SQL Injection - Lab #8 SQLi attack, querying the database type and version on MySQL & Microsoft

Rana Khalil
25 Apr 2021 09:08

Summary

TL;DR: In this video from the Web Security Academy series, the presenter demonstrates a union-based SQL injection attack to query the database type and version on MySQL and Microsoft databases. Starting with a vulnerable product category filter, they confirm the SQL injection vulnerability and, through iterative testing, determine the number of columns and which of them accept text. The goal is to retrieve the database version. The presenter successfully exploits the vulnerability, identifying the database version (MySQL 8.0.23) with a `UNION SELECT` query. The video also points viewers to a longer, more detailed version and to related content.

Takeaways

  • 😀 The video demonstrates a union-based SQL injection attack to query the database type and version on MySQL and Microsoft databases.
  • 😀 The vulnerable field is the product category filter in the shopping application, where SQL injection can be exploited.
  • 😀 To confirm the SQL injection vulnerability, a single quote (`'`) is added to the input field to trigger a syntax error, resulting in an internal server error.
  • 😀 The attacker uses the `ORDER BY` clause to identify the number of columns in the SQL query by testing different column numbers.
  • 😀 An internal server error indicates that the column does not exist, while a 200 response confirms that the column exists.
  • 😀 Once the number of columns is confirmed, the attacker checks which columns accept text values, as the database version is a text string.
  • 😀 The attacker uses a `UNION SELECT` statement to test whether both columns accept text by injecting dummy values like `'a'`.
  • 😀 The attack proceeds by attempting to retrieve the database version using a database-specific SQL query (e.g., `@@version` for MySQL).
  • 😀 The correct database version query is inserted into the `UNION SELECT` payload and tested for different databases, with the correct result being returned for MySQL.
  • 😀 The successful exploitation of the vulnerability is confirmed when the correct database version string (e.g., `8.0.23`) is displayed on the page.

Q & A

  • What is the primary vulnerability being exploited in the lab?

    -The primary vulnerability is SQL injection in the product category filter, which is used to extract data from the database.

  • How can SQL injection be confirmed in the application?

    -SQL injection can be confirmed by adding a single quote (`'`) to the input field. This triggers a syntax error and results in an internal server error, indicating a vulnerability.

  • Why is it important to identify the number of columns in the query?

    -Identifying the number of columns is important to craft a proper `UNION SELECT` query that aligns with the structure of the vulnerable query, ensuring the injection works without causing errors.

  • What does the `ORDER BY` clause help with in this scenario?

    -The `ORDER BY` clause is used to determine the number of columns in the query. By incrementally testing different column numbers, the attacker can find the correct number of columns being used.

  • Why was the internal server error encountered when trying to order by the first column?

    -The internal server error occurred because either the first column did not exist or the characters used in the injected input were not accepted by the query. Adjusting those characters resolved the issue.

  • What was the role of the comment characters (`--` and `#`) in this attack?

    -The comment characters were used to terminate the query correctly after the injected part, preventing the original query from being executed or causing errors.

  • How did the attacker identify which columns accept text values?

    -The attacker observed the content displayed in the browser, where the first and second columns contained text values. This indicated that both columns could handle text, so they were used for the payload.

  • What does the `UNION SELECT` query do in this SQL injection?

    -The `UNION SELECT` query is used to combine the attacker’s injected query with the original query, allowing them to extract additional data (like the database version) from the database.

  • What is the significance of using `SELECT @@version` in the query?

    -The `SELECT @@version` command is used to retrieve the database version. It is specific to certain types of databases, and the query is tailored to the database being attacked (in this case, Microsoft).

  • How did the attacker verify that the database version was correctly retrieved?

    -The attacker verified the database version by observing the response from the application, which displayed the version string '8.0.23', confirming that the query was successful.
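
As an added illustration (not code from the video or the lab), the two sides of the product-category filter described in the takeaways and Q&A above, in Python: a query built by string concatenation that the single-quote check and the two-column `UNION SELECT` probe subvert, beside the parameterized form that treats the same input as a plain category name. SQLite stands in for MySQL, so `sqlite_version()` replaces the `@@version` probe; the table and products are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the shop's product table; not the lab's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Gift Box", "A box of gifts", "Gifts"), ("Lamp", "A desk lamp", "Lifestyle")],
    )
    return conn

def filter_vulnerable(conn, category):
    # The category value is pasted straight into the SQL text, so a single quote
    # in the input closes the string literal and the remainder runs as SQL.
    sql = f"SELECT name, description FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()

def filter_hardened(conn, category):
    # Bound parameter: the driver passes the input as data, never as SQL text.
    sql = "SELECT name, description FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

def raises_sql_error(query_fn, conn, category):
    # The lab's first check: a lone quote makes the concatenated query malformed,
    # which the application surfaces as an internal server error.
    try:
        query_fn(conn, category)
        return False
    except sqlite3.OperationalError:
        return True

# Probes from the lab, written for a two-column query. '--' comments out the
# closing quote that the application appends after the injected input.
TEXT_PROBE = "' UNION SELECT 'a','a'--"
# MySQL's @@version does not exist in SQLite; sqlite_version() stands in for it.
VERSION_PROBE = "' UNION SELECT sqlite_version(),'a'--"
LIB_VERSION = sqlite3.sqlite_version  # the string the version probe should leak

def leaked_version(conn):
    # First column of the row the union injected, or None if nothing came back.
    rows = filter_vulnerable(conn, VERSION_PROBE)
    return rows[0][0] if rows else None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", filter_vulnerable(db, TEXT_PROBE))
    print("hardened returns:", filter_hardened(db, TEXT_PROBE))
    print("version leaked:", leaked_version(db), "expected", LIB_VERSION)
```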


Related Tags: SQL Injection, Web Security, Union Attack, Database Version, MySQL, Microsoft, Hacking Tutorial, Cybersecurity, SQL Query, Vulnerability Exploit, Web Application