[EN] Web For Pentester II – SQL Injections

PwnLab.Me

Admin
Katılım
21 Ocak 2024
Mesajlar
202
Tepkime puanı
9
Puanları
18
Yusuf Bilal Batır tarafından yazılmıştır.

[EN] Web For Pentester II – SQL Injections​


Hello everyone, we’re setting off a new journey on the Web For Pentester II SQL Injections prepared by PentesterLab.

In this journey we’ll investigate samples of SQL Injections, Authentication, Captcha, Authorization, Mass Assignment, Randomness Issues and MongoDB Injection.

Let’s start with SQL Injection samples. You can check the link below to download and install Web For Pentester II ISO in your own VM machine.

https://www.pentesterlab.com/exercises/web_for_pentester_II/attachments

Samples

Samples

Sample 1​

Sample 1

Sample 1

When we have a look at sample 1, it’s likely an easy bypass process is standing out there. Let’s try a simple SQL code like ‘1 =

‘1=

‘1=

As we can see from the error occurred in above sample, the SELECT * FROM users WHERE username=’USERNAME’ AND password=’PASSWORD’ command is being worked in the behind scene.

Therefore, let’s use ‘ or 1=1# command.

‘ or 1=1#

‘ or 1=1#

Sample 2​

Sample 2

Sample 2

Our second sample has the same vulnerability with our first sample, however, here we can see that the data being returned has been restricted. So that in order to take advantage of this vulnerability we need to use LIMIT

Our SQL code is now, ‘ or 1=1 LIMIT 1#

‘ or 1=1 LIMIT 1#

‘ or 1=1 LIMIT 1#

Sample 3​

Sample 3

Sample 3

Here the apostrophe (‘) mark is being filtered. In order to escape from this filtration we can use the backhanded slash (\). We write PwnlabMe\ in username part and ‘ or 1=1# in our password part.

PwnlabMe

PwnlabMe\

Sample 4​

Sample 4

Sample 4

In this sample we can see that the query in the URL is being transferred to the server. To take advantage of this, we can use the previous command on the URL part. ‘ or 1=1#

‘ or 1=1#

‘ or 1=1#

Sample 5​

Sample 5

Sample 5

This sample is an Union Based SQL Injection. It means that the page gets limited information. So the web page sends a query that includes all inputs, however, it only shows a restricted part of the result.

Here the command that we will use is union all select * from users

union all select * from users

union all select * from users

Sample 6​

Sample 6

Sample 6

This sample is sincerely similar to the previous one. We can use either the same input with the previous one which is union all select * from users, or, we can delete the group from the URL.

Firstly, let’s use union all select * from users

union all select * from users

union all select * from users

Secondly, let’s delete group

group

group

Sample 7​

Sample 7

Sample 7

Here we can see that the URL includes id. And this can be exploited in different ways. Firstly, we can use SQLMap. In Kali terminal we can execute this command:

sqlmap -u http://ip-address/example7/?id=1-dump-all

In another case, we can see whole users by deleting id part from URL

id

id

Sample 8​

Sample 8

Sample 8

First of all, to exploit this sample let’s create a user by using ‘ or 1=1 #

‘ or 1=1 #

‘ or 1=1 #

Now we just click on the enrollment number we created.

User

User

To run different queries and obtain user-related data you can create different users.

Sample 9

Sample 9

In this sample it’s being used a filtration method named mysql-real-escape-string. It is a PHP function that removes escape characters in a particular way and prevents code injections in form fields from attackers.



There is a problem if the database and connection setup do not use the same character sets.

In this case, if the connection allows you to add a character set from GBK (a chinese character set), the function will not escape from the inserted characters as they are valid.

So in this sample the code we will use is, 呵’ or 1=1 #

呵’ or 1=1 #

呵’ or 1=1 #

When we click on the “Submit Query” button we can see that our command works.

Submit Query

Submit Query

End​


Now, we have finished the SQL Injection samples on Web For Pentester II. We’ll be exploring further samples and sharing with you.
 
Moderatör tarafında düzenlendi:
Geri
Üst