Introducing SQL Injection 337
inurl:article.php?ID=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
It is possible to execute successful SQL injections against a number of
different technologies, but in the search terms here we are using PHP as an
example. With some variation, ASP.NET, ASP, and JSP pages can also be
targeted for an attack.
There are plenty of ways to search Google using various search terms to uncover a
potentially vulnerable target. I encourage you to experiment with different combinations to
see if you can obtain better or more actionable results.
Once you’ve identified your target, your next step is to look for vulnerabilities. One easy
way to determine if a site is vulnerable to SQL injection is to add an apostrophe to the end
of the URL like so:
http://www.somesite.com/default.php?id=1'
Type this URL and press Enter, and then observe the results. If an error is returned, the
web application or site located at the URL is vulnerable to SQL injection, though you don’t
know to what degree.
The errors that appear at this point can be any of a large number of potential
errors, but that is not important. What is important at this stage is that
an error is returned because it gives you an indication of potential
vulnerabilities that may be present. The error message typically reads “You have
an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax.” As a general rule, if the website
returns any SQL errors, it should be vulnerable to SQL injection techniques.
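From the defender's side, the probes described above leave a recognizable trace in the web server's access log: a numeric parameter with an apostrophe appended, often followed by a 500 response from the resulting SQL error. The following Python script is an added example, not part of the book, that scans a few constructed Common Log Format lines for exactly those two patterns (the trailing apostrophe on a numeric value and an `order by` clause inside a parameter). The log lines, IP addresses and paths are invented for the example; the detector deliberately ignores an apostrophe inside an ordinary text value (a search for O'Reilly) to avoid the most common false positive.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /default.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /default.php?id=1%27 HTTP/1.1" 500 310
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /default.php?id=1%20order%20by%201 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /article.php?id=42 HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.php?q=O%27Reilly HTTP/1.1" 200 2048
"""

# One Common Log Format line: client, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Probe 1 from the chapter: a numeric value with an apostrophe appended (id=1').
PROBE_APOSTROPHE = re.compile(r"^\d+'$")
# Probe 2 from the chapter: an ORDER BY clause smuggled into a parameter value.
PROBE_ORDER_BY = re.compile(r"\border\s+by\s+\d+", re.IGNORECASE)


def classify_value(value):
    """Return a reason string if the (already URL-decoded) value looks like
    one of the two probes, else None."""
    if PROBE_APOSTROPHE.match(value):
        return "apostrophe appended to numeric parameter"
    if PROBE_ORDER_BY.search(value):
        return "ORDER BY probe in parameter"
    return None


def scan_log(text):
    """Parse each log line, URL-decode every query parameter and collect
    the ones that match a probe pattern, together with the response status
    (a 5xx right after a probe is the strongest signal)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in some other format rather than crash
        query = urlsplit(m["path"]).query
        # parse_qsl decodes %27 -> ' and %20 -> space for us
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append({
                    "ip": m["ip"],
                    "param": name,
                    "value": value,
                    "reason": reason,
                    "status": int(m["status"]),
                    "server_error": int(m["status"]) >= 500,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run against the sample, the scanner reports only the two probe lines from 203.0.113.5 and leaves the legitimate search and the normal article request alone; in practice you would also group findings by client address, since the probes arrive in quick succession from one source.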
Initiating an Attack
One of the first steps you can take to uncover information about a vulnerable site is to learn
the structure of the database. To do this you can append a simple order by statement to the
URL like so:
http://www.somesite.com/default.php?id=1 order by 1
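To make the mechanism behind both probes concrete, here is an added example (not code from the book) that reproduces the two behaviours in Python against an in-memory SQLite table standing in for the site's PHP/MySQL back end. `lookup_vulnerable` pastes the `?id=` value straight into the SQL text, which is why `1'` produces a syntax error and why `1 order by 1` is accepted; `lookup_hardened` shows the fix, validating the type and binding the value as a parameter so it can never change the statement's structure. The table, its contents and the function names are constructed for the example, and the `1 order by 3` case is my extension of the page's `order by 1`: a term beyond the number of selected columns raises an error, which is how the clause reveals the query's column count. SQLite words its errors differently from MySQL's "You have an error in your SQL syntax", but the distinction between error and no error is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The flawed pattern: the ?id= value is concatenated into the SQL text,
    so anything after the number becomes part of the statement."""
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.OperationalError as exc:
        # This is the kind of error the chapter tells you to watch for;
        # a hardened site never lets it reach the response.
        return {"rows": [], "error": str(exc)}


def lookup_hardened(conn, raw_id):
    """Validate the type first, then bind the value as a parameter. The
    database receives the statement and the value separately, so the value
    can only ever be compared against the id column."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return {"rows": [], "error": "rejected: id must be an integer"}
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return {"rows": conn.execute(sql, (article_id,)).fetchall(), "error": None}


if __name__ == "__main__":
    conn = make_db()
    for probe in ("1", "1'", "1 order by 1", "1 order by 3"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(conn, probe))
        print(repr(probe), "hardened:  ", lookup_hardened(conn, probe))
```

The hardened version rejects the malformed values before they reach the database, so neither the apostrophe nor the `order by` probe produces a different response from any other bad input; that uniform behaviour is what denies the probing attacker the signal the chapter describes. Parameter binding alone would also neutralise the probes; the explicit integer check is there so the application returns a clean client error instead of relying on the driver's type handling.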