Injections are security flaws (i.e. vulnerabilities) that let an attacker take advantage of the Application DB by submitting malicious input from the client side. Malicious input, data or commands are entered into client-side fields; when the system accepts them, the attacker can bypass authentication and gain administrative privileges to fully access the application and its database. If you are not aware of Injections, go through the below posts before going through this post.
Pre-requisites: Complete the following pre-requisites before using the SQL Injection payload:
- Download and install XAMPP on your machine, configure it, and start the Apache Server & SQL
- Download and host bWAPP on the server
Caution: Read the following points before testing the application for SQL Injections:
- Don't try the following example on other websites.
- Only perform these payloads on applications which are open for Penetration testing.
- If you perform Penetration testing on an application without a written statement from its owner, you will have to face legal problems, face the cyber police and even go to jail.
Payload One: Follow the steps below to simulate the payload as an attacker on the bWAPP application (i.e. an open application for performing Penetration Testing):
Important Information: A single quote is the first payload to enter into the input fields to check whether an input field in the application is vulnerable to SQL Injection. If the single quote payload verifies that the input field is vulnerable, we need to plan other payloads to exploit the application DB using the vulnerable input field.
Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox browser using the URL http://localhost:8080/bwapp/login.php.

Step#2 – Log in to the application by entering bee into the Login field and bug into the Password field, then click on the Login button.

Step#3 – Once the user is logged in, select the SQL Injection (GET/SEARCH) option from the 'Choose your bug' drop-down field and click on the 'Hack' button.

Step#4 – In the displayed 'SQL Injection (GET/SEARCH)' screen, enter a single quote (i.e. ' ) into the 'Search for a movie:' text box field and click on the 'Search' button.

Step#5 – If performing the above step produces an error, we can confirm that the input field is vulnerable to SQL Injection, and more advanced payloads to exploit the Application DB can be tried from the vulnerable input field.

Conclusion: Untrusted data can be entered into the input fields and, when processed by the server, will trick its interpreter into executing malicious commands or queries present in that data. To check whether the client-side input fields in the application are vulnerable to these kinds of attacks, as a Security Tester we need to enter a single quote into these fields and submit. If we get an error on submitting the single quote (i.e. ' ) in client-side input fields, we can guess that these input fields are vulnerable to SQL Injection, and using this clue we can input more advanced payloads to check whether there is any possibility for the attacker to exploit the Application DB.
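Why the single quote in Step#5 produces an error, and what the corrected query looks like, as an added example (not code from bWAPP or from this post). It uses Python's sqlite3 with a constructed movies table as a stand-in for bWAPP's PHP/MySQL search; the table, the rows and the function names are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the movie search table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (title TEXT, genre TEXT)")
    db.executemany(
        "INSERT INTO movies VALUES (?, ?)",
        [("Iron Man", "action"), ("Ocean's Eleven", "crime"), ("The Matrix", "sci-fi")],
    )
    return db

def search_concatenated(db, term):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + term + "%'"
    try:
        return "ok", [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # A lone quote closes the string literal early, leaving broken SQL.
        # This is the database error the tester sees in Step#5.
        return "sql-error", str(exc)

def search_parameterized(db, term):
    """Hardened pattern: input is bound as a value and never parsed as SQL."""
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return "ok", [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    for term in ("man", "'"):
        print(repr(term), "concatenated  ->", search_concatenated(db, term))
        print(repr(term), "parameterized ->", search_parameterized(db, term))
```

With the bound parameter the quote is just a character to search for, so the search returns the title that contains an apostrophe instead of failing. The application should also log database errors on the server and show the user a generic message.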
Happy Learning 🙂
Arun Motoori (www.QAFox.com)