
SQL Injection

Objective: To perform SQL injection on a live website to bypass authentication and to access, modify, and delete data within a database

Tools required: Browser

Prerequisites: None

Steps to be followed:

Step 1: Performing SQL injection using vulnweb.com

1.1 Open the vulnerable site to perform the attack: http://vulnweb.com/

1.2 Click on the Acuart link: http://testphp.vulnweb.com/


1.3 Click on the Your Profile link. Enter the following value in both the Username and Password fields
and click the login button:

' or 1=1 --

1.4 If the SQL injection is successful, you should see the profile page for the user.

1.5 Use the Artists link to open the profile of the first artist (r4w8173). Alternatively, click the
following link: http://testphp.vulnweb.com/artists.php?artist=1

1.6 Add an apostrophe (') at the end of the URL, which will try to break the query:
http://testphp.vulnweb.com/artists.php?artist=-1'

Note: If you see an error message, the site is vulnerable to SQL injection: the apostrophe reached the database query unescaped.

The URL above is an example of URL parameter manipulation, a technique often used in web
application testing, particularly for SQL injection. Let's break it down:

Base URL: http://testphp.vulnweb.com/artists.php

Query Parameter: ?artist=-1'

Here's what each part might represent:

Base URL (http://testphp.vulnweb.com/artists.php): This is the main web address, pointing
to a PHP file named "artists.php" on the "testphp.vulnweb.com" domain. This is a
common format for URLs that point to specific pages or scripts on a website.

Query Parameter (?artist=-1'): In web development, parameters can be passed in the
URL to influence the behavior of the script or page. In this case, the parameter is named
"artist", and its value is set to "-1'". The value "-1'" is interesting because it includes a
single quote ('). Single quotes in user input can sometimes be used to manipulate SQL
queries.

For example, the value "-1'" might cause the SQL query in the backend to be constructed
like this:

SELECT * FROM artists WHERE artist_id = -1';

This can lead to SQL injection if the web application does not properly handle user input,
and an attacker might attempt to exploit this vulnerability by injecting malicious SQL code.

1.7 Use the following query to fetch the name of the database:
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3

Note: This displays the name of the database, acuart.

The -1 makes the original query match no row, so only the injected row is displayed.

union select 1,database(),3 is an attempt to inject an additional SQL statement:

'1': A placeholder value.
'database()': A MySQL function that returns the name of the current database.
'3': Another placeholder value.

1.8 Next, fetch the current database user as well as the version of the database system:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()
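As an added example (not code from the lab or from the vulnweb site), the following Python script reproduces the three behaviours above against a constructed SQLite database, and shows each vulnerable query next to its parameterized, type-checked form, which is the fix. The schema, table names and rows are assumptions, and sqlite_version() stands in for MySQL's database()/version().

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database. Schema, table names and rows
# are assumptions, not the real acuart schema; sqlite_version() replaces MySQL's database().
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('test', 'test');
        CREATE TABLE artists(artist_id INTEGER, aname TEXT, adesc TEXT);
        INSERT INTO artists VALUES (1, 'r4w8173', 'first artist');
    """)
    return conn

def login_vulnerable(conn, username, password):
    # Input is pasted into the SQL text: ' or 1=1 -- turns the WHERE clause into a
    # tautology and the -- comments out the password check, so every user matches.
    sql = f"SELECT uname FROM users WHERE uname = '{username}' AND pass = '{password}'"
    return conn.execute(sql).fetchall()

def login_fixed(conn, username, password):
    # Bound parameters travel separately from the query text; the same payload is
    # compared literally with the uname column and matches nothing.
    sql = "SELECT uname FROM users WHERE uname = ? AND pass = ?"
    return conn.execute(sql, (username, password)).fetchall()

def artist_vulnerable(conn, artist):
    # Unquoted numeric parameter: a stray apostrophe breaks the statement (the lab's
    # "error message"), and -1 union select ... appends an attacker-chosen row.
    sql = f"SELECT artist_id, aname, adesc FROM artists WHERE artist_id = {artist}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"

def artist_fixed(conn, artist):
    # Check the type first, then bind: anything that is not an integer never reaches SQL.
    try:
        artist_id = int(artist)
    except ValueError:
        return []
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id = ?"
    return conn.execute(sql, (artist_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print(login_vulnerable(db, payload, payload), login_fixed(db, payload, payload))
    print(artist_vulnerable(db, "-1'"))
    print(artist_vulnerable(db, "-1 union select 1,sqlite_version(),3"))
    print(artist_fixed(db, "-1 union select 1,sqlite_version(),3"))
```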
