In this entry we describe the basic process of SQL injection performed entirely by hand, without using any software that automates the process, such as sqlmap. As an example we use a challenge from the Hackerfire platform, where you can find a full CTF if you like this type of "game".
Specifically, the challenge is level 2 of the Web security section and is called "I can see everything". Let's see if that is true and we can see everything hidden, including the flag that lets us complete the challenge.
The web page looks like this:
Obviously the search field is where we can test. As we will see, the parameter is passed by GET, so we can perform the injections directly in the URL without having to use a web proxy such as Burp Suite. We will therefore work without software, without scripts and without external help, and try to understand how SQL injection works from the ground up with this simple challenge.
When I run the first test, the one almost any mortal would try, the typical ' or '1'='1 ... I could finish the article right here:
I've got the flag; it was too easy. Let's go a little further to see what else is out there and learn a bit of the philosophy behind SQL injection, to understand in a basic way how it works.
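To show why that first test returns everything, here is an added example (not code from the challenge or from this post) that reproduces the bug in a constructed SQLite table and puts the parameterised fix next to it. The table, column names and the placeholder flag row are assumptions, not the CTF's real schema.

```python
import sqlite3

# Constructed sample data standing in for the challenge's table: three
# columns, with one row that a normal search never returns (assumption).
ROWS = [
    (1, "apple", "fruit"),
    (2, "carrot", "vegetable"),
    (3, "FLAG{constructed-placeholder}", "hidden"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the user's quotes become part of the SQL.

    With term = "' or '1'='1" the query turns into
        ... WHERE name = '' or '1'='1'
    which is always true, so every row (including the hidden one) comes back.
    """
    sql = "SELECT id, name, category FROM items WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameter binding: the input is only ever compared as data.

    The same term is now looked up literally as a name, and matches nothing.
    """
    sql = "SELECT id, name, category FROM items WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable:", search_vulnerable(db, payload))
    print("safe:      ", search_safe(db, payload))
```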
For example, judging by the table that is displayed, the query seems to have three columns:
The comment needed to ignore the rest of the SQL query that the application runs behind the scenes is missing, or so it seems...
We have more information: it is an Ubuntu system with MySQL 5.5.41.
The user running the database is everything; well, at least it's not root.
In the same way as so far, we find out what the database behind it is called, and then continue:
From here we can keep discovering what lies behind it; we can investigate the structure of the tables, and for that we will use the database schema, information_schema in MySQL.
This will be covered in the next post...