
Module 09: Database Penetration Testing Methodology - Exercise 3: SQL Injection Attacks on MS SQL Database

Written By AKADEMY on Thursday, July 4, 2019 | 10:19 PM

Exercise 3: SQL Injection Attacks on MS SQL Database

Scenario

Today, SQL injection is one of the most common and dangerous attacks a website faces. The attack targets applications whose code builds SQL queries from untrusted input without proper handling. An attacker can use such a vulnerability to execute arbitrary database queries: collecting sensitive information, modifying database entries, or attaching malicious code, which can lead to the total compromise of the most sensitive data.
As an Expert Penetration Tester and Security Administrator, you need to test web applications running on an MS SQL Server database for vulnerabilities and flaws.
Lab Duration: 20 Minutes
  1. Click Windows Server 2012 (Internal Network) and click Ctrl+Alt+Delete.
  2. In the password field, type Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  3. To launch the Firefox browser, double-click the Firefox icon on the desktop.
    You can also click the Firefox icon on the taskbar or launch it from the Start menu apps.
  4. In this lab, we will perform SQL injection against the database server installed on the Windows Server Subnet C machine. We will exploit the SQL injection vulnerability in the web application at http://172.19.19.13/goodshopping to tamper with the contents of the database server.
  5. When the main Firefox window appears, type http://172.19.19.13/goodshopping in the address bar and press Enter.
  6. The GoodShopping home page appears, as shown in the screenshot.
  7. Assume that you are new to this site and have never registered with it before.
    Now hover the mouse cursor over My Account in the top-right corner of the GoodShopping home page, type blah' or 1=1 -- in the Username field, leave the Password field empty and click the Log in button.
  8. You have successfully logged on to the target website with a fake login, as shown in the screenshot.
  9. Your credentials are not valid, but you have successfully logged in. Now you can browse all the web pages of the website as a registered member.
    Click Logout to log out of the account.
  10. Click the My Account tab in the top-right corner of the web page, enter the query blah';insert into login values ('sandra','sandra123'); -- in the Username field (as your login name) and leave the Password field empty.
    Click the Log in button.
    If no error message is displayed on the web page, you have successfully created your login using the SQL injection query.
    This query creates a user account in the database with the following credentials:
    Username: sandra
    Password: sandra123
  11. To verify that your login credentials have been created successfully, hover the mouse cursor over the My Account button, clear the text in the Username field, enter sandra in the Username field and sandra123 in the Password field, and click Login.
  12. You have successfully logged on to the target website, as shown in the screenshot.
  13. Click Windows Server Subnet C and click Ctrl+Alt+Delete.
  14. In the password field, type Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  15. Click the Close button at the top-right corner of the Server Manager window.
    If a Microsoft Windows pop-up appears, click Restart Later.
  16. Click Start, type SQL Server Management Studio and select the application.
  17. The Microsoft SQL Server Management Studio window appears along with the Connect to Server dialog box.
    In the Authentication field, select Windows Authentication from the drop-down list and click Connect.
  18. The Microsoft SQL Server Management Studio window appears, as shown in the screenshot.
  19. In the left pane of the window, expand Databases by clicking the + node, expand the goodshopping database by clicking the + node, expand Tables by clicking the + node, right-click dbo.Login and click Select Top 1000 Rows.
  20. Under the Results tab you can observe that the username and password you created are now present in the goodshopping database, as shown in the screenshot.
  21. You have successfully created your own user account using a crafted SQL query.
    Exit Microsoft SQL Server Management Studio, click Windows Server 2012 (Internal Network) and log out of the GoodShopping account.
  22. On the GoodShopping website, hover the mouse cursor over the My Account button, type blah';create database Stevemartin; -- in the Username field, leave the Password field empty and click Log in.
    In the above query, Stevemartin is the name of the database we are going to create.
  23. If no error message or any other message is displayed on the web page, the site is vulnerable to SQL injection and a database named Stevemartin has been created on the database server.
    You can observe that there is no error message displayed on the web page.
    To confirm that the database has been created, switch back to the Windows Server Subnet C machine and view the database created in SQL Server Management Studio.
  24. Now click the Windows Server Subnet C machine and launch SQL Server Management Studio.
  25. The Microsoft SQL Server Management Studio window appears along with the Connect to Server dialog box.
    In the Authentication field, select Windows Authentication from the drop-down list and click Connect.
  26. The SQL Server Management Studio main window appears, as shown in the screenshot.
  27. In the left pane of the window, expand Databases by clicking the + node.
    You can observe a database named Stevemartin, as shown in the screenshot.
  28. You have successfully created your own database using a crafted SQL query.
    Close SQL Server Management Studio, switch back to the Windows Server 2012 (Internal Network) machine, and close the web browser.
In this lab, you have learned how to analyze the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
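As an added example (not part of the lab material or the GoodShopping application), the two login implementations below show why the step 7 input works against a login query built by string concatenation and fails against a parameterized query. In-memory SQLite stands in for MS SQL Server so the example runs offline; the table layout is a constructed approximation of dbo.Login.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the goodshopping dbo.Login table (assumption:
    SQLite replaces MS SQL Server so the example runs offline)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_concatenated(con, username, password):
    """The vulnerable pattern the lab exploits: user input is spliced into
    the SQL text, so quote characters and -- comments change the query.
    With username = blah' or 1=1 -- the WHERE clause becomes always true
    and the password check is commented out."""
    sql = ("SELECT COUNT(*) FROM login WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    """The mitigation: placeholders send the input as data values, so the
    same text is compared literally against the username column and never
    parsed as SQL. Stacked statements (the ; insert / ; create database
    inputs from steps 10 and 22) are likewise treated as plain text."""
    sql = "SELECT COUNT(*) FROM login WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def row_count(con):
    """Audit helper: what step 19's Select Top 1000 Rows checks by eye."""
    return con.execute("SELECT COUNT(*) FROM login").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1 --"
    print("concatenated :", login_concatenated(db, payload, ""))   # True
    print("parameterized:", login_parameterized(db, payload, ""))  # False
    print("rows in login:", row_count(db))                          # 1
```

The concatenated variant is shown only to make the failure visible; any production login path should use the parameterized form (or an ORM that does so) and a least-privilege database account that cannot create databases.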