Introduction

This post is a tutorial on SQL Injection attacks, particularly testing for vulnerabilities in a machine designed for ethical hacking practice. The instructor demonstrates how to identify a vulnerable website, test SQL injection manually, and exploit it using automated tools like SQLMap. The tutorial is structured into multiple parts, with this video covering the identification and exploitation phase.

SQL Injection Basics

SQL Injection (SQLi) is one of the most common and dangerous web vulnerabilities. It allows attackers to manipulate a website's database by injecting malicious SQL queries. This can lead to data leaks, account takeovers, and even full system control.

What is SQL? (The Foundation of SQLi)

SQL (Structured Query Language) is the language used to interact with databases. It allows websites to:
✅ Store user data (e.g., usernames, passwords, emails)
✅ Retrieve data (e.g., fetching user profiles)
✅ Update records (e.g., changing a password)
✅ Delete information (e.g., removing a user)

Example SQL query to fetch user data:

SELECT * FROM users WHERE username = 'admin' AND password = 'password123';

If the user provides the correct username and password, access is granted.

What is SQL Injection?

SQL Injection happens when an attacker inserts malicious SQL code into an input field (like a login form) to manipulate the database.

🚨 Example Attack:
Imagine a login form that checks user credentials like this:

SELECT * FROM users WHERE username = 'user' AND password = 'pass';

Now, an attacker enters this in the username field:

' OR 1=1 -- 

This changes the SQL query to:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'pass';

Why does this work?

  • OR 1=1 is always true, so the WHERE clause matches every row and the database returns all users.
  • -- starts a comment, so the rest of the query (including the password check) is ignored.
  • The attacker logs in without a valid password!
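
The following is an added example, not code from the original post: it runs the login query described above against a constructed in-memory SQLite table, once built by string concatenation (the vulnerable pattern) and once with bound parameters. The sample usernames and passwords are made up for the demonstration. With the concatenated query, the input `' OR 1=1 -- ` returns every user; with parameters, the same input is treated as a literal string and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users with plaintext passwords (for illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "password123"), ("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the post describes.

    Returns the list of usernames the query matched.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username = "' OR 1=1 -- " the query becomes:
    #   SELECT username FROM users WHERE username = '' OR 1=1 -- ' AND password = '...'
    # and everything after -- is a comment, so the password check never runs.
    rows = conn.execute(query).fetchall()
    return [r[0] for r in rows]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: user input is data, never SQL syntax."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print("vulnerable, valid creds:    ", login_vulnerable(db, "admin", "password123"))
    print("vulnerable, injected input: ", login_vulnerable(db, payload, "pass"))
    print("parameterized, injected:    ", login_parameterized(db, payload, "pass"))
    print("parameterized, valid creds: ", login_parameterized(db, "admin", "password123"))
```

The fix is not escaping the quote character by hand; it is keeping the query text fixed and passing user input through the driver's parameter binding, so no input can change the query's structure.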

What Can Attackers Do with SQL Injection?

🔹 Bypass Login – Gain unauthorized access
🔹 Steal Data – Dump usernames, emails, and even passwords
🔹 Modify Records – Change user details, reset passwords
🔹 Delete Data – Wipe out entire tables or databases
🔹 Gain Full Control – Execute commands on the server

Example:
An attacker uses SQLi to dump all user credentials:

SELECT username, password FROM users;

If passwords are stored without hashing, the attacker can steal and use them.

Exploiting SQL Injection

The tutorial aims to demonstrate SQL Injection in a controlled environment. The target machine is an artificial-intelligence-themed security challenge. The process is divided into two or three parts, covering meaningful security concepts.

Step 1: Identifying a Vulnerable Input Field

  • The target system requires submitting a User ID to retrieve user information.
  • When testing with different numerical values, responses indicate an underlying database (e.g., 1 = Admin, 2 = Root).
  • This suggests that SQL injection might be possible.

🔹 Step 2: Intercepting Requests with Burp Suite

  • Since the URL doesn't change dynamically, Burp Suite is used to intercept requests.
  • The video shows how to capture and analyze HTTP requests to find vulnerable parameters (UID, operation).

🔹 Step 3: Using SQLMap for Automated Exploitation

  • SQLMap is used to:
    • Identify the database type (MySQL).
    • Discover the database name (artificial_intelligence).
    • List tables and columns, including user credentials.
  • The database contains usernames and hashed passwords, which can be cracked.

🔹 Step 4: Extracting and Cracking Passwords

  • SQLMap extracts:
    • Usernames
    • Passwords (hashed)
  • The video demonstrates hash cracking to reveal plain-text passwords.

🔹 Step 5: Gaining Further Access

  • With database credentials, the next step is to log in and gain further control.
  • The goal is to escalate access to a web shell, enabling deeper system penetration.

Manual SQL Injection Testing

We inspect the request and response structure. The URL does not change when switching between user IDs, making manual injection more challenging. We use Burp Suite to intercept the request and analyze parameters (UID and operation).

Key Observation: The input field is potentially vulnerable to SQL Injection, but the direct URL doesn’t reveal parameters.

Exploiting SQL Injection with SQLMap

  • Since the URL does not expose parameters, the instructor copies the intercepted request and feeds it to SQLMap.
  • SQLMap helps with:
    1. Identifying the database type (MySQL).
    2. Extracting the database version (MySQL 5.0 running on Apache/Linux).
    3. Retrieving the database name (artificial_intelligence_1).
    4. Listing available tables (e.g., wizard and system_user).
    5. Extracting columns (e.g., ID, username, password).

Extracting User Credentials

  • SQLMap dumps the contents of the system_user table.
  • Retrieves usernames and hashed passwords.
  • Uses hash-cracking techniques to retrieve plaintext passwords.
  • Successfully obtains admin credentials.
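
From the defender's side, the activity walked through above (probing the UID parameter by hand, then letting SQLMap enumerate the database) leaves traces in the web server's access log. The following is an added example, not part of the original post: it parses a few constructed combined-format log lines (the uid and operation parameter names follow the post; the IPs, timestamps and the SQLMap-style user-agent string are made up) and flags requests whose decoded URL carries the injection patterns discussed earlier, or whose user agent names an automated SQL injection tool.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of the injection patterns the post describes, checked on the URL-decoded path.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),    # ' OR 1=1
    ("comment", re.compile(r"--(\s|$)")),                            # -- trailing comment
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),    # UNION SELECT extraction
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),  # blind, time-based probes
]

# Constructed sample log lines (not from the post): two normal lookups, then two injected requests.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?uid=1&operation=view HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?uid=2&operation=view HTTP/1.1" '
    '200 498 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] '
    '"GET /index.php?uid=1%27%20OR%201%3D1%20--%20&operation=view HTTP/1.1" 200 1440 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:31 +0000] '
    '"GET /index.php?uid=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20&operation=view HTTP/1.1" '
    '500 0 "-" "sqlmap/1.7 (https://sqlmap.org)"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """List the indicator names that fire for one parsed request (empty list = nothing suspicious)."""
    reasons = []
    decoded = unquote_plus(entry["path"])  # %27 -> ', %20 -> space, etc.
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(decoded):
            reasons.append(name)
    if "sqlmap" in entry["ua"].lower():
        reasons.append("scanner-user-agent")
    return reasons


def scan(lines):
    """Parse every line and return the suspicious requests with their decoded path and reasons."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "status": entry["status"],
                "path": unquote_plus(entry["path"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding["ip"], finding["status"], finding["reasons"], finding["path"])
```

Pattern matching on the decoded URL is a coarse first filter, not a complete detector: POST bodies are not in the access log, and a tool's user agent is trivially changed. The more durable signals are the shape of the traffic (many requests to one parameter from one source in a short window, with error status codes alongside unusually large or empty responses), which is what the per-IP findings list above gives you a starting point for.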

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.