# SQL Injection

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-MezzyzWt33hs795sId5%2Fimage.png?alt=media\&token=7178003f-fb13-4b9c-8c43-070be5b85943)

## Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf--9pqiVnDQ32iVA4p%2Fimage.png?alt=media\&token=1f7967b6-c777-404f-a2ed-36bc0f41e10f)

## Basics of SQL Language

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf--Xz9Ido_cLoCecDo%2Fimage.png?alt=media\&token=3b9cc4c3-c8b8-4189-ae2f-6defa28c074b)

## What is SQLi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-0LuE9hpqHaXRG801%2Fimage.png?alt=media\&token=56eaa716-746e-475a-97c9-3dd3cecc9e73)

## How to detect SQLi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-16VYS-HSowgqtF35%2Fimage.png?alt=media\&token=c24e2e16-fe6b-41f2-ad4c-3466729af5cb)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-1MsLEPhk5-1VHJnV%2Fimage.png?alt=media\&token=e2ae9de3-27f7-4256-bf54-1e6060b39dca)

## Error Based SQLi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-27xIy8LUdUeM-_0G%2Fimage.png?alt=media\&token=e1c244c5-24fe-40ec-884a-ff55e1d963d2)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-2TMkWh26lKhn-Ev6%2Fimage.png?alt=media\&token=9d6040b3-5f02-4df8-88e1-63f05ca9d543)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-2bs76qH9O0fgcqv2%2Fimage.png?alt=media\&token=6ffc41a9-6146-479c-858e-f5a1ddac8d66)

## Boolean Based SQLi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-3WWuDB0mZDneuO3L%2Fimage.png?alt=media\&token=cdffe913-9e30-4b5d-bfd3-6b818f462d92)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-45UaIRJiUi01tuEB%2Fimage.png?alt=media\&token=c0fa36f6-65a7-4665-90bf-98e6062a34b7)

## UNION Based SQLi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-4XDI2qDk7IyLZO02%2Fimage.png?alt=media\&token=b9aa86a7-a54d-45f5-a703-bb1c08401d95)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-4nPbEEr7pC0eXhlr%2Fimage.png?alt=media\&token=fa1c3316-c2f3-4f3b-be80-a4e94589f28f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-5DX67MCdHfgeZXbJ%2Fimage.png?alt=media\&token=e03351f0-35cb-4bf5-b622-ef431274c8dc)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-5ZMC0jBPufRuMc4F%2Fimage.png?alt=media\&token=bd3db95c-6c94-4b90-9343-243a8eb055be)

After testing different numbers of columns, we can find the number of columns the original query returns with this search query:

```sql
' UNION SELECT NULL,NULL,NULL,NULL,NULL -- //
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-6IT6lZXVwR6hnr6n%2Fimage.png?alt=media\&token=b76f1625-5c93-4394-9eeb-bc7157f171d6)

We can also confirm that every one of the columns accepts a string value with this query:

```sql
' UNION SELECT 'a','a','a','a','a' -- //
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-6eITXLRWXF6W4tJe%2Fimage.png?alt=media\&token=d70aaee9-3992-4078-a83a-80563bae1d2b)

We can read the name of the current database with this query:

```sql
' UNION SELECT 'a',database(),'a','a','a' -- //
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-6vTZC84V_JKYwFhi%2Fimage.png?alt=media\&token=8880271d-9dc2-42fb-b7bf-2f3af7f22d4f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-6zsha--1vec_-HhN%2Fimage.png?alt=media\&token=00b32503-a49b-451a-99f9-dee22e305254)
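To show why the column-count and string probes above work, and what the fix looks like, here is an added example that is not part of the original page. It runs the page's two UNION payloads against a string-concatenated query and against a parameterized one, using an in-memory SQLite database with a constructed five-column `products` table (the schema, the table contents and the `search_vulnerable`/`search_safe`/`run_vulnerable` names are assumptions for the demo). The `database()` payload is left out because that function is MySQL-specific and does not exist in SQLite.

```python
import sqlite3

# Payloads copied from the page, including the "-- //" tail.
COLUMN_PROBE = "' UNION SELECT NULL,NULL,NULL,NULL,NULL -- //"
STRING_PROBE = "' UNION SELECT 'a','a','a','a','a' -- //"
# Constructed variant with the wrong column count: the database error it
# produces is what reveals that the count is off (and what shows up in logs).
COLUMN_PROBE_WRONG = "' UNION SELECT NULL,NULL -- //"


def build_db():
    """Constructed sample schema (not from the page): a five-column products
    table so the page's five-NULL payload lines up with the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, category TEXT, "
        "price TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Widget", "tools", "9.99", "A small widget"),
            (2, "Gadget", "electronics", "19.99", "A handy gadget"),
        ],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The pattern that makes UNION injection possible: the search term is
    spliced into the SQL text, so a quote in it closes the string literal and
    everything after it is parsed as SQL."""
    sql = ("SELECT id, name, category, price, description FROM products "
           "WHERE name = '" + term + "'")
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: a bound parameter. The driver sends the term as data,
    so the same payload is just a product name that matches nothing."""
    sql = ("SELECT id, name, category, price, description FROM products "
           "WHERE name = ?")
    return conn.execute(sql, (term,)).fetchall()


def run_vulnerable(conn, term):
    """Run the vulnerable search and report a column-count mismatch as
    ("error", message) instead of raising. A mismatch on the two sides of a
    UNION is a hard SQL error, which is why an unhandled error page leaks the
    column count to whoever is probing."""
    try:
        return ("ok", search_vulnerable(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    print("normal lookup      :", search_safe(db, "Widget"))
    print("vuln, wrong count  :", run_vulnerable(db, COLUMN_PROBE_WRONG))
    print("vuln, five NULLs   :", run_vulnerable(db, COLUMN_PROBE))
    print("vuln, five strings :", run_vulnerable(db, STRING_PROBE))
    print("safe, five NULLs   :", search_safe(db, COLUMN_PROBE))
```

With the concatenated query, the five-NULL payload adds a row of NULLs to the result and the five-string payload adds a row of `'a'` values, exactly the behaviour the screenshots above rely on; the two-NULL variant fails with a UNION column-count error. With the bound parameter, every payload returns an empty result, and the only other defence-side signals worth keeping are the error messages themselves: return a generic error to the client and log the detailed one.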

## Automating Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-7QIBzLrJOhtVIbL1%2Fimage.png?alt=media\&token=8d945a3f-2ecb-42e7-90bf-023a6e7b33e6)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-7TgdECRCpcQhiKfy%2Fimage.png?alt=media\&token=1dac7a94-e454-4eca-8274-a652d2089c79)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-7g-LHdj_4lIx5kXv%2Fimage.png?alt=media\&token=0f2e9ee1-58b5-4297-80d4-925fe9cdbcac)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-7sNTAcCmWyHLEoBF%2Fimage.png?alt=media\&token=59ba17a7-640c-454d-8afe-9cd3cfc87946)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MezzsaE_pDusM1uTCD7%2F-Mf-9DrfQZ6LO2qpTxtX%2Fimage.png?alt=media\&token=6f415924-2292-4a8e-a84e-155186b38f42)
