SQL injection remains one of the most severe and widespread security vulnerabilities in web applications. The threat arises when an attacker abuses a web application's construction of SQL queries from untrusted input, leading to unauthorised access to the database, data exfiltration, data manipulation, or even complete control over the application. This room covers advanced SQL injection techniques, giving a comprehensive view of sophisticated attack vectors and the mitigation strategies that defend against them.
Terminal
thm@machine$ nmap -A -T4 -p 3306,3389,445,139,135 MACHINE_IP
Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-25 12:03 BST
Nmap scan report for MACHINE_IP
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=SQLi
| Not valid before: 2024-05-23T04:08:44
|_Not valid after: 2024-11-22T04:08:44
|_ssl-date: 2024-05-25T11:03:33+00:00; 0s from scanner time.
MAC Address: 02:87:BD:21:12:33 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds
SQL Injection
TryHackMe’s Advanced SQL Injection lab expands your SQL injection skillset by delving into advanced techniques that bypass common web application defenses. Whereas the fundamental SQL Injection Lab focused on core concepts, this room dives deeper into methods that attackers leverage in real-world scenarios.
Answers for this room:
Task 1:
1) What is the port on which the MySQL service is running?
Ans: 3306
Task 2:
2) What type of SQL injection uses the same communication channel for both the injection and data retrieval?
Ans: In-band
3) In out-of-band SQL injection, which protocol is usually used to send query results to the attacker’s server?
Ans: HTTP
Task 3:
4) What is the flag value after updating the title of all books to “compromised”?
Ans: THM{SO_HACKED}
5) What is the flag value once you drop the table hello from the database?
Ans: THM{Table_Dropped}
Task 4:
6) What is the MySQL error code once an invalid query is entered with bad characters?
Ans: 1064
7) What is the name of the book where book ID=6?
Ans: Animal Series
Task 5:
8) What is the password for the username “attacker”?
Ans: tesla
9) Which of the following can be used if the SELECT keyword is banned? Write the correct option only.
Ans: c
Task 6:
10) What is the output of @@version on the MySQL server?
Ans: 10.4.24-MariaDB
11) What is the value of the @@basedir variable?
Ans: C:/xampp/mysql
Task 7:
12) What is the value of the flag field in the books table where book_id =1?
Ans: THM{HELLO}
13) What field is detected on the server side when extracting the user agent?
Ans: User-Agent
Task 8:
14) Does the dynamic nature of SQL queries assist a pentester in identifying SQL injection (yea/nay)?
Ans: nay
Task 9:
15) What command does MSSQL support to execute system commands?
Ans: xp_cmdshell
Task 10:
16) I have successfully completed the room.
Ans: No Answer needed
Thanks again for your time. I look forward to our next Blog.
Stay Connected – Audit Mania