SQL injection is a very common web application vulnerability, where hackers inject malicious SQL query to fetch sensitive information from the website’s database by modifying and requesting text field’s inputs.
Step1: Setup the vulnerable web application
In this example, we are using Mutillidae as a vulnerable web application and we will try to log in as an admin user using SQL injection attack.
Firstly you need to create a local web server from where you can run the vulnerable web application.
In this case, apache would be run as a web server and MySQL as a backend database.
We shall download XAMP and install it in our respective operating systems.
Download link: https://www.apachefriends.org/download.html
After the installation starts the servers from the XAMPP control panel.
Now download and place the Mutillidae application inside the server.
Download link: https://sourceforge.net/projects/mutillidae/
After the download and extraction of the file now place it in the appropriate position.
Now open Kali Linux OS placed in the same LAN, and configure the browser proxy so that you can pass every request and response through burp suit.
Open Firefox and type <your windows os ip>/mutillidae in the address bar
Open Firefox > Go to Options
Under the General Tab search for Network settings
Select Manual proxy configuration and set up the proxy IP with your 127.0.0.1 (localhost) and also mark the checkbox to use the same proxy for other protocols as well.
Now open Burpsuite
Under the proxy tab go to Options and make sure the interface is selected.
Now enable the intercept button to capture the ongoing request and response between client and server.
Now you are done with the setup part, consecutively start the attack.
Open Mutillidae login page > enter the user name as admin and press the login button.
Now look at BurpSuite and see what you have got there.
On the above screen, using POST method you are sending the username as “admin” and leave the password field blank. Now you must start trying to bypass the login.
Now right click on the screen and select “Send to Intruder”
Go to Intruder Tab > Positions
Click on Clear and add the only field where we will start exploiting. Here we want to exploit the username value using SQL injection tokens so I will select the value of the username parameter.
After that come to Payload Positions to choose what type of payload we will use to exploit the credentials.
In this case, Simple List is selected as a Payload type. Click on Load to add the file where all possible injection tokens were already added.
Note: In Kali Linux, you can get a default SQL injection token list in the following path.
/usr/sare/wfuzz/wordlist/Injections/SQL.txt
After choosing the file click on Start attack and wait. It will take some time to finish depending upon the list count.
After the attack is performed, usually we check the status and the length if any changes are there as compared to other lists value.
In this case, we have different types of field lengths so we have to check one after another to see which one has successfully exploited the authentication.
As I have already checked which one is working, let’s come to the list number 40 and double click on it. Now click on the Response tab and under that come to the sub-tab Render. It will give you real-time results of the attack.
Congratulation!! We have bypassed the login page and got the Admin privilege.
If you have any further doubts or need any help on this topic feel free to write in the comment box below. Happy Hacking!
I really enjoyed this article. I need more information to learn so kindly update it.
ReplyDeleteclinical sas training in chennai
clinical sas course
clinical sas Training in Anna Nagar
SAS Training in Chennai
SAS Training Institute in Chennai
Placement Training in Chennai
soft skills training in chennai
core java training in chennai
The given information was excellent and useful. This is one of the excellent blog, I have come across. Do share more.
ReplyDeleteEthical Hacking course in Chennai
Ethical Hacking Training Institute in Chennai
Hacking course in Chennai
ccna Training in Chennai
Salesforce course in Chennai
PHP Training in Chennai
Tally course in Chennai
Ethical Hacking course in OMR
Ethical Hacking course in Anna Nagar
Ethical Hacking course in Vadapalani
Top Courses to learn
ReplyDeleteExcellent blog with lots of information. I have to thank for this. Do share more.
Valuable one...thanks for sharing...
ReplyDeleteDOT NET Training in Chennai
Best DOT NET Training institute in Chennai
Best DOT NET Training in Chennai
dot net coaching centers in chennai
dot net training in Guindy
Html5 Training in Chennai
Spring Training in Chennai
Struts Training in Chennai
Wordpress Training in Chennai
SAS Training in Chennai
Awesome blog, very informative content... Thanks for sharing waiting for next update...
ReplyDeleteArtificial Intelligence Course in Chennai
AI Training in chennai
artificial intelligence training in chennai
C C++ Training in Chennai
javascript training in chennai
Html5 Training in Chennai
QTP Training in Chennai
Spring Training in Chennai
DOT NET Training in Chennai
I just couldn't leave your website before telling you that I truly enjoyed the top quality info you present to your visitors? Will be back again frequently to check up on new posts. 2k moulding
ReplyDeleteThis knowledge.Excellently written article, if only all bloggers offered the same level of content as you, the internet would be a much better place. Please keep it up.
ReplyDeletegreat post guys
Ai & Artificial Intelligence Course in Chennai
PHP Training in Chennai
Ethical Hacking Course in Chennai Blue Prism Training in Chennai
UiPath Training in Chennai
ReplyDeleteThe strategy you have posted on this technology helped me to get into the next level and had lot of information in it. The angular js programming language is very popular which are most widely used.
Dot Net Training in Chennai | Dot Net Training in anna nagar | Dot Net Training in omr | Dot Net Training in porur | Dot Net Training in tambaram | Dot Net Training in velachery
Nice Information I learned a lot From this Post
ReplyDeleteSalesforce Training | Online Course | Certification in chennai | Salesforce Training | Online Course | Certification in bangalore | Salesforce Training | Online Course | Certification in hyderabad | Salesforce Training | Online Course | Certification in pune
The development of artificial intelligence (AI) has propelled more programming architects, information scientists, and different experts to investigate the plausibility of a vocation in machine learning. Notwithstanding, a few newcomers will in general spotlight a lot on hypothesis and insufficient on commonsense application. machine learning projects for final year In case you will succeed, you have to begin building machine learning projects in the near future.
ReplyDeleteProjects assist you with improving your applied ML skills rapidly while allowing you to investigate an intriguing point. Furthermore, you can include projects into your portfolio, making it simpler to get a vocation, discover cool profession openings, and Final Year Project Centers in Chennai even arrange a more significant compensation.
Data analytics is the study of dissecting crude data so as to make decisions about that data. Data analytics advances and procedures are generally utilized in business ventures to empower associations to settle on progressively Python Training in Chennai educated business choices. In the present worldwide commercial center, it isn't sufficient to assemble data and do the math; you should realize how to apply that data to genuine situations such that will affect conduct. In the program you will initially gain proficiency with the specialized skills, including R and Python dialects most usually utilized in data analytics programming and usage; Python Training in Chennai at that point center around the commonsense application, in view of genuine business issues in a scope of industry segments, for example, wellbeing, promoting and account.
nice blog..valuable information....thanks for sharing...
ReplyDeleteStudy Abroad Consultants in Kerala
study abroad consultants in thrissur
Study Abroad Consultants in Calicut
abroad job consultancy in coimbatore
abroad job consultancy in thrissur
overseas education consultants in thrissur
study abroad
study in poland
study in europe
education in germany
Nice blog was really feeling good to read it. Thanks for this information.
ReplyDeleteaws interview questions and answers for devops
devops interview questions and answers for freshers
java interview questions and answers
selenium interview questions and answers
digital marketing interview questions and answers
hadoop interview questions and answers
Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! aesthetic expert training
ReplyDeleteit was so good to read and useful
ReplyDeleteData Science course in Tambaram
Data Science Training in Anna Nagar
Data Science Training in T Nagar
Data Science Training in Porur
Data Science Training in OMR
Data Science course in Chennai