This blog is about how to approach a website that is vulnerable to SQL injection and exploit it manually using Burp Suite. Here I'm taking a room named Game Zone from TryHackMe for demonstration purposes.
1. Find vulnerable column having string data type.
2. Find the number of tables.
3. Find the number of columns.
4. Retrieve interesting information like username and password.
By accessing the given IP address we can see that the webpage has a username and password input field.
The most basic syntax to bypass a login using SQL injection is
Syntax: ' OR 1=1-- -
This is how a typical query looks in the backend when we request to log in.
SELECT username FROM users WHERE username='xyz' and password='xxx'
This is how the same query looks once our payload is placed in the username field.
SELECT username FROM users WHERE username='xyz' OR 1=1-- -' and password='xxx'
The application checks whether the condition is true: if a row exists where the password matches the given username, the user is logged in; otherwise not.
In our payload, the single quote closes the string literal that holds the username, the OR operator makes the WHERE clause true when either of the two conditions is true, and the hyphens comment out the rest of the query (the trailing space and extra hyphen are there because MySQL only treats -- as a comment when it is followed by whitespace).
As 1=1 is a true condition, we are able to bypass the login.
Once the login is bypassed, we can see another search input field. Entering a single quote throws back an error, which confirms that this input field is also vulnerable to SQL injection.
Capture the search request in Burp and send the request to Repeater. The vulnerable parameter name is searchitem, and this is where we'll input our payloads.
Find the number of columns
The first thing is to find the number of columns in the current query, because the upcoming UNION payloads that enumerate the other tables and their columns must return the same number of columns.
To determine the number of columns, we are going to use the ORDER BY clause and increment the column index until an error occurs.
Note: URL encode the payload using Ctrl+U
Syntax: ' ORDER BY 3-- -
By incrementing the column index to 4, we can see that the response says Unknown column '4' in 'order clause'. No fourth column exists, hence the total number of columns is three.
Find vulnerable column having string data type
As usernames and passwords are usually stored as strings, we need to find a column whose data type is string.
Having already determined the number of columns, we can probe each column to test whether it can hold string data by submitting a series of UNION SELECT payloads that place a string value, in our case 'test', into one column at a time.
The other columns are filled with NULL. A field with a NULL value is a field with no value: it is possible to add or update a record without supplying a value for a field, and that field is then saved as NULL. NULL is compatible with every column type, so the UNION only fails if the column holding 'test' cannot take a string.
We inject 'test' into each column in turn and check the response in the browser to see whether it is reflected back.
Syntax: ' UNION SELECT NULL,'test',NULL-- -
By placing 'test' at different indexes, we can see that column two reflects the input back in the response, which means column two can hold string data.
Find the number of tables
We are going to use information_schema.tables to determine the total number of tables in the database.
INFORMATION_SCHEMA provides access to database metadata: information about the MySQL server such as the name of a database or table, the data type of a column, or access privileges.
Syntax: ' UNION SELECT NULL,table_name,NULL FROM information_schema.tables-- -
Show the response in the browser using the "Show response in browser" option in Burp Suite. While scrolling down we can see an interesting table name, 'users'.
Retrieve all columns in users table
The INFORMATION_SCHEMA.COLUMNS view provides information about all columns of all tables and views within a database.
In this case, we are going to retrieve all the columns for the users table.
Syntax: ' UNION SELECT NULL,column_name,NULL FROM information_schema.columns WHERE table_name='users'-- -
Retrieve interesting information like username and password
WOOHO! We found two interesting columns named username and pwd. Now let's retrieve the username and password.
Syntax: ' UNION SELECT NULL,username,NULL FROM users-- -
Syntax: ' UNION SELECT NULL,pwd,NULL FROM users-- -
Using these credentials an attacker can simply log into the application, which leads to account takeover.
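To show why the login bypass above works and how the application should have been written, here is an added Python example that is not part of the original post or of the Game Zone room. It stands in for the MySQL backend with an in-memory SQLite table named users (the username and pwd columns found above) filled with constructed sample rows, and puts the string-built query beside its parameterized replacement; the search function is a hardened version of a searchitem-style lookup, with LIKE wildcards escaped as well.

```python
import sqlite3

# Constructed sample rows standing in for the room's users table (not its real data).
SAMPLE_USERS = [("agent47", "constructed-secret"), ("guest", "guest-pass")]

def setup_db():
    """In-memory SQLite stand-in for the MySQL backend; the query shape is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL text by string formatting: the pattern the bypass relies on."""
    query = ("SELECT username FROM users WHERE username='%s' AND pwd='%s'"
             % (username, password))
    # With username = "' OR 1=1-- -" the quote closes the literal, OR 1=1 makes the
    # WHERE clause true for every row, and -- comments out the password check.
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so the payload stays data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND pwd=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def search_safe(conn, term):
    """Hardened searchitem-style lookup: binding plus LIKE-wildcard escaping, so a
    UNION SELECT payload cannot change the statement and a bare % cannot dump rows."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = setup_db()
    payload = "' OR 1=1-- -"
    print("vulnerable login:", login_vulnerable(db, payload, "wrong"))
    print("safe login:", login_safe(db, payload, "wrong"))
    print("safe search:", search_safe(db, "' UNION SELECT NULL,pwd,NULL FROM users-- -"))
```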
Thank You for Reading.