SQL INJECTION 102 (Inj3ction Time CTFLEARN)

Introduction

Hello guys back again with another walkthrough. This time am going to be introducing SQL Injections and we are going to be solving a capture the flag challenge both automatically (using SQLMap) and manually by using burpsuite. SQL Injection vulnerability occurs when unsanitized user controlled input is passed to a database through a query. This cause a user or an attacker to be able to run raw SQL Commands on a database .Through Research done in the past, SQL Injections have led to dumping of databases which in turn leads to data breaches of all information from the database, It has also lead to information disclosure on system though arbitrary file read using the LOAD_FILE command available on MySQL databases and has also led to remote code execution (RCE) through the INTO OUTFILE command which is also available on MySQL databases. In the article we are going to be focusing on using UNION injection to cause a verbose leak on the information stored in the database. Without much say let’s jump in

Looking at the information below we are provided a link to a web application. The challenge is rated to be hard but according to my opinion it’s actually easy

On opening the web application using Mozilla we get a standard webpage page which allows a user to search for dogs

And depending on the ID number use to search for dogs we always get a different result

In the hint we are told that UNION might be a useful command. This immediately causes us to think that the web application might be vulnerable to a SQL Injection. So first i intercepted the request using burpsuite and copied the request to a file so that i could ran SQLMap using it

SQLMap is an automatic SQL injection tool which detect and take advantage of SQL injection to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement and read specific files on the file system.

After saving the request to a file on my system i ran SQLMap

And after a few seconds it came back with results that it had found three different techniques that it can use to exploit the SQL Injection

1. boolean-based blind
2. time-based blind
3. UNION query

I decided to dump the entire database using the — dump command which is on SQLMap to dump the database. SQLMap which automatically choose the technique it going to use to dump the database

And after a few seconds it came back with the flag

abctf{uni0n_1s_4_gr34t_c0mm4nd}

But what exactly did SQLMap do to get the flag from the system???. Let’’s exploit the vulnerability manually and find out

Some of you might ask why exploit the vulnerability manually when we already have the flag??

I haven’t done OSCP yet and am planning on doing it once i have enough cash but i think OSCP doesn’t allow automated tools like SQLMap so if you find a lab that require the particular skillset of exploiting SQL Injection vulnerability you’ll have to exploit the vulnerability manually and that’s why we will be doing this whole process manually

The first step whenever we are trying to identify if an application is vulnerable to SQL Injection is to first try causing the application to error out

The most common way is be adding either a single or double quote which breaks the SQL query

Example:

Below is an example of the SQL query the web application maybe running

SELECT Name, Breed, Color FROM dogs where id = "

An attacker may inject a SQL query where I’ve specified in the screenshot below since that’s where the user provides an id number

Then the application probably closes the quote afterwards like I’ve demonstrated below

SELECT Name, Breed, Color FROM dogs where id = "1"

So if the attacker or the user adds a quote in the query it causes an uneven number or quotes as seen below:

SELECT Name, Breed, Color FROM dogs where id = "3""

or

SELECT Name, Breed, Color FROM dogs where id = '3''

And this causes a SQL Error on the web application

Let’s try and see if we can cause the web application to error

Double Quotes doesn’t cause the web application to error out

What about single quotes???

Still the web application doesn’t error out.

We didn’t get any result back!!!

Then i started to think that maybe the web application is expecting a string but an integer value

So quotes are not going to work in our case but we can try and use comments and see how the web application will reacts

Looking at the screenshot we see that the web application didn’t error even though we injected the long comment. That is a sign that the web application is probably vulnerable to a SQL Injection

The next step is to manually find the number of columns the database has and we can use the union or order technique to find out

What I’ll be doing ordering the result of that SQL query result using the order by statement

Looking at the screenshot above the web application doesn’t error so we’ll continue adding the number in the order statement till the application errors out

When we reach 5 the web application errors since we get zero results

This is a way for the web application to tell you that “Hey i can’t order your query using that number of columns since you don’t have that many columns”

So to get the number of column in the database we subtractfrom 1 from the number in the order statement the query errored out

This means that we have four columns on the database now we can use union technique since we know the exact number of columns we have in the database

Looking at the results we can inject in position 1,2 or 3 since we get an output back. Meaning if i put anything in that position it gets reflected back

Next let’s leak the exact database version the web application is running on using @@version command

Looking at the screenshot above it’s version 5.5.58–0ubuntu0.14.04.1

And the database the query is using is called webeight looking at the screenshot below

Next step i tried dumping all the database MySQL was hosting using the following query

2 UNION SELECT 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c),4 fRoM information_schema.schemata-- -

Looking at the the result we have two databases

1. information_schema
2. webeight

Since we have so much junk in the result i decided to create a python script that will only return the information we want(The result of the query)

On executing the script we see that there are two database present

We are interested in the webeight table. let’s see the tables it has using the command

2 UNION SELECT 1,2,gRoUp_cOncaT(0x7c,table_name,0x7C),4 fRoM information_schema.tables wHeRe table_schema='webeight'-- -

Looking at the screenshot above we see that the query returns an error with both single and double quotes. This meant that quotes are blacklisted characters. And to bypass them we need to convert any strings into hexadecimal characters

Then we’ll use that hexadecimal value as the table_scheme or (database)

Let’s try the query again but this time convert any strings into hexadecimal characters

Looking at the screenshot above it worked perfectly we see that the webeight database has two tables

1. w0w_y0u_f0und_m3
2. webeight

But we are interested in the w0w_y0u_f0und_m3 table. Lets dump the columns it has using the query

2 UNION SELECT 1,2,gRoUp_cOncaT(0x7c,column_name,0x7C),4 fRoM information_schema.columns wHeRe+table_name=0x7730775f7930755f6630756e645f6d33-- -

Remember we have converted the table w0w_y0u_f0und_m3 into a hexadecimal value since strings breaks the query

Running the query we get that the table w0w_y0u_f0und_m3 has only one column called f0und_m3

Let’s extract the information in that column using the query

UNION SELECT 1,2,gRoUp_cOncaT(0x7c,f0und_m3,0x7C),4 fRoM w0w_y0u_f0und_m3-- -

Looking at the result we get the flag again

abctf{uni0n_1s_4_gr34t_c0mm4nd}

We’ve learnt how to bypass strings if the strings breaks the query we are trying to execute