Discover SQL Injection on a Web Server
A SQL Injection attack occurs when an application takes user-supplied data, builds an SQL statement from it without first validating that input, and then submits the statement to a database server for execution.
When successfully exploited, a SQL Injection attack can give an attacker access to the contents of the database, let them run system commands remotely, and in some cases let them take control of the server that hosts the database.
How far an attack can go depends on where the error is in the code, how easy the error is to exploit, and what access the application has to the database.
Theoretically, an SQL Injection attack could be performed against any type of application, but it is most commonly associated with web applications because they are the most exposed.
To test, replace the value of each parameter with a single quote (') and an SQL keyword such as WHERE. Try each parameter separately, and while testing one parameter leave all other parameters with their valid data unchanged.
Today we will look at another scanning tool, a SQL Injection vulnerability scanner in the same vein as SQLMAP, which is the most popular tool to date.
viSQL is a SQL Injection vulnerability scanner that scans not only the target URL but the whole server: it performs a reverse IP lookup to find the domains hosted on the same IP and then crawls each of them.
So you can easily scan for SQL injection vulnerabilities not just in the URL itself but across all sites on the same server.
Installing viSQL on Kali Linux
To install viSQL, enter "git clone https://github.com/blackvkng/viSQL.git" in your terminal.
The above command automatically creates a folder named "viSQL" in the directory you run the command from. To display all of its files, type "cd viSQL && ls" in your terminal.
The second installation method is to download the file installer.py with wget and run installer.py with the python command.
Command: wget https://raw.githubusercontent.com/blackvkng/viSQL/master/installer.py
Command: sudo python2 installer.py
After that, to run viSQL, just type "python viSQL.py -h", which shows the help menu of the viSQL tool.
To scan a website using viSQL, type "python viSQL.py -t www.example.com".
Now let viSQL do its job. viSQL first performs a Reverse IP Lookup to list the domains hosted on the target IP, and then crawls each site looking for a parameter vulnerable to SQL injection. If viSQL finds a potential SQL Injection point on the target, it displays the vulnerable link in the terminal.
Here you can see that viSQL started the crawl process on our target site and found many sites that may be vulnerable to SQL Injection attacks.
After the scan is complete, viSQL starts the SQLi scanning process which lists all the vulnerable SQL URLs as you can see below.
Now take this link and start doing SQL injection manually through the browser, or automatically using SQLMAP or HAVIJ.
* SQLMAP is for Linux users and HAVIJ is for Windows users.
Securing web applications against SQL Injection
You need to follow some security rules to prevent SQL Injection attacks.
Restrict database users' rights, because what a successful SQL injection attack can do is bounded by the credentials the application connects with.
Although restrictive permissions may not prevent SQL injection attacks, they make the attacks much harder to carry out.
Do not grant a user access to all stored procedures on the system if that user needs only a few of them.
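The permission advice above limits the damage; the code-level fix is to stop building SQL from user input at all. The following is an added example, not code from this article or from the viSQL project, using an in-memory SQLite table with constructed sample rows: the concatenating login check is the defect described at the top of the page, and the parameterized version is its hardened form.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
SAMPLE_USERS = [("alice", "secret1"), ("bob", "secret2"), ("carol", "secret3")]


def build_db():
    """Create a throwaway in-memory database holding the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, name, password):
    """Concatenates user input straight into the SQL text: the input is
    parsed as part of the statement, so a quote in it changes the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, name, password):
    """Binds user input as parameters: the statement text is fixed and the
    driver passes the values to the database as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def compare(name, password):
    """Run the same credentials through both versions on a fresh database
    and return (vulnerable_result, parameterized_result)."""
    con = build_db()
    try:
        return login_vulnerable(con, name, password), login_parameterized(con, name, password)
    finally:
        con.close()


if __name__ == "__main__":
    # Legitimate credentials: both versions agree.
    print(compare("alice", "secret1"))
    # A tautology in the input turns the concatenated WHERE clause into one
    # that is always true, so the vulnerable version returns every user,
    # while the parameterized version simply finds no matching row.
    print(compare("x' OR '1'='1", "x' OR '1'='1"))
```

The second call is the kind of always-true condition a scanner such as viSQL probes for; in your own code, grep for string-built SQL and replace it with bound parameters.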