Welcome back to the Methodology Walkthrough at the Cybersec Cafe. Today, we’ll be learning about SQL Injection, one of the older and more well-known vulnerabilities out there.

Objective

Exploit SQLi in the product category filter to display the database version string.

What is SQL Injection?

SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the queries an application makes to its database. By injecting malicious SQL queries into input fields or URLs, attackers can bypass authentication, retrieve sensitive data, or even manipulate or destroy database content.

Methodology

The Recon

The lab environment we’re presented with is quite simple - it just contains a filter for a list of categorized text items.

Clicking an item in the list results in a GET request for that specific category.

One thing to note is that the filter is show in the URL.

With some quick manual probing, we can see that we can not only manipulate the query ourselves, but that it reflects in the DOM.

This is great for two reasons:

1. This means SQLi is likely possible because the input is not being sanitized.

2. Since it is reflected, we’ll have an easier time testing our payloads.

Let’s kick off an active scan on the endpoint to confirm our suspicions.

It looks like it’s exactly what we expected - we can see the scans picked up an SQLi vuln.

Let’s send this over to the Repeater for some testing.

- Today’s Sponsor -

Prepare for a career in Cybersecurity, one sip at a time with The Security Sip. Learn a new cybersecurity topic each day in an order that encourages learning and prepares you to be a cybersecurity professional. Free and Paid Plans Available!

Check it out

Testing

To start, try sending the request with just a ‘ appended to the end of the query to see how the application responds.

We can see it returns a 500.

Not great.

Isn’t there supposed to be reflection of the query into the DOM?

Yes there is - but only if the query is still valid, otherwise the application logic breaks.

The most common way we see SQLi utilized is via UNION statements.

This is to append another query on to the current one being used.

Generally, you’ll want to start by probing for the amount of columns returned, as you’ll need the UNION statement to match.

From a look at the app, we should start by testing two columns, since it looks like there is a title and content being returned:

We not only got a 200 response, but we can also see our arbitrary columns reflected in the DOM.

This is the confirmation we need to know we found our SQLi point.

Exploitation

In order to solve this lab, we need to get the application to return the version of the database being used.

Since our SQLi statement is using + statements, we can assume it’s a Microsoft/MySQL server.

However, in many cases you’ll need to test different common query syntaxes to find the correct one.

The PortSwigger SQLi Cheat Sheet is a great resource for that.

Below, you can find a few different ways to query for database version depending on its version:

• Oracle

  • SELECT banner FROM v$version

  • SELECT version FROM v$instance

• Microsoft

  • SELECT @@version

• PostgreSQL

  • SELECT version()

• MySQL

  • SELECT @@version

We can use @@version for our use case.

Make sure to only replace one column so that it still adheres to the two column format that we discovered in the previous step.

Let’s send the request:

And with that, we’ve solved the lab!

What We’ve Learned

Outside of understand the flow of finding the database version being used, which is a necessary first step when conducting any attempt at an SQL Injection, the lab also highlights the importance of always sanitizing user data. Even with as many protections as there are nowadays against SQLi, it is still one of the most devastating attacks that can be performed against an organization, and must be taken seriously.

Want to give the lab a try yourself? You can check it out on PortSwigger’s website here.

Securely Yours,

The Cybersec Cafe

Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.

Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.

. . .

Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!