Challenge:
Name: User Credentials
Description: Retrieve a list of all user credentials via SQL Injection.
Difficulty: 4 star
Category: Injection
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Tools used:
None.
Resources used:
Methodology:
The expanded description for this challenge makes it fairly obvious that it will be very similar to the Database Schema challenge, for which a special SQL injection payload had to be crafted. As the target this time is only the user credential table, it’s handy to know what its entries look like. To gather that information, you can complete either the Database Schema or the Administration Section challenge. The Admin Section challenge requires a few additional steps, using the browser’s developer tools to track down the authentication-details.json file. The end result, however, is that the set of information below is what the database tracks about each user.

Knowing this, it’s just a matter of crafting a SQL query and using the injection syntax (q=word')) … query … --) from the Database Schema challenge against the same vulnerable URL. That challenge also showed that the injected SELECT must return nine columns to match the Products query it is appended to, and since the User table has more than nine columns, the query you use here is somewhat customizable in terms of which data you extract. In my case, I chose id, email, password, role, isActive, username, createdAt, deletedAt, and totpSecret. My query was "none')) UNION SELECT id, email, password, role, isActive, username, createdAt, deletedAt, totpSecret FROM Users--". I then appended that query string to the /rest/products/search?q= URL and hit enter.


Prevention and Mitigation Strategies:
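Added example (not code from this write-up or from Juice Shop itself): a constructed, in-memory SQLite stand-in for the product search, showing the string-concatenated query that the payload above exploits next to a parameterized version of the same query that treats the payload as plain search text. The table layouts, sample rows and the exact shape of the search query are assumptions for illustration.

```python
import sqlite3

# Payload quoted in the methodology above (nine columns, matching the Products table).
PAGE_PAYLOAD = ("none')) UNION SELECT id, email, password, role, isActive, username, "
                "createdAt, deletedAt, totpSecret FROM Users--")


def build_db():
    """Constructed sample database: nine-column Products and Users tables (assumed layout)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Products (id INTEGER, name TEXT, description TEXT, price REAL,
            deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT);
        CREATE TABLE Users (id INTEGER, email TEXT, password TEXT, role TEXT,
            isActive INTEGER, username TEXT, createdAt TEXT, deletedAt TEXT, totpSecret TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'Made from fresh apples', 1.99, 0.99,
            'apple_juice.jpg', '2020-01-01', '2020-01-01', NULL);
        INSERT INTO Users VALUES (1, 'admin@example.test', '<password-hash-placeholder>',
            'admin', 1, 'admin', '2020-01-01', NULL, '');
    """)
    return con


def search_vulnerable(con, q):
    """Search built by string concatenation (assumed shape of the vulnerable endpoint).
    The user-controlled q becomes part of the SQL text, so quotes, parentheses,
    UNION and the -- comment in q change the statement's structure."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' OR description LIKE '%"
           + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return con.execute(sql).fetchall()


def search_parameterized(con, q):
    """Same search with bound parameters: q is sent as a value, never parsed as SQL,
    so the payload only ever matches products whose name contains that literal text."""
    pattern = "%" + q + "%"
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    return con.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:   ", search_vulnerable(con, PAGE_PAYLOAD))    # leaks the Users row
    print("parameterized:", search_parameterized(con, PAGE_PAYLOAD))  # []
```

On the vulnerable path the result contains the Users row rather than any product, which is exactly what the challenge asks for; the parameterized path returns nothing because no product name contains the payload text.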
Lessons Learned and Things Worth Mentioning:
I’m slowly getting better at SQL queries. Despite earning an A in my Databases class, and having planned, diagrammed, and implemented a MySQL database using PHP, injection attacks felt awkward for a long time. It’s nice to see that progress.