How to train your skills in SQL Injection

ABSTRACT

To defend your company, you need to know how it will be attacked.

Once the systems and services on the target network have been identified, the next step is to find which of them have known vulnerabilities or paths that can be exploited to break in. In this article we exploit flaws in web applications.

Through the vulnerabilities and attack vectors found, we gain access to the database and can launch attacks aimed at obtaining unauthorized access with the highest level of privileges possible.

INTRODUCTION

Python is a high-level, multi-platform and very intuitive language, created in 1991 by Guido van Rossum for teaching programming. Python is an interpreted language, like Perl and shell script, which means the code does not need to be compiled before it runs. It is object-oriented and has an extensive standard library for processing XML and HTML, working with databases and more. One of Python's characteristics is that it is a strongly typed language: a variable takes on a certain type and keeps that type unless it is recreated.

FUNDAMENTALS

sqlmap is an open source tool for the SQL injection technique, developed in Python and widely used by pentesters. Its goal is to automate the process of detecting and exploiting SQL injection vulnerabilities in web applications and sites. Once it detects one or more SQL injections on a target, the user can choose from a variety of options that sqlmap provides to explore the data stored in the database: it can take complete control of the database servers behind vulnerable web pages, including databases outside the compromised system, and extract the list of users, passwords, privileges, tables and more. It has a powerful detection engine employing the latest penetration testing techniques for SQL injection, and it can execute commands on the operating system via out-of-band connections.

CONCEPTS

Many web developers do not know how SQL queries can be manipulated and assume that an SQL query is a trusted command. This allows SQL queries to circumvent access controls, bypassing standard authentication and authorization checks, and sometimes an SQL query may even give access to a command shell at the operating system level of the server.
Direct injection of SQL commands is a technique in which an attacker creates or alters existing SQL commands to expose hidden data, overwrite valuable data, or even execute dangerous system-level commands on the server.
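As an added example (not code from the article or from bWAPP), the Python below builds a minimal "search for a movie" feature over an in-memory SQLite table and shows the concatenated query the article describes beside its parameterised fix; the table, rows and function names are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for bWAPP's movie table (not the real schema or data).
MOVIES = [
    (1, "Iron Man", 2008),
    (2, "The Matrix", 1999),
    (3, "Letsgopentest", 2015),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", MOVIES)
    return conn

def search_vulnerable(conn, term):
    # The flaw the article targets: user input is pasted into the SQL text, so the
    # quoting and the WHERE logic of the statement are under the user's control.
    sql = "SELECT title FROM movies WHERE title LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, term):
    # Mitigation: a parameterised query. The input is bound as a value and never
    # parsed as SQL, so a probe string is just an unlikely movie title.
    sql = "SELECT title FROM movies WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def quote_breaks_query(conn):
    # A lone quote leaves the concatenated statement unparseable. The resulting
    # database error is one of the signals a scanner such as sqlmap looks for,
    # and a good thing to alert on in application logs.
    try:
        search_vulnerable(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    conn = make_db()
    honest = "Matrix"
    tautology = "' OR '1'='1"  # closes the quote and adds an always-true condition
    return {
        "vuln_honest": search_vulnerable(conn, honest),
        "vuln_tautology": search_vulnerable(conn, tautology),
        "fixed_honest": search_fixed(conn, honest),
        "fixed_tautology": search_fixed(conn, tautology),
        "quote_error": quote_breaks_query(conn),
    }
```

Calling demo() shows the vulnerable search returning every row for the tautology input while the fixed search returns nothing for it.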

Requirements:

bWAPP and WebScarab

Apache (you can set it up with XAMPP)

sqlmap.py (if you use Kali Linux, sqlmap is ready to use ;)

What the reader will learn

The basics of SQL injection

Pentesting with Python

Familiarity with security tools

Author's notes:

1) Move the directory 'bWAPP' (extract it first) and its entire content to the root of your web server.

3) Give full permissions to the folders 'passwords' and 'images'.

Example

chmod 777 passwords/

chmod 777 images/

4) Edit the file 'admin/settings.php' with your own database connection settings.

Example

$db_server = "localhost"; // your database server (IP/name), here 'localhost'
$db_username = "root"; // your MySQL user, here 'root'
$db_password = ""; // your MySQL password, here 'blank'

5) Browse to the file 'install.php' in the directory 'bWAPP'.

Example

http://localhost/bWAPP/install.php

6) Click on 'here' (Click 'here' to install bWAPP).

The database 'bWAPP' will be created and populated.

7) Go to the login page. If you browse to the bWAPP root folder you will be redirected there.

Example

http://localhost/bWAPP/

http://localhost/bWAPP/login.php

8) Log in with the default credentials or create a new user.

Default credentials: bee/bug

Now you are ready to start, let's hack ;)

STEP BY STEP

Figure 1) Run the command webscarab (in Kali Linux).

Figure 2) The WebScarab interface.

Figure 3) Open bWAPP, the vulnerable application.

Figure 4) Open the browser settings for proxy configuration.

Figure 5) Choose 'Manual proxy configuration', enter localhost with port 8080, and click OK.

Figure 6) Enter the login and password in the vulnerable application; the submitted variables appear in WebScarab.

Figure 8) The application authenticates the user.

Figure 9) The moment the application's request is intercepted by WebScarab. We can see the POST method in WebScarab.

Figure 10) Find a place in the application where data can be entered: "SEARCH FOR A MOVIE".

Figure 11) Enter the data Letsgopentest.

Figure 12) Intercept the website with the proxy.

Figure 13) Save everything that was intercepted.

Figure 14) Open sqlmap and enter the command sqlmap -r /root/Desktop/sqlinjection/conversations/7-request --dbs

sqlmap = the tool that will run the SQL injection.

-r = sqlmap option that loads the request from the file 7-request.

--dbs = sqlmap option that enumerates the databases.

/root/Desktop/sqlinjection/conversations/ = path where the request captured by WebScarab was saved.

7-request = the vulnerable request.
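As an added example, not from the article, sqlmap or WebScarab, the Python below parses a saved request of the kind -r reads (a raw HTTP request written to disk by the proxy), lists the GET/POST parameters a scanner treats as injection points, checks the Content-Length, and produces a copy with the session cookie masked for the test report; the path, parameter names and cookie values are constructed placeholders, not taken from bWAPP.

```python
from urllib.parse import parse_qsl

# Constructed sample of a saved POST, shaped like the raw HTTP request a proxy such as
# WebScarab writes to disk. Path, parameter names and cookie values are placeholders.
SAVED_REQUEST = (
    "POST /bWAPP/example_search.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "Cookie: PHPSESSID=constructedsession; security_level=0\r\n"
    "Connection: close\r\n"
    "\r\n"
    "title=Letsgopentest&action=search"
)

def parse_saved_request(raw):
    """Split a raw HTTP request into request line, headers and decoded parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [("query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body, "params": params}

def injection_points(req):
    """Names of the GET/POST parameters a scanner tests first; the session cookie
    in the file is what keeps those tests inside the logged-in session."""
    return [name for _, name, _ in req["params"]]

def length_matches(req):
    """Sanity check for hand-edited files: Content-Length must equal the body size."""
    declared = req["headers"].get("content-length")
    return declared is not None and int(declared) == len(req["body"].encode())

def redact_cookies(raw):
    """Copy of the request safe to paste into the test report: cookie values masked."""
    out = []
    for line in raw.split("\r\n"):
        if line.lower().startswith("cookie:"):
            line = "Cookie: [redacted]"
        out.append(line)
    return "\r\n".join(out)
```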

Figure 15) Now you can see the databases.

Figure 16) The bWAPP database.

Figure 17) Command to list the tables.

Figure 18) Tables.

Figure 19) Command to see the columns.

Figure 20) Columns.

Figure 21) Command to see the users.

Figure 22) The users table.

Figure 23) Run the command to dump the tables.

Figure 24) After this command, you see the question about using other tools to get the users.

Figure 25) Question about using a dictionary attack.

Figure 26) Choose the dictionary you want to use.

Figure 27) Select Y.

Figure 28) Run the dictionary attack.

Figure 29) Dump the users.

Figure 30) Command to find out whether the user is a DBA.

Figure 31) The user is a DBA.

Figure 32) Show the user's privileges.

Figure 33) You can see the user's privileges.

DOCUMENTATION AND REPORTING

Documentation must be produced throughout the test in order to keep a transparent record of all activities: the project scope, the tools used, the dates and times of the tests, a list of all identified and exploited vulnerabilities, and recommendations for implementing improvements.

CONCLUSION

Information is an important and essential asset in the business environment. With the increased interconnectivity of organizations, their information becomes more exposed and therefore more susceptible to threats and vulnerabilities. Information is presented, stored and shared in several ways. Information security provides protection for all these forms of information, ensuring business continuity while minimizing risk and protecting the return on business investment by implementing an appropriate set of controls. With the evolution and growing sophistication of malicious attacks, organizations are increasingly exposed to threats, making information security necessary to protect business assets.

About the authors:

Diego Barboza Pereira is an Information Security Consultant at CIPHER Intelligence LAB, focusing on Penetration Testing, Vulnerability Assessment, Analysis and Mitigation. He is a Computer Engineer with an interest in the web application security field. He holds the SUSE Certified Linux Administrator, LPIC-1 Junior Level Linux Certification and ISFS (Information Security Foundation based on ISO/IEC 27002) certifications, has taken part in many projects for banks and companies in Brazil, and has a YouTube channel about information security called Letsgopentest.

Rafael Fontes Souza is an Information Security Consultant at CIPHER Intelligence LAB, focusing on Penetration Testing, Vulnerability Assessment, Analysis and Mitigation.

He communicates well with groups and the general public, started studying (SQL databases) at thirteen, is a member of the French Backtrack Team, and helps to improve security and develop software for HackersOnlineClub (India).

He contributes articles and interviews to magazines and websites in countries such as Poland, Pakistan, the USA and Indonesia.

He has been an accepted speaker at many security conferences and related events such as DefCamp, Secure Brasil, Hack in The Box, ISSA, ICSN, Hack Miami, CyberSecurePakistan, Ciberguard and others.

July 2, 2015

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013