SQL for Hackers: Learn How Useful SQL

As an attacker, it is critical to understand how this query is constructed and exactly which parts of the query you control. The query is broken out into three distinct parts.
- SELECT * FROM shoes WHERE shoeName=' This chunk of code is prewritten by a human programmer and waiting in the application for the user's input.
- The Term variable (Zoomers) is appended onto the first chunk of code. The user is in complete control of this variable.
- ' This single quote is then appended by the program directly after the user's input to complete the SQL statement so that it is valid syntax to be executed by the SQL interpreter.
A hacker can craft malicious input instead of a shoe name in the search box to exploit this SQL injection vulnerability while still balancing the quotes so the statement doesn’t throw an error.
The classic example of this exploit is to enter the following input into the search box.
Zoomers' OR 1=1 #
This would build the following SQL statement sent to the interpreter for execution.
SELECT * FROM shoes WHERE shoeName='Zoomers' OR 1=1 #'
The # (pound sign) after the 1=1 clause is an inline comment, and the interpreter will ignore everything that follows it.
Inline comments may also use /*comment here*/ or -- (double dash) instead of a pound sign, depending on the database that you are working with. For DVWA using MySQL, the pound sign is the correct inline comment indicator. The resulting SQL statement of this code injection is:
SELECT * FROM shoes WHERE shoeName='Zoomers' OR 1=1
Take a look at the quotes; they are balanced beautifully! The injected single quote after Zoomers balances the first single quote that was prebuilt by the application. The single quote that is appended to the end of the user's input by the application has been ignored because of the inline comment. Not only will the Zoomers shoes be retrieved, but also every other shoe, because 1=1 is always true.
You can also inject a string input and use the hanging quote against itself by searching for this:
Zoomers' OR 'a'='a
We know exactly where the single quotes will be added, so the resulting SQL statement for this injection will also always be true.
SELECT * FROM shoes WHERE shoeName='Zoomers' OR 'a'='a'
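The following is an added example, not code from the original article or from DVWA: it reproduces the three-part string concatenation described above against a constructed in-memory SQLite shoes table, shows that both the comment-based and the quote-balancing inputs return every row, and places the parameterized query beside it, where the same input matches nothing because the driver binds it as data rather than syntax. SQLite has no # comment, so the comment-based case uses the -- form the article also mentions; the table, column names and rows are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's shoes table (assumption, not the article's schema).
SHOES = [("Zoomers", 99.0), ("Runners", 79.0), ("Loafers", 59.0)]


def make_db():
    """Create an in-memory SQLite database holding the constructed shoes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shoes (shoeName TEXT, price REAL)")
    conn.executemany("INSERT INTO shoes VALUES (?, ?)", SHOES)
    return conn


def build_vulnerable_query(term):
    """Mirror the application's three parts: prewritten prefix + user input + closing quote."""
    return "SELECT * FROM shoes WHERE shoeName='" + term + "'"


def search_vulnerable(conn, term):
    """Execute the concatenated statement, so quotes in the input become SQL syntax."""
    return conn.execute(build_vulnerable_query(term)).fetchall()


def search_parameterized(conn, term):
    """Bind the search term as a parameter; the input is compared as a literal value."""
    return conn.execute("SELECT * FROM shoes WHERE shoeName=?", (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("Zoomers", "Zoomers' OR 'a'='a", "Zoomers' OR 1=1 --"):
        print(build_vulnerable_query(payload))
        print("  concatenated:", len(search_vulnerable(db, payload)), "rows")
        print("  parameterized:", len(search_parameterized(db, payload)), "rows")
```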