All content following this page was uploaded by Tauheed Khan Mohd on 06 October 2020.
Abstract— SQL injection is a well known method of executing SQL queries and retrieving sensitive information from a website-connected database. This process poses a threat to those applications which are poorly coded in today's world. SQL injection is considered one of the top 10 vulnerabilities even in 2018. To keep track of the vulnerabilities that each of the websites is facing, we employ a tool called Acunetix which allows us to find the vulnerabilities of a specific website. This tool also suggests preventive measures. Using this implementation, we discover vulnerabilities in an actual website. Such a real-world implementation would be useful for instructional use in a foundational cybersecurity course.

I. INTRODUCTION

A database is the core of most web applications, which use it to store the information regarding that application. SQL injection attacks are usually started by making manipulations in the data on a web form, where fragments of SQL instructions are passed to the application. The application combines the faulty SQL fragments with the original SQL instructions generated by the application [1]. A study by the Gartner group showed that over 300 Web sites could be vulnerable to these SQL attacks. Unauthorized access can pose a threat to confidentiality, authority, and integrity [5]. Attacks like these pose a serious threat to a web application which receives input from the users and then combines it with the SQL queries sent to a database. These days, databases are a very lucrative target for attackers to breach into. This attack can also allow the hacker to make changes in the SQL statements passed to the database parameters. This not only lets the hacker steal the data but also perform modification and deletion.

The cause of an SQL attack is very simple: no proper validation of user input. To find a solution for this problem, various coding guidelines have been proposed, such as [9] validating and encoding the user input. These techniques are implemented by humans, so they are also prone to error [3]. Acunetix is an automated web application security scanner and vulnerability management platform. It is available both online and on-premise and can be used to automatically test any web site or web application for 3000+ vulnerabilities while helping teams prioritize and track remediation efforts throughout the SDLC.

Figure 1: Working of an SQL Injection

The mechanism of SQL injection takes place when the web application does not validate the values that it receives from the web form, input, and cookies before passing them into the queries which will further be executed on the server [2]. During this process, the attacker gets access to manipulate the code. Some of the common techniques are discussed in this paper. SQL injection can be done through cookies, which are files placed on the system by a server and contain data about preferences [4]. By doing this, a web server does not have to request the search information again, which helps in reducing the load time [9]. The data within the cookie can be manipulated by a malicious user as the client has control over the cookie. Furthermore, if the SQL queries are built using the contents of this cookie, the attacker can easily cause an attack by placing malicious code in this cookie. The major consequences of an SQL attack are as follows. An SQL database holds sensitive data regarding the application or an organization. During an injection, loss of confidentiality is a frequent problem, concerning access to sensitive information. If the malicious commands are used to log in and check the usernames and passwords, the attacker can connect to the system as another person without knowing that person's password.

This can further cause a problem of loss of authentication. The problem of authorization is witnessed when the information within the database is changed through successful exploitation of the SQL commands that are faulty and malicious. Loss of integrity occurs when deletion or addition or even updating of the current information is made on the database with the help of an SQL injection. This paper discusses how SQL injection can be executed through the JSQL tool on Kali Linux. The JSQL tool is a lightweight tool which is used to find information from a remote server. It is an open source tool which is also free and works cross-platform, that is, it works on Windows, Linux, and MAC OS. This tool is also included in Pentest Box, Parrot Security OS, Arch Strike or Black Arch Linux distributions and is also a part of the official penetration testing distribution of Kali Linux.

There is a tool called Acunetix which is a web application security scanner to identify threats and weaknesses in the architecture of a web application. Through research in this area, some researchers point out the limitations of these scanners in detecting the vulnerabilities [9][10][11][12][13]; they have nevertheless been adopted as they are independent of the technology that the application is using and for their usability. The crawler in the tool is used to analyze the target starting from the URL and maps the entire structure. The scanner will further test the pages found through the crawler for vulnerabilities. The scope, scan coverage, and speed can be easily customized. Multi-user and multi-role access are used for access to settings, scan kickoff, and scan data. There are filters that allow finding what we are looking for quickly [6]. It generates a wide variety of management and compliance reports like PCI DSS, etc. This tool also exports the results to XML and these results can be consumed by other systems. There is also a function called priority setting which is based on business criticality. It also supports continuous scanning, where a quick scan is run on an everyday basis on the target to catch vulnerabilities as soon as they are introduced.

II. RELATED WORK

A lot of tools have come up in recent times to perform SQL injection. One amongst them is the BSQL Hacker tool. It is used for Blind SQL injection and performs multi-threaded attacks. This tool performs four different kinds of attacks, namely Blind SQL Injection, Time Based Blind SQL Injection, Deep Blind SQL Injection, and Error Based SQL Injection. SQLmap is another tool which is available as an open source tool and is a popular tool for the injection attack. It comes with a detection engine which detects various SQL vulnerabilities. It supports a variety of database servers like MySQL, Oracle, Microsoft Access, Sybase, Microsoft SQL Server, SAP MaxDB and IBM DB2. Another tool to mention is the SQLSus tool, which is programmed in Perl and whose functions can be extended by adding one's own code. This tool also offers a command interface which can be used to inject one's own SQL queries to perform attacks. There has been a lot of work. The injection can also be done using server variables which contain various environment variables and network headers. These variables are used to analyze and identify the browsing activity [9].

Headers are modified to contain the attack strings, as the hacker can forge the values in the network headers. When this query is given to log in to the server variable which is then given to the database, the attack is prompted. Shell injection attacks take place when the input is embedded within a string that has to be interpreted by the shell. This vulnerability is not just confined to web applications [8]. The injections can be triggered using the user input. The web applications which are used as a target for the SQL injection attacks get their user input from various submissions that are sent through requests like HTTP GET and POST requests [6]. There has been progressive improvement in using Goal-Directed Model Checking through developing a system called QED that is capable of automatically generating attacks by exploiting the taint based vulnerabilities in Java web applications [14]. This system automatically finds attack vectors for vulnerabilities in web applications which are written in the same framework as that of the application.

Due to advancements in the field of neural networks, a tool called Viper was developed which performs penetration testing on web applications. The method of pattern matching is used on error messages and on the outputs from the application used for testing, and is also based on an extensible knowledge base that consists of a large set of templates [15]. There are various defensive coding practices that are defined to design web applications that are secured against SQL injection [16]. There is a technique that is used to protect web applications from SQL vulnerabilities which is SQL Randomization [17]. The working idea is to select a web application and append an integer to the SQL keywords which are used to build the statements in SQL. The parser used by the application is written to accept only randomized keywords. Hence, if malicious code is given as input, it will be declined by the parser. There are approaches that use statistical analysis for detecting vulnerabilities in an application. With the increasingly dynamic nature of applications, an increase in false negatives and positives might also occur [18]. There are various methods to prevent SQL injection attacks like AMNESIA, SQLrand, and SQL Guard [20]. There are various vulnerability scanners that are prevalent in the market. One amongst them is HP WebInspect. It performs testing and assessment for web applications that are built on Web 2.0 technologies [19]. It is known for fast scanning capabilities and correct web application scanning results. The scanning is based on a collection of a database of vulnerability signatures and artificial intelligence techniques.
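As an added illustration of the SQL Randomization idea [17] described above (example code written for this page, not the paper's or SQLrand's own; the key value, the SqlRandProxy class and the toy users table are assumptions), the block below appends a secret integer to every keyword of a trusted query template and has a proxy reject any keyword that reaches the database without that suffix:

```python
"""Toy SQLrand-style defence (SQL Randomization, [17]). Constructed example,
not code from the paper or from SQLrand: the application appends a secret
integer to every keyword of its trusted query templates, and a proxy before
the database strips that suffix and rejects any keyword arriving without it."""
import re
import sqlite3

KEYWORDS = ("SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP",
            "INSERT", "DELETE", "UPDATE")

class SqlRandProxy:
    # A token is either a single-quoted string literal (passed through untouched)
    # or a keyword with an optional numeric suffix. Matching literals first keeps
    # user data such as the name 'and' from being treated as SQL.
    _token = re.compile(r"'(?:[^']|'')*'|\b(" + "|".join(KEYWORDS) + r")(\d*)\b",
                        re.IGNORECASE)

    def __init__(self, key: int):
        self.key = str(key)  # assumed secret; must not be derivable by a client

    def randomize(self, template: str) -> str:
        """Developer-side step: rewrite a trusted template, e.g. SELECT -> SELECT8391."""
        return self._token.sub(
            lambda m: m.group(0) if m.group(1) is None else m.group(1).upper() + self.key,
            template)

    def derandomize(self, query: str) -> str:
        """Proxy-side step: strip the key, or refuse the query if a keyword lacks it."""
        def repl(m):
            if m.group(1) is None:        # string literal: leave as is
                return m.group(0)
            if m.group(2) != self.key:    # keyword without the secret suffix: injected
                raise ValueError(f"unrandomized keyword {m.group(1)!r}: query rejected")
            return m.group(1).upper()
        return self._token.sub(repl, query)

def make_db():
    """Constructed in-memory table with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login(conn, proxy, username, password):
    """The application still concatenates user input into its SQL (the coding error
    the paper describes); only the proxy stands between that and the database.
    Returns the matched name, or None if the proxy rejected the query or nothing matched."""
    template = proxy.randomize(
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'")
    try:
        real_sql = proxy.derandomize(template % (username, password))
    except ValueError:
        return None
    row = conn.execute(real_sql).fetchone()
    return row[0] if row else None
```

With `SqlRandProxy(8391)`, a normal login returns the user's name, while a password field carrying a bare `OR` is refused by the proxy before the database ever sees it.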
III. OPEN SOURCE TOOLS

A. JSQL

The JSQL tool works automatically on 23 kinds of databases for SQL injection, and the databases are Access, Cockroach DB, CUBRID, DB2, Derby, Firebird, H2, Hana, HSQLDB, Informix, Ingres, Max DB, MySQL {Maria Db}, PostgreSQL, Teradata, and Vertica. It supports multiple injection strategies like Normal, Error, Blind and Time. This tool uses the SQL engine to study and optimize the SQL expression. It reads and writes files on the host using injection. It also supports encoding and decoding a string.

B. Acunetix

Deep scan integrates with the world's most widely used browser engine, WebKit. The scanner crawls and scans HTML5 web applications and executes JavaScript like a real browser. The scanner also reliably detects advanced DOM-based Cross-site Scripting. It scans for malicious URLs and tests popular CMSs such as Drupal, WordPress and others. AcuMonitor is the service in the intermediate stage that allows the scanner to detect out-of-band vulnerabilities [6]. These include Blind Cross Site Scripting, External Entity, Out of Band SQL injection (OOB), host header injection, email header injection, and password reset poisoning. Acu-Sensor is a server-side component which helps in running a gray-box scan. It is used to inspect the source code of a web application which is in execution. It shows the vulnerable SQL queries and ensures 100% verification of 12+ high severity vulnerabilities. It also analyses server configuration for vulnerabilities.

This section discusses how different tools were employed to implement the SQL injection attack. We also present a brief overview of how the tools are used specifically.

The procedure of using the JSQL tool is as follows. The tool is found in the applications tab of the Kali Linux operating system. Further, if we go to Database Assessment within the applications tab, we obtain various tools for SQL injection. The SQL injection tool is in the Database Assessment location within the applications tab. This tab also consists of tools like sqlmap.

Figure 3: Retrieving the database in JSQL (emails have been redacted for user privacy)

Then the JSQL option is selected. A vulnerable website is picked as a target. The website is then injected as the target into the application. To check whether the website is vulnerable or not, an apostrophe or a star is used at the end of the website URL. The databases regarding that website will be displayed. These databases contain a lot of tables regarding various kinds of information about each component of the website.
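An added example, not code from the paper or from JSQL, of why the apostrophe probe described above reveals an injectable query and of the fix: a lookup that concatenates a form field and a cookie value into SQL (the coding error the introduction describes) beside the same lookup with bound parameters. The schema, the theme cookie and the function names are assumptions.

```python
"""Why the apostrophe probe reveals an injectable query, and the fix.
Constructed example, not code from the paper or JSQL: a lookup that
concatenates a form field and a cookie value into SQL (the error the paper
describes) beside the same lookup with bound parameters. Schema, cookie
name and function names are assumptions."""
import sqlite3

def make_db():
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, theme TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "dark"), ("bob", "hunter2", "light")])
    return conn

def lookup_vulnerable(conn, username, theme_cookie):
    """Builds the statement by string concatenation, so a quote in either the
    form field or the cookie becomes SQL syntax. Returns ("ok", names) or
    ("error", message); a database error echoed to the client is exactly the
    signal that error-based injection tools watch for."""
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND theme = '" + theme_cookie + "'")
    try:
        return "ok", [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error", str(exc)

def lookup_safe(conn, username, theme_cookie):
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so an apostrophe can only ever match an apostrophe."""
    sql = "SELECT name FROM users WHERE name = ? AND theme = ?"
    return "ok", [row[0] for row in conn.execute(sql, (username, theme_cookie))]

if __name__ == "__main__":
    db = make_db()
    # Probe with a trailing apostrophe, as the JSQL procedure above does
    print(lookup_vulnerable(db, "alice'", "dark"))   # ('error', ...): query is injectable
    print(lookup_safe(db, "alice'", "dark"))         # ('ok', []): treated as data
    # Tautology placed in the cookie, the vector the introduction describes
    print(lookup_vulnerable(db, "alice", "x' OR '1'='1"))  # ('ok', ['alice', 'bob'])
    print(lookup_safe(db, "alice", "x' OR '1'='1"))        # ('ok', [])
```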
and enter the credentials that are obtained from the database. We can make changes to the user's profile like adding data without the user's notice. The attack is performed successfully.

Figure 6: Uploading files to random user's dashboard in JSQL

C. Acunetix

The working of the Acunetix tool is demonstrated as follows. The crawler in the tool is used to analyze the target starting from the URL and maps the entire structure. The scanner will further test the pages found through the crawler for vulnerabilities. The scope, scan coverage, and speed can be easily customized. Multi-user and multi-role access are used for access to settings, scan kickoff, and scan data. There are filters that allow finding what we are looking for quickly [6]. It generates a wide variety of management and compliance reports like PCI DSS, etc. This tool also exports the results to XML and these results can be consumed by other systems. There is also a function called priority setting which is based on business criticality. It also supports continuous scanning, where a quick scan is run on an everyday basis on the target to catch vulnerabilities as soon as they are introduced.
V. CONCLUSION

The JSQL tool is a simple tool to perform basic SQL injection attacks. This tool can act as a learner tool for people to understand SQL attacks and injections, as the mechanism and the working of the tool are very basic. It provides a generic view of the attack and shows results which create curiosity amongst people who want to learn ethical hacking. The Acunetix tool is one amongst the leading tools for web application security. This tool also offers high detection rates, which is very essential for websites within an organization as penetration attacks are very common. It has been awarded as the best vulnerability management solution in the year 2017. It is also an OS-friendly tool as it is compatible with Windows, Linux and MAC OS. Keeping in mind all these features, it can therefore be concluded that this can be easily used for instructional purposes in an introductory course in cybersecurity education.

Figure 7: Giving input as any target website in Acunetix

Figure 8: Threat and its repair measures as detailed in Acunetix

VI. REFERENCES

[1] SQL Injection Attacks: Detection in a Web Application Environment, http://www.dbnetworks.com/pdf/sql-injection-detection-web-environment.pdf (read on 2/2/18).
[2] Binnie, C. SQL Injection Attacks. Linux Server Security: Hack and Defend, 113-122.
[3] Clarke-Salt, J. (2009). SQL injection attacks and defense. Elsevier.
[4] Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.
[5] Kindy, D. A., & Pathan, A. S. K. (2011, June). A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. In Consumer Electronics (ISCE), 2011 IEEE 15th International Symposium on (pp. 468-471). IEEE.
[6] Patil, S., & Agrawal, N. (2015). Web Security Attacks and Injection: A Survey. Department of Computer Science & Engineering, NRI Institute of Science & Technology, Bhopal, India.
[7] Acunetix Ltd. (2007). Web Vulnerability Scanner. http://www.acunetix.com/vulnerability-scanner/
[8] Su, Z., & Wassermann, G. (2006, January). The essence of command injection attacks in web applications. In ACM Symposium on Principles of Programming Languages (POPL 2006).
[9] Saeed, F. A. (2014). Using WASSEC to evaluate commercial web application security scanners. International Journal of Soft Computing and Engineering (IJSCE), 4(1), 177-181.
[10] Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. (2010, May). State of the art: Automated black-box web application vulnerability testing. In Security and Privacy (SP), 2010 IEEE Symposium on (pp. 332-345). IEEE.
[11] Djuric, Z. (2013, September). A black-box testing tool for detecting SQL injection vulnerabilities. In Informatics and Applications (ICIA), 2013 Second International Conference on (pp. 216-221). IEEE.
[12] Doupé, A., Cova, M., & Vigna, G. (2010, July). Why Johnny can't pentest: An analysis of black-box web vulnerability scanners. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 111-131). Springer, Berlin, Heidelberg.
[13] Fonseca, J., Vieira, M., & Madeira, H. (2007). Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007) (pp. 365-372).
[14] Kieyzun, A., Guo, P. J., Jayaraman, K., & Ernst, M. D. (2009, May). Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering (pp. 199-209). IEEE Computer Society.
[15] Ciampa, A., Visaggio, C. A., & Di Penta, M. (2010, May). A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications. In Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems (pp. 43-49). ACM.
[16] Howard, M., & LeBlanc, D. (2003). Writing Secure Code, second ed. Microsoft Press.
[17] Huang, Y., Yu, F., Hang, C., Tsai, C. H., Lee, D. T., & Kuo, S. Y. (2004, May). Securing web application code by static analysis and runtime protection. In Proceedings of the 13th International Conference on World Wide Web (pp. 40-52).
[18] Jovanovic, N., Kruegel, C., & Kirda, E. (2006, May). Pixy: A static analysis tool for detecting web application vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy.
[19] SpiDynamics. WebInspect. http://www.spidynamics.com/products/webinspect/index.html (read on 4/13/2018).
[20] Kindy, D. A., & Pathan, A. S. K. (2012). A detailed survey on various aspects of SQL injection in web applications: Vulnerabilities, innovative attacks, and remedies. arXiv preprint arXiv:1203.3324.