From the course: CompTIA PenTest+ (PT0-003) Cert Prep

SQL injection demo

SQL injection is the granddaddy of all injection attacks. It's been around for really a long time, pretty much as long as distributed applications have been around and even host-based applications. But we still see these exploits over and over again, and we see the vulnerabilities continue year after year after year. The reason behind that is that developers do not pay enough attention to sanitizing the input. That's all it takes to stop SQL injection attacks in their tracks, sanitize the input. It doesn't happen, but that means the vulnerabilities are still there and we have to test for them. So let's take a look at how a SQL injection attack actually occurs. We're gonna go back into Kali and we're going to use Kali to attack our Damn Vulnerable Web Application. So the first thing we're gonna do is let's launch our web browser and let's go into our DVWA box. So we know it's at 10.10.1.11. And if we log in, it asks me to, actually, if we connect, we're asked to log in, go into admin, and password is the password. And now we are in the web app itself. The first thing we need to do for this particular attack is change our security. To make it obvious what's happening, I'm gonna change our security to low. So I'm gonna change it to low, make sure I click on Submit. And now I'm going to go into the SQL injection attack. So, let's see what's there. If we look at user one and submit, we see user one is admin, admin. User two is Gordon Brown. So we're gonna use user two. So let's take a look at user two. Let's go up to our address bar and we see the query right there. We have our URL, 10.10.1.11/vulnerabilities/ SQL injection, sqli/id=2. So what happens if we use a special character? A single quote? A single quote basically tells SQL, the SQL language, that we've terminated a command and we're going to provide more stuff. All right, let me show you again. If I just say input two, it shows me Gordon Brown.
But if I say, 2' order by 1 #, and submit that, notice it didn't gimme an error this time. The order by one seemed to work. Hmm. All right, well let's try this. Now what I'm telling SQL to do is to order or sort by column number one. So clearly we have column number one. What if I said order by two? Okay, well that worked as well. What does that mean? That means we have at least two columns in our SQL table that we're querying. All right, let's try three. Hmm. It didn't seem to like that. All right, so it looks like we just have two columns there. So what this told us was we have two columns in this table that we're trying to query. So the idea is we can do all kinds of interesting things. What if we try to extend it a little bit more by saying, instead of order by, let's try union, which in SQL means I'm going to add another command and I'm gonna produce the output as a union of the two outputs. So I'm gonna union that with the command select 1,2. All right, what that means, I wanna select all the data in columns one and two, add that to whatever output is coming back to my webpage. When I submit that, notice we get more than this now. Now we get first name and surname for two different, well, it's the same ID, but it's union. So it shows us more than just the first name and the surname. It gives us a little bit more information. And if we had more columns, we could ask for more data. Now, we're not teaching SQL here, and so it's not expected for you to know what all the SQL commands are. The idea that you need to take away from this really short demo is simply that if we're not sanitizing, if the application is not sanitizing input, you can use the single quote and add more SQL commands to do more and more things. It's very tedious if you do this manually like we're doing here, but there's a tool that'll help us do it a little bit easier. So let's go look at the tool. If we go look at SQLMap, SQLMap is going to allow us to do a lot of things here.
And if we just simply give SQLMap the URL that we were just using, 10.10.1.11/vulnerabilities/sqli/id=2, that's what we've been using, submit, submit, we can let SQLMap do all of our work. The problem is that we have to give it a cookie because SQLMap needs a valid login. So if we go back over here to Firefox, remember we logged in already? When we logged in, the application gave us a cookie, which is our session ID. So we need to grab our cookie and give it to SQLMap so that SQLMap can pretend to be us. So how do we do that? We need to go into the developer tools. If I just press Control + Shift + I, it brings me back into my inspector mode, basically. It takes me into inspector mode and lets me look at everything that's going on. So if I click on Network and then reload the page, this shows me what's being sent back and forth. And notice this top level here is the command that I sent. If I click on that first top level, which is the command, which includes my union, select, so on and so forth, move over to the right-hand side, click on Headers, notice it gives me the cookie down here at the bottom. So I'm going to copy that cookie. That is the session ID for my session. And I'm gonna give that to SQLMap. And all I did was I just copied it from one place and pasted it in. And here's my URL. I'll stretch this out so it looks a little bit nicer. There we go. So I'm gonna give SQLMap the URL that I used. Simply, 10.10.1.11/vulnerabilities/sqli/id=2&Submit=Submit. So that's what I copied from the address bar. And then I'm gonna say --cookie= and I'm gonna paste in that cookie. If I enter this, SQLMap does all the hard work for me. He said, "It looks like the backend is MySQL. Do you wanna skip test payloads specific for other DBMSes?" Sure, if you figured out it's MySQL, I don't need you to test out all the Oracle and the SQL servers. "In the remaining tests, do you wanna include all tests for MySQL?" Sure, why not?
And so this is automatically allowing us, or is actually automatically testing out all this stuff that I was typing in by hand, and gives us a lot of input back. And let's see, it tells me that "the GET parameter ID is vulnerable. Do you wanna keep testing the others, if any?" Eh, yeah, sure. Um, nah, we'll just stop it right there. So basically what that told me was you can use this type of query. In other words, the parameter ID. It's Boolean based and the title is this, and here's our payload we can use for further application attacks. So MySQL, what he does is he just automatically tries all these different types of SQL injection attacks, tells us which column is vulnerable, and how we might use that to construct another attack. So that's the basis of SQL injection attacks. If you find a website and you can grab an actual login, you grab an actual session cookie, you can give that to SQLMap and it will do all the hard work to tell you how you can further attack that web application.
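The demo's point is that the string-built query lets a single quote end the id literal, so the ORDER BY error reveals the column count and UNION SELECT 1,2 adds a row to the page. The following is an added example, not code from the course or from DVWA: it rebuilds that behaviour against a constructed two-row SQLite table (the schema and rows are assumptions, chosen to match the "admin admin" and "Gordon Brown" results seen in the demo), puts the parameterized query beside it, and shows that the same payloads leak nothing once the id is bound as a value. SQLite takes `-- ` as its line comment where DVWA's MySQL backend also accepts `#`, which is the only change to the payloads.

```python
import sqlite3

# Constructed stand-in for the users table queried in the demo (not DVWA's own
# schema or data): two rows, matching the "admin admin" and "Gordon Brown" results.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the 'low' security level: the id is spliced into the SQL text, so a
    quote inside it closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: a bound parameter is delivered as a value and never parsed as SQL,
    so quotes, ORDER BY and UNION inside it are just text that matches no user_id."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# The address-bar payloads from the demo, with SQLite's "-- " in place of MySQL's "#".
ORDER_BY_PAYLOAD = "2' ORDER BY {n} -- "
UNION_PAYLOAD = "2' UNION SELECT 1,2 -- "


def column_count_leak(conn, lookup, max_cols=10):
    """Replays the ORDER BY step: the first n that raises an error is one past the
    column count. Returns that count, or None if no error ever occurs, i.e. the
    lookup leaks nothing about the table shape."""
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, ORDER_BY_PAYLOAD.format(n=n))
        except sqlite3.OperationalError:
            return n - 1
    return None


if __name__ == "__main__":
    db = make_db()
    print("normal id, vulnerable:    ", lookup_vulnerable(db, "2"))
    print("normal id, parameterized: ", lookup_parameterized(db, "2"))
    print("column count leaked (vulnerable):   ", column_count_leak(db, lookup_vulnerable))
    print("column count leaked (parameterized):", column_count_leak(db, lookup_parameterized))
    print("union payload, vulnerable:    ", lookup_vulnerable(db, UNION_PAYLOAD))
    print("union payload, parameterized: ", lookup_parameterized(db, UNION_PAYLOAD))
```

Running it, the vulnerable lookup reports two columns and returns the injected `(1, 2)` row next to Gordon Brown, while the parameterized lookup returns the same single row for a plain `2` and an empty result, with no error, for every payload. That empty, error-free result is what "sanitizing the input" buys in practice, and the payload-versus-function pairing is a useful regression test to keep next to any query that is rewritten from string building to bound parameters.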
