1. Reset the Database Before Using It

2. Understanding SQL Database Structure

The database named sqlol contains the two tables shown below.

3. SQL SELECT Queries

SQL uses easily-understood commands like SELECT, UPDATE, and DELETE. Try the queries below to see how SELECT works.
Try These SELECT Queries

| Query | What it does |
|---|---|
| SELECT * FROM sqlol.users | Get all fields from the table "sqlol.users" |
| SELECT * FROM sqlol.ssn | Get all fields from the table "sqlol.ssn" |
| SELECT name FROM sqlol.ssn | Get field "name" from the table "sqlol.ssn" |
| SELECT ssn as name FROM sqlol.ssn | Get field "ssn" from the table "sqlol.ssn" and change its field name to "name" |
| SELECT * FROM sqlol.ssn WHERE name='Herp Derper' | Get all fields from the table "sqlol.ssn" with the "name" field equal to "Herp Derper" |
| SELECT * FROM sqlol.ssn WHERE name='Fred' | Get all fields from the table "sqlol.ssn" with the "name" field equal to "Fred" |
| SELECT * FROM sqlol.users WHERE isadmin=0 | Get all fields from the table "sqlol.users" with the "isadmin" field equal to 0 |
| SELECT * FROM sqlol.ssn WHERE name='Fred' OR 'a'='a' | Get all fields from the table "sqlol.ssn" (the condition is always true) |
| SELECT username FROM sqlol.users UNION SELECT ssn AS username FROM sqlol.ssn | Combine data from two tables |

Writing to a File

| Query | What it does |
|---|---|
| SELECT "Literal text" into outfile '/tmp/test1.htm' | Put literal text into a file (you'll need to change the filename to something that hasn't been used yet). Files will be visible at https://attack.samsclass.info/tmp/test1.htm (ty @faisal_hfr) |

Reading From a File

| Query | What it does |
|---|---|
| SELECT load_file('/etc/passwd') FROM sqlol.users | Reads from a local file |
16.1: User Accounts (5 pts.)

Find the SQL query in the list above that exposes a list of all the users on the server, including "root". Enter that query into the form below. Use the form below to record your score in Canvas. If you don't have a Canvas account, see the instructions here.

4. Search for Usernames

Websites don't usually let you type in complete SQL queries, but only fields like usernames and passwords. Attackers can sneak SQL commands in by using special characters like apostrophes. Try the usernames below in this form to see how it works.

Performs This Query:

Try These Usernames
Find User
Detect Vulnerability
Find Database Names
Find Tables in sqlol Database
Find Columns within ssn Table
Dump Names and SSNs
Upload a PHP Shell
16.2: whoami (10 pts.)

Put a PHP shell on the server, and use it to execute the Linux command whoami. This command returns your user name. Enter the result into the form below. Use the form below to record your score in Canvas. If you don't have a Canvas account, see the instructions here.

16.3: Find the flag (15 pts. extra credit)

There's a flag in the MySQL stored data. Find it and use the form below to record your score in Canvas. If you don't have a Canvas account, see the instructions here.

5. Safer Search with Input Validation

The simplest defense is to encode special characters. This stops many common SQL injection attacks with a single line of code. Try the usernames above in this form:

Performs This Query:

Uses mysql_real_escape_string to Encode Special Characters
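The contrast between the "Find User" form and the safer search, as an added Python example that is not part of the lab's PHP code: it rebuilds a small copy of the ssn table in SQLite (constructed rows, standing in for the MySQL sqlol database) and runs the always-true name from the SELECT table above through a string-built query and through a parameterized query, the stricter alternative to escaping with mysql_real_escape_string.

```python
import sqlite3

# Constructed stand-in for the lab's sqlol.ssn table (SQLite instead of MySQL).
ROWS = [("Herp Derper", "111-11-1111"), ("Fred", "222-22-2222"), ("Alice", "333-33-3333")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ssn (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO ssn VALUES (?, ?)", ROWS)
    return conn


def find_user_vulnerable(conn, name):
    # Mirrors the "Find User" form: the submitted name is pasted into the SQL text,
    # so an apostrophe in it ends the string literal and the rest becomes SQL.
    query = f"SELECT * FROM ssn WHERE name='{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL text, so any
    # quotes or keywords in it are compared as data, never parsed as SQL.
    return conn.execute("SELECT * FROM ssn WHERE name=?", (name,)).fetchall()


def demo():
    conn = make_db()
    tautology = "Fred' OR 'a'='a"  # the always-true input from the SELECT table above
    return {
        "fred_vulnerable": len(find_user_vulnerable(conn, "Fred")),
        "fred_safe": len(find_user_safe(conn, "Fred")),
        "tautology_vulnerable": len(find_user_vulnerable(conn, tautology)),
        "tautology_safe": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The string-built query returns every row for the always-true input, while the parameterized query returns none, because no name in the table equals that literal string.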
Thanks to @Faisal_HFR for using SELECT "Literal text" into outfile, a much better way to get onto the winners page than I used. @bcrook88 for injecting JavaScript onto the winners page twice, so I added input filtering and more strict apparmor rules to MySQL to stop it. @bcrook88 for uploading a PHP shell that let him execute arbitrary bash commands, inspiring challenge 6.

Sources

Based on SQLol from SpiderLabs.
SQL Injection Modify / Insert Table Values
Hackproofing MySQL (from 2004)
Hackproofing MySQL (alternative download link)
MySQL SUBSTRING() function
MySQL - Concatenation
Creating Metasploit Payloads
Exploiting PHP Vulnerabilities
Useful SQL Injections
Getting around "su : must be run from a terminal"