Finding & Exploiting SQL Injection Vulnerabilities

The objective of this post is to show how one might go about identifying a SQL injection vulnerability on a website and then exploiting that vulnerability by obtaining any sensitive information contained within the database.

First, we need to have a target.  In our case, we’re going to obfuscate the domain name of our target because it’s an actual working, live site with SQL injection vulnerabilities and they take credit information (ouch).  Obviously this is not good – so we don’t want to put them on blast.

Once we have a target domain, we need to think about our approach. First and foremost, before we can exploit a SQL injection vulnerability, we need to find one. There are a number of ways to hunt for them, but we’re going to use OWASP Zed Attack Proxy (ZAP) to help with automating discovery. ZAP may not be as robust as Burp Suite but it’s easy to use and what we’ve chosen. In the interest of ensuring our testing is not traced back to us, we’ve launched ZAP using the following commands:

service tor start
service tor status
root@kali:/usr/share/zaproxy# java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 -jar zap-2.4.1.jar

We begin by plugging in our target domain name (as seen below) and clicking “Attack”.

Capture1

The length of time it takes to fully scan a domain depends on a number of factors.  As ZAP finds vulnerabilities, they’ll be listed in the “Alerts” tab:

Capture2

As you can see, ZAP has found a number of possible of areas within the site that are susceptible to SQL injection. ZAP is not really capable of exploiting any vulnerabilities that it discovers, so we need to another tool.  In this case, we’ve chosen sqlmap. Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

As mentinoed above, we want to ensure that our work is not traced back to us.  For this reason, we’re going to proxy our connections with switches built into sqlmap.  The full command we want to run is this:

sqlmap –tor –tor-type=SOCKS5 –check-tor –random-agent –dbs –dump -u http://domain-name-here.org/board/board.php?id=6

Capture3

The following output from sqlmap indicates injection point vulnerabilities:

Capture4

Capture5

While some tables from the database contains non-sensitive information (like the one above), others contain very sensitive information:

Capture6

We also obtained a list of usernames and password hashes when we dumped their databases…which could probably be cracked with minimal effort.

Capture7

Happy Hacking!

Advertisements

One thought on “Finding & Exploiting SQL Injection Vulnerabilities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s