[ Certified Ethical Hacker v10 ] :: [ Chapter 6 cont’d] :: SQL Injection

This entry is part 11 of 30 in the series [ Certified Ethical Hacker Training ]

SQL injection

Definition and Examples

Your basic task is to interrupt a SQL query and force it to run your own code. Usually you can do this by adding an invalid character, like a single quote. You can attack GET and POST submissions using options.

Definition, Risk Factors and Examples from https://owasp.org/www-community/attacks/SQL_Injection :

In SQL:

select id, firstname, lastname from authors

Input from a web form:

Firstname: evil'ex
Lastname: Newman

The query string becomes:

select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'
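The same authors lookup from the defender's side, as an added example that is not part of the original post or the OWASP page: it builds the query by string concatenation (the pattern that breaks above) next to a parameterized version that treats the quote as data. It assumes Python's built-in sqlite3 module, an in-memory table with constructed rows, and firstname/lastname as the column names; the function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed in-memory table mirroring the authors example above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors "
               "(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    db.executemany("INSERT INTO authors (firstname, lastname) VALUES (?, ?)",
                   [("evil'ex", "Newman"), ("Alice", "Smith")])  # constructed rows
    return db

def build_concatenated(firstname, lastname):
    """Vulnerable pattern: form input is pasted straight into the SQL text."""
    return ("select id, firstname, lastname from authors "
            "where firstname = '" + firstname + "' and lastname = '" + lastname + "'")

def lookup_vulnerable(db, firstname, lastname):
    """Returns ('ok', rows) or ('sql_error', message) when the input breaks the query."""
    try:
        return "ok", db.execute(build_concatenated(firstname, lastname)).fetchall()
    except sqlite3.Error as exc:
        # A syntax error caused by user input shows the input reached the SQL parser.
        return "sql_error", str(exc)

def lookup_parameterized(db, firstname, lastname):
    """Hardened pattern: the SQL text is fixed and values are bound separately."""
    return db.execute(
        "select id, firstname, lastname from authors "
        "where firstname = ? and lastname = ?",
        (firstname, lastname)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated("evil'ex", "Newman"))         # the broken query string
    print(lookup_vulnerable(db, "evil'ex", "Newman"))      # database rejects it
    print(lookup_parameterized(db, "evil'ex", "Newman"))   # quote handled as data
```

A database syntax error triggered by form input is worth logging and alerting on, since it means user data is being parsed as SQL.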

SQL Injection Examples

From https://portswigger.net/web-security/sql-injection :

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

Examples for SQL Server, MySQL, PostgreSQL and Oracle

Our old friends at PenTestMonkey provide LOTS of examples for:

MS SQL Server: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Oracle DB: http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet

MySQL (MariaDB): http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

A cheat sheet and examples for MS SQL, MySQL, PostgreSQL and Oracle

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Dumping a Complete Database

http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/

OWASP Web Security Testing Guide

This is a rocking complete methodology for web app testing. I’ll link to the SQL Injection section, but check out the many other areas this guide covers.

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection

Website Hacking: Dumping Database Using SQL Injection [DVWA SQL]

https://www.youtube.com/watch?v=6OONGIH5pdQ

Exercises

1. Log into your root-me.org account, click Challenges and click Web Server. This will get you here:
https://www.root-me.org/en/Challenges/Web-Server/.

Start with “SQL Injection – Authentication”. Note all the other SQL Injection challenges. Can you beat them all?

2. In either Metasploitable2 or your own installation, go to DVWA, find Vulnerability – SQL Injection, and dump all user names. See this guide if you need help:
https://pentestlab.blog/tag/metasploitable-2/page/6/

 
