Php Sql Injection Cheat Sheet




An SQL injection attack is arguably one of the simplest attacks to prevent, yet it remains one of the least defended against.

The attack works by submitting SQL through the form fields of a web or application front end; the back end concatenates that input into its own SQL statement, so the attacker's fragment alters the intended query and is executed by the database. SQL injection most commonly occurs when the application builds SQL dynamically from user input. The following is a short SQL injection cheat sheet.

SQL Injection Example

The following is a basic SQL injection example that illustrates the idea behind this attack.

Suppose a PHP login form has two text fields, username and password, and a login button. The backend PHP code might look like this:


<?php
$UName = $_POST['UName'];
$upassword = $_POST['upassword'];
// Vulnerable: the submitted values are concatenated straight into the SQL string
$Query = "SELECT * FROM userdetails WHERE username='" . $UName . "' AND upassword='" . $upassword . "';";
?>

The PHP code above contains a vulnerability. If a user enters ' or 'a'='a in the password field, the variable $upassword will hold the value ' or 'a'='a, and the resulting query becomes ... AND upassword='' or 'a'='a'.

In the above example, the condition 'a'='a' is always true, so the query succeeds without checking the real password.

How to prevent SQL injection attacks?

Once the query reaches the database, it is too late to defend against an SQL injection attack. The only way to fully protect a database application from SQL injection is to do so within the application layer. Any other defence will not be as effective.

Some people think that simply escaping a character within the SQL string will fully protect the database, and it may help to a considerable degree. But depending on how the SQL is written and how the dynamic SQL string is built, it likely will not. This section explains how to protect against SQL injection.

PHP offers several ways to prevent an SQL injection attack.

Method 1


To help prevent SQL injection, the following method shows how to write an escaping function. This method is one of the best-known SQL injection prevention techniques.

<?php
function SQLTest($my_string)
{
    // Escape backslashes and single quotes, turn double quotes into &quot;
    // and drop NUL bytes before the value is placed in an SQL string
    return str_replace(
        array("\\", "'", '"', "\x00"),
        array("\\\\", "\\'", '&quot;', ''),
        $my_string
    );
}
?>

With the above code, str_replace() replaces each of the listed characters in the string. The function can then be used as follows:

<?php
$Name=SQLTest($_POST['Name']);
$password=SQLTest($_POST['password']);
?>

Method 2

Another way to prevent SQL injection is to use PHP prepared statements. A prepared statement is a feature that lets an application execute similar SQL queries efficiently and repeatedly. Blind SQL injection is one of the most dangerous forms of the attack.

With prepared statements, the SQL query is sent to the database with placeholders for values, called parameters and written as '?'. The database parses and prepares the statement and stores it without executing it.

Later, the application binds values to the parameters and then executes the statement. This allows the same statement to be executed repeatedly with different sets of values.

The following example shows how to use prepared statements to prevent SQL injection in PHP.

<?php
// $connection is an existing mysqli connection
$statement = $connection->prepare('INSERT INTO EMP(ename, job, email) VALUES (?, ?, ?)');
$statement->bind_param('sss', $ename, $job, $email);
// setting parameters
$ename = 'Jeff';
$job = 'Analyst';
$email = 'jeff@abc.com';
$statement->execute();
$ename = 'Steven';
$job = 'Clerk';
$email = 'steven@abc.com';
$statement->execute();
?>

In the above example, the INSERT statement contains placeholders (?,?,?). Each placeholder can be filled with an integer, double, string or blob value. The code also calls bind_param.

This function binds the variables to the placeholders in the query and sends their values to the database at execution time. 'sss' is a type string that specifies the type of each bound value.

Each value may be an integer, double, string or BLOB. By telling the database what type of data to expect, the application greatly reduces the risk of SQL injection.
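The login check from the vulnerable example, written both ways and run against an in-memory SQLite database through PDO so that it works offline; this is an added example, not code from the article, and the table, the user row and the use of PDO rather than mysqli are assumptions made here.

```php
<?php
// Added example (not from the original article): the article's login query,
// first built by string concatenation and then as a prepared statement.
// The in-memory SQLite database and its single user row are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdetails (username TEXT, upassword TEXT)');
$db->exec("INSERT INTO userdetails VALUES ('alice', 'correct-horse')");

// Vulnerable: user input is spliced into the SQL text, so quotes in the
// input change the structure of the WHERE clause.
function loginConcat(PDO $db, string $uname, string $password): bool
{
    $sql = "SELECT * FROM userdetails WHERE username='" . $uname
         . "' AND upassword='" . $password . "'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// Hardened: the statement text with '?' placeholders is sent first and the
// values separately, so the input can only ever be compared as a literal.
function loginPrepared(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT * FROM userdetails WHERE username = ? AND upassword = ?'
    );
    $stmt->execute([$uname, $password]);
    return count($stmt->fetchAll()) > 0;
}

$payload = "' or 'a'='a";   // the password-field input discussed in the article

// Concatenation lets the payload turn the clause into "... OR 'a'='a'";
// the prepared statement simply compares the stored password with that string.
echo 'concatenated, payload:      ', var_export(loginConcat($db, 'alice', $payload), true), PHP_EOL;
echo 'prepared, payload:          ', var_export(loginPrepared($db, 'alice', $payload), true), PHP_EOL;
echo 'prepared, real password:    ', var_export(loginPrepared($db, 'alice', 'correct-horse'), true), PHP_EOL;
```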


To prevent SQL injection, user input should be validated against a restricted set of rules for syntax, pattern and length. When granting database privileges to application accounts, one should always grant the minimum privileges needed, to limit the impact of any attack on sensitive data.

If an account is granted privileges for a particular application, make sure it cannot access more than that application needs. Removing unused stored procedures may also help hinder SQL injection. One should always be careful when handling stored procedures, as they are readily misused.

How to test SQL Injection in PHP?

Testing for SQL injection vulnerabilities can be done quite simply. Often it is sufficient to enter a ' or " character in the tested fields. If the application returns an unexpected or unusual message, SQL injection is likely possible for that field.

For example, if the web form or application returns an error message like 'Internal Server Error', SQL injection may be possible in that part of the system. Other symptoms that can indicate a potential SQL injection vulnerability include a blank page, no error or completion message at all, and full output in response to the malicious input.

The following code shows a more reliable way to build a query for paging.

<?php
// Cast the offset to an integer before it is used in the query
settype($offset, 'integer');
$myquery = "SELECT eid, ename FROM employee ORDER BY eid LIMIT 30 OFFSET $offset;";
// Alternatively, let sprintf() format the value as an integer
$myquery = sprintf('SELECT eid, ename FROM employee ORDER BY eid LIMIT 30 OFFSET %d;', $offset);
?>

If the web site has a login page, it is likely that the web application uses dynamic SQL. The dynamic SQL query is expected to return at least one row as output. SQL injection can be regarded as one of the most dangerous attacks, since it modifies the database and can cause serious damage to the data and the entire system.

It can have more severe consequences than other web attacks, some of which are only executed on the client side. By contrast, with this attack one can gain access to the complete database.

It should be noted that to test for this attack, one should have a fairly thorough knowledge of the SQL language and understand how database queries are executed.

Also, when testing for SQL injection one should be vigilant and attentive, as any mistake can be misreported as an SQL vulnerability. By following the above steps one can prevent SQL injection in PHP.

Discovering an SQL injection attack

A log file is an extremely important piece of data produced by a server. Computer systems, servers and software applications all produce log information. Many people do not realise that a log file is crucial for finding various issues. A log file records all the events and actions that happen during the runtime of a machine or application.

So why are log files so valuable? Log files give a detailed picture of the behaviour of an application or the performance of a server. They also give crucial data about when, how and by whom a server is being used or manipulated. Such information is essential for monitoring and auditing administration, and for troubleshooting and debugging applications. Log files also allow forensic investigators to find, study and reconstruct the sequence of events that led to suspicious activity.

Example

Let's take a web server as an example. Most commonly, Apache HTTP Server produces two principal log files, access.log and error.log. The access.log file records all requests for files. If a visitor requests www.abc.com/main.php, the following record is written to the log file.

88.558.126.37 - - [28/Jan/2020:08:54:09 +098] "GET /main.php HTTP/1.1" 202 205 "-" "Mozilla/5.0 (Windows NT 6.0

The above log entry reports that a visitor with IP address 88.558.126.37 requested the main.php file on January 26th, 2020 and that the request was successful. This data may not be very exciting, but what if the log file showed that a visitor with IP 88.56.128.188 requested the dump_database.php file on January 26th, 2020 and the request was successful? Without that log file, one might never have known that someone found and ran a script that dumps the database.

Investigation

Let's imagine that a website has been hacked. Let's also assume that the site is a simple WordPress site running on an Ubuntu server.

Evidence to look for in an investigation

To begin an investigation, it is necessary to know what evidence to look for. In a successful cyberattack, evidence typically includes direct access to the database or to important files. It also includes access to the administration section with or without authentication, remote code execution, and SQL injection.

In this example, the server access.log is available.

root@myserver:/var/logf/apache# access.log

The access.log is a huge file containing numerous recorded events and requests. Reviewing every single line would be impractical. It is better to filter out the data that is most likely of no interest. Rather than ruling out some data, we filtered access.log for WordPress-specific features.

The above command filters the access.log so that it displays only entries containing the strings wp-admin, the default administration folder of WordPress; wp-login, part of the name of the WordPress login file (wp-login.php); and POST, which matches HTTP requests sent to the server using the POST method.

The above result shows that the IP 88.52.46.59 successfully entered the WordPress administration area. Now, let's check what else this IP address did, by using the grep command to filter access.log for that IP.

This gives the following records:

The above data shows a timeline of the attacker's activity that led to the compromise of the website. Still, one piece of the puzzle is missing: how did the attacker bypass the login authentication? The current access.log did not contain any evidence of what might have happened. Apache HTTP Server log rotation in the /var/log/apache2/ directory provides four additional log files.

First, we filter these logs to see whether any actions were taken by the IP 88.52.46.59. One of the logs was flooded with records containing a series of SQL commands, indicating an SQL injection attack.
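An added example (not from the article) that carries out the three filtering steps described above in PHP rather than at the shell: the access.log lines are constructed sample data, and the SQL injection markers it looks for are assumptions about what such a tool's requests contain.

```php
<?php
// Added example: the article's investigation steps applied to constructed access.log lines.
$logLines = [   // constructed sample data, not a real capture
    '10.0.0.5 - - [28/Jan/2020:08:54:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '88.52.46.59 - - [28/Jan/2020:09:01:11 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    '88.52.46.59 - - [28/Jan/2020:09:01:12 +0000] "GET /index.php?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '88.52.46.59 - - [28/Jan/2020:09:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '88.52.46.59 - - [28/Jan/2020:09:05:45 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/Jan/2020:09:10:00 +0000] "GET /about.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
];

// Split one combined-log line into ip, timestamp, request line and status code.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3], 'status' => (int) $m[4]];
}

// Step 1: keep only the WordPress-relevant entries (wp-admin, wp-login, POST).
function wordpressEntries(array $lines): array
{
    return array_values(array_filter($lines, fn($l) => preg_match('/wp-admin|wp-login|POST/', $l)));
}

// Step 2: everything a single IP did, in log order.
function entriesForIp(array $lines, string $ip): array
{
    $parsed = array_filter(array_map('parseLine', $lines));
    return array_values(array_filter($parsed, fn($e) => $e['ip'] === $ip));
}

// Step 3: flag requests whose URL-decoded query carries common SQL injection markers
// (assumed signatures: UNION SELECT, information_schema, SLEEP(), quote-OR, comment marker).
function looksLikeSqlInjection(string $request): bool
{
    $decoded = strtolower(urldecode($request));
    return (bool) preg_match("/union\s+select|information_schema|sleep\(|'\s*or\s|--/", $decoded);
}

echo count(wordpressEntries($logLines)), " WordPress-related entries", PHP_EOL;
foreach (entriesForIp($logLines, '88.52.46.59') as $e) {
    $flag = looksLikeSqlInjection($e['request']) ? 'SQLI?' : 'ok   ';
    echo "[$flag] {$e['time']} {$e['status']} {$e['request']}", PHP_EOL;
}
```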

Conclusion

The number of records in access.log and their pattern show that the attacker used an SQL injection exploitation tool against an SQL injection vulnerability. The logged requests may look like nonsense, but they are SQL queries typically intended to extract information through an SQL injection vulnerability. The exploitation tool tries different SQL injection techniques to obtain the database name, table names and columns as part of its enumeration.

About the Author

ByteScout Team of Writers

ByteScout has a team of professional writers proficient in different technical topics. We select the best writers to cover interesting and trending topics for our readers. We love developers and we hope our articles help you learn about programming and programmers.

Description of the vulnerability

PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious actions, or to start a "POP chain".
  • All of the classes used during the attack must be declared when the vulnerable unserialize() is called, or object autoloading must be supported for those classes.
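An added example (not part of the original text) showing the first condition in action and how to remove it with the allowed_classes option of unserialize(); the ReportLogger class, its property and the serialized string are constructed here for illustration.

```php
<?php
// Added example: a declared class with a magic method, fed attacker-controlled
// serialized data, with and without the allowed_classes restriction.
class ReportLogger
{
    public string $file = '/tmp/report.log';

    // Runs without being called explicitly: PHP invokes it when the object is
    // destroyed, so a property set through unserialize() reaches this code.
    public function __destruct()
    {
        echo "__destruct ran with file = {$this->file}", PHP_EOL;
    }
}

// Constructed serialized object: whoever controls this string chooses both
// the class name and the property value.
$input = 'O:12:"ReportLogger":1:{s:4:"file";s:17:"/tmp/attacker.log";}';

// Unsafe: unserialize() instantiates any class declared at this point,
// so the destructor later fires with the supplied property value.
function unsafeRestore(string $data)
{
    return unserialize($data);
}

// Hardened: with allowed_classes => false every object in the payload is
// restored as __PHP_Incomplete_Class, whose magic methods are never invoked.
function safeRestore(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$obj = unsafeRestore($input);
echo 'unsafe restore produced: ', get_class($obj), PHP_EOL;
unset($obj);   // the destructor runs here, with the attacker's file path

$obj = safeRestore($input);
echo 'safe restore produced:   ', get_class($obj), PHP_EOL;
unset($obj);   // nothing runs: ReportLogger was never instantiated
```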

Example:

Known Vulnerable Software

Software | Version | Reference
WordPress | 3.6.1 | https://nvd.nist.gov/vuln/detail/CVE-2013-4338
Magento | 1.9.0.1 | https://magento.com/security/patches/supee-10415
Joomla | 3.0.3 | https://packetstormsecurity.com/files/121442/Joomla-3.0.3-PHP-Object-Injection.html
IP Board | 3.3.4 | https://www.exploit-db.com/exploits/22398/
Dotclear | 2.6.1 | https://www.cvedetails.com/cve/CVE-2014-1613/
OpenCart | 1.5.6.4 | http://karmainsecurity.com/KIS-2014-08
CubeCart | 5.2.0 | http://karmainsecurity.com/KIS-2013-02
Drupal | 7.34 | https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/
vBulletin | 5.1.0 | https://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html
Tuleap | 7.6-4 | http://karmainsecurity.com/KIS-2014-13
Moodle | 2.5.0 | http://disse.cting.org/2013/09/16/2013-09-16-moodle-2-5-0-1-badges-external-object-injection
WHMCS | 5.2.12 | http://security-geeks.blogspot.com/2013/11/whmcs-5112-php-object-injectoin.html

PHP Magic Methods

  • __construct()
  • __destruct()
  • __call()
  • __callStatic()
  • __get()
  • __set()
  • __isset()
  • __unset()
  • __sleep()
  • __wakeup()
  • __toString()
  • __invoke()
  • __set_state()
  • __clone()
  • __debugInfo()

Examples of PHP Object Injection

Exploit with the __destruct method

Vulnerable code:

Payload:

Exploit with the __wakeup in the unserialize function

Vulnerable code:

Payload:

Authentication bypass - Type juggling

Vulnerable code:

Payload:

Authentication bypass - Object reference

Vulnerable code:


Payload:

Other exploits

Reverse Shell

Finding and using gadgets (PHPGGC)

PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them.

Example:

Thanks to

This article is composed of information found on the following links (plus some minor additions). I use this article to quickly review or demonstrate situations and as a personal reference to all the information needed in exploiting the PHP Object Injection vulnerability.