SQL INJECTION(redtiger.lab)-Part4

Till now we have completed up to level 4 of redtiger lab and learned various ways of performing SQL Injection to extract information.

Today in this part we will be completing level 5 of the redtiger lab.

Now lets first complete level 5 . In level 5 we have to bypass the login system and the hint given is that it is not Blind(which means error can be seen ) and the password is md5-encrypted.

fig 1: Interface of level 5

Now at first if we enter some random username and password its says no user found . so we must first by pass the username input.

So as we know that it is not blind SQL injection ,let’s try to generate some error by providing ‘ as an input in username and password field.

fig 2: error response after after providing ‘ as an input to username and password field

Here we get error:
mysql_num_rows() expects parameter 1 to be resource, boolean.

From this we can know that username can be boolean so
let try to bypass the username using query
username: hey’ union select 1 #
and password: hey

Here instead of hey you can use anything it doesn’t matter.

fig 3: user not found

Now lets again try by increasing no of column of select statement to 2.

username :hey’ union select 1,2 #
and password: hey

fig 4: login failed(bypass username)

Here it says login failed which means that we have successfully bypass the username but login failed because password is not bypassed.

So now to bypass password lets look into hint .It says that password is md5 encrypted.

Here from above we can see that there are two columns in the table and one of them is password and another is username now lets try to determine which columns is password for this lets try to enter following query.

  1. username : hey’ union select md5(‘hey’),2 #
    and password: hey

Here the string in md5() and in password must be same.

Result of this query is login failed(just like shown in fig 4).

From this we came to know that if login is failing while putting password in column 1 then the password must be second column So now lets modify our query accordingly.

username : hey’ union select 1,md5(‘hey’) #
and password: hey

fig 5: Successfully bypassed login

BINGO!!! We successfully bypass the login system.

Link to part 5:

References

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst