SQL Injection

Press this button to ready your machine for the SQL attack. If your machine is reset or you reboot then you may have to press this button again.

A number of database tables and scripts have been installed on your kali machine. These are very simple scripts, but should allow you to explore some of the features you were looking at in the lectures.

In order to run the scripts, use your own computer's browser, and from the linuxzoo "connect" tab in the control panel click on the "VM Web" link. This will open a browser window onto your own Kali apache2 server. Edit the address line by adding the following to the end of the URL:

/cgi-bin/stock.pl

What is the HTTP method used to get the price of eggs? PUT POST GET INDEX OPTIONS COOKIE
What is the form variable name used in generating the eggs information? variable name:

On the address line modify the variable to inject

' OR 1=1 --

How many different items are stored in the database?
number of items:
What is the name of the item with the highest code number?
item name:

This stock.pl script must have an SQL query in it, returning a number of columns.

Use the UNION SELECT NULL technique and identify how many columns are actually being queried in this SQL query you are injecting into.

Number of columns that it confirms in the SQL query:
Column number:

Find out the name of the table being queried using fuzzing.

Combine your previous SQL injection with a "from TABLENAME", where the TABLENAME needs to be guessed. As this is all about stock and inventory, try one of the following tablename candidates:

stock
stocklist
stockinfo
items
inventory
stockinventory
iteminventory
investorylist

Name of the table:
stock stocklist stockinfo items inventory stockinventory iteminventory inventorylist

Find out the name of the columns in this table using fuzzing.

Combine your previous SQL injection and replace one of the NULL entries with a guess as to the item codes column name. Try the following candidates:

code
item
id
barcode
itemid
codeid
barid
idcode

Name of the barcode column:
code item id barcde itemid codeid barid idcode

Find out the name of the missing columns in this table using fuzzing.

Combine your previous SQL injection and replace another one of the NULL entries with a guess as to the item codes column name. As this is about stock it seems plausable that the missing column is about how much stock is available. Try the following candidates:

stockno
stocknumber
itemsinstock
instock
totalstock
totalitems
total
available
itemsavailable

Name of the stock count column:
stockno stocknumber itemsinstock instock totalstock totalitems total available itemsavailable

How much milk is in stock?

in stock:

Explore the metadata of the database using your UNION SELECT hack, making use of the first NULL to run some additional functions.

Use the first attribute and find out the username of the database user being hacked. This is in the form of "thename@machinename". This is done using a mysql function.

database user:

Use the first attribute and find out the version of the mysql database being hacked. This is done using a mysql variable. The output with have numbers, dots, minus signs, and potentially extra information after a plus character.

database version:

Use the first attribute and find out the name of the database (i.e. the schema name) which we are using. This is a mysql function.

database schema name:

With the database name and your SQL injection, select the "table_name" from "information_schema.tables", restricting your query to those which have the "table_schema" set to the database name identified above.

Number of tables:
Likely table name of the application users:

Using "information_schema.columns", what are the column names of the table which you suspect of being the user information table in this database schema? In your query restrict the injected query to only the correct table_schema and table_name.

Column 1:
Column 2:

Now extend your original SQL injection, using the name of the application user's table and the newly discovered column names to access the application's user table information.

What is the password for user "clever"?
password:

Again extending your original SQL injection, make use of the LOAD_FILE function to access /etc/passwd. The password file has the following repeating format:

username:x:userid:groupid:/home:/bin/bash

Using this information, what is the first username seen in /etc/passwd using this injection?
username:

The output of the above is a little messy to read. Use the CONCAT command and concat the output of LOAD_FILE between the html strings "<pre>" and "</pre>" Repeat your experiment with this new formatting...

Using this information, what is the groupid for the username ntp?
NTP group id:

Consider the script /cgi-bin/card.pl

Although this is technically using the POST method, the script takes information via the GET method too, as this makes life a lot nicer for us!

Look at the html source for the form. What is the name of the text box?

text box form name:

Try looking at "tony", using a GET request. His credit card details are obscured...

Inject SQL to negate the test restricting the checks to "tony".

How many credit cards are stored in the database?

How many columns are used in the SQL query related to this injection attack in card.pl?

Number of columns that it confirms in the SQL query:
Column number:

Which of the columns is the one related to the credit card number? Inject the card "9999-9999-9999-9999" into each column and see which appears in the output.

Column number of the card column (numbered from 1).
Column number:

On the basis that the credit card information is held in a table called "ccards", and the username field is "uname" and the credit card number in "code", use substring to access characters 1-4 of the credit card number associated with "tony".

BE WARNED. The format of the credit card number has to be groups of 4 with hyphens or the script will block the display.

Digits 1-4 of tony's card
First 4 codes:

Continue that technique and build tony's complete credit card number.

Tony's complete card in the form XXXX-XXXX-XXXX-XXXX.
Card Codes:

Not you have seen the weaknesses that exist in the two target scripts, and exploited those manually... now experience the power of the automated tools!

Use sqlmap from a Kali terminal window to fingerprint the target. Use

http://127.0.0.1/cgi-bin/stock.pl?code=

sqlmap -u http://127.0.0.1/cgi-bin/stock.pl?code= -f -b -v 2 --dbs --current-user --current-db

Now keep the same injection point, but this time use only "--tables" and "--columns" using only "-D hack". Use this information to discover the maximum VARCHAR length of "uname" in the "ccards" table.

uname length:

Now keep the same injection point and database, but this time "dump" the "table" ccards. Use the man page to discover how to "dump" and how to select a "T"able. Use this information to view the whole of the ccard table data.

When does Tony's card expire? Use the format 12/99 expiry:

Again using sqlmap, with the same injection point and database, use the "--sql-shell" flag to open a SQL interface to the database via the injection point.

Use that to run the SQL command:

select * from theusers;