SQL Injection

The document is a project report by Sourav Dan on SQL Injection Exploitation, submitted for a Diploma in Computer Science and Technology. It covers the importance of cybersecurity, details on SQL injection attacks, their types, dangers, and a practical demonstration using the vulnerable website testphp.vulnweb.com. The report concludes with future implications of SQL injection and emphasizes the need for robust cybersecurity measures.

Uploaded by Rahul Rudra

SQL Injection Exploitation


A Project Report for Industrial Training and Internship

submitted by

Sourav Dan
( )

In partial fulfillment of the award of the degree of

Diploma in Computer Science and Technology

in the CST Department of Bishnupur Public Institute of Engineering

at Ardent Computech Pvt. Ltd.



CERTIFICATE FROM SUPERVISOR

This is to certify that Sourav Dan has completed the project titled "SQL
Injection Exploitation" under my supervision during the period from
“18.11.24” to “21.11.24” which is in partial fulfillment of requirements for
the award of the Diploma in Computer Science and Technology
degree and submitted to the Department of “CST” of “Bishnupur Public
Institute of Engineering”.

Signature of the Supervisor

Date: /

Name of the Project Supervisor: Rahul Rudra (BPIE, HOD of CST)



BONAFIDE CERTIFICATE

Certified that this project work was carried out under my supervision

“SQL Injection Exploitation” is the bonafide work of

Name of the students: Signature:

SIGNATURE
Name : Shashwat Dey

PROJECT MENTOR

ACKNOWLEDGEMENT

The achievement that is associated with the successful completion of any task would be incomplete without mentioning the names of those people whose endless cooperation made it possible. Their constant guidance and encouragement made all our efforts successful.

We take this opportunity to express our deep gratitude towards our project mentor, Mr. Shashwat Dey, for giving such valuable suggestions, guidance and encouragement during the development of this project work.

Last but not the least, we are grateful to all the faculty members of Ardent Computech Pvt. Ltd. for their support.

CONTENT
- What is cybersecurity?
- Why is cybersecurity important in today's world?
- What is SQL Injection in cyber security?
- What Are the Types of SQL Injection?
- Why Is SQL Injection dangerous in Cyber Security?
- Website: testphp.vulnweb.com
- Objective
- Task
- Future Scope
- Conclusion
- Bibliography

What is Cybersecurity?

Cybersecurity refers to the practice of protecting computer systems, networks, programs, and data from unauthorized access, exploitation, or damage. It encompasses a wide range of measures, technologies, and processes designed to safeguard digital information and assets against various cyber threats, including cyberattacks, data breaches, malware infections, and other malicious activities.

The primary goals of cybersecurity are to ensure the confidentiality, integrity, and availability of information. Confidentiality ensures that data is accessible only to authorized users, integrity ensures that data is accurate and trustworthy, and availability ensures that data and resources are accessible when needed.

Cybersecurity involves multiple layers of defense, including:

1. **Network Security:** This involves securing computer networks from unauthorized access or attacks, typically through firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs).

2. **Endpoint Security:** This focuses on protecting individual devices (such as computers, smartphones, and tablets) from malware, ransomware, and other threats using antivirus software, endpoint detection and response (EDR) solutions, and mobile device management (MDM) tools.

3. **Application Security:** This entails securing software applications and web services from vulnerabilities and exploits through secure coding practices, application firewalls, and regular security testing (such as penetration testing and code reviews).

4. **Data Security:** This involves protecting sensitive data from unauthorized access or theft using encryption, access controls, data loss prevention (DLP) solutions, and secure data storage practices.

5. **Identity and Access Management (IAM):** IAM focuses on managing user identities, authentication, and access privileges to ensure that only authorized users can access resources and data.

6. **Cloud Security:** With the increasing adoption of cloud computing, cloud security measures protect data, applications, and infrastructure hosted in cloud environments from cyber threats, ensuring data privacy and compliance with regulations.

7. **Incident Response and Disaster Recovery:** These processes involve preparing for, detecting, and responding to cybersecurity incidents (such as breaches or attacks) and implementing measures to recover from disruptions and minimize damage.

In today's interconnected world, where businesses, governments, and individuals rely heavily on digital technologies, cybersecurity is paramount for protecting sensitive information, preserving trust, and maintaining the stability of critical infrastructure and services.

Why is cybersecurity important in today's world?

Cybersecurity is crucial in today's world for several reasons:

1. **Protection of Sensitive Information:** In our digital age, organizations and individuals store vast amounts of sensitive data online, including personal information, financial data, intellectual property, and government records. Cybersecurity measures help safeguard this information from unauthorized access, theft, or manipulation.

2. **Prevention of Cybercrime:** Cybercriminals exploit vulnerabilities in computer systems, networks, and applications to commit various crimes, such as identity theft, fraud, and extortion. Effective cybersecurity measures help prevent cyberattacks and mitigate the impact of cybercrime on businesses, governments, and individuals.

3. **Preservation of Trust and Reputation:** A cybersecurity breach can have severe consequences for an organization's reputation and credibility. Customers, partners, and stakeholders expect their data to be handled responsibly and securely. By investing in cybersecurity, organizations can demonstrate their commitment to protecting sensitive information and preserving trust with their stakeholders.

4. **Protection of Critical Infrastructure:** Critical infrastructure sectors, such as energy, transportation, healthcare, and finance, rely heavily on computer systems and networks to deliver essential services. A cyberattack on critical infrastructure can disrupt operations, cause economic damage, and pose risks to public safety and national security. Robust cybersecurity measures are essential to safeguarding critical infrastructure from cyber threats.

5. **Compliance with Regulations and Standards:** Governments and regulatory bodies worldwide have implemented cybersecurity regulations and standards to protect sensitive data, prevent cybercrime, and ensure the resilience of critical infrastructure. Compliance with these regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), requires organizations to implement adequate cybersecurity measures.

6. **Protection Against Emerging Threats:** Cyber threats are constantly evolving, with cybercriminals developing new tactics, techniques, and procedures to bypass security defenses. Cybersecurity professionals must remain vigilant and adapt to emerging threats by implementing advanced security technologies, conducting regular security assessments, and staying informed about the latest cybersecurity trends and best practices.

7. **Support for Digital Innovation and Economic Growth:** Effective cybersecurity measures foster trust and confidence in digital technologies, enabling businesses and individuals to leverage the benefits of digital innovation without compromising security. By creating a secure digital environment, cybersecurity promotes economic growth, innovation, and competitiveness in the global marketplace.

In summary, cybersecurity is essential in today's world to protect sensitive information, prevent cybercrime, preserve trust and reputation, safeguard critical infrastructure, ensure regulatory compliance, mitigate emerging threats, and support digital innovation and economic growth.

SQL Injection

What is SQL Injection in cyber security?

SQL injection (SQLi) is a cyberattack that injects malicious SQL code into an application, allowing the attacker to view or modify a database. According to the Open Web Application Security Project, injection attacks, which include SQL injections, were the third most serious web application security risk in 2021. In the applications they tested, there were 274,000 occurrences of injection.

What Are the Types of SQL Injection?

Classic SQL Injection (In-Band)
- Error-Based: Exploits error messages to gather database information.
- Union-Based: Combines results of multiple SELECT queries to retrieve data.

Blind SQL Injection
- Boolean-Based: Observes application behavior (true/false responses) to infer data.
- Time-Based: Uses delays in responses to determine true/false conditions.

Out-of-Band SQL Injection
- Exploits external resources like DNS or HTTP to exfiltrate data (requires certain configurations).
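
The in-band cases listed above come down to whether request input is parsed as SQL or bound as data, which the following added example (not part of the original report) shows side by side. The schema, rows, sample inputs and function names are constructed for illustration and are not the acuart database.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory database; schema and rows are illustrative only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT);
        CREATE TABLE users (uname TEXT, secret TEXT);
        INSERT INTO artists VALUES (1, 'Artist One'), (2, 'Artist Two'), (3, 'Artist Three');
        INSERT INTO users VALUES ('demo_user', 'demo_secret');
    """)
    return db

def lookup_vulnerable(db, artist):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so the database parses caller-supplied input as query syntax.
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = " + artist
    return db.execute(sql).fetchall()

def lookup_safe(db, artist):
    # Hardened pattern: (1) reject anything that is not a plain integer,
    # (2) pass the value as a bound parameter so it is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", artist):
        return []
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = ?"
    return db.execute(sql, (int(artist),)).fetchall()

# Constructed request values: one normal, one boolean-style, one union-style.
SAMPLES = ["1", "1 OR 1=1", "0 UNION SELECT uname, secret FROM users"]

def compare(db):
    """Return {input: (rows from concatenated query, rows from bound query)}."""
    return {s: (lookup_vulnerable(db, s), lookup_safe(db, s)) for s in SAMPLES}

if __name__ == "__main__":
    for value, (bad, good) in compare(make_db()).items():
        print(f"{value!r}\n  concatenated: {bad}\n  parameterized: {good}")
```

With concatenation the second input returns every artist row and the third returns a row from the other table; the validated, parameterized lookup returns nothing for either.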

Why is SQL Injection dangerous in Cyber Security?

SQL Injection (SQLi) is dangerous in cybersecurity because it allows attackers to manipulate databases through vulnerable applications, leading to severe consequences. Here's why it's particularly hazardous:

1. Data Breach
   - Attackers can access, steal, or delete sensitive data, including personal information, financial details, or business-critical records.
2. Unauthorized Access
   - SQLi can be used to bypass authentication mechanisms, allowing attackers to gain admin-level access to systems.
3. Data Manipulation
   - Attackers can modify, corrupt, or delete data, disrupting business operations and causing financial or reputational damage.
4. System Compromise
   - By exploiting SQLi, attackers may execute commands on the server, gaining control of the underlying operating system or network.
5. Financial Loss
   - Companies face fines due to regulatory non-compliance (e.g., GDPR, HIPAA) and expenses from incident response, remediation, and lawsuits.
6. Reputation Damage
   - A successful SQL injection attack can severely harm an organization's credibility and trust with customers and stakeholders.
7. Scalability of the Attack
   - SQLi is easy to automate using tools like SQLmap, making it scalable for attacks on large numbers of systems.

testphp.vulnweb.com

“testphp.vulnweb.com” is a deliberately vulnerable website created by Acunetix for security testing and learning purposes. It allows cybersecurity professionals, students, and researchers to practice ethical hacking techniques like SQL Injection, XSS, and others in a controlled environment.

Objective:

To understand how SQL Injection works and how attackers hack databases in real life.

Task:

We used “SQLMap” for exploiting the SQL Injection vulnerability in “testphp.vulnweb.com”.

In the artist page we found an input parameter named “artist”.

URL: http://testphp.vulnweb.com/artists.php?artist=1

Now we took the help of SQLMap.

SYNTAX: sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs

sqlmap: To activate the tool

-u: To write the URL

--dbs: To fetch the available databases.

From this phase, we found one Boolean-based, one time-based and one UNION-based SQL Injection.
We also found two databases named acuart and information_schema.

After that we went through the acuart database and found the tables and columns.

This syntax is used to fetch the tables in the acuart database.

We found 8 tables in the database and after that we fetched the data from the “users” table.

This syntax is used to fetch the columns in the “users” table.

We got the information about the “user” table. After that we dumped the data as below:

We got some login credentials.

It works.
We successfully stole the credentials using an SQL Injection attack. And that’s how attackers or hackers hack website databases and sell the data.
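
From the defender's side, a scan like the one described above is visible in the web server's access log. The following added example (not part of the original report) flags requests whose `artist` value is not a plain integer or whose client identifies itself as sqlmap; the log lines, addresses and the tool version string are constructed samples in the common "combined" log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format (not from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2024:10:00:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Nov/2024:10:00:07 +0000] "GET /artists.php?artist=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.9 - - [18/Nov/2024:10:00:08 +0000] "GET /artists.php?artist=1%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 200 4100 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.4 - - [18/Nov/2024:10:01:00 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
"""

# client, method, request target, status, user-agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
SQL_TOKENS = re.compile(r"(?i)\b(?:union|select|sleep|benchmark|and|or)\b|--|'")

def findings(log_text, param="artist"):
    """Return {client_ip: sorted list of reasons} for suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, target, _status, agent = m.groups()
        reasons = set()
        if "sqlmap" in agent.lower():
            reasons.add("sqlmap user-agent")
        # parse_qs percent-decodes, so encoded spaces and '=' are seen in clear
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            if not re.fullmatch(r"[0-9]+", value):
                reasons.add("non-numeric artist value")
            if SQL_TOKENS.search(value):
                reasons.add("SQL keyword in parameter")
        if reasons:
            hits.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}

if __name__ == "__main__":
    for ip, reasons in findings(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

The user-agent header is supplied by the client, so the checks on the parameter's shape are the more durable signal.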

Future Scope

The future scope of SQL Injection (SQLi) attacks remains significant due to evolving technologies and persistent vulnerabilities. Here's a brief overview:

1. Targeting New Technologies:
   - SQLi may expand to attack cloud databases, microservices, and NoSQL environments as these technologies grow.

2. Automated and AI-Powered Attacks:
   - Tools using AI and automation will make SQLi more efficient, scalable, and harder to detect.

3. Advanced Attack Techniques:
   - Combining SQLi with other vulnerabilities, like remote code execution or supply chain attacks, to increase impact.

4. Increased Use in Ransomware:
   - SQLi could be used to access and encrypt sensitive database information for ransom.

5. Persistent Threat in Legacy Systems:
   - Organizations relying on outdated systems will remain highly vulnerable due to poor patching and maintenance.

Conclusion
SQL Injection attacks remain one of the most critical cybersecurity threats,
capable of compromising sensitive data, disrupting systems, and causing
significant financial and reputational damage. Despite their long history, SQLi
attacks continue to exploit vulnerabilities in poorly secured applications,
highlighting the need for robust defensive strategies. By implementing secure
coding practices, regular vulnerability assessments, and modern security
tools, organizations can significantly reduce the risk and impact of these
attacks. Proactive measures and continuous awareness are essential to stay
ahead in the ever-evolving landscape of cybersecurity.

Bibliography

- testphp.vulnweb.com
- chatgpt.com
- Github
- Geeks for geeks
- Portswigger
- Acunetix
