Web for Pentesters 2-SQL Injection

Aaaanndd I’m back, sorry for the lack of posts over the last couple of weeks, but it’s the end of the semester which means that assignments are due and exams are coming up.However, now i should be able to get back to a regular posting schedule.
So lets start with the SQL injection from web for pentesters 2. This vm carries on from web for pentesters 1 and introduces some new and
more difficult attacks.

SQLi 1:

First enter a single quote (‘) in the username field, this will produce an error
and reveal the sql command for the database:
SELECT * FROM users WHERE username=”’ AND password=”

Now we need to escape the command:
SELECT * FROM users WHERE username=’‘or 1=1 — ‘‘ AND password=”
This will escape the command print out success.

‘or 1=1 # also works.

SQLi 2:

Here we follow the same steps as SQLi 1 but also need to include the limit command like so:
‘ or 1=1 limit 1 — ‘
We use 1 because the developer has limited the number of users displayed to one.

SQLi 3:

Here is where things get a little more difficult.
Since single quotes are being escaped from user input, we need to insert a backslash () to escape.
Once we escape the command we can inject our own sql code like so:
in the username field:

in the password field:
‘or 1=1 # ‘

SQLi 4:

For this exercise we are injectiing directly into a where clause.

You can produce and error this to look at the command by simply removing everything after username.
SELECT * FROM users WHERE username=;
or put in an unknown username like admin.
Mysql2::Error: Unknown column ‘admin’ in ‘where clause’: SELECT * FROM users WHERE username=admin;

Basically you can input anything you into their to display the users.
req=password
this will display all the users in the system.

SQLi 5:

Here we inject into the url bar.

To get an error message, try putting in or 1=1.
This will produce an error and show us the sql command:
SELECT * FROM users LIMIT 3 or 1=1;
Just like the pentester labs description, we exploit this through a union select command like so:
union select * from users.
This will display the entire users table of the database.

The union command combines the output of multiple select statements.

SQLi 6:

Same procedure as above, only this time we’re exploiting the GROUP BY command instead of the LIMIT command:
to get the entire users table:
union select * from users

SQLi 7:

In this example we follow the steps shown by pentesterlab and inject this as the id parameter:
extractvalue(‘%3Cxml%3E’,concat(%22/%22,(select%20version())))

This will produce an error with the mysql version.

SQLi 8:

Now we move into attacks that are exploited later in the system.Here we have to inject our sql into the username field
and then go to the users page to see the injection work.

First create a bunch of user profiles, you don’t need to put a password.
For one of the users, use just a single quote in the username field and submit it.
Then go to the single quote user page, this will show you the error with the sql syntax.

To see the users page, click on the id of the user.

Now for the exploitation.
Inject this into the username field:
name’union select * from users where id=1 #
This should return the first users page.

SQLi 9:

Now for the last sql injection exercise.

Here the problem occurs because the application does not handle chinese characters correctly.
So all we need is a chinese character and statement that always evaluates to true like so:
脫’ or 1=1 #

Tune in next week for authentication walkthrough.