Posted in Penetration Testing, web app testing

Numeric SQL Injection: WebGoat

At some point you will need to tackle the vast world of Command Injection. SQL Injection is a massive subject with some very interesting methods for obtaining information.

WebGoat by OWASP is a great platform for learning about Web Application Penetration Testing, with an added bonus of you being tested on what you have learned.


On selecting the Numeric SQL Injection link in WebGoat, you are given a task. The outline can be seen in the image below.

[Image: task]

The task is to display all of the weather from all of the stations. Let's see what happens when we just hit ‘Go’.

[Image: columbia]

The result shows us some information. The station column is of particular interest as it gives us an identifier for ‘Columbia’.

Tamper Data

We don’t have anywhere to enter any SQL Injection commands; however, we can intercept the traffic using Tamper Data for Firefox and resend information to the Web Server.

You will need to install the Tamper Data plugin; if you already have it installed, you will find it under Tools in Firefox. Open Tamper Data and hit ‘Start Tamper’.

Hit ‘Go!’ on the Web Application and Tamper Data will ask you if you want to Tamper with the Data. Hit ‘Yes’ and you will see the box below.

[Image: TamperData]

We can see from the result that the POST parameter ‘station’ has a value of ‘101’. This is our identifier for ‘Columbia’. What would happen if we appended some code to the POST parameter value?

[Image: SQLi]

As you can see, we added OR 1=1.

This is essentially saying: give me the records for station 101 OR any other record in the table. Submitting this through Tamper Data produces the result below.

[Image: success]

Adding a simple ‘OR 1=1’ to the end of a value can be very useful or very bad, depending on your point of view.

It is important to understand the underlying basics of how a script calls a database for information. Not all Web Applications are created equal.
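To make the "how a script calls a database" point concrete, here is an added example (not part of the original post or of WebGoat itself) that builds a small in-memory SQLite table modelled on the weather lesson, with constructed station rows. It runs the same `station` value through a query built by string concatenation, where `101 OR 1=1` becomes a tautology and returns every row, and then through a parameterised query plus a digits-only check, where the same value returns nothing or is rejected before it ever reaches the database. Table and column names (`weather_data`, `station`, `name`, `temp`) are assumptions for this example.

```python
import sqlite3

# Constructed sample data in the shape of the WebGoat weather table
# (station ids and temperatures are made up for this example).
SAMPLE_STATIONS = [
    (101, "Columbia", 65),
    (102, "Seattle", 48),
    (103, "New York", 57),
]


def make_db():
    """Create an in-memory database with the constructed weather rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE weather_data (station INTEGER, name TEXT, temp INTEGER)"
    )
    conn.executemany("INSERT INTO weather_data VALUES (?, ?, ?)", SAMPLE_STATIONS)
    conn.commit()
    return conn


def query_vulnerable(conn, station):
    """The pattern behind the lesson: the parameter is pasted into the SQL text.

    With station = "101 OR 1=1" the WHERE clause becomes
    `WHERE station = 101 OR 1=1`, which is true for every row.
    """
    sql = "SELECT station, name, temp FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()


def query_parameterized(conn, station):
    """Bound parameter only: the value travels separately from the query text.

    The database compares the whole string "101 OR 1=1" against the integer
    column; it is not a number, so no row matches and nothing is injected.
    """
    sql = "SELECT station, name, temp FROM weather_data WHERE station = ?"
    return conn.execute(sql, (station,)).fetchall()


def query_safe(conn, station):
    """Defence in depth: validate that a numeric id is digits only, then bind it.

    The validation gives a clear error for bad input; the bound parameter is
    what actually prevents the injection.
    """
    if not station.isdigit():
        raise ValueError(f"station must be numeric, got {station!r}")
    sql = "SELECT station, name, temp FROM weather_data WHERE station = ?"
    return conn.execute(sql, (int(station),)).fetchall()


def demo():
    """Run the normal and tampered values through all three query styles."""
    conn = make_db()
    tampered = "101 OR 1=1"  # the value sent via Tamper Data in the lesson
    results = {
        "vuln_normal": query_vulnerable(conn, "101"),
        "vuln_tampered": query_vulnerable(conn, tampered),
        "param_normal": query_parameterized(conn, "101"),
        "param_tampered": query_parameterized(conn, tampered),
        "safe_normal": query_safe(conn, "101"),
    }
    try:
        query_safe(conn, tampered)
        results["safe_tampered"] = "accepted"
    except ValueError:
        results["safe_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key takeaway from running it is that `query_vulnerable` returns all three stations for the tampered value while `query_parameterized` returns none: the identifier is never interpreted as SQL. The `isdigit()` check in `query_safe` is not a substitute for binding; it only makes bad input fail loudly (and gives you something to log and alert on) before the query runs.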
