Chapter 4 SQL Injection
“For the want of a nail the shoe was lost, For the want of a shoe the horse was lost, For the want of a horse the rider was lost, For the want of a rider the battle was lost, For the want of a battle the kingdom was lost, And all for the want of a horseshoe-nail.” - Benjamin Franklin
In the previous lab we looked at the vsftpd backdoor, malicious code that attackers injected into the source of an open source FTP server. But what if the operating system and the services running on a machine have no known vulnerabilities? How do you get access to the machine then? The answer: through the web applications it hosts.
In this lab we will look at SQL injection, a vulnerability that occurs when software developers insert untrusted parameters into SQL queries without properly handling them. SQL is the language used to query tables in a database. For example, the following query returns the first and last name of the user whose Social Security Number is 555-5555-5555.
SELECT firstname, lastname from Users where SSN = '555-5555-5555';
To allow for more generic queries a programmer might replace the hard-coded SSN value 555-5555-5555 with a variable $id.
SELECT firstname, lastname from Users where SSN = '$id';
This allows the program to return the first and last name for any value of $id.
Vulnerability: Since the program simply splices the value of $id into the SQL text, an attacker can rewrite the query by supplying SQL of her own. For example, if she sets $id to `' UNION SELECT username, password from users where '' = '` (note the leading single quote, which closes the SSN string the program opened), the resulting query is:
SELECT firstname, lastname from Users where SSN = '' UNION SELECT username, password from users where '' = '';
The first half, SELECT firstname, lastname from Users where SSN = '', returns nothing, since no row has a blank SSN. Its empty result is then unioned with the result of the second SELECT, which returns the username and password of every row in users, because the condition '' = '' is true for all of them. The injected SELECT names exactly two columns so that it matches the two columns of the original query, as UNION requires. The program then displays those credentials where it expected to show a first and last name.
4.2 Your first manual SQL injection attack
Goal: Use SQL injection to obtain the usernames and passwords of the users of DVWA (Damn Vulnerable Web App) running on the Metasploitable server.
Step 1: Start your Metasploitable virtual machine and get its IP address with the ifconfig command. Type this IP address into the browser on your attacking machine.
Step 2: Login to DVWA using username: admin and password: password.
Step 3: Click on the DVWA Security tab
Step 4: Set the security level to low.
Step 5: Click on the SQL Injection tab.
Step 6: Execute a sample SQL injection attack: in the User ID box, enter a payload built like the UNION example in the introduction, starting with a single quote to close the string the application opened, so that the injected second SELECT returns the username and password columns in place of a first and last name.
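The following Python script is an added example, not part of the original lab, that reproduces the mechanism from the introduction and from the manual attack above against an in-memory SQLite database. The table layout, its rows and the function names are constructed for this example (a first-name/last-name lookup in the spirit of the lab, not DVWA's actual schema or data). It builds the query by string concatenation, as the `$id` example does, sends the UNION payload, and then performs the same lookup with a bound parameter, which is the fix.

```python
import sqlite3

# Constructed sample rows (not real DVWA data): user_id, first_name, last_name,
# login name, stored password. The table shape is an assumption for this example.
SAMPLE_USERS = [
    (1, "Alice", "Adams", "alice", "hash_of_alice_password"),
    (2, "Bob", "Brown", "bob", "hash_of_bob_password"),
    (3, "Carol", "Clark", "carol", "hash_of_carol_password"),
]

# The injected value from the introduction, adapted to this table: the leading
# quote closes the string the application opened, UNION appends a second SELECT
# with the same number of columns (two), and the trailing "'' = '" swallows the
# closing quote the application appends.
UNION_PAYLOAD = "' UNION SELECT user, password FROM users WHERE '' = '"


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The lab's pattern: splice the untrusted value into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The fix: send the value as a bound parameter, never as SQL text."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with the UNION payload."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_injected": sorted(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "safe_normal": lookup_safe(conn, "1"),
        # The payload is now just a string compared against user_id: no match.
        "safe_injected": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run it with python3: the concatenated query returns every login name and stored password when given the payload, while the parameterized lookup returns nothing for the same input. Note that the injected SELECT must return the same number of columns as the original query, which is why the payload selects exactly two.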
4.3 Using SQLMap
Step 1: Navigate to the SQL Injection tab in DVWA.
GOAL: We want to capture the URL (and the cookies) that the browser sends when the SQL Injection form is submitted, so that sqlmap can replay the same request.
Step 2: Open the browser's developer tools by pressing Ctrl-Shift-I and click on the Network tab. (This lets us capture the request. An intercepting proxy would work just as well.)
Step 3: Enter the value 1 in the User ID box and click Submit.
Step 4: In the Network tab, select the GET request generated by the submission and copy its full URL, including the query string.
Step 5: You will also need the cookies sent with that request (the DVWA session cookie and the cookie that records the security level); without them, sqlmap is sent to the login page instead of the vulnerable form.
Step 6: To start sqlmap on Kali, go to Applications → Database Assessment → sqlmap.
Step 7: Start sqlmap from the terminal that opens.
Step 8: Point sqlmap at the URL from your capture, passing the URL with -u and the cookie string with --cookie so that the request it sends matches the one you captured.
Answer yes to the prompts sqlmap shows. From our earlier test we already know that the id parameter is vulnerable, so we can stop the search there. Take a look at some of the payloads sqlmap tried: pretty creative, right?