SQL Injection

Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

Solution

From the webpage, we can filter by product category using the options provided.

So, if we put a ' at the end of the URL, we will get this error message, because the extra quote breaks the syntax of the query.

However, if we also put -- after it, the query works again, since everything after the comment marker (including the released = 1 condition) is ignored.

Finally, we can do something like this to get the unreleased items.
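As an added example (not code from the write-up or the lab itself), the string-spliced query from this lab beside its parameterized form, run against a constructed SQLite table; the product rows and column names are assumptions. It shows why a lone ' errors, why ' followed by -- drops the released = 1 filter, and that a bound parameter keeps the filter in place whatever the input contains.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's products table; the lab's real
# schema and data are not shown on the page, so these rows are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1),
        ("Secret Gift", "Gifts", 0),        # unreleased: must stay hidden
        ("Cap", "Accessories", 1),
    ])
    return conn

def filter_vulnerable(conn, category):
    # The category value is spliced into the SQL text, so a quote followed by
    # a comment marker (--) truncates the query before "AND released = 1".
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(row[0] for row in conn.execute(sql))

def filter_parameterized(conn, category):
    # The value is bound as a parameter and never parsed as SQL, so the
    # released filter cannot be commented out, whatever the input contains.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(row[0] for row in conn.execute(sql, (category,)))

def causes_sql_error(conn, category):
    # A lone quote (the first probe in the lab) breaks the vulnerable query's
    # syntax; the resulting error message is the tell the write-up refers to.
    try:
        filter_vulnerable(conn, category)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(filter_vulnerable(db, "Gifts"))        # ['Mug']
    print(causes_sql_error(db, "'"))             # True
    print(filter_vulnerable(db, "Gifts'--"))     # ['Mug', 'Secret Gift']
    print(filter_parameterized(db, "Gifts'--"))  # []
```

The same fix applies to the login query in the next lab: bind username and password as parameters instead of concatenating them into the SQL text.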

Lab: SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Solution

First, we will go to the login page

Next, we will put this as the payload for both the username and password fields.

We should then be able to log in as administrator.

Lab: SQL injection attack, querying the database type and version on Oracle

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Solution

First, we will click on Accessories and it should bring us to this page.

Next, we will test how many columns are being returned. After some checks, we realized that 2 columns are being returned.

Next, we will display the Oracle version string.

Lab: SQL injection UNION attack, determining the number of columns returned by the query

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

Solution

First, we will click on Accessories and it should bring us to this page

Since 3 columns are displayed, there is a chance that only 3 columns are used by the query.

So we will change the URL to be this:

Lab: SQL injection UNION attack, finding a column containing text

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Solution

Using the payload from the previous lab, we will modify each column in turn, and it turns out the 2nd column can return text.

Lab: SQL injection UNION attack, retrieving data from other tables

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

First, we will check where we can inject our SQLi payload.

Next, we will check how many columns are being used, using UNION.

We can see that there are 2 columns being printed out. Since the table is called users with columns called username and password, we can use the same two columns to print out the users table.

So with the administrator credentials, we should be able to log in as that user.

Lab: SQL injection UNION attack, retrieving multiple values in a single column

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

After visiting the website, we can see that only 1 column is displayed, so we cannot really use the payload from the previous lab.

We will need to modify the payload. First, we need to check how many columns the query uses.

Since there are 2 columns, we need to find out which column is displaying data to the web application.

So from here, we can see that only the 2nd column is displayed to the web application.

One thing we can do is string concatenation of the username and password columns of the users table, so both values appear in the single displayed column.

With the administrator credentials, we should be able to log in as that user.

Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Solution

First, we shall try to inject a SQL comment into the URL.

From there, we need to determine how many columns the query uses, using UNION.

Since we know that this is MSSQL or MySQL, we can just use @@version to get the database version.

Lab: SQL injection attack, listing the database contents on non-Oracle databases

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Solution

First, we will inject a SQL comment into the product category filter.

Next, we will use UNION to check how many columns are required.

Next, we will see which column is used to display data at which location.

Then, we will list all the schemas that are available.

We will then find out which tables are stored in the public schema.

We can see that there is a users_whtjkc table. We shall see what the column names for that table are.

From here, we can see that there are 2 columns of interest to us (password_hxzrpy and username_rzdvhf).

Finally, we will just dump the contents of those 2 columns.

With the administrator credentials, we are able to log in.

Lab: Blind SQL injection with conditional responses

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

Firstly, we will capture the request for the home page and send it into Repeater

We can see that for a valid TrackingId, we will see Welcome back! in the response.

So, we inject a condition that is true and a condition that is false, and see if there is any difference in the response.

First, we will inject a condition that is true.

We can see that Welcome back! is there.

Next, we will inject a condition which is false.

Since we know which table holds the password, we can use substring to get the password one letter at a time.

We will send this request to Intruder.

Next, we will craft the request to what is shown below and add the payload position that will be used.

We will then add the alphanumeric characters into the payload list

To make our lives easier, we will also add Welcome back! to Grep - Match.

After running the attack, we can see that the 1st character of the password is i.

We will do the same for the rest of the password.

After doing this enough times, the password of administrator is ihi0ydi5whgvsms6u5mo. We should be able to log in to the account after that.

Another way to do it, without manually changing the offset in substring, is to use Cluster Bomb instead.

For payload 1, this is the settings

For payload 2, the settings will not change

The password can be obtained by highlighting those that have Welcome back! and sort in increasing order of Payload 1.

Lab: Blind SQL injection with conditional errors

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

Same as the previous lab, we capture the request of the home page and send it to Repeater.

After that, we will craft the payload so that it contains a subquery.

We can see that there is no error which means this is a valid subquery.

From there, we will craft a conditional statement with a valid condition.

We can see that it now returns a status code of 500 if the condition is valid.

Now, we will craft a conditional statement that is invalid.

Now the status code returned is 200 instead of 500. From this difference, we can work out the password of administrator. We will send this request to Intruder.

We will modify the request and set the payload position.

For payload 1, we will use numbers.

For payload 2, we will use alphanumeric values.

After filtering through the result, we can see the password for administrator.

After getting the password for administrator, we are able to access the account.
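As an added defender-side example covering both blind labs above (not from the write-up or the lab), a small detector over constructed access-log lines: it flags TrackingId cookie values carrying SQL syntax, clients that send many distinct variants of them (the shape of one-character-at-a-time extraction), and suspicious values that coincided with 5xx responses (the conditional-errors signal). The log format, IPs and cookie values are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed access log in an assumed format: combined-log fields followed by
# the TrackingId cookie in quotes. The probes mirror the ones the write-up
# describes (a lone quote, a true condition, a false condition, substring).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 "TrackingId=abc123"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 500 "TrackingId=abc123'"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 "TrackingId=abc123' AND '1'='1"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 "TrackingId=abc123' AND '1'='2"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 "TrackingId=abc123' AND substring('a',1,1)='a"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 "TrackingId=zz99"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "TrackingId=(?P<tid>[^"]*)"$'
)
# SQL syntax that has no business in an opaque analytics token.
SUSPECT_RE = re.compile(
    r"'|--|\bAND\b|\bOR\b|\bUNION\b|\bSELECT\b|\bsubstr(?:ing)?\s*\(", re.IGNORECASE
)

def parse_log(text):
    """Parse lines matching the assumed format; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def suspicious_requests(events):
    """Count requests per client whose TrackingId carries SQL syntax."""
    return dict(Counter(e["ip"] for e in events if SUSPECT_RE.search(e["tid"])))

def blind_probe_clients(events, min_variants=3):
    """Clients sending many distinct suspicious cookie values. Extracting a
    password one character at a time shows up as a burst of such variants from
    one client, each differing only in the condition being tested."""
    variants = defaultdict(set)
    for e in events:
        if SUSPECT_RE.search(e["tid"]):
            variants[e["ip"]].add(e["tid"])
    return {ip: len(v) for ip, v in variants.items() if len(v) >= min_variants}

def error_probe_clients(events):
    """Clients whose suspicious cookie values coincided with a 5xx response,
    the signal the conditional-errors lab relies on."""
    return sorted({e["ip"] for e in events
                   if e["status"].startswith("5") and SUSPECT_RE.search(e["tid"])})
```

The thresholds are deliberately low for the sample; on real traffic, rate-limit or alert on the per-client variant count over a short window rather than on a single match.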

Lab: Visible error-based SQL injection

This lab contains a SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned.

The database contains a different table called users, with columns called username and password. To solve the lab, find a way to leak the password for the administrator user, then log in to their account.

Solution

Same as the previous lab, we will capture the request of the home page and send to Repeater

If we put a ' at the end, it will cause an error to show up on the webpage.

After some playing around with the query, we should be able to get the password from the users table.

Lab: SQL injection attack, listing the database contents on non-Oracle databases

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Solution

Clicking on the Gifts button gives us this page.

After some checking, we realized that 2 columns are returned.

After some checking, we can see that it is running on PostgreSQL.

After which, we will get the table name from information_schema.tables

After which, we will find the column names of users_silxij

Since now we have the username and password column, we can use it to get the username and password of the administrator user.

To solve the lab, we just need to log in as the administrator.

Lab: SQL injection attack, listing the database contents on Oracle

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Solution

Click on the Accessories button to view this webpage

After some checking, we realised that 2 columns are being displayed.

After which, we are able to display all the tables using all_tables, and we can see that there is a USERS_WCOIKS table.

After which, we will dump all the column names for that table.

Since we have all the columns and the table name we need, we can just dump the contents of the table.

To solve the lab, we just need to log in as the administrator user.
