Hej, I am at the very beginning of this journey, but I like to learn things in as much detail as I can. Let's jump in.
The lab gives us some information to help solve it: there is a table called users with the columns username and password. We will use it later.
We need to log in as the administrator to solve this lab, so our target username is administrator.
I intercepted the request and sent it to Repeater. First things first: we need to discover where the vulnerability is.
GET /filter?category=Gifts HTTP/1.1 // Let's focus on the category parameter first. I added a single quote at the end of Gifts (Gifts') and examined the response, but nothing changed. Then I added one more (Gifts'') and still nothing happened, so we move on.
The TrackingId cookie is the next candidate. After adding one quote, the response changed to 500 Internal Server Error. After adding a second quote the error went away, which points to SQL injection: in SQL a quote escapes a quote, so '' closes the string literal correctly again and the query is syntactically valid. The query presumably has this shape, with our input inside the single quotes:
SELECT * FROM x WHERE y = 'Gifts'
Time to exploit it.
First I tried a time-based payload: TrackingId=t1IsJioU7lbjwtY5'||pg_sleep(10)--' // 500 Internal Server Error. pg_sleep only exists in PostgreSQL, which explains the error; the backend turns out to be Oracle.
After taking a look at the SQL injection cheat sheet, we can use this payload (Oracle, conditional errors):
SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual --
But why? What are CASE, to_char and NULL doing here, and do we need them? In Oracle, CASE is how we write a condition inside a query.
We can think of a CASE expression as an IF statement, or as a ternary operator:
CASE WHEN (condition) THEN (result_if_true) ELSE (result_if_false) END behaves like condition ? result_if_true : result_if_false. If the condition is true, the THEN branch is evaluated; here that is to_char(1/0), and dividing by zero makes Oracle raise an error, which the application turns into a 500. If the condition is false, the ELSE branch returns NULL and the query succeeds. That is the whole trick: the HTTP status code leaks one bit about the condition. As for to_char: in Oracle it converts a value to a string. We do not know the types of the columns in the original query, and a type mismatch would raise an error of its own, regardless of our condition, so the THEN branch is made a string to match the string our input lives in, and NULL is used in the ELSE branch because NULL fits any type. This is the same reason we use null instead of 1,2,3,... in UNION-based SQLi (UNION SELECT null,null--): we want to avoid a type conflict. Time to try it in Oracle. I do not have Oracle installed locally, so I am using apex.oracle.com.
To be sure, TrackingId=x' UNION SELECT CASE WHEN (username='administrator') THEN to_char(1/0) ELSE NULL END FROM dual --'; // 500 Internal Server Error. One caveat: dual has no username column, so this particular query fails with an invalid-identifier error whether or not the condition holds. A cleaner sanity check is to send the payload once with a condition that is certainly true (1=1) and once with one that is certainly false (1=2), with the table set to users, and confirm that only the first returns 500. Now we can use SUBSTR to find the administrator's password character by character. Oracle's SUBSTR takes three parameters: SUBSTR(string, start_position, length), with positions counted from 1, and ASCII() gives the character code of the result. Our payload is:
TrackingId=x' UNION SELECT CASE WHEN (username='administrator' AND ASCII(SUBSTR(password,1,1))>80) THEN to_char(1/0) ELSE NULL END FROM users --'; // Time to begin a binary search, with the ASCII table as our guide (it is easy to find online). A 500 means the code of the first character is greater than 80, a normal response means it is 80 or less. Move the threshold to the middle of whichever half remains and repeat; each request halves the remaining range, so only a handful of requests are needed per character. Confirm the final value with = instead of >, then do the same for positions 2, 3, and so on.
After finding all 20 characters of the password, log in as administrator with it. CONGRATULATIONS, YOU SOLVED THE LAB! STAY TUNED.