SQL INJECTION (redtiger.lab) - Part 1

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application sends to its database. This allows attackers to view data that they are not normally able to retrieve. The data might belong to the users of the application or be any other data that the application can access. SQL injection can be quite severe, as an attacker can modify or delete data in the application's database and can even compromise the underlying server.

Today we will perform basic SQL injection in the redtiger lab.

Here we will do Level 1 and Level 2 for now.

LEVEL 1:

When we choose level 1, we see the following.

fig1: Initial interface

Now when we click 1, the website sends a GET request.

fig2: get request

Now we try to exploit the parameter cat.

Step 1:

Our first step is to determine the number of columns in the table level1_users. To make it easy, the table name is provided here, but we can still perform the attack without knowing the table name.

To determine the number of columns we can use an ORDER BY or a SELECT query. Here we will use ORDER BY.

Now let's pass the query in the parameter cat.

Query to pass: cat= 1 order by 4 #

# comments out the rest of the original query.

When we use a number greater than 4 (5, 6, and so on), the page shows "no category found", and when we use a number less than or equal to 4 it displays the category. From this we know that there are 4 columns in the table level1_users.

Step 2:

The next step is to determine which columns we can use to extract and display information from the table. For this we can use a SELECT query.

Query to be used: cat = 1 union select 1,2,3,4 from level1_users #

If the table name was not given, we can use:

cat =1 union select 1,2,3,4 #

fig 3: Information about columns

The output of the query is shown in the figure above. From it we can see that we can display information using columns 3 and 4.

Step 3:

Now we can extract the username and password from the table using columns 3 and 4.

Query to be passed:

cat = 1 union select 1,2,username,password from level1_users #

fig 4: username and password

Some extra queries that can be used to gain more information about the target (not needed to complete level 1):

To get information about the database we can use database() in the SQL query.
Query: cat =1 union select 1,2,database(),4 #

fig 5: database name

To get information about the version of the database we use the function version().
Query: cat =1 union select 1,2,version(),4 #

fig 6: database version

To get information about the current user we use the function current_user().
Query: cat = 1 union select 1,2,current_user(),4 #

To get information about the table names we use:
Query: cat =1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database() #

LEVEL 2 (A simple login bypass):

When we choose level 2, we get the following interface.

fig 7 : Interface

Here we can see that the hint is "condition", so we try to insert a true statement in both the username and the password.

username: 1' or 1=1 #

password: 1' or 1=1#

Writing this always-true statement makes the database treat the username and password check as true, and with this we successfully bypass the authentication.

fig 8: successfully bypass the login
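
Why both levels work, and the fix, as an added example that is not part of the original walkthrough or the lab's own code: the cat parameter of Level 1 and the login fields of Level 2 are pasted into the SQL text, while a bound parameter is only ever compared as a value. Assumptions: SQLite stands in for the lab's MySQL (so the # comment marker becomes --), and the posts table, its columns and all rows are constructed for the demonstration.

```python
import sqlite3

# Inputs from the walkthrough. SQLite stands in for the lab's MySQL here, so the
# page's "#" comment marker is written as "--" (assumption of this example).
UNION_INPUT = "1 union select 1,2,username,password from level1_users"
BYPASS_INPUT = "1' or 1=1 --"

def make_db():
    """Constructed stand-in database; table 'posts' and all rows are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER, cat INTEGER, title TEXT, body TEXT);
        CREATE TABLE level1_users (username TEXT, password TEXT);
        INSERT INTO posts VALUES (1, 1, 'Welcome', 'First post');
        INSERT INTO level1_users VALUES ('demo_admin', 'constructed-secret');
    """)
    return db

def category_vulnerable(db, cat):
    # cat is pasted into the SQL text, so the database parses it as SQL.
    sql = "SELECT id, cat, title, body FROM posts WHERE cat = " + cat
    return db.execute(sql).fetchall()

def category_safe(db, cat):
    # cat is bound as a parameter: it is compared as a value, never parsed.
    sql = "SELECT id, cat, title, body FROM posts WHERE cat = ?"
    return db.execute(sql, (cat,)).fetchall()

def login_vulnerable(db, username, password):
    # Both fields are concatenated, so a quote in the input ends the string.
    sql = ("SELECT 1 FROM level1_users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    # Plaintext comparison mirrors the lab; production code verifies a hash.
    sql = "SELECT 1 FROM level1_users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable category:", category_vulnerable(db, UNION_INPUT))
    print("safe category:      ", category_safe(db, UNION_INPUT))
    print("vulnerable login:   ", login_vulnerable(db, BYPASS_INPUT, BYPASS_INPUT))
    print("safe login:         ", login_safe(db, BYPASS_INPUT, BYPASS_INPUT))
```

With the bound-parameter versions, the same inputs return no category and a failed login, while a plain cat value of 1 and the real credentials still work.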

aayush malla
