Web App Pentesting: SQL injection 101

For the last few days, I have been studying about different web app attacks through the PWK course. Some of them were refreshers for me as I learned them in the MS program. However, for some of them, I just read about them and never actually tried attacking vulnerable machines with the methodologies.

OWASP(Open Web Application Security Project ) shares the top 10 web app vulnerability list which gets updated every few years. 2017 Top 10 | OWASP

The injection is number one in the 2017 list.

As I learned some basic attack methodologies for SQL injection, I decided to familiarize myself more with the topic.

I first watched some videos by HackerSploit on YouTube for Web App Penetration Testing and reviewed how to use the BurpSuite (https://youtube.com/playlist?list=PLBf0hzazHTGO3EpGAs718LvLsiMIv9dSC).

• BurpSuite is a great tool where you can capture and manipulate network traffic and possibly break into web application’s user or even into privileged accounts such as an admin account.
• I learned that you can use the Burpsuite in conjunction with other SQL-related tools such as SQLmap.
• Following the tutorials, I set up a metasploitable 2 machine on a virtual machine and brute force attacked some vulnerable web apps(DVWA & Mutillidae).

DVWA is a vulnerable web app running on a Metasploitable 2

For SQL injection, I watched some videos from TCM’s Practical Ethical Hacking course. https://www.udemy.com/course/practical-ethical-hacking/

Below are some notes from the walkthrough:

Intro:

• Foxy Proxy is an easy way to set up a proxy to intercept the network traffic.
• Follow https://airman604.medium.com/installing-docker-in-kali-linux-2017-1-fbaa4d1447fe to install docker in Kali
• Follow https://github.com/bkimminich/juice-shop under Docker Container to start up the OWASP juice shop

OWASP juice shop is a vulnerable web app that’s developed by OWASP and it has different web app pen testing challenges that you can brush up your skills with.

Once you’re on the Juice Shop website, you can start exploring it by clicking through different links/items.

if you go to localhost:3000/#/score-board, you can see many challenges that are categorized in levels.

The SQL injection section of the TCM’s course briefly walks through the “Login Admin” challenge where you attempt to login to an admin account by exploiting SQL injection vulnerabilities.

First of all, you turn on the foxyproxy extension and launch the burpsuite (turn on intercept > send to the repeater to craft HTTP requests once entering random values on user input fields on a browser)

A Valid SQL statement example would be something like,

Input: test

SQL: SELECT * FROM Users WHERE email=’test’;

If we enter “ ‘ “(single quotation) in the email field, it can break the SQL query (if the web app is vulnerable to the attack)

input: test’

SQL: SELECT * FROM Users WHERE email=’test’’;

(the improper number of quotations crushes the query)

Another example would be adding ‘ OR 1=1; —

SQL: SELECT * FROM Users WHERE email=’test’ OR 1=1; — ‘;

‘test’ email doesn’t exist but the statement would be true(1 always equals to 1) and — makes everything after it a comment.

This image above from the burpsuite shows that the injection succeeded and we have a admin privilege now.

Usually, it’s not that easy to break the engine.

Testing some sleep commands is one way to see if it’s vulnerable.

i.e) try entering ‘ (sleep 5) and see if the engine pauses for 5 seconds. If it does, that means the injection was successful.

For SQL injection defenses, there are two main ways to do so.

1. Parameterized Statements

• making sure that inputs are used safely in SQL statements.

example sqlQuery=’SELECT * FROM custTable WHERE User=? AND Pass=?’

With this setting, attackers cannot just enter “Test OR 1=1'; — “ since the database knows what to do before the query runs; it would look for a username of ‘Test OR 1=1; — ‘ and it will return an error.

2. Sanitizing input

• you can specify different input as not acceptable to avoid the injection.
  i.e) OR 1=1; —

Web App pen testing is such a broad topic and I’m glad I did some researching and walkthrough after learning it on PWK today. I’m going to keep watching tutorials and practice attacking vulnerable web apps to sharpen my skills on it.

Here are some additional topics I would like to explore:

• Utilize sqlmap to discover SQL injection vulnerabilities on webapps.
• complete a few more challenges on OWASP Juice shop
• complete overthewire’s Natas challenges for webapp pentesting practice.

Happy Hacking!!