Mutillidae: Manual SQL Injection By The Help of Firebug
Web Penetration Testing: Part 3
What is SQL Injection?
SQL injection is a technique used to attack data-driven web pages and applications. It is done by placing a SQL statement or SQL command in an entry field of the website. It is a vulnerability inside the web application that allows an attacker to run SQL commands against the database. The vulnerability arises when user input is handled incorrectly as part of a SQL string, so that the SQL statement executes in an unexpected way. SQL injection is best known as an attack vector for websites, but it can be used to attack any SQL database.
Pre-Requisite Lab:
- How to configure mutillidae in Fedora
- How to install Kali Linux on Virtual Box.
- How to install Firebug
Work On Victim Machine (Fedora 20)
- Run the Virtual Machine
- Open the Terminal.
- Check the IP Address
#ifconfig
This IP address will be used by the attacker machine to access Mutillidae. In my case it is 192.168.56.117; in your case it may be different.
Work On Attacker Machine (Kali Linux 1.0.7)
- Run the Virtual Machine of Kali Linux.
- Open the Terminal and check the IP address using the following command.
#ifconfig
Check the connectivity with Victim Machine (Fedora 20)
#ping [Ip_Address]
In my case:
#ping 192.168.56.117
- Open the IceWeasel Web Browser and type in Address Bar
http://[Victim_IP_Address]/mutillidae
In my case it is:
http://192.168.56.117/mutillidae
SQL Injection on Username Field
- Click on the Login/Register Menu in mutillidae.
Task:
Enter a single quote (') in the Username text box and click the Login button.
Result:
After you click the Login button, an error message will be displayed.
- Analyze Result
A single quote (') is a reserved SQL character. Placing it in the Username text box breaks the SQL query:
SELECT * FROM accounts WHERE username=''' AND password=''
A normal query looks like the following:
SELECT * FROM accounts WHERE username='admin' AND password='admin'
SQL Injection: Bypass Password without Username
TASK:
Enter the following in the Username text box: ' or 1=1 -- 
Make sure you put a space after the "--", then click the Login button to continue.
Result:
Notice on the Mutillidae screen that you are logged in as admin, because admin is the first user in the accounts table.
Placing ' or 1=1 -- in the field means: search for a username that is either equal to nothing, or for which 1=1 holds. The condition 1=1 is always true, and the "-- " string starts a comment in the SQL statement. This comments out the rest of the SQL query ( AND password=''), which bypasses the password check. The query looks like the following:
SELECT * FROM accounts WHERE username='' or 1=1 -- ' AND password=''
Log out from the admin user by clicking the Logout menu.
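The effect of the two Username inputs above on a concatenated query, next to the parameterized form that removes the flaw, as an added example (not Mutillidae's code and not part of the original tutorial). It assumes an in-memory SQLite table standing in for Mutillidae's MySQL accounts table; the function names and stored passwords are constructed for illustration.

```python
import sqlite3

# Constructed sample data; SQLite stands in for Mutillidae's MySQL backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("admin", "adminpass"), ("samurai", "samurai")])
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    query = ("SELECT username FROM accounts WHERE username='" + username +
             "' AND password='" + password + "'")
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as exc:
        # A lone quote unbalances the statement; the app leaks this error.
        return query, "SQL error: %s" % exc
    return query, (row[0] if row else None)

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the steps above: valid login, single quote, tautology.
    for user, pw in [("admin", "adminpass"), ("'", ""), ("' or 1=1 -- ", "")]:
        query, result = login_concatenated(db, user, pw)
        print("username input :", repr(user))
        print("built query    :", query)
        print("concatenated   :", result)
        print("parameterized  :", login_parameterized(db, user, pw))
        print()
```

With bound parameters the quote and the comment marker are compared as literal username characters, so both injected inputs simply fail to match any account.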
SQL Injection: Single Quote Test On the Password Field:
TASK:
- Click on the Login/Register.
- Name: admin
- Password field: right-click and select Inspect Element.
- Firebug: the Firebug bar will open. Replace the string "password" with the word "text", then minimize Firebug.
- Apply the true test to the Password text box. Fill in the following:
Name= ' or 1=1
Don’t forget to put a space after the "--", then click the Login button.
ANALYZE THE RESULTS:
It is a happy moment: you are logged in as admin. Log out of the session.
Obtain Access by SQL Injection: Single Quote Test:
Inspect Password Box Element
TASK:
Click on Login/Register option.
Name: samurai
Password: Right Click and Select Inspect Element
Edit the Following Element:
Replace the string "password" with "text".
Replace the string "20" with "50" in size and maxlength.
Apply the true statement in the Password text box:
Name: Samurai
Password: ' or (1=1 and username='samurai') -- 
Don’t forget to put a space after the command.
Click the Login button to proceed.
Result: Notice that you are logged in to the application as samurai through SQL injection.