Website Hacking Series; Part C: Manual & Automated SQL Injection

Frankline Misango
5 min read · Mar 5, 2023


Cover Image: Anarchist hacker banner for HOPE — Hackers on Planet Earth conference, source: Rek2/Wikimedia commons

Disclaimer: This article is for educational purposes and promotes ethical hacking and superior cybersecurity practices in organisations and private entities. It does not advocate any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set up vulnerable. I, therefore, absolve myself from any future unauthorized scripting by parties reading this article that may compromise the integrity of respective wireless networks.

Hello, welcome back to this series. We are exploring website hacking tricks, and today I will be demonstrating the famous and most revered SQL injection. This is part C of a running series; in the previous article, I covered malicious file/code injection into websites.

In this one, we will undertake SQL injection, which involves attackers taking advantage of an SQL query whose input is not sanitized. This lets any user execute any SQL command, and may allow attackers to dump the entire contents of the website's database as long as their commands are right. The first part covers manual SQL injection; the second part automates it using SQLmap.

To brush up on the most basic SQL and PHP code that we will need, consider the snippets below.

SELECT username FROM users WHERE id = 1 → SQL code that selects the username, looked up by id, from the users table. The admin account usually has id 1.

$id = $_GET['id'];

$getid = "select username from users where id = '$id'"; → Because the PHP application does not sanitize its input, whatever we put into the id parameter is pasted straight into the query text, so we can use the $id field to pass any SQL we want into it.

Requirements

  • Kali Linux as a separate OS, or Kali Linux in VMware
  • Burp Suite (installed by default in Kali)
  • DVWA (download from https://github.com/digininja/DVWA )
  • MySQL (installed by default in Kali)
  • Apache (installed by default in Kali)
  • Basic mastery of MySQL, PHP & Bash scripting
  • Basic prompt engineering skills: ChatGPT
  • SQLmap (installed by default in Kali Linux)

Procedure — Manual SQL injection

  1. Installing & running DVWA. This video offers the best explanation for getting DVWA up and running and walks through my script instructions below (if you succeed, jump straight to step 2). Furthermore, I fully covered it in step 1 of the previous article; read more there. Make sure you have a window as below. We set our username and password to admin and "password" respectively, which are also DVWA's defaults.

2. Navigate to the SQL injection window shown below and start typing random IDs to identify which users exist on the website. We note that our admin is indeed id 1 and the other users have ids from 2 onwards. [Optional: click "View Source" to observe how the authentication PHP works.]

Fig. 2.1: Typing 1 to get the admin name
Fig. 2.2: Showing the other users after admin

3. We need to type a single ' to observe how the code breaks and gather any information we may need before starting the SQL injection attack. Indeed, after typing a single quote the query breaks and you should see a blank screen (the unbalanced quote makes the SQL invalid).

4. To start the SQL injection, we type 1' or 1=1#. The or 1=1 makes the WHERE clause true for every row, which gives us the admin credentials, and the trailing # comments out the rest of the query, so the dangling quote causes no syntax error. Find the elegant ChatGPT explanation below as well.

ChatGPT explaining the logic behind the

5. We want to think of ways to take advantage of the code above and pass other commands into it that may let us gather information such as the password hashes. We type the self-explanatory payload below to run the necessary commands → 1 or 1=1 union select user, password from users#. We can view the hashes below.

Hashes for all users in the DB

6. We need to create a basic .txt file and copy-paste all the hashes from the window into it, as below.

Pasting the hashes to hashes.txt

7. We need to invoke John the Ripper to crack the hashes using the command: john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hashes.txt [If you run into an error about rockyou.txt not being found, check figure 7.2 below for how to extract it; it ships as a .gz archive.]

Figure 7.1: Using John the Ripper for direct cracking
Figure 7.2: How to resolve rockyou.txt not found

8. Now it's time to display the cracked hashes and determine whether our crack was successful → john --show --format=Raw-MD5 hashes.txt

9. Voila, we get the admin password as "password", just as we set it before. We can try any of the cracked passwords on the login page below; I will use Pablo, whose cracked password is letmein.

Voila, we are in

Procedure — Automated SQL Injection

  1. We need to copy the URL of the DVWA SQL injection page, which is: http://127.0.0.1/DVWA/vulnerabilities/sqli/
  2. Run the sqlmap command below and answer Y to each prompt, except the one offering to store the hashes in a temporary file for further processing.

sqlmap -u "http://127.0.0.1/DVWA/vulnerabilities/sqli?id=1&Submit=Submit" --cookie="security=low" -b --current-db --current-user --dump

Figure 3.1

3. Boom, we can see the output of the previous step's command below.

Figure 3.2: A generated Database showing hashes, usernames and passwords etc

Follow-Up notes

  1. SQL injection is pretty intensive and requires practice at different levels, in CTFs or on websites you are permitted to test. Consider setting up dummy login pages and trying it on those.
  2. This is a simple SQL injection, and "real" websites have far superior sanitization. But of course, practice makes a better dev.

Recommendations

The single best way to prevent SQL injection attacks is input validation. Developers must write code that checks each and every parameter on the login page before it reaches a query.
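To make the PHP snippet from the introduction and this recommendation concrete, here is an added example that is not part of the original article or of DVWA. It models DVWA's lookup in Python against an in-memory SQLite table (DVWA itself is PHP on MySQL, so the table shape and the placeholder hash values are constructed for the demo; the user names follow DVWA's default accounts). The vulnerable function pastes the id into the SQL text exactly as the PHP line does; the parameterized function binds the id as data, which on its own defeats the 1' or 1=1 payload; the hardened function adds the input validation recommended above, so bad input is rejected with a clean error that can be logged instead of reaching the database at all. Note that SQLite uses -- as its comment marker where MySQL accepts #, so the payload is written with -- here.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's `users` table. The hash
# column holds placeholder strings, not real password hashes.
SAMPLE_USERS = [
    (1, "admin", "HASH-admin-placeholder"),
    (2, "gordonb", "HASH-gordonb-placeholder"),
    (3, "1337", "HASH-1337-placeholder"),
    (4, "pablo", "HASH-pablo-placeholder"),
    (5, "smithy", "HASH-smithy-placeholder"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """Mirror of the PHP line on the page: the id is pasted into the SQL text.

    Whatever the user typed becomes part of the query, so quotes and
    operators in the input are interpreted as SQL, not as data.
    """
    query = f"SELECT user, password FROM users WHERE user_id = '{raw_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, raw_id):
    """Fixed version: the value travels separately from the SQL text.

    The driver only ever compares the input against user_id as a value,
    so no part of it can turn into SQL syntax. An injection string simply
    matches no row.
    """
    return conn.execute(
        "SELECT user, password FROM users WHERE user_id = ?", (raw_id,)
    ).fetchall()


# DVWA's id is numeric, so anything that is not a short run of digits is
# rejected before it gets near the database.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def lookup_hardened(conn, raw_id):
    """Input validation (as recommended above) plus a parameterized query.

    Validation gives a clean, loggable rejection for malformed input;
    the bound parameter guarantees that even an accepted value is treated
    as data. Raises ValueError on malformed ids.
    """
    if not isinstance(raw_id, str) or ID_PATTERN.fullmatch(raw_id) is None:
        raise ValueError(f"rejected non-numeric id: {raw_id!r}")
    return lookup_parameterized(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    # The same tautology the page uses, spelled with SQLite's -- comment
    # marker instead of MySQL's #.
    payload = "1' OR 1=1 --"
    print("vulnerable, normal id :", lookup_vulnerable(db, "1"))
    print("vulnerable, payload   :", lookup_vulnerable(db, payload))
    print("parameterized, payload:", lookup_parameterized(db, payload))
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened, payload     :", err)
```

Run it directly to see the vulnerable lookup return every row for the payload while the parameterized lookup returns nothing and the hardened lookup refuses the input. The same split applies in PHP: DVWA's higher security levels move to prepared statements with bound parameters, which is the direct equivalent of lookup_parameterized.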
