Provide steps on how to investigate an SQL injection attack.
In this part, you will perform an SQL injection to access credit card information that is stored on a web
server. The Metasploitable VM is functioning as a web server configured with a MySQL database.
Step 1. Perform an SQL injection.
a. Log into Kali VM using the username root and password cyberops.
b. In the Kali VM, click the Firefox ESR icon ( ) to open a new web browser.
c. Navigate to 209.165.200.235. Click Mutillidae to access a vulnerable web site.
![15488|501x263](upload://8qcfq15A6KqE5UwKPmBB1j6I4TI.png)
d. Click OWASP Top 10 > A1 – Injection > SQLi – Extract Data > User Info.
![15489|501x411](upload://hAeJsTZy6hZz6WzhCY0rs9aj8q2.png)
e. Right-click the Name field and select Inspect Element to open the HTML inspector on that input.
f. In the inspector, double-click the value 20 on the Name field's input element (the input is named username, which is the string you will search for in the captured traffic later) and change it to 100 so you can see the whole string as you enter the query into the Name field. Close the inspector when finished.
![15490|505x150](upload://cKP8Cxt96UPdc5QGL7F9Atuzcyi.png)
g. Enter `' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- ` in the Name field. Click View Account Details to extract the credit card information from the credit_cards table in the owasp10 MySQL database.
Note: The string begins with a straight single quote ( ' ) followed by a space, and ends with a space after the two hyphens; MySQL only treats -- as a comment when whitespace follows it. The quote closes the string literal in the application's own query, UNION appends the attacker's SELECT to it (so the number of selected columns must match the original query), and the comment discards the rest of the original statement.
![15491|504x147](upload://leE9SWYyEtKbtyvl2jajmldlCbi.png)
h. Scroll down the page for the results. The result indicates that you have successfully
extracted the credit card information from the database by using SQL injection. This
information should only be available to authorized users.
![15492|332x224](upload://oCg1Ov1BBARqHYfJ62MBTUeshOL.png)
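To make the mechanics of step g concrete, here is an added Python example (not part of the original lab and not Mutillidae's code) that reproduces the attack against an in-memory SQLite database. The table and column names follow the lab; the row values, the assumption that the application's lookup selects five columns from accounts (which is why the payload supplies exactly five), and the function names are constructed for illustration. The same payload is run through a string-built query and through a parameterised one.

```python
import sqlite3

# Constructed sample rows standing in for the lab's owasp10 database.
# Table and column names follow the lab; the values are made up.
ACCOUNTS = [
    (1, "admin", "adminpass", "g0t r00t?", 1),
    (2, "adrian", "somepassword", "Zombie Films Rock!", 0),
]
CREDIT_CARDS = [
    (1, "4444111122223333", "745", "2012-03-01"),
    (2, "7746536337776330", "722", "2015-04-01"),
]

# The exact string typed into the Name field in step g (straight quote,
# space after it, space after the closing --).
PAYLOAD = "' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- "


def make_db():
    """Build an in-memory SQLite copy of the two tables used in the lab."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE accounts(
            cid INTEGER, username TEXT, password TEXT, mysignature TEXT, is_admin INTEGER);
        CREATE TABLE credit_cards(
            ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
        """
    )
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", ACCOUNTS)
    con.executemany("INSERT INTO credit_cards VALUES (?,?,?,?)", CREDIT_CARDS)
    return con


def vulnerable_lookup(con, username, password):
    """Assumed shape of the vulnerable lookup: user input concatenated into SQL.

    With PAYLOAD as the username the quote closes the literal, UNION bolts the
    attacker's SELECT onto the statement, and -- comments out the rest.
    Returns (sql_text, rows) so the caller can see what actually executed.
    """
    sql = (
        "SELECT cid, username, password, mysignature, is_admin FROM accounts "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return sql, con.execute(sql).fetchall()


def safe_lookup(con, username, password):
    """Same lookup with bound parameters: input is data, never SQL text."""
    sql = (
        "SELECT cid, username, password, mysignature, is_admin FROM accounts "
        "WHERE username=? AND password=?"
    )
    return sql, con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    sql, rows = vulnerable_lookup(db, PAYLOAD, "anything")
    print("executed:", sql)
    for row in rows:
        print("leaked:", row)          # rows come from credit_cards, not accounts
    print("parameterised:", safe_lookup(db, PAYLOAD, "anything")[1])  # []
```

One difference from the lab's MySQL backend: SQLite treats `--` as a comment even without a trailing space, so the trailing space in PAYLOAD only matters when the same string is sent to MySQL, which is why the lab's note insists on it.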
Step 2. Review the Sguil logs.
a. Navigate to the Security Onion VM. Double-click the Sguil icon on the Desktop. Enter
the username analyst and password cyberops when prompted.
b. Click Select All to monitor all the networks. Click Start SGUIL to continue.
c. In the Sguil console, in the bottom-right window, click Show Packet Data and Show
Rule to view the details of a selected alert.
d. Search for alerts related to ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT. Select the alerts whose Alert ID starts with 7. These alerts come from the seconion-eth2-1 sensor and are probably the most recent ones. Because Sguil displays real-time events, the Date/Time in the screenshot is for reference only; note the Date/Time of the alert you selected.
![15493|501x303](upload://tvAINpAd2KRE6VmasgzaREDhCFL.png)
e. Right-click the number under the CNT heading for the selected alert to view all the
related alerts. Select View Correlated Events.
![15494|338x94](upload://dqQtyqZ9xTWUe0bn7YsljGvSjyO.png)
f. Right-click an Alert ID in the results. Select Transcript to view the details for this alert.
Note: If you mistyped the user information in the previous step, you should use the last alert in the
list.
![15495|502x188](upload://plGPjP7ixJAdOJasZ13dHOWS7vd.png)
g. In this window, you can see the GET request in which the UNION operator was used to access the credit card information. If you do not see this information, try right-clicking another of the correlated events.
Note: If you entered the injection script more than once because of a typo or some other reason, it
may be helpful to sort the Date/Time column and view the most recent alert.
![15487|420x286](upload://paF7S3INWaAR7vaY1T5tyzdigrF.png)
What information can you gather from the Transcript window?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
The Transcript window displays the transaction between the source 209.165.201.17:52644 and the destination 209.165.200.235:80. The request from 209.165.201.17 attempts to access credit card information using a SQL UNION operator, and the response from the web server at 209.165.200.235 shows the HTML content that was returned to the attacker.
h. You can also determine the information retrieved by the attacker. Click Search and enter username in the Find: field. Use the Find button to locate the captured information. The same credit card information may be displayed differently from the figure below.
Note: If you are unable to locate the stolen credit card information, you may need to view the transcript in another alert.
![15496|420x490](upload://fedzkQLUZYndjH2NuVSwi6htKR9.png)
Compare the credit card information from the Transcript window and the content
extracted by the SQL injection attack. What is your conclusion?
____________________________________________________________________________
The credit card information is the same because the transcript reconstructs all the content transmitted between the source and destination, including the server's response that carried the extracted rows.
i. Close the windows when finished.
j. Return to the Sguil window, right-click the same Alert ID that contains the exfiltrated
credit card information and select Wireshark.
k. Right-click on a TCP packet and select Follow TCP Stream.
![15497|503x265](upload://t762EWNQSoIxmH6MiFf9UqeuxRD.png)
l. The GET request and the exfiltrated data are displayed in the TCP stream window. Your
output may be different than the figure below, but it should contain the same credit
card information as your transcript above.
![15498|280x220](upload://usPzdKZDNN8OmJyeCWfZ7rdOa2Q.png)
![15499|277x217](upload://j7IDo1pZRjuN35fD4ukKPXg1B1x.png)
m. At this time, you could save the Wireshark data by clicking Save As in the TCP stream
window. You can also save the Wireshark pcap file. You can also document the source
and destination IP addresses and ports, time of incident, and protocol used for further
analysis by a Tier 2 analyst.
n. Close or minimize Wireshark and Sguil.
Step 3. Review the ELSA logs.
The ELSA logs can also provide similar information.
a. While in the Security Onion VM, start ELSA from the Desktop. If you receive the message "Your connection is not private", click ADVANCED to continue.
![15500|419x199](upload://5teBtWmrZ5YfLtNFFfhznKqGC0H.png)
b. Click Proceed to localhost (unsafe) to continue to the localhost.
c. Log in with the username analyst and password cyberops.
d. In the left panel, select HTTP > Top Potential SQL Injection. Select 209.165.200.235.
![15501|505x165](upload://yBYsLGqkhcXpwyLOoy8aN8cNyZz.png)
e. Click Info on the last entry. This information is related to the successful SQL injection.
Notice the union query that was used during the attack.
![15502|504x238](upload://6bQ7E1Gfdl5STOW1GIVDm6lJjZe.png)
f. Click Plugin > getPcap. Enter username analyst and password cyberops when prompted. Click Submit if necessary. CapMe is a web interface that allows you to get a pcap transcript and download the pcap.
![15503|216x142](upload://z6HIwylxkmOQkzL9LCOU1z8JqcA.png)
g. The pcap transcript is rendered using tcpflow, and this page also provides the link to
access the pcap file. You can also search for the username information. Type Ctrl +
F to open the Find... dialog box. Enter username in the field. You should be able to
locate the credit card information that was displayed during the SQL injection exploit.
![15504|516x61](upload://2rpGZAHWX7D2UkeFfsOltJNCMDK.png)
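The Sguil alert in Step 2 and ELSA's Top Potential SQL Injection list in Step 3 are both produced by matching decoded HTTP requests. As an added example (not part of the lab and not code from Security Onion, Sguil, ELSA or CapMe), the Python below runs the same kind of check over a few constructed, reduced Bro-style http.log records and, for each hit, collects the fields step m of Step 2 asks you to document for a Tier 2 analyst: time, source and destination address and port, protocol, and the decoded query, including which table it pulls from. The addresses are the lab's, the timestamps and the benign requests are made up, and the regular expression is a simplification of the idea behind the ET signature, not its text.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed, reduced Bro/Zeek http.log-style records (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, method, host, uri.
# The addresses are the lab's; timestamps and the benign requests are made up.
SAMPLE_HTTP_LOG = "\n".join([
    "\t".join(["1519766101.102", "209.165.201.17", "52640", "209.165.200.235", "80",
               "GET", "209.165.200.235",
               "/mutillidae/index.php?page=user-info.php&username=bob&password=bob"
               "&user-info-php-submit-button=View+Account+Details"]),
    "\t".join(["1519766180.551", "209.165.201.17", "52644", "209.165.200.235", "80",
               "GET", "209.165.200.235",
               "/mutillidae/index.php?page=user-info.php&username=%27+union+select+ccid"
               "%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password="
               "&user-info-php-submit-button=View+Account+Details"]),
    "\t".join(["1519766200.003", "209.165.201.17", "52650", "209.165.200.235", "80",
               "GET", "209.165.200.235", "/mutillidae/index.php?page=union-station.php"]),
])

# Simplified version of what a "Possible SQL Injection Attempt UNION SELECT"
# style signature keys on: UNION, optional ALL, then SELECT, after URL decoding.
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
FROM_TABLE_RE = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def is_union_select(uri):
    """True if the URL-decoded request URI carries a UNION ... SELECT."""
    return bool(UNION_SELECT_RE.search(unquote_plus(uri)))


def targeted_table(decoded_uri):
    """Best-effort extraction of the table named after FROM in the injected query."""
    m = FROM_TABLE_RE.search(decoded_uri)
    return m.group(1) if m else None


def triage(log_text):
    """Return one record per suspicious request with the fields a Tier 2 analyst needs."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, method, host, uri = line.split("\t")
        if not is_union_select(uri):
            continue
        decoded = unquote_plus(uri)
        hits.append({
            "time": datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(),
            "src": f"{src}:{sport}",
            "dst": f"{dst}:{dport}",
            "protocol": "HTTP",
            "method": method,
            "host": host,
            "table": targeted_table(decoded),
            "query": decoded,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_HTTP_LOG):
        for key, value in hit.items():
            print(f"{key:9}{value}")
```

The decoding step is the important part: the browser sends the payload as `%27+union+select+...`, so a pattern applied to the raw URI would miss it, while the benign third record (a path containing the word union) is correctly ignored because no SELECT follows.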