# SQL Injection Lab

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0DkFFJ-XKrrAgxGQC%2F-Mf0DpoDM9vsEz_VY2pS%2Fimage.png?alt=media\&token=e5b76630-921e-4bde-a5cc-4eb9de2b6cc0)

## Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0F5XHRp1GXmWp8Qz0%2Fimage.png?alt=media\&token=e9f6f0ac-fbd7-4807-b790-3e97f7b29826)

## Introduction to SQL Injection: Part 1

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0GiXVKUW0-23oorDI%2Fimage.png?alt=media\&token=977fa30b-6c8e-4309-9f26-95e89b4b6cea)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0GulE7Rytg3Tfk3Jd%2Fimage.png?alt=media\&token=5684fce0-0d5b-49af-896b-96d2fb2de20b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0HCJAw8k8A2kGCYu7%2Fimage.png?alt=media\&token=f7c27d4a-4688-4494-9cef-8b11948cc0df)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0HLuIE26zcTpSGNFM%2Fimage.png?alt=media\&token=83391f4a-e9a9-4106-a969-f9ca5d85e713)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0H_A8LtVn5-JLnPeN%2Fimage.png?alt=media\&token=bb15c7d0-9bff-477e-a1bf-7e635c7fe772)

Let's check the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0HsjojpVmp9bw_6fv%2Fimage.png?alt=media\&token=63cc9bdf-4b37-471d-8d99-ff3cc21ddd44)

### Challenge 1

Let's click on the first challenge.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0Hxo28VLTDfS9tWtM%2Fimage.png?alt=media\&token=257635bb-7b94-4ac3-80d7-2566290902bb)

Let's use `1 or 1=1--` as the ProfileID and `pass` as the Password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0IExSfTj3aDjD-Oi4%2Fimage.png?alt=media\&token=f2049a40-b3ab-448f-ba1a-f097c0dd2e9c)

Let's hit Login.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0IL81FTztgqQShq0J%2Fimage.png?alt=media\&token=b61964ca-0188-40b4-bfe0-b3a968f986ed)

We have the flag. Let's go to the second challenge.

### Challenge 2

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0IYkMByz7EBmojR6m%2Fimage.png?alt=media\&token=f69d8282-05d5-4252-8dc0-7ff570736b50)

This form only accepts strings, so let's use the string `1' or '1'='1'-- -` as the username and `pass` as the password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0IrCrmXim3Aefigmx%2Fimage.png?alt=media\&token=ae57ec3b-a29e-4aef-b4f7-62763df62b26)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0J-fcoRycS577EA2B%2Fimage.png?alt=media\&token=ce2895db-45bb-43d2-a1ac-b641a372c8d2)

We have the flag. Let's go to the next challenge.

### Challenge 3

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0JEantlkYkGgxXqJ3%2Fimage.png?alt=media\&token=10dfcd2c-ea24-4002-ac2e-85404ec35f35)

The login form checks its input, so we inject through the URL instead: append the following to the end of the current URL.

```
login?profileID=-1' or 1=1-- -&password=a
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0JmyURuSCWHp8ERHs%2Fimage.png?alt=media\&token=7a30d5aa-12f8-4266-88d4-858cc1d4216e)

Now let's open that URL.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0JtRXMd9YAkNLm-d6%2Fimage.png?alt=media\&token=b0589489-0d9f-458d-8e55-1c3bbb525e99)

We have the flag. Let's go to the next challenge.

### Challenge 4

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0K2oFdk75JwT-vUGA%2Fimage.png?alt=media\&token=023e8b62-ab43-45c2-973a-112db7c4d1d4)

Let's use Burp to capture the login request, submitted with random credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0KN6hvC9OGiXqI1Oq%2Fimage.png?alt=media\&token=83946f4d-e7b2-4add-8f5d-5f0fc5070ce1)

Now let's change the `profileID` parameter.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0K_G_ZGGLtqGSMPPB%2Fimage.png?alt=media\&token=217abfec-1e64-41e0-8966-3f01f99aafbe)

Now let's forward the request.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf0E9pTCO54yQoJ-3qn%2F-Mf0Kg3dSt40VkaaWCZt%2Fimage.png?alt=media\&token=87c2090f-ea47-4eb3-8987-baf1ca05fdb0)

We have the flag.
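The four challenges above all succeed for the same reason: the login handler pastes the submitted value straight into the SQL text, so the `--` / `-- -` comment swallows the password check and `1=1` makes the `WHERE` clause true for every row. The script below is an added example, not the lab's own code; it reconstructs a minimal version of that handler against a constructed SQLite user table (column and table names are assumptions) and runs the page's two inputs through both the concatenated query and a hardened version that validates the numeric ID and binds parameters.

```python
import sqlite3

PAYLOAD_NUMERIC = "1 or 1=1--"          # Challenge 1 input (unquoted profileID field)
PAYLOAD_STRING = "1' or '1'='1'-- -"    # Challenge 2 input (quoted username field)


def make_db():
    """Constructed stand-in for the lab's user table; every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (profileID INTEGER, username TEXT, password TEXT)"
    )
    # Plaintext passwords only to keep the example short; a real app stores hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(10032, "admin", "hunter2"), (10033, "alice", "wonderland")],
    )
    return conn


def login_vulnerable_numeric(conn, profile_id, password):
    """Challenge 1 pattern: profileID concatenated unquoted into the query text."""
    query = (
        "SELECT username FROM users WHERE profileID=" + profile_id
        + " AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_vulnerable_string(conn, username, password):
    """Challenge 2 pattern: username concatenated inside single quotes."""
    query = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe_numeric(conn, profile_id, password):
    """Hardened: reject anything that is not an integer, then bind parameters."""
    try:
        pid = int(profile_id)
    except ValueError:
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE profileID=? AND password=?",
        (pid, password),
    ).fetchone()
    return row[0] if row else None


def login_safe_string(conn, username, password):
    """Hardened: bound parameters, so the payload is compared as a literal value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable numeric:", login_vulnerable_numeric(db, PAYLOAD_NUMERIC, "pass"))
    print("vulnerable string: ", login_vulnerable_string(db, PAYLOAD_STRING, "pass"))
    print("safe numeric:      ", login_safe_numeric(db, PAYLOAD_NUMERIC, "pass"))
    print("safe string:       ", login_safe_string(db, PAYLOAD_STRING, "pass"))
    print("safe, real creds:  ", login_safe_string(db, "alice", "wonderland"))
```

Both vulnerable functions return `admin` for the page's inputs; both hardened ones return `None`, while a genuine username and password still log in. Challenges 3 and 4 change only the transport (a GET parameter, a Burp-edited POST body): the server-side fix is the same, and client-side form checks, as Challenge 3 shows, are not a substitute for it.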

## Introduction to SQL Injection: Part 2

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5_BKKRFHKuCVI-lWF%2Fimage.png?alt=media\&token=89513d1e-af62-43e7-a824-bb45251b8bef)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5_RDu4iwuHpN3Uucm%2Fimage.png?alt=media\&token=31cc3918-43ac-49d2-83c6-acb428995fd4)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5_Y4K8KFgIbOBHyr5%2Fimage.png?alt=media\&token=7ab60fa6-5586-4dd5-919f-23cd0b82f377)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5_brgnmWM4olCZBB0%2Fimage.png?alt=media\&token=af9fab1a-5726-4ca9-b2c5-f9717de409c6)

Let's check the webpage.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5_kRZfsUg0JDPrwqm%2Fimage.png?alt=media\&token=05309e06-f59b-4b23-804b-b8b9d0931690)

Let's log in with the given credentials.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5aZQslSgj2_OMbzLx%2Fimage.png?alt=media\&token=2fa06cc0-413e-4b5d-bcae-d0b9bfbf9552)

Let's go to the Edit Profile page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5aeoLMBtYKK0_AZVD%2Fimage.png?alt=media\&token=bf49e797-0ab3-44ec-b0e3-62e8de9a90d7)

Let's use this SQL fragment to exploit the form:

```
',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5bP8KWpQAVWSXqZ9e%2Fimage.png?alt=media\&token=48ca6663-fe54-4c1f-ab9b-c830331769fd)

Let's click Change.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf5ZvlWorWszxXSamfG%2F-Mf5bV4pwa_ddbF7CgeF%2Fimage.png?alt=media\&token=748dc961-40a9-4916-a978-26513b781e11)

We have the flag.
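The Part 2 fragment works differently from the login bypasses: the quote closes the profile field's string literal, the injected `nickName=(SELECT group_concat(...) FROM secrets)` assignment makes the `UPDATE` copy the whole `secrets` table into the user's own nickname, and the trailing `email='` re-opens a literal so the rest of the original statement still parses. The script below is an added example, not the lab's code. It assumes the lab builds `UPDATE users SET nickName='...', email='...' WHERE id=...` by concatenation (inferred from the shape of the fragment), uses a constructed schema with made-up rows, and rewrites the page's fragment with single-quoted string literals so it does not depend on SQLite's optional double-quoted-string fallback.

```python
import sqlite3

# The page's Part 2 input, adapted to single-quoted literals (see lead-in).
PAYLOAD = (
    "',nickName=(SELECT group_concat(id || ',' || author || ',' || secret, ':') "
    "FROM secrets),email='"
)


def make_db():
    """Constructed stand-in for the lab schema; all rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, nickName TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, author TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.test')")
    conn.executemany(
        "INSERT INTO secrets VALUES (?, ?, ?)",
        [(1, "bob", "constructed-secret-one"), (2, "carol", "constructed-secret-two")],
    )
    return conn


def update_profile_vulnerable(conn, user_id, nick, email):
    """Assumed lab pattern: form fields concatenated into the SET clause.

    SQLite keeps only the rightmost assignment when a column is listed twice,
    so the injected nickName=(SELECT ...) wins over the empty '' before it.
    """
    query = (
        "UPDATE users SET nickName='" + nick + "', email='" + email
        + "' WHERE id=" + str(user_id)
    )
    conn.execute(query)
    conn.commit()
    return query  # returned so the reader can see what the database actually ran


def update_profile_safe(conn, user_id, nick, email):
    """Hardened form: bound parameters, so the fragment is stored as a plain string."""
    conn.execute(
        "UPDATE users SET nickName=?, email=? WHERE id=?",
        (nick, email, user_id),
    )
    conn.commit()


def get_nick(conn, user_id):
    """What the profile page renders afterwards: the stored nickName."""
    return conn.execute(
        "SELECT nickName FROM users WHERE id=?", (user_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("executed:", update_profile_vulnerable(db, 1, PAYLOAD, "alice@example.test"))
    print("after vulnerable update:", get_nick(db, 1))
    update_profile_safe(db, 1, PAYLOAD, "alice@example.test")
    print("after safe update:      ", get_nick(db, 1))
```

After the vulnerable update the nickname reads back as the concatenated `secrets` rows, which is exactly what the profile page then displays; after the parameterised update it reads back as the literal fragment. Parameter binding is the fix that matters, but the example also shows why the application's database role should not hold `SELECT` on tables the feature never needs: with least privilege on `secrets`, even the concatenated statement would have failed instead of leaking.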
