![]() Although you can use dedicated options to deal with each case, I personally prefer to use the -r option. Sometimes, you deal with a POST request, or a request with JSON data. The following command will test for an injection against param1 and param2 on the given URL: sqlmap -u The basic usage of Sqlmap is a GET request with GET parameters. In fact, sometimes you have to tweak them in order to detect and exploit the SQL injection vulnerability. I personally prefer to play with sqlmap options. I use when I suspect an endpoint to be vulnerable, or to automate the process of dumping sensitive data from the database server.įor beginners, you can use sqlmap –wizard option, then follow the instructions. Sqlmap an open source penetration testing tool that automates the detection and exploitation of SQL injection. Exploiting SQL injection using sqlmap? Introduction to Sqlmap We can also use SQL’s length function to first find tom’s password length, then use the function substring to get tom’s password one character at a time, but we will see this in action using sqlmap. This will return true if tom’s password starts with a, meaning that we will get user already exists error message. Let’s analyze the following payload: tom' AND password like 'a%'. We will use this hint to systematically extract tom’s password. When PAYLOAD is true, we will get the first message saying that the user exists, otherwise, our user will be created. The idea behind exploiting this SQL injection is to inject tom’ AND PAYLOAD –. ![]() In fact, there is no direct error message, but a hint which we can use to infer data in the Database. We can verify our assumption using a white box approach. The exercise that we did is called a black box testing. Blind SQL injection message 2, our user is created!Ĭonsequently, we can assume that the injection happens in a select statement. To be sure, you can replace 1=1 with 1=2, and you will get your user created, as seen below. What if the SQL query responsible for this error is a SELECT statement which verifies if the user already exists? This would make sense right? If our assumption is correct, our malicious payload always returns true, which tells the back-end server that the user already exists. If we input fields as shown below, we can see a weird error saying that the user already exists! This doesn’t make sense since we know for a fact that the user ‘ or 1=1 – doesn’t exist. The goal is to exploit the Signup feature to gain access as user Tom. We will solve challenge 5 of the SQL injection (advanced) menu. Successful exploitation of SQL injection SQL injection example 2: Blind injection The following screenshot shows the exploitation results. Since the fields in the SQL query are numerical, we don’t need to use any quotes. Such query could look like the following: SELECT * From user_data WHERE Login_Count = 0 and userid= 1 or 1=1 -ĭo you see what should be the value of our payload? Correct! it should be a number in the Login_count input and 1 or 1=1 – in the userid. ![]() ![]() The idea is to build upon the error message which reveals the whole query, and inject a payload in the WHERE statement which always returns true. Now, let’s craft a payload which will get us all users data. The Login_count is protected using a prepared statement. Secondly, the injection happens in the userid column. Firstly, this is an error based SQL injection. If we input a single quote in the Login Count and the User_id fields, we notice an error getting back to us as shown below. It allows a user to see how many times a user has been logged in. Let’s start with WebGoat’s challenge 10 under the SQL injection menu (intro). You also need either OWASP Zap or Burp Suite properly configured with your Web Browser. In order to properly follow along this hands-on tutorial, you need OWASP WebGoat listening on port 8080. However, if you don’t, I highly recommend that you read this blog post where I explain SQL injection in theory with some theoretical SQL injection examples. I’m assuming that you landed on this page because you are already familiar with the theory behind SQL injection. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |