
  • Understanding the SQL injection used in the demo lesson

    Posted by Christophe on June 14, 2020 at 7:49 pm

    In this lesson, we performed a SQL injection against the Damn Vulnerable Web Application in order to extract usernames and passwords from the database.

    This is the injection we used:

    %' and 1=0 union select null, concat(user,';',password) from users #

    Here’s an explanation of how it works:

    • We might expect the query to look something like this:
    SELECT * FROM users WHERE id ='%' and 1=0 
    union 
    SELECT null, concat(user,';',password) from users #
    • % represents zero or more characters, so it can be useful for pattern matching, i.e. if we had cy%, it could match cybr, cyclone, etc.
    • The UNION operator is used to combine the result set of two or more SELECT statements
    • SELECT null is used because UNION requires the same columns, data types, and number of columns to be pulled so that it can match it all up. But since we may not know what those exact columns are in the 1st select statement (since the app constructed it, not us), we use null.
    • We then use the concat() command to separate the username and password from one another in the return statement, like this: user;password
    • Since we can cheat, though, by looking at the source code, we can see what the exact query looks like:
    SELECT first_name, last_name FROM users WHERE user_id = '$id';

    We can also see what is being output:

    $html .= "ID: {$id} First name: {$first} Surname: {$last}";

    So the reason we are seeing our injection returned in the ID output is because the application is simply spitting out the $id variable it grabbed from our input in the form.

    The reason we see the extracted data in the Surname and not the First name is because the SELECT null matches up with SELECT first_name, and the SELECT concat() matches up with SELECT last_name.

    One more challenge for you…not all options added in that SQL injection are needed for a successful extraction, at least not in the ‘low’ security setting of the DVWA. Try to see what causes this injection to stop working, and try to figure out why!

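The DVWA query quoted above, concatenated the way the 'low' level does it, beside its parameterised fix, as an added Python/SQLite example that is not part of the original post or of DVWA. Assumptions: an in-memory SQLite table with made-up rows and hashes stands in for the users table, and SQLite's `-- ` comment replaces MySQL's `#` at the end of the lesson's payload.

```python
import sqlite3

# Constructed stand-in for the DVWA users table the post quotes; column names
# follow the post, the rows and password hashes are made up for this demo.
DEMO_ROWS = [
    (1, "Ada", "Lovelace", "ada", "hash-for-ada"),
    (2, "Grace", "Hopper", "grace", "hash-for-grace"),
]

# DVWA runs on MySQL, where '#' starts a comment; SQLite has no '#' comment,
# so this port of the lesson's payload ends with SQLite's '-- ' instead.
LESSON_PAYLOAD = "%' and 1=0 union select null, concat(user,';',password) from users -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", DEMO_ROWS)
    # MySQL's concat() is missing from older SQLite builds; register a
    # 3-argument version so the payload runs unchanged.
    conn.create_function("concat", 3, lambda a, b, c: f"{a}{b}{c}")
    return conn


def vulnerable_lookup(conn, user_input: str):
    # Same string interpolation as the DVWA 'low' query shown in the post: the
    # input becomes part of the SQL text, so its quote, UNION and comment are
    # parsed as SQL and the second SELECT's rows land in the last_name column.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}';"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_input: str):
    # Parameterised query: the input is bound as a value, never parsed as SQL,
    # so the same payload is just a user_id string that matches no row.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", vulnerable_lookup(db, LESSON_PAYLOAD))
    print("parameterised:", safe_lookup(db, LESSON_PAYLOAD))
```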
  • issam

    Member
    September 20, 2020 at 2:42 pm

    Great explanation, thank you.

    • Christophe

      Administrator
      September 20, 2020 at 3:50 pm

      Glad it helps!
