In our latest report Data Pirates' Toolkit (Leveraging SQLmap for Unearthing Digital Gold), we take a comprehensive look at a tried-and-tested cyberattack methodology that threat actors can use to unlock sensitive and critical data from unsecured databases: SQL injection (SQLi) attacks.
Aside from giving an overview of SQLi attacks, the Damn Vulnerable Web Application’s (DVWA), and the DVWA’s Dockerized environment, our new report tackles the fundamental mechanisms of SQL injection vulnerabilities within the DVWA low, medium, difficult, and impossible levels, leveraging SQLmap to demonstrate core exploitation techniques.
From dissecting PHP source code to crafting effective SQLmap commands, we gained practical insight into how insecure coding practices and weak web interface design can lead to complete database compromise.
Some highlights of the report include:
- SQLMap can be executed with the `--banner`, `--batch`, `--dbs`, `--tables`, `--columns`, `--verbose`, and `--dump` flags to present a wide variety of output in DVWA’s low level.
- Attackers can still circumvent the security of DVWA’s medium-level interface via numeric-based SQL injections.
- The medium-level interface has dropdown restrictions, a security enhancement that, unfortunately, can still be bypassed by intercepting the HTTP request after form submission via special tools. This can allow malicious actors to replace legitimate dropdown menu values with malicious SQL code.
- In the high-level interface, DVWA introduces the retrieval of the user ID from server-side session variables and using a `LIMIT 1` clause to minimize data exposure. It also incorporates better error handling to obscure database details. However, the continued use of direct string interpolation in SQL queries leaves a residual risk, particularly if an attacker compromises the session.
- DVWA’s impossible-level interface appears deceptively simple; however, it uses critical protections such as secure query handling and token-based session validation that effectively block SQL injection attacks. We show how the impossible level fares against the use of advanced and more aggressive SQLMap flags.
Read the full Trustwave SpiderLabs report here.
SQL injection, a code injection technique that exploits vulnerabilities in an application’s interactions with its underlying database, is not a new type of attack, but it’s still a cybercriminal favorite.
Last year, security researchers discovered a vulnerability in an air transport security system that enabled attackers to evade airport security screenings and even obtain access to aircraft cockpits. Threat actors can insert malicious SQL statements for malicious database queries in FlyCASS, a service that allows airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).
This vulnerability can allow threat actors to login to the system, create a fake employee account that has access to the KCM and CASS systems, evade security screening, and ultimately, access the cockpits of commercial airliners.
Gain a better understanding of the importance of mastering SQLMap to defend against ever-evolving attacks in our full report.
