SQL Injection Demo

This is a demo of how Pixie can be used to capture SQL injections on a Kubernetes application. In this demo, we will spin up a DVWA web application that is vulnerable to SQL injection and monitored by Pixie, run SQLMap (a SQL injection tool) against that application, and detect the SQL injections at the database level using a PxL script. This demo was created to accompany the "Detect SQL injections with Pixie" blog post.

You can also view a live version of this demo at this talk (SQL injection content at about 11:51 in).

WARNING

DVWA is an intentionally vulnerable web application. It should NOT be deployed to a live web server. These instructions will cover deploying DVWA to a minikube environment. See DVWA's disclaimer for more details.

Create your Minikube cluster

  1. Install Minikube

  2. Run minikube. Linux users should use the kvm2 driver and Mac users should use the hyperkit driver. Other drivers, including the docker driver, are not supported by Pixie.

    minikube start --driver=<kvm2|hyperkit> --cni=flannel --cpus=4 --memory=8000 -p=<cluster-name>
    
  3. Verify your cluster is up and running.

    kubectl get nodes
    

Deploy Pixie to your cluster

  1. Follow an install guide to Install Pixie.

Deploy the Vulnerable Application

WARNING This image is vulnerable to several kinds of attacks. You should only deploy it to your minikube cluster.

  1. Ensure that you are still running on your minikube environment.

    kubectl config current-context
    
  2. git clone this repo and cd into the sql-injection-demo directory.

    git clone <path to repo>
    cd <repo_path>/sql-injection-demo
    
  3. Deploy the vulnerable demo application.

    kubectl apply -f ./dvwa-k8s
    
  4. Get the pod name for dvwa-pixie-demo.

    kubectl get pods
    
  5. Forward the port so you can access the UI. Leave this running. You can use a different value for 1234 if you want, just make sure you replace it in subsequent instructions.

    kubectl port-forward <dvwa-podname> 1234:80
    
  6. In your browser, navigate to localhost:1234

  7. Login with username: admin, password: password

  8. Follow instructions on webpage and click Create / Reset Database

  9. Relogin with username: admin, password: password

Manual SQL Injection

DVWA was designed with a SQL injection that originates from taking raw user input in a URL query parameter. The path of the vulnerability is http://localhost:1234/vulnerabilities/sqli/?id=<SQL-Injection-Point>&Submit=Submit#. An attacker could supply a crafted value for the ID query parameter which ultimately would lead to a SQL injection.

At the database level, the raw query looks like this (DVWA wraps the id value in single quotes, which is why the payloads below begin with 1' to close that quote): SELECT first_name, last_name FROM users WHERE user_id = '<SQL-Injection-Point>';

As an example, try 1' union select 1,@@version# as the id value. The leading 1' closes DVWA's quoted literal, union select 1,@@version appends a row containing the database version to the results, and the trailing # comments out the closing quote and semicolon that DVWA adds after the value.

Try accessing the following URL:

http://localhost:1234/vulnerabilities/sqli/?id=1%27+union+select+1%2C%40%40version%23&Submit=Submit#
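To see exactly what the crafted id value does to the query, the following Python is an added example (it is not code from this repo, from DVWA or from Pixie): it rebuilds the string concatenation DVWA's low-security sqli page performs, runs the result against an in-memory SQLite table standing in for DVWA's MySQL users table, and contrasts it with a parameterized lookup. Because SQLite is used offline, the MySQL comment marker # and @@version are swapped for -- and sqlite_version() in the payloads that are actually executed; the rows and password hashes in the table are constructed for the example.

```python
import sqlite3

# Constructed stand-in for DVWA's `users` table; names and "hashes" are made up for this example.
USERS = [
    (1, "admin", "admin", "hash-of-admin-password"),
    (2, "Gordon", "Brown", "hash-of-gordon-password"),
    (3, "Hack", "Me", "hash-of-hack-password"),
]


def make_db():
    """In-memory SQLite database standing in for DVWA's MySQL backend (assumption for offline use)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def dvwa_query(id_value):
    """The string DVWA's low-security sqli page builds from the raw `id` parameter.

    This is the text that reaches the database, and therefore the text Pixie captures
    from the MySQL protocol and that a detection script can inspect.
    """
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{id_value}';"


def lookup_vulnerable(conn, id_value):
    """Vulnerable pattern: user input is concatenated into the SQL text and executed as-is."""
    return conn.execute(dvwa_query(id_value)).fetchall()


def lookup_parameterized(conn, id_value):
    """Hardened pattern: the same lookup with a bound parameter; the payload is only ever a string."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (id_value,)
    ).fetchall()


# The MySQL payload from the page, kept only to show the query text it produces.
MYSQL_PAYLOAD = "1' union select 1,@@version#"
# SQLite equivalents that are executed below: `-- ` replaces `#`, sqlite_version() replaces @@version.
SQLITE_VERSION_PAYLOAD = "1' union select 1,sqlite_version()-- "
SQLITE_DUMP_PAYLOAD = "1' union select user_id,password from users-- "

if __name__ == "__main__":
    conn = make_db()
    print("query Pixie would capture:", dvwa_query(MYSQL_PAYLOAD))
    print("vulnerable, id=1:", lookup_vulnerable(conn, "1"))
    print("vulnerable, version payload:", lookup_vulnerable(conn, SQLITE_VERSION_PAYLOAD))
    print("vulnerable, dump payload:", lookup_vulnerable(conn, SQLITE_DUMP_PAYLOAD))
    print("parameterized, version payload:", lookup_parameterized(conn, SQLITE_VERSION_PAYLOAD))
```

The union payload returns the legitimate admin row plus one extra row carrying the engine version, and the dump payload returns every user_id/password pair, because the injected SELECT is unioned onto the original one. The parameterized lookup with the same payload returns nothing: the database compares user_id against the literal string, and no row has that value.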

Automating finding SQL injections with SQLMap

SQLMap is a CLI tool that automates finding SQL injections via brute-force and heuristic methods.

  1. In a new terminal tab, git clone the SQLMap repo based on the instructions in their README and cd into it.

  2. To use SQLMap you will need the cookie from DVWA after logging in. Go to http://localhost:1234/phpinfo.php and scroll down to PHP Variables.

  3. Copy the value shown for $_COOKIE['PHPSESSID'] and export it into an environment variable.

    export DVWA_COOKIE='PHPSESSID=<YOUR-PHP-SESSID>; security=low'
    
  4. Run SQLMap.

    python sqlmap.py -u 'http://localhost:1234/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie "$DVWA_COOKIE"
    
  5. SQLMap will prompt for answers to various questions as it runs. Answer the following when prompted:

    • it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? y
    • for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? n
    • GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? n

Capture the SQL Injections using PxL

  1. Execute a script via the Pixie CLI. This script returns the latest MySQL queries Pixie observed on your cluster.

    px run px/mysql_data
    
  2. Load the above view in the Pixie UI. In your browser, navigate to the URL printed at the bottom of the CLI output at Live UI:.

  3. Open the script editor (Ctrl + E).

  4. Replace the PxL Script tab contents with the contents of script/sql_injections.pxl.

  5. Replace the Vis Spec tab contents with the contents of script/vis.json.

  6. Click Run.

  7. You should now see the SQL Injection queries run by SQLMap in the data table.
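The PxL script works on the query text Pixie captured from the MySQL protocol, not on the HTTP request. The following Python is an added example (not the repo's script/sql_injections.pxl, whose exact rules are not reproduced here) that applies the same idea to a constructed list of captured queries: a small regex rule set covering the payload families SQLMap sends (union, tautology, time-based, error-based, stacked and schema-probing payloads), run over the benign DVWA query, the manual payload from the previous section and several SQLMap-style probes, then counted per source address so an alerting step like the slackbot below would have something to act on. The event dicts use time, remote_addr and req_body fields modelled on Pixie's mysql_events columns (an assumption); the queries and addresses are constructed for the example.

```python
import re
from collections import Counter

# Regex heuristics over captured query text. These are this example's own rules, chosen to
# cover the payload families SQLMap emits; the repo's PxL script may use different ones.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("comment_marker", re.compile(r"#|--\s|/\*")),
    # OR 1=1, AND 'x'='x, AND 8546=8546: same token on both sides of '=' after a boolean operator
    ("tautology", re.compile(r"\b(?:or|and)\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error_based", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    ("schema_probe", re.compile(r"information_schema|@@version|\bversion\s*\(", re.I)),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I)),
]

# Constructed "captured" events: what a mysql_events-style table might hold during the demo.
# 10.244.0.7 plays the browser/manual user, 10.244.0.9 plays the host running SQLMap.
DVWA = "SELECT first_name, last_name FROM users WHERE user_id = '"
SAMPLE_EVENTS = [
    {"time": 1, "remote_addr": "10.244.0.7", "req_body": DVWA + "1';"},
    {"time": 2, "remote_addr": "10.244.0.7",
     "req_body": "INSERT INTO guestbook (comment, name) VALUES ('credit union hours?', 'bob');"},
    {"time": 3, "remote_addr": "10.244.0.7",
     "req_body": "SELECT comment FROM guestbook WHERE name = 'bob' AND comment_id = 3;"},
    {"time": 4, "remote_addr": "10.244.0.7", "req_body": DVWA + "1' union select 1,@@version#';"},
    {"time": 5, "remote_addr": "10.244.0.9", "req_body": DVWA + "1' AND 8546=8546 AND 'xyz'='xyz';"},
    {"time": 6, "remote_addr": "10.244.0.9",
     "req_body": DVWA + "1' AND (SELECT 1234 FROM (SELECT(SLEEP(5)))abcd)-- wXyZ';"},
    {"time": 7, "remote_addr": "10.244.0.9",
     "req_body": DVWA + "1' UNION ALL SELECT NULL,CONCAT(0x71,user(),0x71)#';"},
    {"time": 8, "remote_addr": "10.244.0.9",
     "req_body": DVWA + "1' AND EXTRACTVALUE(4721,CONCAT(0x5c,(SELECT @@version)))-- Ndvi';"},
    {"time": 9, "remote_addr": "10.244.0.9", "req_body": DVWA + "1'; SELECT SLEEP(5)-- ';"},
]


def classify(query):
    """Names of the rules that fire on one captured query; an empty list means it looks benign."""
    return [name for name, rx in RULES if rx.search(query)]


def scan(events):
    """Return the events whose req_body trips at least one rule, annotated with the rule names."""
    flagged = []
    for ev in events:
        hits = classify(ev["req_body"])
        if hits:
            flagged.append({**ev, "rules": hits})
    return flagged


def count_by_source(flagged):
    """Suspicious-query count per client address, the figure an alert would be raised on."""
    return Counter(ev["remote_addr"] for ev in flagged)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for ev in hits:
        print(ev["time"], ev["remote_addr"], ev["rules"], ev["req_body"])
    print(count_by_source(hits))
```

Note that the word "union" inside a guestbook comment and the ordinary AND comment_id = 3 predicate are not flagged, because the rules anchor on union ... select and on a repeated token around the equals sign rather than on bare keywords; that is the kind of check that keeps a query-level detector from alerting on normal application traffic.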

(Optional) Run Slackbot to alert on possible SQL injections

  1. cd into the slackbot directory

  2. pip install -r requirements.txt

  3. Set the environment variables PIXIE_API_KEY, SLACK_BOT_TOKEN, PIXIE_CLUSTER_ID, and SLACK_ALERT_CHANNEL. You can reference these instructions for how to get PIXIE_API_KEY, SLACK_BOT_TOKEN, and PIXIE_CLUSTER_ID.

  4. Run the following command. Note: this requires Python 3.8.7 or greater.

    python slackbot.py
    

Clean up

  1. Delete your minikube cluster.

    minikube delete