Today Web applications are the most popular way of creating programs at an accelerated rate. These applications come with a variety of security intimation. But there are many flaws in these systems. One of them is SQL Injection. A backend database is connected to the web application where all the information is stored about the users. SQL statements are used to store this information in Database. Similarly, you can use SQL commands to retrieve data from the database. But sometimes the input is not filtered properly and an attacker uses different SQL commands to retrieve data from the database. This process is called SQL injection. This means that attacker injects malicious code and tries to compromise the security.
This attack allows stealing important data of any person. Attacker can also modify and delete the data from database by the use of SQL commands. Input fields, Login forms, Search boxes and text boxes are used to inject malicious commands in the database. In this guide we will look at an example of SQL injection using burp suite.
Burp suit us an automated vulnerability testing tool for web applications and is preinstalled in Kali. Now we will setup the vulnerable web application.
We will use DVWA as our vulnerable web application. If you don’t know how to install DVWA in Kali you can check that here.
Let’s Start,
First Of all we need to run apache and mysql services in kali to access DVWA. Type in the following commands to run the above two services:
service apache2 startservice mysql start
Now we will check if we can access DVWA on our browser. I have renamed DVWA as master in /var/www/html folder. To access that we will locate to the following URL:
http://localhost/master
Configure Browser For BurpSuit
Now we will configure our browser to work with burp suit so that each request should pass through burp suite. Burp suite will act as a proxy and we will be able to intercept the requests. We will use firefox as our browser.
First of all go to "Preferences" and click on "Advance" and then select the "Network" tab and select settings and check the Manual Proxy Configuration button then put HTTP Proxy as 127.0.0.1 and Port to 8080 and leave rest of the setting as the following picture.
Intercept The Request With Burp Suite
Open the burp suite in Kali and go to Proxy tab and turn on the intercept. Make sure that ‘Intercept In On’ is pressed, So that we can modify the requests that will be sent by the browser and check for our SQL Injection. Now get back to the DVWA page and select SQL Injection and enter anything in the User ID field and click submit. Now you can see that the request in intercepted properly and you can check the raw ,parameters and headers information.
Now we only need to modify the id field so we will will send this request to the intruder by right clicking and selecting Send to Intruder Option.
Set Positions And Payloads
Now move to the intruder tab and click on positions. Burp suite will indicate the position where payload needs to be inserted. We just need to insert payload in the id field so we will clear all positions by clicking the clear button on the right. Now select the value for id and click on Add button to select this position.
Now the position is set, we will configure our payload. When we submit the request SQL command tries to interact with the database. The command that interact the database looks like the following:
SELECT first_name, last_name FROM users WHERE user_id=’$id’;
Now if we put the simple payload ‘ 'or 1=1’ then the above command will become:
SELECT first_name, last_name FROM users WHERE user_id=’$id’ or ‘1=1;
The single quote will make the first part as a blank string and 1=1 will evaluate the value to true and database will return the value.
Now click on the Payloads tab and go to payloads option and loads the payload from the following directory:
/usr/share/wfuzz/wordlist/injections/SQL.txt
Running an Attack With Intruder
Now everything is setup just click on the Start Attack button, a new window will open and show you the attack progress. It will take sometime to complete depending on the size of the payloads list.
You can analyze the result by clicking on the request. Click on the response tab and then click on render, you can see the SQL injection result that we have the first name and surname of the database users.
Conclusion:
We saw that today in the world of a web application that security is everything. Many web applications are still vulnerable to these types of attack that may risk the data of users. We saw that how an attacker could get the credentials of users just by putting malicious code in the text fields to steal data. If you have any site then you should test SQL injection on all the fields of your site.