Tips for an Information Security Analyst/Pentester career - Episode 9: DVWA (SQL injection)
- The following SQL injection attacks were run on a deliberately vulnerable virtual machine for demonstration purposes only. Don't attempt them on systems you don't have any authorization for, otherwise you're in for a spot in a Federal jail. You've been warned!!
- For these attacks to succeed, you need to toggle security level to low, otherwise they won't run. The whole point of DVWA is to show the impact from common attacks and how mitigation techniques can help prevent such attacks from being exploited.
In this post, we're gonna have fun with some SQL injection attacks.
SQL injections attacks are possible when a website fails to implement input validation either client-side or server-side, or both.
When these conditions occur, an attacker can input SQL queries in an input field where he/she wouldn't be supposed to do that, for example in a login field, getting illicitly access to the underlying database.
I found a cheat sheet here and successfully performed some of the attacks listed on the site.
I could find out DVWA uses a MariaDB software, so this gives us a hint as to the language used under the hood.
This is a bad error feedback. You don't want a server to issue an error message like this one, because it gives away too much information.
- First injection: ' or 1=1 #
It shows us all the users on the system.
- Second injection: 'OR '1'='1' -- ';
- Third injection: 1' order by 1 #
If we progressively increase the user ID (2’ order by 1 #, etc.), we can get all the other users in the database as well.
- Fourth injection: 1' or 1=1 order by 1 #
It returns an output pretty much alike the first two ones.
- Fifth injection: ' and 1=1 union select database(),version() #
Returns the database type and version.
- Sixth injection: ' and 1=1 union select null,user() #
Returns information on the root user of the database, so we can wreak havoc with it.
SQL injection attacks date back some decades but are a very powerful and harmful attack still today when some favorable conditions exist, namely lack of user input validation both client-side and server-side.
Sadly, databases keep getting breached every day because of bad coding and careless security practices.
There’s nor room for complacency in today’s marketplace.
A company failing to protect its database is sadly destined to fail miserably.