If you can see this check that

Main Page


Database Pentesting - SQL Injection Testing/Attacks

User:
Password:

Authors: Rich Macfarlane, Gordon Russell

Aim: To investigate SQL Injection testing/attack methods, firstly follwing a manual methodology, and then using tools from the Kali Linux platform to automate similar testing methods.

To reset all the check buttons from a previous attempt click here

Question 1: SQL Target Initialise

Press this button to crete the data store test bed, before we explore SQL testing/attack methods. If your machine is reset or you reboot then you may have to press this button again.

Tests - not attempted
Init Script UNTESTED
DB Seems ok UNTESTED
pricecheck works UNTESTED

Question 2: Db Testing - SQL Injection Methodology

A number of database tables and scripts have been installed on your kali machine. These are very simple scripts, but should allow you to explore some of the methods in an end-to-end SQLi process, as covered in the lecture materials.

In order to run the scripts, you can use a browser from within Kali (and if you get any issues this is the easiest way), or can your own computer's browser. From your own machine's browser, and from the linuxzoo "connect" tab in the control panel click on the "VM Web" link. This will open a browser window onto your own Kali apache2 server. The url is in the form of http://host-?-?.linuxzoo.net, where the first ? should be the 3rd octet of your VM IP, and the last ? is your 4th octet. If using Kali browser you can simply connect to localhost (or 127.0.0.1) which the web app script is running on. Edit the address line by adding the following to the end of the URL:

/cgi-bin/stock.pl
When you check the price of eggs by clicking on the link a new page appears with information on eggs. Analyse this request and response. HINT: look at the response URL in your browser address field, or the source code for the form.

What is the HTTP request method used to get the price of eggs?
What is the form variable name/parameter used in generating the eggs information? variable name:

Tests - not attempted
Method right UNTESTED
Variable name UNTESTED

Check for SQLi Vulnerability/Injection Point - Check if the code data value/HTTP Request is Vulnerable

On the address line of the response page, modify the HTTP form variable to inject a ' after the valid code for eggs, or replace the code with a ':

stock.pl?code=01550041'
stock.pl?code='
This should check if we can send our own SQL through to the Database query created by the application, unbalancing the string in the WHERE clause in this case.

Tautology SQLi - Inject SQL to force SELECT to Return All Rows

On the address line of the response page, modify the form variable to inject

' OR 2=2 --
As the comment needs a space after, remember to continue to add the URL encoded space value %20 after the "--". This should bypass the aspect of the SQL where it only shows information on eggs, setting the WHERE clause to TRUE. This database dump may be useful for later questions.

How many different items are stored in the database?
number of items:
What is the name of the item with the highest code number?
item name:

Tests - not attempted
Number of items UNTESTED
last item UNTESTED

This stock.pl script must have an SQL query in it, returning a number of columns.

Use the UNION SELECT NULL technique and identify how many columns are actually being queried in this SQL query you are injecting into.

Number of columns that it confirms in the SQL query:
Column number:

Tests - not attempted
Columns in SQL query UNTESTED
Access log looks plausable UNTESTED

Find out the name of the table being queried using fuzzing.

Take your previous SQL injection you used to work out the number of columns and add to the end "from TABLENAME", where the TABLENAME needs to be guessed. As this is all about stock and inventory, try one of the following tablename candidates:

stock
stocklist
stockinfo
items
inventory
stockinventory
iteminventory
investorylist

Name of the table:

Tests - not attempted
Table name UNTESTED
Access log looks plausable UNTESTED

Find out the name of one of the columns in this table using fuzzing.

Combine your previous SQL injection which you used to work out the number of columns, and replace one of the NULL entries with a guess as to the item codes column name. Try the following candidates:

code
item
id
barcode
itemid
codeid
barid
idcode

Name of the barcode column:

Tests - not attempted
Table name UNTESTED
Access log looks plausable UNTESTED

Find out the name of another missing column in this table using fuzzing.

Combine your previous SQL injection and replace one of the other NULL entries with a guess as to the item codes column name. As this is about stock it seems plausable that the missing column is about how much stock is available. Try the following candidates:

stockno
stocknumber
itemsinstock
instock
totalstock
totalitems
total
available
itemsavailable

Name of the stock count column:

Tests - not attempted
Table name UNTESTED
Access log looks plausable UNTESTED

Recall your first injection where you discovered all the items in the database and their codes? Use that to find the row for milk in this injection. How much milk is in stock?

Milk in stock:

Tests - not attempted
Milk stock UNTESTED

In your SELECT injection go back to the example with all columns NULL. Explore the metadata of the database using this UNION SELECT hack, making use of the first NULL to run some additional functions.

Use the first attribute and find out the username of the database user being hacked. This is in the form of "thename@machinename". This is done using a mysql function.

database user:

Tests - not attempted
User correct UNTESTED
Access log looks plausable UNTESTED

Use the first attribute and find out the version of the mysql database being hacked. This is done using a mysql variable. The output with have numbers, dots, minus signs, and potentially extra information after a plus character.

database version:

Tests - not attempted
Version correct UNTESTED
Access log looks plausable UNTESTED

Use the first attribute and find out the name of the database (i.e. the schema name) which we are using. This is a mysql function.

database schema name:

Tests - not attempted
Schema name correct UNTESTED
Access log looks plausable UNTESTED

With the database name and your SQL injection, use your injection and with the first NULL column change that to select the "table_name" from "information_schema.tables", restricting your query to those which have the "table_schema" set to the database name identified above.

Number of tables:
Likely table name of the application users:

Tests - not attempted
Number correct UNTESTED
Table name guess ok UNTESTED
Access log looks plausable UNTESTED

Using "information_schema.columns", what are the column names (known as column_name) of the table which you suspect of being the user information table in this database schema? In your query restrict the injected query to only the correct table_schema and table_name. Enter the column names in alphabetical order.

Column 1:
Column 2:

Tests - not attempted
Column 1 looks ok UNTESTED
Column 2 looks ok UNTESTED
Access log looks plausable UNTESTED

Now extend your original SQL injection, using the name of the application user's table and the newly discovered column names to access the application's user table information, showing the usernames and passwords.

What is the password for user "clever"?
password:

Tests - not attempted
Password correct UNTESTED
Access log looks plausable UNTESTED

Again extending your original SQL injection, make use of the LOAD_FILE function to access /etc/passwd. The password file has the following repeating format:

username:x:userid:groupid:/home:/bin/bash

Using this information, what is the first username seen in /etc/passwd using this injection?
username:

Tests - not attempted
Username correct UNTESTED
Access log looks plausable UNTESTED

The output of the above is a little messy to read. Use the CONCAT command and concat the output of LOAD_FILE between the html strings "<pre>" and "</pre>" Repeat your experiment with this new formatting...

Using this information, what is the userid for the username ntp? In /etc/passwd, columns are seperated by ':', and userid is column 3.
NTP user id:

Tests - not attempted
User id correct UNTESTED
Access log looks plausable UNTESTED

Question 3: More SQLi Fun

Consider the script /cgi-bin/card.pl

Although this is technically using the POST method, the script takes information via the GET method too, as this makes life a lot nicer for us!

Look at the html source for the form. What is the name of the text box?

text box form name:

Tests - not attempted
Textbox name UNTESTED

Try looking at "tony", using a GET request. His credit card details are obscured...

Inject SQL to negate the test restricting the checks to "tony", so that all user's details can be returned.

How many credit cards are stored in the database?

Tests - not attempted
Card number correct UNTESTED
Access log looks plausable UNTESTED

How many columns are used in the SQL query related to this injection attack in card.pl?

Number of columns that it confirms in the SQL query:
Column number:

Tests - not attempted
Columns in SQL query UNTESTED
Access log looks plausable UNTESTED

Which of the columns is the one related to the credit card number? Inject the card "9999-9999-9999-9999" into each column and see which appears in the output.

Column number of the card column (numbered from 1).
Column number:

Tests - not attempted
Columns in SQL query UNTESTED
Access log looks plausable UNTESTED

On the basis that the credit card information is held in a table called "ccards", and the username field is "uname" and the credit card number in "code", use substring and concat to access characters 1-4 of the credit card number associated with "tony".

BE WARNED. The format of the credit card number has to be groups of 4 with hyphens or the script will block the display.

Digits 1-4 of tony's card
First 4 codes:

Tests - not attempted
First 4 codes UNTESTED
Access log looks plausable UNTESTED

Continue that technique and build tony's complete credit card number.

Tony's complete card in the form XXXX-XXXX-XXXX-XXXX.
Card Codes:

Tests - not attempted
Card code is right UNTESTED
Access log looks at group 2 UNTESTED
Access log looks at group 3 UNTESTED

Question 4: SQli Tools: SQL Map

Not you have seen the weaknesses that exist in the two target scripts, and exploited those manually... now experience the power of the automated tools!

Use sqlmap from a Kali Linux terminal window to fingerprint the target app and db. Use the same injection point:

http://127.0.0.1/cgi-bin/stock.pl?code=
Run sqlmap on the URL, and enumerate all of the Db's, and the current User and Db
sqlmap -u http://127.0.0.1/cgi-bin/stock.pl?code= -f -b -v 2 --dbs --current-user --current-db
What does sqlmap say is the number of databases?
number of databases:

Tests - not attempted
Number correct UNTESTED

Enumerate Db Tables and Columns

Now keep the same injection point, but this time use only "--tables" and "--columns" using only "-D hack". Use this information to discover the maximum VARCHAR length of "uname" in the "ccards" table.

uname length:

Tests - not attempted
uname char length UNTESTED

Retrieve Data From Db Table

Keeping the same injection point and database, but this time lets query soem user data. Try to "dump" the "table" ccards data using sqlmap. Use the man page to discover how to "dump" and how to select a specific "T"able. You still need the "-D hack" Use this information to view the whole of the ccard table data.

When does Tony's card expire? Use the format 12/99 expiry:

Definitely easier than doing it manually...

Tests - not attempted
uname char length UNTESTED

SQLMap SQL Shell

Again using sqlmap, with the same injection point and database, use the "--sql-shell" flag to open a SQL interface to the database via the injection point.

Use that to run the SQL command:

select * from theusers;
Who has the password "magic"?
user:

Tests - not attempted
Who is magic... UNTESTED


Centos 7 intro: Paths | BasicShell | Search
Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 log Mail
Caine 10.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
Caine 13.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Registry | Mock Exam |
CPD: Cygwin | Paths | Files and head/tail | Find and regex | Sort | Log Analysis
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Kali 2020-4: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7 | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2024 Edinburgh Napier University