Disclaimer: Author is not held responsible if the lab exercise is targeted to unauthorized parties or host. This is purely for educational purposes. I don't even know you.
SQL injection (SQLi) is an application security weakness that allows attackers to control an application’s database – letting them access or delete data, change an application’s data-driven behaviour, and do other undesirable things – by tricking the application into sending unexpected SQL commands. SQL injections are among the most frequent threats to data security.
The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters, such as a password, taken from a web form or URI query string.
Let’s consider a simple web application with a login form. The code for the HTML form is shown below.
</form>
The above form accepts the email address and password, then submits them to a PHP file named index.php.
It has an option of storing the login session in a cookie; we have deduced this from the remember_me checkbox. It uses the POST method to submit data, which means the values are not displayed in the URL.
Let’s suppose the statement at the backend for checking the user ID is as follows:
The above statement uses the values of the $_POST[] array directly without sanitizing them.
The password is hashed using the MD5 algorithm.
We will illustrate the SQL injection attack using SQL Fiddle. Open the URL http://sqlfiddle.com/ in your web browser.
Step 4) Click Run SQL and you will see the query output. Answer the question: what is the password in encrypted form?
____________________________________________________________________
____________________________________________________________________
Suppose the user supplies admin@admin.sys and 1234 as the password. The statement to be executed against the database would be
The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field.
xxx@xxx.xxx ends with a single quote, which closes the string literal.
OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned results to only one record.
-- ' AND … is a SQL comment that eliminates the password part.
Copy the above SQL statement and paste it into the SQL Fiddle "Run SQL" text box. When you run the SQL statement, you can see it returns a record (which contains the password).
____________________________________________________________________
____________________________________________________________________
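The following is an added example, not code from the handout: it recreates the login check above in Python with an in-memory SQLite table (a constructed stand-in for the members table, with one hypothetical user admin@admin.sys / 1234), and runs the same input through two versions of the check. The first concatenates the email into the statement exactly as the $_POST[] example does; the second binds the email and password hash as parameters. The sample input HANDOUT_STYLE_INPUT is constructed from the three fragments explained above (closing quote, OR 1 = 1 LIMIT 1, and the -- comment). MD5 is kept only to mirror the handout.

```python
import hashlib
import sqlite3

# Constructed sample input assembled from the three fragments the handout explains:
# a closing quote, "OR 1 = 1 LIMIT 1", and a "--" comment that swallows the password check.
HANDOUT_STYLE_INPUT = "xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- '"


def build_db():
    """In-memory stand-in for the members table (constructed; one hypothetical user)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, password TEXT)")
    # MD5 is kept only to mirror the handout; it is an unsalted, fast hash and not
    # a suitable password store in practice.
    conn.execute("INSERT INTO members VALUES (?, ?)",
                 ("admin@admin.sys", hashlib.md5(b"1234").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the statement by string concatenation, the same defect the
    handout's $_POST[] example has. Returns (authenticated, statement)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    statement = ("SELECT * FROM members WHERE email = '" + email +
                 "' AND password = '" + pw_hash + "'")
    row = conn.execute(statement).fetchone()
    return row is not None, statement


def login_parameterized(conn, email, password):
    """Same check with bound parameters: the driver passes the input as data, so a
    quote or comment marker inside it can never change the statement's meaning."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM members WHERE email = ? AND password = ?",
        (email, pw_hash),
    ).fetchone()
    return row is not None


def compare(email, password):
    """Run both versions on the same input; the two booleans differ only when the
    input changed the meaning of the concatenated statement."""
    conn = build_db()
    vulnerable_ok, statement = login_vulnerable(conn, email, password)
    safe_ok = login_parameterized(conn, email, password)
    conn.close()
    return {"statement": statement, "vulnerable": vulnerable_ok, "parameterized": safe_ok}


if __name__ == "__main__":
    for email, password in [("admin@admin.sys", "1234"),
                            ("admin@admin.sys", "wrong"),
                            (HANDOUT_STYLE_INPUT, "anything")]:
        result = compare(email, password)
        print(result["statement"])
        print("  concatenated:", result["vulnerable"],
              " parameterized:", result["parameterized"])
```

With the correct credentials both versions return True and with a wrong password both return False; only the constructed injection input splits them: the concatenated statement ends up as `... WHERE email = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- '...`, so the password clause is commented away and a row comes back, while the parameterized query compares the whole string against the email column and finds nothing.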
Open this test site: https://demo.testfire.net/. Then click the online banking login page. The page will ask you to enter a username and password; you can use the SQL injection technique to bypass the authentication and gain admin privileges. Enter the following statement in the username and password fields to bypass the authentication:
' or 1=1--+
Once you have gained the admin credentials, please provide a screenshot of the admin page.
____________________________________________________________________
____________________________________________________________________
How many account details can you view from the admin page? Please list all the account numbers.
____________________________________________________________________
____________________________________________________________________
sqlmap is open source software that is used to detect and exploit database vulnerabilities and provides options for injecting malicious code into them.
You can run sqlmap in Kali Linux by opening a terminal and typing this command: #sqlmap. In this practice we will use http://testphp.vulnweb.com as the test site.
You can list information about the existing databases using sqlmap with this command
From the output, what is the database version, and which databases are available on the server?
____________________________________________________________________
____________________________________________________________________
Next, you can list information about all tables present in a particular database by using this command
From the output, please list all the tables available in the database.
____________________________________________________________________
____________________________________________________________________
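As an added example (not part of the handout), here is the other side of the sqlmap and login-bypass exercises: a small detector that reads web server access-log lines, percent-decodes each request target, and flags the patterns used above (the ' or 1=1 tautology, a -- comment that truncates the statement, a UNION SELECT) together with sqlmap's default User-Agent. The log lines are constructed for this example, not captured from any real server, and the "sqlmap/..." agent strings assume the format of sqlmap's default User-Agent with a made-up version number.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not from any real server). The agent
# strings on lines 2 and 3 assume sqlmap's default User-Agent format with a
# made-up version; line 5 carries the handout's ' or 1=1--+ payload, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /listproducts.php?cat=1%27%20AND%201%3D1--%20 HTTP/1.1" 200 5123 "-" "sqlmap/1.0#stable (https://sqlmap.org)"
10.0.0.9 - - [12/Mar/2024:10:01:08 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 61 "-" "sqlmap/1.0#stable (https://sqlmap.org)"
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Mar/2024:10:02:30 +0000] "GET /search.php?q=%27%20or%201%3D1--%2B HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Rules applied to the percent-decoded request target.
TARGET_RULES = [
    ("boolean-probe", re.compile(r"(?i)\b(?:and|or)\s+\d+\s*=\s*\d+")),
    ("union-select", re.compile(r"(?i)\bunion(?:\s+all)?\s+select\b")),
    ("comment-truncation", re.compile(r"--(?:\s|\+|$)")),
]
# Rules applied to the User-Agent header.
AGENT_RULES = [
    ("sqlmap-agent", re.compile(r"^sqlmap/")),
]


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the decoded target and the names of every rule it or the agent matches."""
    decoded = unquote_plus(entry["target"])
    hits = [name for name, rx in TARGET_RULES if rx.search(decoded)]
    hits += [name for name, rx in AGENT_RULES if rx.search(entry["agent"])]
    return decoded, hits


def scan_log(text):
    """One finding per request that matched at least one rule, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        decoded, hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "time": entry["ts"],
                             "target": decoded, "hits": hits})
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client address, for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["time"], ", ".join(f["hits"]), "->", f["target"])
    print(count_by_ip(found))
```

Decoding before matching matters: the handout's payload arrives as q=%27%20or%201%3D1--%2B, which none of the rules would match in its encoded form. The agent rule is only a convenience, since a client can send any User-Agent it likes, and access logs do not record POST bodies, so the login form from the previous exercise would not be caught this way at all; the target rules are a first-pass triage signal to be confirmed against the application's own query logging.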
If you are interested in SQL injection and want to challenge yourself, you can explore this website: https://redtiger.labs.overthewire.org/
Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, choose what payload to drop, and hit Enter.
Before we can begin this exercise, we need to set up an additional lab environment. First we need to set up an additional internal network. In VirtualBox, click the File menu > Preferences > Network tab. In the Network tab, create an additional NAT Network (call it LabNetwork). After that, you need to import an additional VM known as Metasploitable (you can get it from me). Metasploitable is a VM which contains vulnerabilities.
After you have imported the VM, you need to add a network interface to the Kali and Metasploitable VMs. Make sure the additional network interface is connected to the NAT Network (LabNetwork) which you just created. You may need to restart your Kali Linux VM and also your Metasploitable VM.
After you have successfully run both VMs, make sure the network is running properly for both. Check the IP address of both VMs using the #ifconfig command in a terminal and make sure both VMs can ping each other.
From the scan result, it will show that the Metasploitable VM has a vulnerability in its FTP service. Please state when the vulnerability was reported.
____________________________________________________________________
____________________________________________________________________
After we have determined the vulnerability of the Metasploitable VM using Nmap, it’s time to exploit it using the Metasploit tool in Kali Linux. First you need to run the Metasploit console by entering #msfconsole in a terminal. After that, you need to search for the FTP exploit by typing this command: msf> search vsftpd. The search may take a while. After that, you can start to use the exploit by typing
Then you need to set the target host by typing msf> set rhost {your-metasploitableVM-ip}
You can also check your exploit options by typing msf> show options. If everything has been set, you can execute the exploit against the target host by typing msf> exploit. If everything goes well, you will gain access to the Metasploitable VM shell.
To verify you have root access, type whoami; check the VM hostname by typing hostname; check the kernel version by typing uname -a. Provide a screenshot of the output.
____________________________________________________________________
____________________________________________________________________
1.3 Reflection
In your opinion, provide ways to prevent SQL injection attacks on a website under your administration.
____________________________________________________________________
____________________________________________________________________
In your opinion, provide a way to prevent an application-level attack using tools such as Metasploit.
____________________________________________________________________
____________________________________________________________________