SQLi - Opty-Forks/SSof GitHub Wiki

SQL Injection Lab (SQLi)

The goal for this lab is to learn the basics of SQLi attacks.

What is SQLi

SQL Injection (SQLi) is a vulnerability that may exist in applications that access databases. This vulnerability is present whenever the input provided by an attacker in not verified. This may lead to situations where the input is included in query strings and as a consequence the attacker may perform queries in the database. This code is usually written in the form of small (partial) SQL sentences.

Although simple, this vulnerability is very powerful as an attacker may dump all the information in a database.

To demonstrate these attacks we will use a purposely ill-developed blog application hosted in our website.

Remember, you should run these challenges inside a VM and you must be in the IST VPN in order to be able to play these challenges.

Problem 1

This problem is running at http://mustard.stt.rnl.tecnico.ulisboa.pt:12101

We will start with a simple problem of direct access to the database and will then move to more complex form of attacks.

Task 1.1. Look at the website's functionality. Can you find a SQLi vulnerability?

Whenever looking for a SQLi we should first find the fields that are injectable.

  • Can you find them?
  • Ok, can you now login as the admin and read his profile? Look for vulnerabilities in the login form.

Task 1.2. And why not become rich?


We heard that there is a lottery going on that might make you rich. Do you want to be rich? Get the JACKPOT! It is a different one for every player.

  • But how come as your tokens are readonly?... It would be so much easier if we could just get more tokens...
  • Oh, and by the way we know that you usually comment out the rest of the lines with -- to bypass some checks. Don't try it here. We are covered on this.

Task 1.3. And now for some really cool stuff

Are there any other interesting informations in this website? We have heard that there is a juicy secret blogpost yet to be released. Can you find it?

  • Are there any other vulnerable input fields? Look for a place where you haven't tried to inject into yet.
  • Oh, and it might be useful to have a look at sqlite_master. Someone mentioned tbl_name and sql but we have no clue of what this is.

Problem 2

This problem is running at http://mustard.stt.rnl.tecnico.ulisboa.pt:12102

Task 2.1. Sometimes we are just temporarily blind

The admin was in a hurry but he managed to fix the login and update profile problems! He just lacked the time to fix the search bar injection... but to prevent it from being exploited the admin just stopped showing the blog posts.

  • Can you still exploit it?
  • Is there any other information that can be extracted from the database?
  • requests package for Python might be useful for this challenge as you might need to do some scripting. Look at an example below and some more templates here
import requests


params = {'search' : 'lorem'}
headers = {'user-agent': 'my-app/0.0.1', 'Content-Type': 'application/json'}

r = requests.get(SERVER, params=params, headers=headers)

print 'status     : ', r.status_code
print 'headers    : ', r.headers
print 'cookies    : ', r.cookies
print 'html       : ', r.text

Task 2.2. Sometimes we are just temporarily blind. CASE-SENSITIVE version.

This Task is just the case-sensitive version fo Task 2.1.