💡 Overview
A SQL injection (SQLi) is a type of cybersecurity attack that targets data-driven applications by inserting or "injecting" malicious SQL statements in the input field of a web page. A successful SQLi can allow an attacker to read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, or even gain root access to the system itself. The SQLi Hacker Challenge is an chance for you to conduct a SQLi attack on a mock database that was designed for this challenge. If successful, you’ll have another opportunity to answer some fun Bonus Questions.
Before we begin, let's go over an example of SQLi attack.
SQLi example
Look at the following example which creates a SELECT statement by adding a variable (user_id) to the end of it. The variable is fetched from the input() function.
user_id = input("User ID: ")
SQL_statement = f"SELECT * FROM Users WHERE user_id = {user_id};"
The purpose of the code is to create a SQL statement to select a user, with a given user_id. If there are no security measures in place then a user can enter erroneous data into the input field such as:
User Id: 776 OR 1=1
This would create the following SQL statement:
SELECT * FROM Users WHERE user_id = 776 OR 1=1;
The above SQL statement is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE. If the "Users" table contains usernames and passwords then a hacker would get access to all the usernames and passwords in a database, by simply inserting 776 OR 1=1 into the input field.
SQLi Hacker Challenge
Now that you have a basic understanding of how a SQLi works, lets try the SQLi Hacker Challenge.
Task
Your task is to execute a successful SQLi attack on a mock database that was designed for this challenge, and to view all contents in.
Database Design
The database consists of one table, and the following three columns:
idusernamepassword
Instructions
Run the following Python script on your local machine, and you will be prompted to "Enter your SQL Injection.". Keep entering input until you successfully achieve a SQLi attack!
#!/usr/bin/env python3
import sqlite3
import requests
# SQL statements:
CREATE_USERS_TABLE = "CREATE TABLE IF NOT EXISTS usernames (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
INSERT_USER_DATA = "INSERT INTO usernames (username, password) VALUES (?, ?)"
def get_userdata() -> list:
"""Returns username, and password in tuple from online username.dat file."""
# url to username and password file
URL = "https://pastebin.com/raw/ih7szSSv"
raw = [i.strip() for i in requests.get(URL).text.split('\n')]
output = []
for i in raw:
users = i.split(', ')[0].split(',')[0]
passwords = i.split(', ')[0].split(',')[1]
output.append((users, passwords))
return output
# Create database in memory
conn = sqlite3.connect(":memory:")
# Get usernames and passwords
user_data = get_userdata()
# Create table
conn.execute(CREATE_USERS_TABLE)
# Insert username, passwords into database
conn.executemany(INSERT_USER_DATA, user_data)
while True:
INJECTION = input("Enter your SQL Injection:\n> ")
sql = f"SELECT * FROM usernames WHERE id = 776 {INJECTION}"
try:
results = conn.execute(sql).fetchall()
if results:
print(f"\n\033[92m" + "Good job, you did it!" + "\033[0m")
with conn:
for row in results:
print(row)
conn.close()
break
except sqlite3.OperationalError as e:
print("\n\033[91m" + "Nope, try again!" + "\033[0m")
pass
Bonus Questions
After dumping the database, try solving the following Bonus Questions.
- Decrypt the administrator's password. Hint: MD(
101) - What 1995
"crime/action/romance"movie did theseusersplay in? Hint: Solve the first bonus question.
Conclusion
The main purpose of this tutorial was to teach basic techniques on how to conduct a SQLi attack. Hopefully you were able to successfully execute a SQLi attack, and solve all of the Bonus Questions. If you want a better SQLi graphic user interface then check out the SQL Injection Lab hosted on Hacksplaining. Please leave your questions, concerns or comments below. Thanks for reading this post ~ Good luck and have fun!
Code available at GitHub
Top comments (0)