sqli extract user info low security
web app: mutillidaebrowser: iceweasel
In this post we will attempt to extract user data from a database using sql injection
to test for a sqli vulnerability i simply add a single quote into the Name field
this result in information leakage which aids my attack and also exposes many other vulnerabilities however we are solely concerned with obtaining user info. heres the error message
This tells my the database is MySQL it also crucially tells me the ACTUAL SQL query performed. This alone tells me that the paramemter/field Name is likely vulnerable to sql injection now we simply need to complete the sql statement to give us what we want
so we add some comments to our single quote, we add
OR 1=1
now 1 ALWAYS is equal to 1 therefore we are making the statement true
--
we dont have the password there fore using -- comments out the password request so now our full sqli payload is
' OR 1=1 -- <space after comments>
to achieve this we simply type the sql command in the name field
and as shown in the video all USERNAMES & PASSWORDS have been retrieved
