
SQL Injection Tutorial for Beginners

October 4, 2013 by Bryan Wilde


Although there are thousands of potential exploits designed to take advantage of improperly designed websites, SQL injection is by far one of the most effective, easiest, and far-reaching attacks. SQL injection attacks are reported on a daily basis as more and more websites rely on data-driven designs to create dynamic content for readers. These dynamic designs use MySQL or another database system that most likely relies on SQL, which is what makes them vulnerable to attack.
Since a SQL injection attack works directly with databases, you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.
In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only. If you successfully breach a website that does not belong to you, you are in violation of federal law and could face incarceration and hefty fines. That said, it is useful to understand how SQL injection works so that you can prevent it from occurring on your own website.
What is a SQL Injection?
SQL injection is a code injection technique that exploits a security vulnerability within the database layer of an application. This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements.
Although SQL injection is most commonly used to attack websites, it can also be used to attack any SQL database. Last year, a security company reported that the average web application is attacked at least four times per month by SQL injection techniques. Online retailers receive more attacks than any other industry with an online presence.
Picking a Target
The first step to performing a SQL injection attack is to find a vulnerable website. This will probably be the most time-consuming process in the entire attack. More and more websites are protecting themselves from SQL injection, meaning that finding a vulnerable target could take quite some time.
One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites meeting the parameters of the advanced query you input. Some examples of dorks you can use to find sites vulnerable to a SQL injection attack include:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
Of course, there are many others as well. The key component of these specialized search queries is that they all focus on websites that rely on PHP scripts to generate dynamic content from a SQL database somewhere on the backend of the server. You can learn more about advanced Google search techniques in Unleash Google Search.
Remember that a SQL injection attack can work on any SQL database, but PHP-based websites are usually your best targets because they can be set up by just about anyone (e.g. WordPress) and often contain lots of valuable information about customers within the database you are attempting to hack.
However, just because Google pops up with a result using these dorks does not mean it is vulnerable to attack. The next step is to test each site until you find one that is vulnerable.
Navigate to one of the websites you found. For this example, assume that one of the search results is http://www.udemy.com/index.php?catid=1. To find out if this site is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:
http://www.udemy.com/index.php?catid=1'
Press enter and see what the website does. If the page returns a SQL error, the website is vulnerable to SQL injection. If the page loads normally, it is not a candidate for SQL injection and you should move on to the next URL in your list. The errors you receive do not matter. As a general rule, if the website returns any SQL errors, it should be vulnerable to SQL injection techniques.
At this point, understanding SQL is even more important as you will begin manipulating the database directly from the vulnerable page. Practical SQL Skills is a solid resource for beginner and intermediate users.
Starting the Attack
After locating a vulnerable site, you need to figure out how many columns are in the SQL database and how many of those columns are able to accept queries from you. Append an order by statement to the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Continue to increase the number after order by until you get an error. The number of columns in the SQL database is the highest number before you receive an error. You also need to find out which columns are accepting queries.
You can do this by appending a union select statement to the URL. A union select statement in this URL would look like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example. Before the number one (after catid), you need to add a hyphen (-). Also, the number of columns you discovered in the previous step is the number of comma-separated numbers you put after the union select statement. For instance, if you discovered that the database had 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
The results of this query will be the column numbers that are actually accepting queries from you. You can choose any one of these columns to inject your SQL statements.
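To see why the apostrophe, order by and union select probes behave as described above, and what stops them, here is an added example (not code from the article) that runs the same catid values through a string-concatenated query and a parameterized one against a constructed SQLite table standing in for the page's backend. Python and SQLite are assumptions here; the article's targets are PHP/MySQL sites, but the contrast between the two query styles is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the backend behind
    index.php?catid=; it is not the article's code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", "public post"), (2, "News", "second post")])
    return conn


def lookup_concatenated(conn, catid):
    """Vulnerable pattern: the raw catid value is pasted into the SQL text, so a
    trailing apostrophe breaks the parser and 'order by' / 'union select'
    become part of the statement."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + catid
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, catid):
    """Hardened pattern: catid is bound as a value; the database never parses it
    as SQL, so the same probes simply match no row."""
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (catid,)).fetchall()


def probe(handler, catid):
    """Run one handler against one catid value and report what the page would
    show: ('error', message) for a SQL error, ('rows', rows) otherwise."""
    conn = make_db()
    try:
        return ("rows", handler(conn, catid))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for catid in ("1", "1'", "1 order by 3", "1 order by 4", "-1 union select 1,2,3"):
        print(repr(catid), probe(lookup_concatenated, catid),
              probe(lookup_parameterized, catid))
```

The concatenated handler errors on the apostrophe and on order by 4 (one more than the three columns), and returns the injected row for the union select; the parameterized handler returns an empty result for all three without ever raising a SQL error.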
Exploiting the Database
At this point, you know what columns to direct your SQL queries at and you can begin exploiting the database. You will be relying on union select statements to perform most of the functions from this point forward.
The tutorial ends here. You have learned how to select a vulnerable website and detect which columns are responsive to your queries. The only thing left to do is append SQL commands to the URL. Some of the common functions you can perform at this point include getting a list of the databases available, getting the current user, getting the tables, and ultimately, the columns within these tables. The columns are where all of the personal information is stored.
If you are unfamiliar with using SQL commands to finish the exploit, you should study various commands before attempting a SQL injection attack. You can also check out Website Hacking in Practice for additional tips and tricks.
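Because every probe from the apostrophe test onward travels in the URL's query string, the attempts walked through above are visible in ordinary web-server access logs. The following added example (not from the article) scans constructed Combined Log Format lines for those three patterns; the client IPs, paths and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic): one normal request, the
# three probes described in the article, and an unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Oct/2013:10:00:01 +0000] "GET /index.php?catid=1 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Oct/2013:10:00:07 +0000] "GET /index.php?catid=1' HTTP/1.1" 500 310
203.0.113.5 - - [04/Oct/2013:10:00:15 +0000] "GET /index.php?catid=1%20order%20by%204 HTTP/1.1" 500 310
203.0.113.5 - - [04/Oct/2013:10:00:22 +0000] "GET /index.php?catid=-1%20union%20select%201,2,3 HTTP/1.1" 200 4890
198.51.100.9 - - [04/Oct/2013:10:01:00 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+\d+", re.IGNORECASE)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def classify_value(value):
    """Label one decoded query-string value with the probe it resembles, or None."""
    if UNION_RE.search(value):
        return "union-select"
    if ORDER_BY_RE.search(value):
        return "order-by"
    # An id that would be a plain integer except for a trailing apostrophe
    if value.endswith("'") and value.rstrip("'").lstrip("-").isdigit():
        return "quote-on-numeric"
    return None


def scan_log(text):
    """Return (client_ip, parameter, probe_type, http_status) for each request
    whose query string carries one of the probes."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qsl percent-decodes, so %20 arrives here as a space
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                hits.append((ip, key, kind, int(status)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on the apostrophe and order by lines is the "SQL error" the article relies on, so pairing the pattern match with the status code separates a probe that found a vulnerable page from one that did not.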

Using this information, you can search for vulnerabilities within your own websites and perform penetration testing for others. Remember that what you do with this information is solely your responsibility. Hacking is a lot of fun, but it doesn't mean you have to break the law to have a good time.
Filed Under: For Students, Technology
