Chapter 3 SQL Injection

“For the want of a nail the shoe was lost, For the want of a shoe
the horse was lost, For the want of a horse the rider was lost, For
the want of a rider the battle was lost, For the want of a battle the
kingdom was lost, And all for the want of a horseshoe-nail.”
- Benjamin Franklin

3.1 Background

In the previous lab we looked at the vsftpd FTP backdoor vulnerability that was maliciously injected into an open source implementation of an FTP server by hackers. But what if the operating system and services on a machine don't have any known vulnerabilities? Then how do you get access to the machine? The answer: through the web apps.

In this lab we will look at SQL Injection, a vulnerability that occurs when software developers incorrectly process parameters that are used in SQL queries. SQL is a language that is used to query tables in a database. For example, the following query returns the first and last name for the user whose Social Security Number is 555-5555-5555.

SELECT firstname, lastname from Users where SSN = '555-5555-5555';

To allow for more generic queries a programmer might replace the hard-coded SSN value of 555-5555-5555 with a variable $id.

SELECT firstname, lastname from Users where SSN = '$id';

This would allow the program to return the first name and last name for any value of $id.

Vulnerability: Since the program is simply inserting the parameter string into the SQL query, a hacker can edit the query by injecting her own. For example, if the hacker sets the value of $id to

' UNION SELECT username, password from users where '' = '

the resulting query is:

SELECT firstname, lastname from Users where SSN = '' UNION SELECT username, password from users where '' = '';

The first part, SELECT firstname, lastname from Users where SSN = '', will not return anything since there are no entries in the table with blank SSNs. This (empty) result is then unioned with the result of the second query, which returns the username and password for every entry in the users table, since every entry satisfies the condition '' = ''.
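The query construction the text describes, beside its parameterized form, as an added example that is not part of the lab. It assumes an in-memory SQLite database with constructed sample rows; because SQLite treats table names case-insensitively, one table stands in for both the Users and users tables of the text.

```python
import sqlite3

# Constructed sample data (not from the lab). One table holds both the
# firstname/lastname/SSN columns of "Users" and the username/password
# columns of "users", since SQLite does not distinguish the two names.
ROWS = [
    ("Alice", "Smith", "555-5555-5555", "alice", "s3cret"),
    ("Bob", "Jones", "555-5555-5556", "bob", "hunter2"),
]

# The injected value the text walks through.
INJECTED_ID = "' UNION SELECT username, password from users where '' = '"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (firstname TEXT, lastname TEXT, ssn TEXT, "
        "username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, id_value):
    # The pattern from the text: $id is pasted straight into the SQL string,
    # so quotes and keywords inside it become part of the query.
    query = f"SELECT firstname, lastname from Users where SSN = '{id_value}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, id_value):
    # Bound parameter: the driver sends the value separately from the SQL
    # text, so the whole injected string is matched as a literal SSN.
    query = "SELECT firstname, lastname from Users where SSN = ?"
    return conn.execute(query, (id_value,)).fetchall()


def demo():
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "555-5555-5555"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED_ID),
        "injected_safe": lookup_safe(conn, INJECTED_ID),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every username/password pair for the injected value, while the parameterized lookup returns no rows because no SSN equals that string.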

3.2 Your first manual SQL injection attack

Goal: Use SQL injection to obtain the usernames and passwords for the users of DVWA (Damn Vulnerable Web App) running on the metasploitable server.

3.2.1 Background

The Damn Vulnerable Web App (DVWA) is a web application that was built to showcase common web vulnerabilities. Before we can exploit the vulnerability we need to place the web app in a vulnerable state. DVWA is running on the metasploitable machine, so we need to connect to that machine and place the app in the vulnerable state before we begin the SQL injection attack.

Step 1: Start up your metasploitable virtual machine and get its IP address using the ifconfig command. Type this IP address into the browser.

Step 2: Login to DVWA using username: admin and password: password.

Step 3: Click on the DVWA Security tab.

Step 4: Set the security level to low.

FIGURE 3.1: The figure above shows the security level set to low

Step 5: Click on the SQL Injection tab.

Step 6: Execute a sample SQL injection attack. (need to say more here)

3.3 Using SQLMap

3.3.1 Background

Now that we have placed DVWA in a vulnerable state, we can use a project called sqlmap to perform SQL injection on the web app. This is a tool that is commonly used by attackers.

Step 1: Navigate to the SQL Injection tab in DVWA.

GOAL: We want to capture the URL that is associated with the SQL

Step 2: Open the Developer Console by pressing Ctrl-Shift-I and click on the Network tab. (This will allow us to capture the request. We could also use a proxy for this.)

Step 3: Enter the value 1 in the User ID box and click Submit. This sends a sample request.

Step 4: Select the GET request that was associated with the submission and retrieve the URL.

Step 5: You will also need the cookies that are associated with the request when submitting the form. The cookie can be found in the GET request, within the Cookies tab, or by entering the command "document.cookie" in the web console.

Step 6: To start sqlmap go to Applications→Database Assessment→SQL Map.

Step 7: Start SQLmap.

Step 8: Point sqlmap at the URL discovered in your earlier capture, together with the cookie, as shown below.

Select yes to the options below.

From our earlier test we know that the id parameter was vulnerable, so we will stop our search here.

Take a look at some of the payloads: pretty creative, right?