SQL Injection Attacks

Using Injection attacks

SQL Injection (SQLi) is a type of an injection attack that makes it possible to execute
malicious SQL statements. These statements control a database server behind a web
application. Attackers can use SQL Injection vulnerabilities to bypass application security
measures.
They can go around authentication and authorization of a web page or web application
and retrieve the content of the entire SQL database. They can also use SQL Injection to
add, modify, and delete records in the database.
An SQL Injection vulnerability may affect any website or web application that uses an SQL
database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain
unauthorized access to your sensitive data: customer information, personal data, trade
secrets, intellectual property, and more. SQL Injection attacks are one of the oldest, most
prevalent, and most dangerous web application vulnerabilities.

Simple SQL Injection Example

The first example is very simple. It shows, how an attacker can use an SQL Injection
vulnerability to go around application security and authenticate as the administrator.

The following script is pseudocode executed on a web server. It is a simple example of

authenticating with a username and a password. The example database has a table
named users with the following columns: username and password.

These input fields are vulnerable to SQL Injection. An attacker could use SQL commands
in the input in a way that would alter the SQL statement executed by the database
server. For example, they could use a trick involving a single quote and set
the passwd field to:
password' OR 1=1

As a result, the database server runs the following SQL query:

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'

Because of the OR 1=1 statement, the WHERE clause returns the first id from
the users table no matter what the username and password are. The first user id in a
database is very often the administrator. In this way, the attacker not only bypasses
authentication but also gains administrator privileges. They can also comment out the
rest of the SQL statement to control the execution of the SQL query further:

Check SQL injections Payload from https://justpaste.it/cm5sr

In this Lesson we will do a SQL Injection Attack using popular hacking tool Burp Suite ,
Download it from https://portswigger.net/burp/communitydownload its available in Kali
linux Distribution.

Consider below application.(Link to the application to be Provided to students).

Can you try to login to the system? Did you manage to guess the passwords used? , You
will try to hack above system using Dictionary Attack.

See Next Page for Practicals

Practical.
Start Burp Suite and Locate Proxy, Then Click Open Browser

On the browser that opens enter Link to eVital System , You’ll have something similar to
below screen. For this Practice you will use a remote Link(e.g http://192.168.43.78/Vital/)
not Localhost to access eVital (Link to be provided)
Ow, Set the Intercept On in Burp Suite, then on the browser open inn burp suite, type
username as admin and any password you know.(Guess) and click Login.

In the Above Screen, we see on the Left, Burp Suite has captured the Request we Sent.
We cam locate the username and password you submitted. Correct? Below is the
Response we get.
In above screen, right click and send to intruder, then click on the Intruder Tab in Burp
Suite as shown below. You can still see the username and password in the Intruder.

Next, On the Right side shown in red arrow click on Clear, then double click on the
Password value shown in Green Arrow, then Click Add shown in Red Arrow. The Password
is now highlighted as shown below Blue Arrow
We selected the password only meaning our Intruder will only provide a SQL Injections of
passwords not usernames. For username we use admin, This will try username admin
combined with a List of SQL Injections. Next click on Payloads Tab as shown below Red
Arrow. You can get sample SQL Injections from the Link. https://justpaste.it/cm5sr

Below shows the pasted SQL Injections.

Click on Start Attack. Shown in Orange Button. The intruder tries username admin
with all SQL Injections in the List, I get below screen showing that all passwords were
tested.

In above screen we assumed that there was an admin username, and we provided List of
Injections, To interpret the Results in above screen, we see all Injections were tested and
majority show a length of 5096 or 5095 (This is the response length after trying a given
Injection). But some of the injections has a different length of 3738? Why?

Argument: Could it be 5096 has the Majority because its wrong password, majority of
passwords are wrong? Then 3738 is for a right answer because its the only one? Or they
are few of them? Remember we can have several injections working from our List.

Lets try to login the system with username admin and injection ' or true-- . At this point
you can turn off the intercept from Proxy Tab.

Credentials worked. We were able to Login eVital with username admin and
password ' or true--. This is how Hackers gain access to systems that have SQL
injection vulnerability.
See Next screen, we can access data in eVital System admin portal. This shows that
eVital has failed to keep the users data Confidential in CIA triad.

Countermeasures.

How to Prevent an SQL Injection

The only sure way to prevent SQL Injection attacks is input validation and parametrized
queries including prepared statements. The application code should never use the input
directly.

Prepared Statements.

This includes having placeholders in our queries to avoid executing the variables directly
example; Recall our Flask application (%s Placeholders?)

sql = “INSERT INTO MyGuests (firstname, lastname, email) VALUES (%s, %s, %s)"

Placeholders make sure that an SQL injection provided will not execute together with the
SQL as the SQL does not specify the variables directly. The SQL is executed then values
are passed later hence avoiding SQL injection. See below

sql = “INSERT INTO MyGuests (firstname, lastname, email) VALUES (%s, %s, %s)"

cursor.execute(sql, (firstname, lastname, email))

Input validation
Input validation is the process of testing input received by the application for compliance
against a standard defined within the application. Input validations makes sure that the
application accepts valid inputs. I.e if its an Email, You must Enter an Email Format.

TODO Practicals on input Validations.

Check
https://github.com/modcomlearning/CyberCodes/blob/master/checkdigit.py
https://github.com/modcomlearning/CyberCodes/blob/master/checkEmpty.py
https://github.com/modcomlearning/CyberCodes/blob/master/checkEmail.py
https://github.com/modcomlearning/CyberCodes/blob/master/checkRegNo.py

Useful Links
https://infosecwriteups.com/sql-injection-payload-list-b97656cfd66b
https://portswigger.net/web-security/sql-injection