SQL-Injection

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/sql-injection?ref_type=heads

Step 1: Understand the Vulnerability

To exploit the SQL injection vulnerability in the given index.php code, you can manipulate the id parameter in the URL to inject malicious SQL code. Here’s a step-by-step explanation of how to exploit the code and the automation script provided:

Explanation of index.php Vulnerability

  1. Unsanitized User Input: The id parameter from the URL is directly concatenated into the SQL query without any sanitization:

    $query = $db->query('select * from secrets where id = ' . $_GET['id']);

  2. SQL Injection: Because the user input is not sanitized, an attacker can inject SQL code by manipulating the id parameter.

Step 2: Create and Run the Bash Script

1. Create the Bash Script: Create a file named sql-injection.sh and add the provided Bash script to it.

Explanation of the Script:

  • echo $1 > _tmp/strip: This line writes the first argument passed to the script into the file _tmp/strip. It is not part of the injection itself and may be part of your application's own logic.

  • php -S 127.0.0.1:8080 -t sql-injection &: This starts a PHP built-in web server serving files from the sql-injection directory. The & at the end runs the server in the background.

  • open 'http://127.0.0.1:8080/?id=-1%20UNION%20SELECT%20NULL,%20%27Hello%20world%27': This line opens the default web browser (open is the macOS command; on Linux, xdg-open does the same) and navigates to http://127.0.0.1:8080/?id=-1 UNION SELECT NULL, 'Hello world'. In the URL-encoded form, %20 represents a space and %27 represents a single quote ('). The decoded id value is the SQL injection payload -1 UNION SELECT NULL, 'Hello world'.

  • wait: This waits for all background processes to complete before the script finishes.

2. Make the Script Executable: Change the script's permissions to make it executable.

3. Run the Script: Execute the script, passing an argument if necessary (for example, test).

Expected Outcomes:

  • The browser navigates to http://127.0.0.1:8080/?id=-1 UNION SELECT NULL, 'Hello world'.

  • The SQL query executed by the server becomes:

    select * from secrets where id = -1 UNION SELECT NULL, 'Hello world'

  • This query combines the original select * from secrets where id = -1 (an id chosen so that it matches no row) with the injected UNION SELECT NULL, 'Hello world', effectively bypassing the original condition and returning the string 'Hello world' in the result set.
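To see why the concatenation in index.php behaves this way, and what the fix looks like, here is an added example (not code from the lab repository) that models the same query in Python against an in-memory SQLite database. The secrets table, its two columns and its one row are constructed for the example; the hardened lookup binds the id as a parameter, which is what a PDO prepared statement does in PHP.

```python
import sqlite3

# Constructed sample schema: two columns, matching the two-column
# UNION payload on the page. This is not the repository's own schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table secrets (id integer primary key, secret text)")
    db.execute("insert into secrets values (1, 'flag{constructed-sample}')")
    return db

def lookup_vulnerable(db, user_id):
    # Mirrors index.php: the raw id value is pasted into the SQL text,
    # so anything after the number is parsed as SQL, not as data.
    query = "select * from secrets where id = " + user_id
    return db.execute(query).fetchall()

def lookup_fixed(db, user_id):
    # Hardened version: the value travels as a bound parameter. The database
    # compares the whole string against id and never parses it as SQL.
    return db.execute("select * from secrets where id = ?", (user_id,)).fetchall()

def lookup_validated(db, user_id):
    # Defence in depth: an id must be an integer, so reject anything else
    # before it reaches the database (raises ValueError on the payload).
    return lookup_fixed(db, str(int(user_id)))

# The page's decoded ?id= value.
PAYLOAD = "-1 UNION SELECT NULL, 'Hello world'"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # [(None, 'Hello world')]
    print(lookup_fixed(db, PAYLOAD))       # []
    print(lookup_fixed(db, "1"))           # [(1, 'flag{constructed-sample}')]
```

Running it shows the UNION row surfacing only through the concatenated query; with a bound parameter the same input simply matches nothing.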
