Network and Information Security Laboratory: Assignment No - 09 Title: Simulation of SQL Injection


PART A
 SQL Injection Attack:
 SQL injection is a code insertion or "injection" technique used to attack data-driven applications, in which malicious SQL statements are inserted or "injected" into an entry field for execution. A successful SQL injection exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE) or its schema (DROP/ALTER), and execute administrative operations on the database server.
 OWASP (the Open Web Application Security Project) lists Injection, of which SQL injection is the most common form, as A1, the number one risk, in its OWASP Top 10 2017 report.

 Types of SQL Injections:

Fig: Types of SQL Injection (classification recovered from the figure):
 In-Band SQLi: Error-based SQLi, UNION-based SQLi
 Inferential (Blind) SQLi: Boolean-based SQLi, Time-based SQLi
 Out-of-Band SQLi

 Various input strings that cause SQL Injection are:

 Anything' or 'x'='x (no closing quote is added to the payload: the closing quote already present in the application's query template completes the string).
 Anything' or 1 = 1
 UNION based SQL queries, for example against a URL parameter:
Url?dept_id=1 UNION SELECT column_name FROM users--+
(a UNION payload must select the same number of columns, with compatible types, as the original query; otherwise the database returns an error instead of the appended rows.)

 Commenting out part of SQL Query:

 While performing SQL Injection, we sometimes need to comment out the rest of the query that follows the payload, so that the application's trailing quote and conditions do not cause a syntax error.
 For example: password' or '1' = '1' -- (note the space after --), or password' or '1' = '1'# (# is a MySQL comment marker)
 For example (in URLs): something' or '1' = '1' --+ (MySQL requires whitespace after --; in a URL the + is decoded as a space, so it survives where a trailing literal space might be trimmed away).
 Installation Steps
 OS Configuration:
Windows 10, 64-bit Operating System

 Local Server: XAMPP (Cross-Platform Apache, MySQL, PHP, Perl)
Apache HTTP Server, version 2.4.41
XAMPP Control Panel, version 3.2.4

Fig: XAMPP Control Panel

 Database: MySQL
Database Name: test_db
Table Name: users
Column Names: username, password

Fig: Database Structure Fig: users table


 Demonstration of actual SQL Injection Attack
 A login page has been designed to take a username and password from the user.
This login page is connected to the MySQL database. The username and password
are cross-checked against the credentials stored in the users table.

Fig: Login Page Design

 The login page is accessed using the Apache Local Server


http://localhost/login.html
 To perform SQL Injection, the username is input as admin and the password as
admin@123' OR 'a'='a, or simply ' OR 'a'='a
 The normal SQL statement for login is:
SELECT * FROM users WHERE username='admin' AND password='admin@123'

 After adding the extra input to the password field, the SQL statement becomes:
SELECT * FROM users WHERE username='admin' AND password='admin@123' OR 'a'='a'

Because AND binds more tightly than OR, the database evaluates this as
(username='admin' AND password='admin@123') OR 'a'='a'. Since 'a'='a' is true
for every row, the WHERE clause matches every row of users: the query returns the
whole table (which is why the users table is exposed) and the application, seeing
a non-empty result, logs the user in without a valid password.

Fig: SQL Injection


Fig: users table exposed after SQL Injection

 Prevention of SQL Injection


 SQL Injection can be prevented using Prepared Statements (parameterized queries). In this
example, PDO is used.
 PDO (PHP Data Objects) is a database abstraction layer that lets developers work with
many different database systems through one interface, with bound parameters
supported on all of them.
 The first step is to connect to the database using:

 Next, prepared statements are written with placeholders where the data goes, rather
than the data itself; the values are bound and sent separately when the statement is
executed. Prepared statements prevent SQL Injection because the database parses the
SQL text before the data arrives, so nothing in the input can change the structure of
the statement: a quote or an OR typed into the password field is compared as a literal
string, never interpreted as SQL.
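The following is an added example, not the assignment's own login code. It puts the vulnerable query built by string concatenation (Part A's payload strings and the login bypass shown above) next to the PDO prepared statement described here. It assumes PDO with an in-memory SQLite database so it runs stand-alone; against the XAMPP setup only the DSN (for example 'mysql:host=localhost;dbname=test_db') changes, the PDO calls are identical. The table and column names (users, username, password) follow the assignment; the plain-text passwords only mirror the lab setup.

```php
<?php
// Added example (not the assignment's own code). Uses PDO with an in-memory
// SQLite database so it runs stand-alone; against XAMPP/MySQL the PDO calls
// are identical, only the DSN ('mysql:host=localhost;dbname=test_db') differs.
// Table and column names (users, username, password) follow the assignment.
// Plain-text passwords are kept only to mirror the lab setup; real systems
// store password hashes (password_hash()/password_verify()).

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
    $pdo->exec("INSERT INTO users VALUES ('admin', 'admin@123'), ('alice', 's3cret')");
    return $pdo;
}

// VULNERABLE: user input is concatenated straight into the SQL text, so a
// quote in the input closes the string literal and the rest becomes SQL.
// Returns the rows the query matched so the caller can see what leaked.
function vulnerableLogin(PDO $pdo, string $username, string $password): array {
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    echo "  query: $sql\n";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the values travel separately
// as parameters, so a quote inside them can never end the string literal.
function safeLogin(PDO $pdo, string $username, string $password): array {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// Constructed test inputs: valid credentials, the assignment's payload in the
// password field, and a comment-style payload (-- ) in the username field.
$attempts = [
    'valid credentials'     => ['admin', 'admin@123'],
    "password: ' OR 'a'='a" => ['admin', "' OR 'a'='a"],
    "username: admin' -- "  => ["admin' -- ", 'wrong'],
];

foreach ($attempts as $label => [$user, $pass]) {
    echo "== $label ==\n";
    $rows = vulnerableLogin($pdo, $user, $pass);
    printf("  vulnerable query matched %d row(s): %s\n",
        count($rows), implode(', ', array_column($rows, 'username')) ?: '(none)');
    $rows = safeLogin($pdo, $user, $pass);
    printf("  prepared statement matched %d row(s): %s\n",
        count($rows), implode(', ', array_column($rows, 'username')) ?: '(none)');
}
```

With the ' OR 'a'='a password the vulnerable query matches both rows (the whole users table, as in the figure), and the admin' -- username matches the admin row with any password because the comment removes the password check. The prepared statement matches a row only for the valid credentials; for the two payloads it returns nothing, since the entire input is compared as one literal string.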

 The login page is again accessed using Apache Local Server


http://localhost/login.html
 The login page accepts username and password as input. Here the password field
is given the input ' OR 'a'='a and the login is denied as invalid credentials, because
the whole string is compared with the stored password as a literal value and no row matches.

Fig: SQL Injection Prevention


Fig: SQL Injection Failed (Invalid Credentials)

 For valid input, access is granted

Fig: Valid Credentials

Fig: Login Successful for Valid Credentials
