Tuesday, May 27, 2025

Segfault ethical hacking week 7

Error Based SQL Injection

1) If the SQL query results are directly displayed on the screen → Union SQLi

2) If an error message is output → Error-Based SQLi
        : Utilizing error messages to extract data:
            (1) Logic Error
            (2) SQL Error

1) Syntax Error vs. Logic Error

  • Compilation Process: When executing code, a compilation process occurs.
  • Syntax Error: If a syntax error occurs, the code will not execute.
  • SQL Syntax Error: Generally not useful for extracting data.
  • Data Extraction: The SELECT statement must be used to retrieve data.

2) Logic Error

  • SQL Error: Errors raised while the query runs (as opposed to syntax errors, which stop it from running at all) can be exploited using Error-Based SQLi.
  • Error Message Injection: The goal is to manipulate the error message so that it displays a SELECT query result.

Tips for Inducing Logic Errors

  • Server behavior varies, requiring individual research for effective exploitation.

Extractvalue Function

extractvalue('XML fragment', 'XPath expression')

Example injection:

___' and extractvalue('1', concat(0x3a, (select '____'))) and '1'='1

  • Replace ____ with the desired SELECT statement to extract its result.
  • Special symbols must be included to trigger an error: the concatenated 0x3a (:) makes the second argument invalid XPath, and the resulting error message echoes the SELECT result.

Concat Function

  • Usage: Combines strings together.
  • concat('hello', 'test') -> hellotest
  • concat(0x3a, 'test') -> :test
  • Hexadecimal Representation: 0x3a is the hex code for the colon character :

Extractvalue Function Characteristics

  • Requires a special character such as : in the XPath argument; the invalid XPath raises an error, and the error message displays the data.

This method takes advantage of error messages to extract sensitive information from the database by carefully crafting SQL queries.


Error-Based SQL Injection Steps

  1. Identify SQL Injection Point
    • Check if SQL errors are displayed on the screen.
  2. Error Output Function
    • Use extractvalue to trigger an error and extract data.
  3. Construct Attack Format
    ___' and extractvalue('1', concat(0x3a, (select '____'))) and '1'='1
    • Insert the desired query in place of ____ to retrieve data.
  4. Retrieve Database Name
    select database()
  5. Retrieve Table Name
    select table_name from information_schema.tables where table_schema = '_________' limit 1,1
  6. Retrieve Column Name
    select column_name from information_schema.columns where table_name='____'
  7. Retrieve name Column from game_table
    select name from game limit 0,1
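A defender-side complement to these steps, added here and not part of the course notes: a small scanner that URL-decodes request paths from constructed access-log lines and flags the extractvalue/concat/information_schema pattern described above, so the technique can be spotted in web server logs. The log format, field names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): one normal request and
# two requests carrying the extractvalue/concat pattern from the notes above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2025:10:00:01 +0900] "GET /search.php?q=hello HTTP/1.1" 200 512
10.0.0.9 - - [27/May/2025:10:00:02 +0900] "GET /search.php?q=a%27+and+extractvalue%28%271%27%2C+concat%280x3a%2C+%28select+database%28%29%29%29%29+and+%271%27%3D%271 HTTP/1.1" 500 734
10.0.0.9 - - [27/May/2025:10:00:03 +0900] "GET /search.php?q=a%27+and+extractvalue%28%271%27%2C+concat%280x3a%2C+%28select+table_name+from+information_schema.tables+limit+1%2C1%29%29%29+and+%271%27%3D%271 HTTP/1.1" 500 802
"""

# Indicators of the error-based technique, matched case-insensitively on the decoded path.
INDICATORS = {
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "concat_hex_sep": re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "select_database": re.compile(r"select\s+database\s*\(\)", re.I),
}

# Common-log-format fields we need: client IP, request path, response status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def analyze_line(line):
    """Return (ip, status, matched_indicator_names) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # undo %27, %28, '+' etc. before matching
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return m.group("ip"), int(m.group("status")), hits


def find_error_based_sqli(log_text):
    """Flag requests whose decoded query contains extractvalue plus at least one more indicator.
    A 500 status alongside the hit suggests the DB error actually reached the client."""
    alerts = []
    for line in log_text.splitlines():
        parsed = analyze_line(line)
        if parsed is None:
            continue
        ip, status, hits = parsed
        if "extractvalue" in hits and len(hits) >= 2:
            alerts.append({"ip": ip, "status": status, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_error_based_sqli(SAMPLE_LOG):
        print(alert)
```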


Wednesday, May 21, 2025

Segfault ethical hacking week 6

1. Review

SQL Injection 1

Login page
You must create it yourself to understand how it works internally during login.
It’s essential to know what happens after identification/authentication and what results are returned when a SELECT statement is executed.
Only then can you study various approaches.
Make sure to build it, test it, practice with it, and research it thoroughly.


When problems occur
1) Identify the root cause

- Many times, problems can’t be solved because the root cause isn’t identified.
- It’s important to build and run it yourself to see where and why the issue occurs.

2) After that, you will be able to find a solution.



Prepared Statement

With a prepared statement, user input is bound as a parameter instead of being concatenated into the query text, so SQL Injection is not possible.
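Added example (not course material) showing why the note above holds: the same login check written once with string concatenation and once as a parameterized query, run against a constructed in-memory SQLite table. SQLite is used only so it runs offline; the table, user row and password are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory login table standing in for the login DB you build yourself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, pw):
    """Query built by string concatenation: quotes in the input become SQL syntax."""
    sql = "SELECT id FROM users WHERE id = '" + user_id + "' AND pw = '" + pw + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, user_id, pw):
    """Prepared statement: the driver binds each input as data, never as SQL text."""
    sql = "SELECT id FROM users WHERE id = ? AND pw = ?"
    row = conn.execute(sql, (user_id, pw)).fetchone()
    return row[0] if row else None


def compare(user_id, pw):
    """Run both versions on the same input; returns (vulnerable_result, prepared_result)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, user_id, pw), login_prepared(conn, user_id, pw)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("admin", "S3cret!"))         # correct password: both return 'admin'
    print(compare("admin", "wrong"))           # wrong password: both return None
    print(compare("admin", "x' or '1'='1"))    # textbook bypass input: ('admin', None)
```

Against the concatenated query the third input rewrites the WHERE clause to `pw = 'x' or '1'='1'`, which is always true; the parameterized version compares the whole string against the stored password and fails the login.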

Wednesday, May 14, 2025

Segfault ethical hacking week 5

Web System Structure Overview

Web (Static Resource Server)

  • Delivers static files to the client (e.g., HTML, CSS, JS, images)
  • Web Server Role: Responds to client requests with files (e.g., Apache, Nginx)

WAS (Web Application Server)

  • Handles dynamic processing (e.g., login, user interaction, DB access)
  • Languages used: ASP, JSP, PHP, Python, etc.
  • Executes business logic

DB (Database)

  • Stores data persistently (e.g., user info, posts)

  • Language used to interact with DB: SQL


Relationship Between Client and Server


Client (Web Browser: Edge, Chrome, etc.) ↔ Web Server (Static files) ↔ WAS (Dynamic logic) ↔ DB (Data storage)
  • Front-End (FE): Visible UI — HTML, CSS, JavaScript
  • Back-End (BE): Business logic (e.g., verifying login credentials)


Login and Session Concepts

    Requesting from Web Server

  • Like sending a letter asking for a file

  • Since the server doesn’t know who is requesting, it uses cookies in the header to identify the user


    Cookie (Client-side storage)

  • Stored on the client
  • Issue: Vulnerable to theft or hijacking (can lead to unauthorized access)

    Session (Server-side storage)

  • Server creates a session ID to identify each user
  • Session data is stored on the server; only the session ID is passed via cookie
  • Safer than using only cookies


    Burp Suite (Web Proxy Tool)

  • Intercepts communication between the client and web server
  • Allows you to view and modify HTTP requests/responses
  • Useful for testing vulnerabilities and simulating attacks

    SQL Injection

  • SQL: Language used to communicate with the database
  • Injection: To insert malicious code
  • SQL Injection: An attack that injects malicious SQL queries into input fields to manipulate or steal data from the DB
