If you want to learn SQL Injection step by step, reading this article will help you to understand the concept with a set of practical examples, so that you won't find it difficult.
SQL injection is a common web application vulnerability. If the developer does not guard against it, it can lead to complete disclosure of all data in the system, and more!
Important Note
Please note that all the information provided in this post is solely meant for educational purposes only.
Let's see how SQL injection can be used against an application, but before that, we need to create that application from scratch.
What we will be creating
We will be building a registration and login page for a web application with PHP.
Required Technical Skills
Basic knowledge of the following technologies is necessary.
Required tools/software
A local web server is required because PHP is a server-side scripting language: PHP scripts have to be executed by a web server before the browser sees any output. XAMPP provides such a server, is very easy to use and is completely free, so I will be using XAMPP as the local web server.
Text Editor / IDE (Integrated Development Environment)
Overall Project Structure
project-root/
    .phpintel
    css/
    js/
    dashboard.php
    login.php
    logout.php
    register.php
Discussion on project structure
.phpintel
This file is generated automatically if we use the PHPIntel plugin for Sublime Text.
All other files with the .php extension are self-explanatory. For example, register.php contains the HTML markup along with the PHP script required for registration, and so on.
CSS
This folder contains all the necessary CSS (cascading style sheet) files required for this project.
JS
It contains all the JavaScript files used in this project.
Creating a database and Users table
Open the browser and type "http://localhost/phpmyadmin" in the URL bar. Then, create a database named "hacking_db" and, inside it, a table named "users".
The structure of the users table is as below.
- id ( type=int(11), primary-key, auto-increment),
- username ( type= varchar(100) ),
- password ( type= varchar(256) )
Explanation of register.php
In register.php, the user is asked to enter a username, a password, and a password confirmation. Then, we simply check whether the username, password, or confirm password field has been left empty. If any of the fields is empty, the user is prompted to fill in that specific detail.
The user also needs to make sure that the password and confirm password fields contain the same value. If every field is filled out properly and the form is submitted, the message "User registered successfully!" is displayed to the user.
Explanation of login.php
In login.php, the user is asked to enter a username and password. These credentials are then compared with the credentials already stored in the MySQL database. If a match is found, the username is stored in the session and the user is redirected to the dashboard page. If no match is found, the user is asked to register.
Explanation of dashboard.php
In dashboard.php, we first check whether the user is already logged in. This is done by checking that the session variable set at login is not empty. If the user is found not to be logged in, they are redirected back to the login page.
Now, the only functionality left is logout. The code for logout.php is as follows.
<?php
session_start();                 // resume the session created at login
session_unset();                 // free all session variables (e.g. the stored username)
session_destroy();               // destroy the session itself
header('Location: login.php');   // redirect the user back to the login page
exit;                            // stop the script so nothing runs after the redirect
Explanation
To implement the logout functionality, we need to start the session, just as we did in the registration and dashboard pages; otherwise there is no session to end. Next, session_unset() frees the session variables that hold the session data, and then session_destroy() destroys the entire session. Last but not least, we redirect the user back to the login page and stop the script, so that nothing else is executed after the redirect header has been sent.
Bypassing the Login Page
We have completed the creation of the application. Now, let's see how to exploit this application by bypassing the login page and gaining access to the dashboard page.
If we type, "admin' or '1'='1';#" (without the double quotes) as username and any text in the password field, we can bypass the login screen easily.
Explanation of How the Login Bypass Works
What we typed into the username field is placed, unchanged, into the SQL query, so the database engine receives a statement of the following form.
select * from users where username='admin' or '1'='1';# and password='1234' LIMIT 1;
Here, we wrote an expression that is always true ('1'='1') and joined it to the username check with the 'or' operator, so the condition reads "either the username is admin or '1'='1'". Since '1'='1' is always true, the database engine does not care whether admin is a real username: the condition is satisfied anyway.
After that condition, the statement is terminated with a semicolon (;), and the rest of the original statement, the part that checks the password, is ignored because the hash symbol (#) starts a comment in MySQL.
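To make the cause of the bypass concrete, here is an added example (not the article's own code) of the two ways login.php can build its credential check: the string-concatenated query the bypass above relies on, and a prepared-statement version that treats the same input as plain data. It assumes a mysqli connection $db to hacking_db and the users table described above; the function names are my own.

```php
<?php
// Added example, not part of the original tutorial. Assumes $db is a mysqli
// connection to hacking_db with the users(id, username, password) table.

// VULNERABLE: the username is concatenated into the SQL text, so the input
//   admin' or '1'='1';#
// turns the WHERE clause into  username='admin' or '1'='1'  and comments out
// the password check, exactly as shown in the query above.
function find_user_vulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// HARDENED: a prepared statement sends the SQL text and the user input
// separately, so the quote and the '#' in the input are just characters
// inside a value and never become SQL. The password is checked against a
// stored hash instead of being compared in the query.
function find_user_safe(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT id, username, password FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;   // same answer for unknown user and wrong password
    }
    return $row;
}

// Registration counterpart: store a hash, never the clear-text password
// (the varchar(256) column is wide enough for password_hash() output).
function store_user(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}
```

With find_user_safe(), the payload from the bypass section simply looks up a user whose literal name is "admin' or '1'='1';#", finds nothing, and the login is refused.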
Conclusion
If you like this post on learning SQL injection step by step part 1, please comment about what you think and share it with others.