SQL INJECTION(redtiger.lab)-Part2

aayush malla
4 min readSep 22, 2020

--

Previously we have completed level 1 and 2 of redtiger lab.

Today we will be doing lab 3 .As the level goes up difficulty will also go up.

Level 3:

Here the task is to get the password of Admin and the hint given is try to get an error so we will try to get an error first.

For getting errors at first we click admin then a get request will be sent as shown below.

fig 1: Interface of level 3 with a get request

Here now to get an error lets change the parameter ?usr to ?usr[].

fig 2: Showing an error

Once we change the parameter we will get an error as shown above. After reading the error we get to know that the error exists in file urlcrypt.inc so now lets go to

http://redtiger.labs.overthewire.org/urlcrypt.inc

Here a blank page will appear now right click on the page and then choose inspect element here we will see a php code double click on the code and then copy the code.

fig 3: encryption and decryption code

This is the code to encrypt and decrypt the url content.which means that we can’t just directly pass a query through the parameter.We have to encode our query using the encrypt function .

So let’s copy the encrypted code from the above location and paste in your local system or some online php compiler.

Here please use php version 5 as this code works on php version 5 as stated above.

Now the process of SQL injection is the same as in level 1 that we have learned in part 1, the only difference is that we have to encrypt the query using the above function.

Step 1: Determining No of columns

So at first let’s determine the no of columns for this we have to use hit and trail In this case as i have already solved it i know there are 7 columns so if you use more than 7 it will generate an error.

So the query will be : Admin’ order by 7 #

As discussed above we have to encrypt it know the encrypted query will be

MDQyMjExMDE0MTgyMTQwMTY5MjE2MDI0MjA1MTE1MTg1MTUzMDkxMjM5MDI5MDI4MjU1MDg2MTg5MDcz

Step 2: After determining no of columns let’s determine which columns can be used to display information in the website.

query: usr = ‘ union select 1,2,3,4,5,6,7 from level3_users where username=’Admin’ #

Now encrypting the above query :

usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDgzMTc3MDg5MDMzMjIzMjQzMTk0MDcyMjM2MTMwMjAzMTY1MDQyMTk5MTU5MTA1MDU2MTg4MTMxMjEyMTcwMTE0MTE5MTQzMTM3MDUwMTU5MTkwMTc5MDY0MjIwMDc0MTU1MTAwMDg1MjAyMTMxMDkxMDQzMTYyMTg1MDQzMDU5MDcwMTk0MDk2MTAyMTI0MTIyMTAzMjEzMTkyMDEzMjIw

Once we pass the above query as parameter we get the following output.

fig 3: Columns that are displayed in website

Here we can see column 2,6,7,5,4 can be used to display information so we can use any two of the columns to display username and password.

Step 3 :Now to display username and password we use the below query.

usr =‘ union select 1,username,3,4,password,6,7 from level3_users where username=’Admin’ #

Here i have chosen column 2 and 5 , you can choose any columns that can display information(2,4,5,6,7).

Encrypting the query we get

usr = MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDgzMTc3MDMxMTI2MTQyMTczMTUzMDA1MTgzMjAzMjA4MTc3MDk2MTk3MTQ1MTE5MTA3MTY3MTM3MjA4MTcxMDUwMTE0MjUyMjAzMDk3MTU2MTkwMTc1MDEzMTM5MDc4MTU1MDk2MDg1MTM0MTk3MTE5MDU5MTYzMTc4MDU2MDM3MDAzMTM2MDQ3MDY2MTA2MTE0MDQ2MjA2MTQ4MDcyMTQxMjE0MDc1MDQ0MjE1MjAzMDM3MDgyMTk4MDcyMTIzMjE1MTE0MjIwMTQw

Now passing this encrypted query in usr parameter we get.

fig: user credentials

Here we found out the username is Admin and its password is thisisaverysecurepasswordEEE5rt

By this way we can perform SQL injection. It is the same type of SQL injection that we have done in level 1 with some modification.

I highly recommend you to perform all the steps by yourself don’t copy the codes if you want to learn . You can read this walk-through as reference.

References:

--

--

aayush malla

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst