It is remarkable that SQL Injection remains one of the biggest vulnerabilities in database-driven web applications, because it is not difficult to resolve: parameterized queries and strict input validation close it. The sad fact is that, for whatever reason, this threat remains on the OWASP Top Ten Project. Developers, managers, testers, and pretty much everyone across the globe must wake up and deal with it. If you do not, you may find yourself dealing with a breach carried out with Havij or a similar tool that automates SQL Injection attacks. Havij is simple to use and entirely GUI based, and my goal here is to demonstrate the risks surrounding SQL Injection.
Before going any further, I must say that you should never execute an attack against any machine that you do not personally own or have explicit written permission to test. If you wish to experiment with this attack, use either a virtual machine or one of the online sites made available specifically for this purpose. If you have any doubts, do not proceed!
Virtual Machines (VMs):
To get started we will attack the website testasp.vulnweb.com, a deliberately vulnerable test site that Acunetix provides for exactly this kind of practice. Upon visiting the website we are presented with the following screen:
Go ahead and select your forum of choice; I selected Acunetix Web Vulnerability Scanner. Once you have clicked the forum link, inspect the URL in the address bar and you should see http://testasp.vulnweb.com/showforum.asp?id=0. That single numeric parameter is all we need to begin the SQL Injection attack.
Fire up Havij and paste http://testasp.vulnweb.com/showforum.asp?id=0 as the target. Once you have done so, click analyze.
Keep in mind that you need not understand the specifics of how SQL Injection attacks are carried out, and that we know nothing about the server where this forum resides. Even so, we quickly ascertain some very important details that an attacker would find very useful.
Thinking like a black hat for a moment, we now have a great deal of information that could be turned to our advantage in exploiting a known vulnerability: the database server and web server are older versions of Microsoft products, and it is quite possible that they are not patched. However, that avenue of attack is for another day.
Go ahead and click tables, then click get databases.
Amazing, we just uncovered seven databases on this server. With the database acuforum checked, click get tables.
Now that we have a list of the tables, next come the columns: check the users table and then click get columns.
Now for the moment you have been waiting for. Select the email, uname, and upass checkboxes and click get data.
So there you have it: in less than ten minutes you have executed a SQL Injection attack and accessed data that you should never have had access to.
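To make the walkthrough concrete, here is an added example (not code from the original page, from Havij, or from the vulnweb.com site) that models what the id parameter did for us above. It builds a constructed in-memory SQLite database reusing the names the attack surfaced (a users table with uname, upass and email columns), shows a showforum-style query that splices the id straight into SQL, runs the two generic probes an analysis step relies on (an always-true and an always-false suffix that produce different responses), dumps credentials with a UNION payload, and then shows the parameterized version that stops both. The function names, the forums table, the sample rows and the SQLite back end are all assumptions for illustration; the real target runs Microsoft SQL Server, where an attacker would additionally have to match column types and count, which SQLite's loose typing lets us skip here.

```python
import sqlite3


def build_db():
    """Constructed sample schema; the rows and the forums table are invented
    for this example and only the users/uname/upass/email names come from
    the walkthrough."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("CREATE TABLE users (uname TEXT, upass TEXT, email TEXT)")
    cur.executemany("INSERT INTO forums VALUES (?, ?)",
                    [(0, "Acunetix Web Vulnerability Scanner"), (1, "General")])
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "hunter2", "admin@example.invalid"),
                     ("bob", "p4ss", "bob@example.invalid")])
    conn.commit()
    return conn


def show_forum_vulnerable(conn, forum_id):
    """Hypothetical injectable endpoint: the raw query-string value is
    concatenated into the SQL text, so it is interpreted as SQL, not data."""
    sql = "SELECT id, name FROM forums WHERE id = " + forum_id
    return conn.execute(sql).fetchall()


def show_forum_fixed(conn, forum_id):
    """Hardened version: validate the type, then bind the value as a
    parameter so the driver can only ever compare it as data."""
    try:
        fid = int(forum_id)
    except ValueError:
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, name FROM forums WHERE id = ?", (fid,)).fetchall()


def probe_boolean(conn, query_fn, base_id="0"):
    """Generic boolean probe: if an always-true and an always-false suffix
    yield different results, the parameter is being evaluated as SQL."""
    try:
        true_rows = query_fn(conn, base_id + " AND 1=1")
        false_rows = query_fn(conn, base_id + " AND 1=2")
    except ValueError:
        return False  # the hardened endpoint rejects the input outright
    return true_rows != false_rows


# UNION payload with two columns to match the legitimate SELECT id, name.
PAYLOAD = "0 UNION SELECT uname, upass FROM users"


def dump_users_via_injection(conn):
    """Return the (uname, upass) pairs smuggled out through the forum query.
    The genuine forum row has an integer id; everything else is loot."""
    rows = show_forum_vulnerable(conn, PAYLOAD)
    return sorted((u, p) for (u, p) in rows if not isinstance(u, int))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable endpoint injectable:", probe_boolean(db, show_forum_vulnerable))
    print("fixed endpoint injectable:     ", probe_boolean(db, show_forum_fixed))
    print("credentials via UNION:", dump_users_via_injection(db))
    print("fixed endpoint, id=0:", show_forum_fixed(db, "0"))
```

The lesson is the same one the tool just demonstrated from the outside: once the id value is treated as SQL text, confirming injectability takes two requests and dumping a table takes one more, and none of it survives the parameterized query in show_forum_fixed.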