
Showing posts with the label "SQLi"

SQLi - Cannot resolve the collation conflict between "Chinese_Taiwan_Stroke_CI_AI" and "SQL_Latin1_General_CP1_CI_AS" in the UNION operation.

When attempting SQLi against MSSQL, you sometimes run into an unresolvable collation conflict: 無法解析 UNION 作業中 "Chinese_Taiwan_Stroke_CI_AI" 與 "SQL_Latin1_General_CP1_CI_AS" 之間的定序衝突。 This happens because the two databases, tables or columns being combined with UNION use different collations, so the SQL query has no single collation to follow. The simplest fix is to set the same collation explicitly on the corresponding columns with COLLATE (the trailing comma before FROM has been removed here so the statement parses):

    UNION ALL SELECT Field1 COLLATE Chinese_Taiwan_Stroke_CI_AI, Field2 COLLATE Chinese_Taiwan_Stroke_CI_AI FROM TABLE

Reference: Collation Precedence https://docs.microsoft.com/zh-tw/sql/t-sql/statements/collation-precedence-transact-sql?view=sql-server-ver15

OWASP Security Shepherd Project - SQL Injection 4 (Injection Challenge)

Challenge Solution

The challenge asks us to log in as administrator. As a first step, let's try admin / 'or'a'>'a';-- - in the UserName / Password fields -> No luck this time.

After trying the double quote (") and other payloads I know, it seems that the application is not vulnerable.

Let's step back and think about the query itself. Let's guess the query is [ SELECT * FROM users WHERE username=' UserName(our_input) ' AND password=' Password (our_input) ' ].

What if we use a backslash (\) to escape the closing apostrophe (') of username, so that the query becomes => [ WHERE username= ' \' (the closing apostrophe becomes a normal character) AND password= ' or 1=1 ;-- - ' ]

Cool! We have some progress now!

What we need to do next is find a way to select administrator. Before extracting administrator, let's see why our ' or 1=1;-- - payload does not work. Input admin' or 1=1\ to t

OWASP Security Shepherd Project - SQL Injection 3 (Injection Challenge)

Challenge Solution

First step, let's try to input Mary Martin.

Then, let's try 1'or'1'='1.

Well, maybe that's because 1 isn't a valid character for Name? Let's try a'or'a'='a.

Not bad, we get the user list. However, our purpose is to get the credit card number. We must try to UNION SELECT the credit card number field!

The first thing that comes to my mind is how to get the table name and column names of this application's database.

Try ' UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE '1'='1 =>

Try ' UNION SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='customer =>

Now we are sure that the application doesn't have the privilege to access information_schema... Let's try using GROUP BY to guess the column name. Input ' group by name having '1'='1 => An error was detected! com.mysql.jdbc.exceptions.jdbc4

OWASP Security Shepherd Project - SQL Injection 2 (Injection Challenge)

Challenge Solution

Once again, let's try the most classic input a'or'1'='1.

It seems that the application does check whether the user input is in a certain format. We need to see if we can input something that looks like an email address but still tricks the SQL server.

Try a@'or'1.com'='1.com => Invalid Email Address was submitted
    1@1.1 => There were no results found in your search
Now we know 1@1.1 is a valid format.

Try 1@1.1'or'1'='1 => Invalid Email Address was submitted
    1'or'a@a.a => There were no results found in your search
Now we know the @ character should be placed in the last clause. By the way, 1'or'1@1.1 will succeed. I guess that is because @ is recognized as a special character and 1 means true.

Try 1'or'1@1.1'='1@1.1 => Invalid Email Address was submitted
Now we know that two @ characters are not allowed.

Try a'!=&#

OWASP Security Shepherd Project - SQL Injection 1 (Injection Challenge)

Challenge Solution

It looks like the SQL query should look like SELECT * FROM <table_name> WHERE CustomerId = ' <Our Input> '.

With this guess, let's try to input a'or'1' = '1.

No luck. However, we should remember that both ' and " are valid quote characters for strings. Let's try a"or"1" = "1.

Great! We completed the challenge.

OWASP Security Shepherd Project - NoSQL Injection One (Injection Challenge)

Challenge Solution

Let's try clicking the Get Gamer Info button without any modification and use BurpSuite to capture the requests. (If you don't know what BurpSuite is, here is its official website: https://portswigger.net/burp )

Don't forget to route your browser through BurpSuite so it can capture and analyse the requests and responses.

Let's try to manipulate this field by inputting b' OR '1' = '1.

No luck, but now we know the application is using MongoDB.

By checking the OWASP Testing Guide: https://www.owasp.org/index.php/Testing_for_NoSQL_injection , we know that we can input functions or special characters for NoSQL. Let's try inputting a'; return(true); var a = 'a. Great! We finished the challenge.

OWASP Security Shepherd Project - SQL Injection Lesson

What is an Injection Vulnerability/Threat?

Injection occurs when malicious data is sent to a server and the server trusts that data without proper examination. Under this condition, the malicious data is treated as a normal command and executed with the privileges of the corresponding server-side application.

Injection attacks are high-severity attacks. An injection vulnerability could lead to confidential data leakage, directory traversal, execution of arbitrary files, and even full control of the system by attackers. This kind of attack leaves your system wide open, because it can be initiated by anyone who connects to the system, through the data they pass to the application.

Lesson

In this lesson we are asked to practice a simple SQL injection: our purpose is to change the boolean result of the query's WHERE clause so that it returns true for every row in the table. Let's input 1' OR '1' = '1 to see if we can trick the application by leveragi