Lab 12 - SQL Injection


© 2019 Caendra Inc. | Hera for PTSv4 | SQL Injection


In this lab you can practice the SQL Injection techniques and tools studied during the
course. You can access the target web application at the following address: 10.124.211.96.

The goal of this lab is to test the web application in order to find all the vulnerable injection
points. Once you find them, you should be able to dump all the data and successfully log
into the web application.

The best tools for this lab are:

• Web browser
• sqlmap



Explore the Web application at the address 10.124.211.96 and find all the possible
injection points.

By now, you should have found a few injection points. Test them with different techniques.

Now that you know there is at least one exploitable SQL Injection in the target Web
Application, exploit it and dump all the data from the database. You should be able to
retrieve some very interesting information that will allow you to log into the web app.

Test the login form against SQL injection and use the correct payload to bypass the
authentication mechanism.



Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the
solutions before actually trying the concepts and techniques you studied in the course will
dramatically reduce the benefits of a hands-on lab!



In order to explore the web application, we just need to type the IP address in our browser:

Now that we are able to access it, let us navigate the application in order to find all the
possible injection points.

Right now, we do not know any working credentials, so if we try to log in we get a message
similar to the following:



If we keep digging into the application, we can see a very interesting page at the following
address: http://10.124.211.96/news.php.

Here we have a list of news and by clicking on any of the links listed, we can see a very
interesting page:

As you can see in the address bar of our browser, the application accepts a parameter
(id). This is probably used to retrieve the news item from a database.

Let’s then use this injection point for our tests!



The first test we can run against the page found in the previous step is the following:

We just added a single quote in the address bar, and as shown in the screenshot above, we
obtained a MySQL error. It is time to get our hands dirty! Let us create a few payloads in
order to test whether the parameter is vulnerable to SQL Injection.

We want to test it against Boolean conditions, so let us use the following payload:

10.124.211.96/newsdetails.php?id=26 and 1=1; -- -



Then let us try with the following payload (we changed the Boolean condition from 1=1 to
1=2):

10.124.211.96/newsdetails.php?id=26 and 1=2; -- -

As we can see from the previous two screenshots, we obtain two different results. When
the condition is true, the application returns the news item. With a false condition the page
returns no content. This means that the parameter is vulnerable to SQL Injection!
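The true/false contrast described above is also visible from the server side, which is what a defender would look for. The following Python script is an added example, not part of the lab material: it parses constructed Apache-style access-log lines carrying the same three probes (a lone quote, then `and 1=1` and `and 1=2` with the trailing `; -- -`, URL-encoded), flags parameter values that contain injection indicators, and reports where the response size diverged between tautology probes against the same path. The log lines, IP addresses, timestamps and sizes are all constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache common-log style); they are not
# from the lab. The query strings mirror the probes in the text: a lone quote,
# then "and 1=1" and "and 1=2", each followed by "; -- -", URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2019:12:00:01 +0000] "GET /newsdetails.php?id=26 HTTP/1.1" 200 1843
10.0.0.5 - - [10/Jan/2019:12:00:07 +0000] "GET /newsdetails.php?id=26' HTTP/1.1" 500 512
10.0.0.5 - - [10/Jan/2019:12:00:15 +0000] "GET /newsdetails.php?id=26%20and%201%3D1%3B%20--%20- HTTP/1.1" 200 1843
10.0.0.5 - - [10/Jan/2019:12:00:21 +0000] "GET /newsdetails.php?id=26%20and%201%3D2%3B%20--%20- HTTP/1.1" 200 0
10.0.0.9 - - [10/Jan/2019:12:01:02 +0000] "GET /news.php HTTP/1.1" 200 3201
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators checked against each URL-decoded parameter value.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("boolean-tautology", re.compile(r"\b(?:and|or)\b\s*\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"--(?:\s|$)")),
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def inspect_params(target):
    """Decode the query string and map each suspicious parameter to its indicators."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found = [label for label, rx in INDICATORS if rx.search(value)]
        if found:
            hits[name] = found
    return hits


def scan_access_log(text):
    """Return one finding per request whose parameters carry injection indicators."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = inspect_params(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "status": rec["status"], "size": rec["size"], "params": hits,
            })
    return findings


def size_divergence(findings):
    """Group tautology probes by (ip, path) and keep the groups whose response
    sizes differ: the true/false contrast that confirms a boolean-based injection."""
    sizes = {}
    for f in findings:
        if f["size"] is None:
            continue
        if any("boolean-tautology" in labels for labels in f["params"].values()):
            sizes.setdefault((f["ip"], f["path"]), set()).add(f["size"])
    return {key: sorted(s) for key, s in sizes.items() if len(s) > 1}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], f["status"], f["params"])
    print("differential responses:", size_divergence(found))
```

On the sample, the quote probe shows up as a 500 with a `quote` indicator, and the two tautology probes against `/newsdetails.php` from the same client produce sizes 1843 and 0, which is exactly the behavioural difference the screenshots show. Indicators on a single request are noisy on their own; the size divergence between paired true/false probes is the stronger signal to alert on.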



Now that we know a vulnerable injection point, let us use sqlmap to exploit it and retrieve
all the data from the application database:



As we can see from the previous screenshot, sqlmap identifies the parameter as
vulnerable! Now we just have to get the structure of the database and dump the data.
First, let us get a list of tables:



Then dump all the data from the accounts table with the following command (the URL is
quoted so that the shell does not interpret the `?` in the query string):

sqlmap -u "http://10.124.211.96/newsdetails.php?id=1" -D awd -T accounts --dump

As we can see, we now have a list of usernames and passwords to use in order to log into the
web application! Let us try one of these:

Great, we successfully logged into the web application!



Until now, we focused our tests against the newsdetails.php page and its parameter, but the
web application has one more injection point to test: the login form!

Let us run some tests and see if we are able to bypass the login! To do this we will use the
following payload:

' or 1=1; -- -

As we can see, the form is vulnerable too: the “Welcome!” message appears!
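Both findings in this lab, the id parameter of newsdetails.php and the login form, come from the same defect: user input pasted into the SQL text. The following Python example is added here and is not the lab application's code. It rebuilds a minimal version of both queries against an in-memory SQLite database with constructed rows, runs the three id probes and the login payload from the text through the concatenating version, and then through a parameterized version that validates id and binds both login fields. The table name `accounts` is on the page; the `news` table, the column names `title`, `username` and `password`, and the row contents are assumptions made for this example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the lab's MySQL database. "accounts" is named on
    the page; the news table, the columns and the rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (26, 'Constructed headline');
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 'example-password');
    """)
    return con


def news_vulnerable(con, raw_id):
    """The defect behind newsdetails.php?id=...: the raw value is pasted into the SQL.
    Returns (titles, error_text); the error mirrors the MySQL error seen in the lab."""
    query = "SELECT title FROM news WHERE id = " + raw_id
    try:
        return [row[0] for row in con.execute(query)], None
    except sqlite3.Error as exc:
        return [], str(exc)


def news_safe(con, raw_id):
    """Validate the shape of id, then bind it: the value can never become SQL text."""
    if not raw_id.isdecimal():
        return [], "rejected: id must be a non-negative integer"
    rows = con.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows], None


def login_vulnerable(con, username, password):
    """The login form's defect: both fields are concatenated into the WHERE clause,
    so a quote in the username ends the string literal early."""
    query = ("SELECT username FROM accounts WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Bound parameters: a quote in the username is just a character being compared.
    (A real application would compare a password hash, not the stored plaintext.)"""
    row = con.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    # The three probes from the text against the id parameter.
    for probe in ("26'", "26 and 1=1; -- -", "26 and 1=2; -- -"):
        print(repr(probe), "concatenated:", news_vulnerable(con, probe),
              "| parameterized:", news_safe(con, probe))
    # The login payload from the text.
    print("login concatenated:", login_vulnerable(con, "' or 1=1; -- -", "anything"))
    print("login parameterized:", login_safe(con, "' or 1=1; -- -", "anything"))
```

Run stand-alone, the concatenating functions reproduce the lab's three symptoms in order: a database error for the lone quote, the row for `and 1=1`, nothing for `and 1=2`, and a successful "login" for a username that is nothing but the page's payload. The parameterized functions reject the malformed id outright and treat the login payload as a literal username that matches no account; the `-- -` comment never reaches the SQL parser because the input is never parsed as SQL.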
