How to protect against SQLi attack [GET METHOD]

As we have said with the google dorks inurl:.php?id=1 , which let google understand that we want to search ONLY websites and pages that have ONLY an ID parameter in their URL... Well that's what we're going to do today. We will learn how not to eat MYSQL ERROR on the page when we put the quote "'" next to the parameter. E.G id = 1' .

So I'll leave the many explanations and let's get into the roast.

 

100

 

Here we tell it to get the ID we have defined and user_id and then we make a query with users where id=$user_id.

 

101

102

 

First of all we look at our code. We have built a table by writing HTML WITHIN PHP, and with the $rows we have defined above foreach and $sql_run, we show him to understand that we want the tables to show EVERY user from the database. (you will see below in the screenshot).

Right below these $rows, we give another row and the most important one for this topic. We tell it when the EDIT "button" that will be on the table is pressed, to redirect us ( href ) to the edit.php page (that we have made) but not only there, but also in the parameter. That is, for example, we want to edit them of the user MATA who mata in the base as an ID has the number 64. So you will write in the url edit.php?id= (And the number of the user's id in the base) $row['id']. Obviously, if you don't know how it reads the ID from the database, it reads it because we did a query before “SELECT * FROM users”. I mean? select all (*) from the table users. And right after that we ran it $sql_run = mysqli_query($conn, $sql) (sql was the variable we had defined for the query ( $sql = “SELECT * FROM users ).

103

 

Here we have the tables I mentioned before. And with user ID number 64. (the more users there are in the base, the more the list will increase). So we press edit to see what happens to the url.

104

As we can see, the URL shows the number 64 in the ID parameter. This is because before the href we put $row['id'] as I explained to you above.

So let's put a QUOTE in the parameter to see how and WHY the website reacts with ERROR.

105

106

Those you have gone to do attack you have surely noticed such an error. This error is called ERROR-BASED SQL INJECTION. Error based is called when the quote (') "breaks" the Syntax. That is why it says "You have an error in your SQL Syntax".

Shall we take advantage of this? It will be very easy because the careless Developer forgot to put the filters in his code so I as a malicious person will be able to exploit him...

107

So let's go and write

sqlmap -u "http://.com/edit.php?id=1" --dbs

–dbs is to find the databases.

It throws us cookies and we press Y to use them.

108

 

How pleasant for us huh? Here it tells us that the ID parameter MAY be vulnerable and the Database MAY be MySQL.

Do we want to skip the other payload tests for other dbmses? And press Yes. Because we don't need anything else.

109

What did we say before? Error-based. Let's go further, I explained them before.

110

The ID parameter is fragile. Do you want to check other parameters? (No need so NO)

111

What harm found him……. If you remember from the previous guide the database was called ergasiasxol. Let's get into it by writing

sqlmap -u "http://.com/edit.php?id=64" -D ergasiasxol --tables

-D ergasiasxol to enter this database, and –tables to show us the tables.

 

112

 

We see that the users table exists. So let's go into it and look at the columns.

sqlmap -u "http://.com/edit.php?id=64" -D ergasiasxol -T users --columns

 

113

 

Here we see the columns. We only need the username and password. Let's DUMP them to see.

sqlmap -u "http://.com/edit.php?id=64" -D ergasiasxol -T users -C username,password --dump

 

114

 

We reached our goal. Of course, the it is in md5 encryption I have explained here how do we do that, so we just get the hash and break it (if it doesn't exist in tool I recommend crunch to make a list).

######################################

PROTECTION

######################################

So let's now see how we can protect ourselves from this attack. We need to go back into our code and find where the variable we set for $_GET['id'' is? .

115

The user_id is the variable we have defined for the GET. The filtered_userid variable exists to be added later to id=$filtered_userid in the query. Also in the variable filtered_userid we write the following

filter_var($user_id, FILTER_SANITIZE_NUMBER_INT);

filter_var is a php function which is used to filter the variable. In our case we want to filter the variable $user_id which is from GET -> id=$row['id'] -> id=64 (in this case).

FILTER_SANITIZE_NUMBER_INT prevents characters like QUOTE.

So let's go now to see if our page reacts to an error.

116

Absolutely no reaction. So let's attack again

117

CRITICAL. It doesn't let us find a footing. Let's try with risk and level and with v 6

118

 

119

 

Critical again. So we're covered.

Article author: Attednev Vrof

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
SQLi, GET METHOD, iguru

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).