SQL Injection Vulnerability Fundamentals

Introduction

Welcome to this interactive lab! Our focus is on SQL injection vulnerabilities - a prevalent and serious risk to web applications. In simple terms, SQL injection attacks happen when an application receives data that hasn't been properly checked or coded, and this data is included in a SQL query. This loophole can allow cyber attackers to run harmful SQL commands, which might lead to unauthorized access to confidential data or enable them to perform other harmful actions.

The goal of this lab is two-fold. Firstly, we aim to demystify the core concepts of SQL injection vulnerabilities, breaking them down into understandable pieces. Secondly, we provide hands-on practice to help you learn how to exploit these vulnerabilities, not for malicious intent, but to better understand and prevent them. This practical approach will equip you with the knowledge and skills to protect your applications from such threats.

Set up the Lab Environment

In this section, we'll guide you through the process of setting up a lab environment where you can practice SQL injection attacks.

1. Pull the DVWA Docker Image:
   The DVWA Docker image is available on Docker Hub. You can pull it using the following command:

   docker pull vulnerables/web-dvwa

2. Run the DVWA Docker Container:
   After pulling the image, you can run it with the following command:

   docker run -d -p 80:80 --name dvwa vulnerables/web-dvwa

   This command will start a new container and map port 80 in the container to port 80 on your host machine.

The step above prepares the necessary environment for the lab. After the setup completes, launch the Firefox browser on your desktop and enter the following URL: http://localhost.

After a brief moment, you'll find yourself on the login page. The default credentials are as follows: username - "admin" and password - "password".

You will be greeted by the DVWA (Damn Vulnerable Web Application) webpage. Click the "Create/Reset Database" button to generate a new database for the application.

Important Note: For the purpose of this lab, we'll be setting the security level to "low". This adjustment makes the SQL injection vulnerabilities more evident. To do this, select "low" from the "Security Level" dropdown menu, and then hit the "Submit" button.

Identify the SQL Injection Point

In this module, we're going to uncover the presence of an SQL injection vulnerability in an application.

Step 1: Navigate to the SQL Injection Page

On the left-hand menu of the application, you'll find a link labeled "SQL Injection." Click on this link to navigate to the SQL Injection page. Here, you'll encounter a form asking for a user ID.

Step 2: Enter an Example User ID

Let's try entering a user ID to see what happens.

Example Input:

1

Type "1" into the form and click the "Submit" button. The output should display details about a user with the ID of 1.

Step 3: Inspect the Source Code

By clicking the "View Source" button, you can inspect the source code of the page. You should see something resembling the following PHP code:

$id = $_GET['id'];
$sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($conn, $sql);

This code reveals that the application constructs an SQL query by concatenating the user's input directly with the SQL statement. This is a common error that can potentially create SQL injection vulnerabilities.

Step 4: Confirm the SQL Injection Vulnerability

To verify the existence of an SQL injection vulnerability, let's attempt to inject a single quote (') after the value "1". Enter the following into the form:

1'

If you see a database error message, it signifies that the application is indeed vulnerable to SQL injection attacks. This is a key step in identifying and subsequently addressing such vulnerabilities.

Determine the SQL Injection Type and Database Type

In this section, we will guide you through the process of identifying the type of SQL injection vulnerability and the type of database being used by a given application.

Our first aim is to determine the number of columns being returned by the original SQL query. To achieve this, we will employ the ORDER BY clause.

Sample Code:

1' ORDER BY 1## 1' ORDER BY 2## 1' ORDER BY 3## ```

Please input the above SQL statements one by one into the form. If the application behaves as expected, the first two queries will execute without errors, while the third will result in a failure. This failure indicates that the original SQL query is returning two columns.

Following this, we can use the `UNION` operator to extract additional data from the database.

**Sample Code:**

```sql
1' UNION SELECT version(), @@version_compile_os## ```

This SQL statement will fetch the version of the database and the version of the operating system it is being run on.

After executing this query, the output should display the information regarding the database version and operating system.

Retrieve the Database Name

In this lesson, we will guide you through the process of retrieving the name of a database that an application is using. This is an essential skill, especially when you're trying to understand the structure and organization of a database.

Example Code:

1' UNION SELECT database(), user()## ```

The above SQL query is an example of a technique called "SQL Injection". It is a code injection technique that attackers use to exploit a security vulnerability occurring in the database layer of an application. This specific query retrieves the current database name and the user executing the query.

Here's what's happening:

- `1' UNION`: This is the first part of the SQL injection. The `1'` part is to complete the query that the application is likely to be running. The `UNION` keyword is used to combine the results of two or more SELECT statements without returning any duplicate rows.
- `SELECT database(), user()#`: This part of the query is the payload that you're injecting. The `database()` function retrieves the name of the current database, and the `user()` function retrieves the name of the user executing the query.

After submitting the query, you should expect to see the database name and the user information in the output. This information can be essential for further understanding the database structure and the privileges of the user in the context of the application.

Remember, understanding these techniques not only helps in exploiting vulnerabilities but also in creating secure applications by knowing what to defend against.

Retrieve Table Names

In this lesson, we will take a step further to explore more about the structure of the database by retrieving the names of the tables in it. Understanding the table structure is crucial when trying to extract or manipulate data in a database.

Example Code:

1' UNION SELECT table_name, table_schema FROM information_schema.tables WHERE table_schema = 'dvwa'## ```

The above SQL query continues to utilize the SQL Injection technique. This time, it is used to retrieve the names of tables in the database and their respective database schema.

Here's the breakdown:

- `1' UNION`: As previously explained, this part is meant to complete the application's likely query and combine it with our injected payload.
- `SELECT table_name, table_schema FROM information_schema.tables WHERE table_schema = 'dvwa'`: This part of the query is our injected payload. It retrieves the table names and their respective database schema from the `information_schema.tables` system table, specifically for the 'dvwa' schema.

The `information_schema.tables` is a system table that holds information about all the tables in the database. The `table_schema` refers to the name of the database the table is part of, and `table_name` is the name of the table.

After submitting the query, you should expect to see the table names and their respective database schema in the output. This information can provide a roadmap for further exploration or exploitation of the database.

As always, remember that understanding these techniques is essential not only for exploiting vulnerabilities but also for creating secure applications by understanding what to defend against.

Retrieve Column Names and Data

In this lesson, we will delve deeper into the database structure by retrieving the column names of a specific table. With this knowledge, we can then extract potentially sensitive data from the table.

Example Code:

1' UNION SELECT 1, group_concat(column_name) FROM information_schema.columns WHERE table_name = 'users'## ```

The above SQL query uses SQL injection to retrieve the column names of the 'users' table. It concatenates these column names into a single string for easier viewing.

Here's the breakdown:

- `1' UNION`: As previously explained, this part is meant to complete the application's likely query and combine it with our injected payload.
- `SELECT 1, group_concat(column_name) FROM information_schema.columns WHERE table_name = 'users'`: This part of the query is our injected payload. It retrieves the column names from the 'users' table and concatenates them into a single string using the `group_concat` function.

After submitting the query, you should expect to see the column names in the output.

Now that we have the column names, we can retrieve sensitive data from the 'users' table.

**Example Code:**

```sql
1' UNION SELECT user, password FROM users## ```

This SQL query uses SQL injection to retrieve the 'user' and 'password' columns from the 'users' table.

After submitting the query, you should expect to see the usernames and hashed passwords in the output. This information can be extremely sensitive, and understanding how it can be extracted is essential for both exploiting vulnerabilities and defending against such attacks.

Remember, the goal of understanding these techniques is twofold: to identify potential vulnerabilities and to build more secure applications.

Summary

In this lab, you learned about SQL injection vulnerabilities and how to exploit them through hands-on practice. You set up a vulnerable web application, identified the SQL injection point, determined the SQL injection type and database type, and retrieved sensitive information from the database by exploiting the SQL injection vulnerability.

By completing this lab, you gained practical experience in understanding and exploiting SQL injection vulnerabilities, which are among the most common and dangerous web application vulnerabilities. This knowledge will help you in identifying and mitigating such vulnerabilities in real-world scenarios, enhancing your web application security skills.