify the input fields there. This lets you test payloads quickly without resubmitting the form each time.
- Error-Based Injection: look for error messages that reveal information about the database structure.
  - Pay attention to table names, column names, and data types in the errors.
- Boolean-Based Blind SQL Injection: if you don’t get direct error messages, try boolean-based injection.
  - Test payloads like `' AND 1=1 --` and `' AND 2=2 --`, and observe the difference in the website’s response.
  - If `1=1` returns a different result than `2=2`, it suggests you can manipulate the query logic.
- Time-Based Blind SQL Injection: if boolean-based injection doesn’t work, try time-based injection.
  - Use payloads like `' AND SLEEP(5) --` (adjust the sleep duration as needed).
  - If the website takes longer to respond when the `SLEEP()` function is executed, it confirms a vulnerability.
- Using SQLMap: for automated testing:
  - Run SQLMap with the target URL and input parameter, e.g. `sqlmap -u "http://example.com/page?id=1" --dbs`.
  - SQLMap will automatically try various payloads to identify vulnerabilities and extract data.
- URL Parameter Testing: pay close attention to URL parameters.
  - Try adding payloads directly to the URL, like `http://example.com/page?id=1' OR '1'='1`.
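To close the loop from the defender’s side, here is an added example (not part of the original guide) of detection logic that scans constructed web-server access-log lines for the probes described in the steps above: a stray single quote paired with a server error, `OR 1=1` style conditions, `UNION SELECT`, `SLEEP()`, and trailing comment markers. It URL-decodes the query string first, because these inputs reach the server as `%27` and `+` rather than as literal quotes and spaces. The log lines, the pattern names and the helper functions (`classify`, `suspicious`, `scan`) are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original guide. Constructed access-log lines in
# the common Apache/Nginx format; the IP addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /page?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /page?id=1%27 HTTP/1.1" 500 211',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /page?id=1%27+OR+1%3D1+-- HTTP/1.1" 200 9120',
    '10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /page?id=1%27+UNION+SELECT+version()%2Cuser()%2Cdatabase()+-- HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:12:00:06 +0000] "GET /page?id=1%27+AND+SLEEP(5)+-- HTTP/1.1" 200 512',
]

# Probe signatures drawn from the techniques in the guide (category names are assumptions).
PROBE_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "logic_probe": re.compile(r"\b(or|and)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
}

# Pulls method, request path and status out of a combined-format log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none).

    Decoding matters: probes usually arrive as %27 and + rather than ' and space.
    """
    if "?" not in path:
        return ""
    return unquote_plus(path.split("?", 1)[1])

def classify(line):
    """Parse one log line and return {'path', 'status', 'hits'}, or None if it does not parse.

    'hits' is the sorted list of probe categories whose pattern matches the
    decoded query string.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    hits = sorted(name for name, rx in PROBE_PATTERNS.items() if rx.search(query))
    return {"path": m.group("path"), "status": int(m.group("status")), "hits": hits}

def suspicious(c):
    """Decide whether a classified line deserves a finding.

    Any category beyond a lone quote is enough. A lone quote only counts when
    the server answered with a 5xx, the error-based signature from the guide,
    so ordinary input such as O'Brien does not trigger an alert.
    """
    hits = set(c["hits"])
    if hits - {"single_quote"}:
        return True
    return "single_quote" in hits and c["status"] >= 500

def scan(lines):
    """Return the classifications of all suspicious lines, in log order."""
    findings = []
    for line in lines:
        c = classify(line)
        if c is not None and suspicious(c):
            findings.append(c)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["status"], f["path"], ", ".join(f["hits"]))
```

Running the file lists the four probing requests and skips both the ordinary `id=1` request and the `O'Brien` search. A lone apostrophe is deliberately not enough on its own; it becomes a finding only alongside a 5xx response, which is exactly the error-based signal the guide tells a tester to look for. In production this logic would feed a SIEM rule rather than print, and the patterns would be tuned against the application’s real traffic to keep false positives down.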
Important Considerations
- Database Type: different databases (MySQL, PostgreSQL, SQL Server, etc.) require different payloads. SQLMap can usually detect the database type automatically.
- Web Application Firewall (WAF): WAFs can block common injection attempts. You may need to use more sophisticated techniques or encoding to bypass them.
- Ethical Hacking: only test websites you have permission to test! Unauthorized testing is illegal and unethical.