Premise
In this walkthrough, we covered the steps taken to test for the presence of a SQL injection vulnerability. We used TryHackMe Advent of Cyber 2 / Day 5 / Someone stole Santa’s gift list! as the practical scenario.
TryHackMe Advent of Cyber Challenge Description
After last year’s attack, Santa and the security team have worked hard on reviving Santa’s personal portal. Hence, ‘Santa’s forum 2’ went live.
After the attack, logs have revealed that someone has found Santa’s panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you’ll find the copy of the website and your goal is to replicate the attacker’s actions by dumping the gift list!
Challenge Questions
- Without using directory brute forcing, what’s Santa’s secret login panel?
- How many entries are there in the gift database?
- What did Paul ask for?
- What is the flag?
- What is admin’s password?
The Phases of a SQL Injection Attack
A SQL injection attack usually happens in a few phases:
- Breaking the Logic: The first thing I do is try to break the database query. I’ll usually do this through a search field or a login form. If I can make the database spit out an error, it’s a good sign that it’s vulnerable to a direct SQL injection. If I don’t see an error, but the page changes in some way, that could mean it’s vulnerable to a blind SQL injection, which is a bit trickier to pull off.
- Finding the Number of Columns: Next, I use the ORDER BY statement to figure out how many columns are in the database table. I just keep increasing the number in the ORDER BY clause until I get an error. The number right before the error is the number of columns.
- Extracting Information: Once I know the number of columns, I can use UNION SELECT statements to start pulling out sensitive information like database names, tables, columns, and even user password hashes.
Manual vs. Automatic SQL Injection
There are two main ways to go about a SQL injection attack:
- Manual Method: This way is very time-consuming because you have to try a lot of different SQL payloads. You also need to have a really good understanding of SQL. But, the results you get are usually very accurate and comprehensive. This method is best when you’re targeting a single client.
- Automatic Method: This is the faster way to do things. You can use tools like SQLMap, Burp Suite, or OWASP ZAP to automate the process. The downside is that the results might not always be accurate, especially if there are firewalls or filters in place. But, it’s great for when you need to scan multiple clients at once. If the automatic method doesn’t work, I always fall back to the manual method.
Practical Demonstration
To show you how this all works in practice, I’ll walk you through the “TryHackMe Advent of Cyber 2 Day 5” challenge.
First, I’ll show you how to bypass a login form using a simple payload: ' OR 1=1--. This little trick makes the OR 1=1 part of the query always true, and the -- comments out the rest of the query, so you can log in without a password.
Next, I’ll show you how to exploit a search field. I’ll use the ORDER BY trick to find the number of columns, and then I’ll use a UNION SELECT statement to pull out all the usernames and passwords from the users table.
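The three phases listed above and the login-bypass walkthrough, worked against a local database. This is an added example, not code from the original post or from TryHackMe: it uses an in-memory SQLite table with constructed sample rows (not the room's answers), puts the vulnerable string-built login beside the parameterized fix, and shows why the stray-quote and ORDER BY probes behave the way the text describes.

```python
import sqlite3

PAYLOAD = "' OR 1=1--"   # the login-bypass payload from the walkthrough


def make_db():
    # Constructed in-memory stand-in for the challenge's users table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("santa", "example-pw-1"), ("admin", "example-pw-2")])
    return conn


def login_vulnerable(conn, username, password):
    # Input is spliced into the SQL text: a quote closes the string, OR 1=1 is always
    # true, and -- comments out the password check that follows.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Bound parameters travel as data, so the payload is compared literally and matches nothing.
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def breaks_query(conn, username):
    # Phase 1 ("breaking the logic"): a lone quote turns the concatenated query into a syntax error.
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(conn, table):
    # Phase 2: ORDER BY n succeeds until n exceeds the column count; the last good n is the answer.
    n = 1
    while True:
        try:
            conn.execute(f"SELECT * FROM {table} ORDER BY {n}").fetchall()
        except sqlite3.OperationalError:
            return n - 1
        n += 1


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload ->", login_vulnerable(db, PAYLOAD, "anything"))       # santa
    print("parameterized login with payload ->", login_parameterized(db, PAYLOAD, "anything"))  # None
    print("users table column count ->", count_columns(db, "users"))                            # 3
```

The same probes that succeed against login_vulnerable fail against login_parameterized, which is the fix to apply; the error raised by breaks_query is also the signal a defender should keep out of user-facing responses and log instead.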
Finally, I’ll show you how to do the same thing using SQLMap. I’ll capture a web request with Burp Suite, save it to a file, and then feed it to SQLMap to automatically find the database version, enumerate the tables, and dump the contents.
Technical Commands Used
Here are the technical commands I used in the terminal during the demonstration:
ORDER BY
sudo sqlmap
--tamper=space2comment
--current-db
--tables
dash t sql slides
-T users
-T users -C password (the column name; for example, in the users table the column name is password)
Room Answers / Day 5
Without using directory brute forcing, what’s Santa’s secret login panel?
Visit Santa’s secret login panel and bypass the login using SQLi
How many entries are there in the gift database?
What did Paul ask for?
What is the flag?
What is admin’s password?