Lab 9.1 - Zacham17/my-tech-journal GitHub Wiki
Lab 9.1: SQLi Review
Preparation
Mysqld Configuration
- I configured mysqld on my Kali VM using the following commands:
sudo systemctl enable mysqld
sudo systemctl start mysqld
sudo mysql_secure_installation
- For the mysql_secure_installation prompts, I chose the following options:
Switch to unix_socket authentication [Y/n] n
Change the root password? [Y/n] Y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Clone the sqli-labs-php7 git repository
- From my /sec335/week9 directory, I cloned the sqli-labs-php7 git repository using the command,
git clone https://github.com/skyblueee/sqli-labs-php7.git
- I then changed into the sqli-labs-php7 directory using,
cd sqli-labs-php7
- I then edited the sql-connections/db-creds.inc file to look like the following:
<?php
//give your mysql connection username n password
$dbuser ='root';
$dbpass ='passwordgoeshere';
$dbname ="security";
$host = 'localhost';
$dbname1 = "challenges";
?>
- From the sqli-labs-php7 directory I ran the command
php -S 127.0.0.1:8090 -t .
to start the application
- In my browser, I navigated to http://127.0.0.1:8090 and clicked the "setup/reset Database for labs" link
- I then edited the sqli-labs-php7/Less-1/index.php file as such:

SQL Injection
- I followed a tutorial that can be found here to perform SQL Injection via a URL. Using this tutorial, I was able to gather information from the database.
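The reason the Less-1 page is injectable through its id parameter, shown as an added example that is not code from the sqli-labs-php7 project: the lookup written the way the lab writes it, next to the same lookup as a prepared statement. It runs against an in-memory SQLite table (constructed sample rows) so it works stand-alone; the lab itself talks to MySQL via sql-connections/db-creds.inc.

```php
<?php
// Added example, not code from sqli-labs-php7: the Less-1 lookup pattern,
// first with the id parameter spliced into the SQL text and then as a
// prepared statement. Uses in-memory SQLite so it runs without the lab's
// MySQL setup.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)");
// Constructed sample rows, not the lab's seed data.
$pdo->exec("INSERT INTO users VALUES (1,'alice','s3cret'), (2,'bob','hunter2')");

// Vulnerable shape: whatever arrives in ?id= becomes part of the SQL string.
function lookupVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: the value is bound as data, so quotes inside it cannot
// change the query; a non-numeric id simply matches nothing.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id LIMIT 1");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal id, the classic tautology, and a lone quote (the probe that
// makes the lab's error-based technique possible).
$inputs = ["1", "1' OR '1'='1", "1'"];
foreach ($inputs as $id) {
    foreach (['lookupVulnerable', 'lookupPrepared'] as $fn) {
        try {
            $rows = $fn($pdo, $id);
            printf("%-16s id=%-14s -> %d row(s)\n", $fn, $id, count($rows));
        } catch (PDOException $e) {
            // The vulnerable path leaks a raw SQL error to the caller; the
            // prepared path never reaches here for the same inputs.
            printf("%-16s id=%-14s -> SQL error: %s\n", $fn, $id, $e->getMessage());
        }
    }
}
```

The vulnerable function returns alice's row for an id that does not exist and throws a SQL syntax error on the lone quote, while the prepared version returns zero rows for both malformed inputs, which is the behaviour the fix to Less-1/index.php should produce.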
Using sqlmap
- I used sqlmap to dump the users table from the security database with the command
sqlmap -u http://127.0.0.1:8090/Less-1?id=1 --level 3 --dump -D security -T users
- -D specifies the database
- -T specifies the table