SQL Injection is a vulnerability that allows an attacker to change queries that an application makes to a database. This can be done by interfering with input sent from the user, which can be interpreted by the server as valid SQL.
An attacker can retrieve data they are not authorized to see, as well as perform destructive actions such as deleting or modifying your data.
```mermaid
sequenceDiagram
autonumber
participant A as Attacker
participant W as Website
participant D as Database
A->>W: Sends malicious input containing SQL query
W->>D: Executes malicious SQL query from input
D-->>D: Data is potentially altered or deleted by attacker
D->>W: Database returns data
W->>A: Attacker receives data
```
Read more about SQL Injection (owasp.org).
Go to the login page (log out if you are logged in). This page has a serious SQL injection vulnerability that will allow you to log in as any user.
✏️ Try to find the SQL injection vulnerability and log in with the user account without providing a password.
Hint 1
The underlying database is a SQLite database. The code that queries the database for the user to log in looks like this:
SELECT id FROM user WHERE username='${username}' AND password='${password}'
See anything suspicious?
Hint 2
Find a way to send in user input that discards the rest of the WHERE clause after the username check, so that only `.. WHERE username=<input>` is evaluated.
Solution
Set the username field to:
user';--
You should now be able to log in without a password.
Why is this happening? The resulting SQL statement executed in the code will look like this:
SELECT id FROM user WHERE username='user';--' AND password=''
The part of the SQL statement after the `--` will be ignored, so the password value is never compared and the password entered in the login form is effectively ignored. The semicolon (`;`) denotes the end of one query and the start of another. The double hyphen (`--`) indicates that the rest of the current line is a comment and should be ignored.
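The following is an added example, not the lab's own code: it reproduces the hint's string-built query against an in-memory SQLite table and compares it with the parameterized form a defender should use. The table layout, the two accounts and their passwords are constructed assumptions; the payload is the one from the solution above.

```python
import sqlite3


def setup_db():
    """Constructed fixture standing in for the lab's user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, password) VALUES (?, ?)",
        [("user", "correct horse"), ("admin", "s3cret")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # String interpolation, as in Hint 1: the user's text becomes part of the SQL,
    # so a quote and a comment marker in the username rewrite the query.
    sql = f"SELECT id FROM user WHERE username='{username}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Bound parameters: values travel separately from the SQL text, so the quote
    # and the "--" are compared as literal characters of the username instead.
    sql = "SELECT id FROM user WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Returns the user id each login function yields; None means login refused."""
    conn = setup_db()
    payload = "user';--"  # the solution's payload, with an empty password
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, ""),
        "vulnerable_correct_creds": login_vulnerable(conn, "user", "correct horse"),
        "parameterized_with_payload": login_parameterized(conn, payload, ""),
        "parameterized_correct_creds": login_parameterized(conn, "user", "correct horse"),
    }


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(f"{name}: {user_id}")
```

The vulnerable function returns the id of `user` with an empty password, while the parameterized one refuses the payload and still accepts the real credentials.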
✏️ When you are logged in, look around to see if you can find the usernames of other people. Try to log in as someone else.