- Python Penetration Testing Tutorial
- Python Penetration Testing - Home
- Introduction
- Assessment Methodology
- Primer on Network Communication
- The Socket and its Methods
- Python Network Scanner
- Network Packet Sniffing
- ARP Spoofing
- Pentesting of Wireless Network
- Application Layer
- Client-side Validation
- DoS & DDoS attack
- SQLi Web Attack
- XSS Web Attack
- Useful Resources
- Quick Guide
- Useful Resources
- Discussion
Python Penetration Testing - SQLi Web Attack
The SQL injection is a set of SQL commands that are placed in a URL string or in data structures in order to retrieve a response that we want from the databases that are connected with the web applications. This type of attacksk generally takes place on webpages developed using PHP or ASP.NET.
An SQL injection attack can be done with the following intentions −
To modify the content of the databases
To modify the content of the databases
To perform different queries that are not allowed by the application
This type of attack works when the applications does not validate the inputs properly, before passing them to an SQL statement. Injections are normally placed put in address bars, search fields, or data fields.
The easiest way to detect if a web application is vulnerable to an SQL injection attack is by using the " ‘ " character in a string and see if you get any error.
Types of SQLi Attack
In this section, we will learn about the different types of SQLi attack. The attack can be categorize into the following two types −
In-band SQL injection (Simple SQLi)
Inferential SQL injection (Blind SQLi)
In-band SQL injection (Simple SQLi)
It is the most common SQL injection. This kind of SQL injection mainly occurs when an attacker is able to use the same communication channel to both launch the attack & congregate results. The in-band SQL injections are further divided into two types −
Error-based SQL injection − An error-based SQL injection technique relies on error message thrown by the database server to obtain information about the structure of the database.
Union-based SQL injection − It is another in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.
Inferential SQL injection (Blind SQLi)
In this kind of SQL injection attack, attacker is not able to see the result of an attack in-band because no data is transferred via the web application. This is the reason it is also called Blind SQLi. Inferential SQL injections are further of two types −
Boolean-based blind SQLi − This kind of technique relies on sending an SQL query to the database, which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Time-based blind SQLi − This kind of technique relies on sending an SQL query to the database, which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Example
All types of SQLi can be implemented by manipulating input data to the application. In the following examples, we are writing a Python script to inject attack vectors to the application and analyze the output to verify the possibility of the attack. Here, we are going to use python module named mechanize, which gives the facility of obtaining web forms in a web page and facilitates the submission of input values too. We have also used this module for client-side validation.
The following Python script helps submit forms and analyze the response using mechanize −
First of all we need to import the mechanize module.
import mechanize
Now, provide the name of the URL for obtaining the response after submitting the form.
url = input("Enter the full url")
The following line of codes will open the url.
request = mechanize.Browser() request.open(url)
Now, we need to select the form.
request.select_form(nr = 0)
Here, we will set the column name ‘id’.
request["id"] = "1 OR 1 = 1"
Now, we need to submit the form.
response = request.submit() content = response.read() print content
The above script will print the response for the POST request. We have submitted an attack vector to break the SQL query and print all the data in the table instead of one row. All the attack vectors will be saved in a text file say vectors.txt. Now, the Python script given below will get those attack vectors from the file and send them to the server one by one. It will also save the output to a file.
To begin with, let us import the mechanize module.
import mechanize
Now, provide the name of the URL for obtaining the response after submitting the form.
url = input("Enter the full url")
attack_no = 1
We need to read the attack vectors from the file.
With open (‘vectors.txt’) as v:
Now we will send request with each arrack vector
For line in v: browser.open(url) browser.select_form(nr = 0) browser[“id”] = line res = browser.submit() content = res.read()
Now, the following line of code will write the response to the output file.
output = open(‘response/’ + str(attack_no) + ’.txt’, ’w’) output.write(content) output.close() print attack_no attack_no += 1
By checking and analyzing the responses, we can identify the possible attacks. For example, if it provides the response that include the sentence You have an error in your SQL syntax then it means the form may be affected by SQL injection.