At some point you will need to attack the vast world of Command Injection. SQL Injection is a massive subject with some very interesting methods for obtaining information.
WebGoat by OWASP is a great platform for learning about Web Application Penetration Testing, with an added bonus of you being tested on what you have learned.
Numeric SQL Injection: WebGoat
On selecting the Numeric SQL Injection link in WebGoat, you are given a task. Outline can be seen in the image below.
The task is to display all of the weather from all of the stations. Lets see what happens when we just hit ‘Go’
The result shows us some information. The station column is of particular interest as it gives us an identifier for ‘Columbia’.
We don’t have anywhere to enter any SQL Injection commands, however, we can intercept the traffic using Tamper Data for FireFox and resend information to the Web Server.
You will need to install the Tamper Data Plugin, however, if you already have it installed, you will find it under Tools in FireFox. Open Tamper Data, and hit ‘Start Tamper’
Hit ‘Go!’ on the Web Application and Tamper Data will ask you if you want to Tamper with the Data. Hit ‘Yes’ and you will see the box below.
We can see from the result that Post Parameter ‘station’ has a value of ‘101’ This is our identifier for ‘Columbia’. What would happen if we appended some code to the Post Parameter value?
As you can see, we added OR 1=1.
This is essentially saying. Give me the records for station 101 OR any other record in the table. Submitting this through Tamper Data produces the result below.
By adding a simple ‘OR 1=1’ to the end of a value can be very useful or very bad, depending on your point of view.
It is important to understand the underlying basics of how a script calls a database for information. Not all Web Applications are created equal.