Any SQL query that the application runs in the background with user-supplied input can be vulnerable to SQL injection. In this lab, we will therefore attempt to exploit the Category filter in order to obtain the credentials necessary to proceed to the next level.
The screenshot of the lab that we will work on is provided below.

In order to obtain the credentials for our target username, “Hornoxe,” we must use the category filter that is visible in the screenshot above.
Let’s now begin to solve the lab.
After clicking the 1 in the category filter, we can see in the screenshot below that the application makes a GET request. This is the vulnerable parameter we must exploit.

Let’s see how the application behaves. Our next goal is to create a payload that will be executed as part of the query that runs in the background.
Let’s test some payloads now.
1' or 1=1-- -
1" or 1=1-- -
1; or 1=1-- -
1 or 1=1-- -
1' AND 1=1-- -
1 AND 1=1-- -
1 AND 1=2-- -
We will try these payloads one by one. If one of them runs without an error, we can infer that our input is being executed as part of the SQL query, which means a malicious payload can be executed the same way.

As seen in the screenshot above, the first payload returns “This category does not exist!”
Therefore, our payload is not properly executed.
We try all the payloads in this manner, and the screenshot below demonstrates that some of them were executed successfully without any errors.

Because cat 1 is present in the database and 1=1 is also true, we can see in the screenshot above that the payload was executed and gave us an output.

The screenshot above that says “This category does not exist!” illustrates the false case: cat 1 exists, but 1 does not equal 2, and because the two conditions are joined by “AND”, both must be true for the query to return output.
The next task is to determine how many columns the back-end query is returning.
We can use either “ORDER BY” or “UNION SELECT” to determine the number of columns.
Here we use “ORDER BY”.
The payloads would therefore be:
1 ORDER BY 1-- -
1 ORDER BY 2-- -
1 ORDER BY 3-- -
1 ORDER BY 4-- -
1 ORDER BY 5-- -
Tutorial of ORDER BY >> https://www.tutorialspoint.com/sql/sql-order-by.htm
In essence, it uses a specific column to order the rows returned by the query.
I executed the payloads above one after another until an error appeared, as shown in the screenshots below.



In the screenshot above, instead of the data returned by the query, the page displays “This category does not exist!” This indicates that the number of columns returned by the query is 4, not 5.
So now we know the table name and also the username:
table_name >> level1_users
Username >> “Hornoxe”
Finding the level1_users table columns that contain username and password is our next task.
Let’s try that, then.
First, we check the version to find out which database is currently in use.


From the screenshot above, we can infer that a MySQL database is in use.
Let’s search for the columns in the “information_schema.columns” table, since in MySQL it contains the metadata for the columns.
The payload would therefore be:
1 union select 1,2,3,column_name FROM information_schema.columns WHERE table_name=level1_users-- -

As you can see in the screenshot above, “Some things are disabled!!!” is displayed. Therefore, we must now find a different method to identify the column names.
Since a SELECT query lets us name the columns we want returned from a table, let’s apply this idea and guess the column names directly.
As you can see in the screenshot below, I am selecting a column named “unknown”, even though it is likely not present in the “level1_users” table.

So let’s try the names of the other columns, such as username and password.
Let’s create the payloads now.
1 UNION SELECT 1,2,username,password FROM level1_users-- -

We can see in the screenshot above that we guessed the column names correctly and obtained the login information we wanted.
As a result, “thatwaseasy” is the “Hornoxe” password.
Let’s use the credentials to log in.

As you can see, we have the key to the subsequent level.
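Why the category parameter behaves this way, and how a bound parameter closes it, shown as an added example that is not part of the lab or the original write-up. It assumes the back end concatenates the cat value into the query text; the posts table, the password value and both function names are constructed for illustration, and SQLite stands in for the lab's MySQL.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's MySQL database (SQLite, in memory).
    # The posts table and the password value are invented for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER, cat INTEGER, title TEXT, body TEXT);
        CREATE TABLE level1_users (username TEXT, password TEXT);
        INSERT INTO posts VALUES (1, 1, 'first post', 'hello');
        INSERT INTO level1_users VALUES ('Hornoxe', 'constructed-secret');
    """)
    return db

def vulnerable_lookup(db, cat):
    # Assumed shape of the back-end query: cat is pasted into the SQL text,
    # so anything after the number is parsed as SQL.
    sql = "SELECT id, cat, title, body FROM posts WHERE cat = " + cat
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # the lab answers "This category does not exist!" here

def hardened_lookup(db, cat):
    # Accept only an ASCII integer, then bind it as a parameter so the
    # value can never change the structure of the statement.
    if not (cat.isascii() and cat.isdigit()):
        return []
    sql = "SELECT id, cat, title, body FROM posts WHERE cat = ?"
    return db.execute(sql, (int(cat),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    inputs = [
        "1",
        "1 AND 1=1-- -",
        "1 AND 1=2-- -",
        "1 ORDER BY 4-- -",
        "1 ORDER BY 5-- -",
        "1 UNION SELECT 1,2,username,password FROM level1_users-- -",
    ]
    for value in inputs:
        print(repr(value))
        print("  concatenated:", vulnerable_lookup(db, value))
        print("  bound param: ", hardened_lookup(db, value))
```

With the bound parameter, every input from the walkthrough except the plain 1 returns no rows, because the text after the number never reaches the SQL parser.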
Thank you. I hope you learned something from it.