Advanced SQL Injection – TryHackMe

SQL injection remains one of the most severe and widespread security vulnerabilities in web applications. It arises when an attacker can make a web application execute arbitrary SQL queries, leading to unauthorised access to the database, data exfiltration, data manipulation, or even complete control over the application. This room covers advanced SQL injection techniques, including sophisticated attack vectors and mitigation strategies.

Terminal
thm@machine$ nmap -A -T4 -p 3306,3389,445,139,135 MACHINE_IP

Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-25 12:03 BST
Nmap scan report for MACHINE_IP
Host is up (0.00034s latency).

PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3306/tcp open     mysql
3389/tcp open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=SQLi
| Not valid before: 2024-05-23T04:08:44
|_Not valid after:  2024-11-22T04:08:44
|_ssl-date: 2024-05-25T11:03:33+00:00; 0s from scanner time.
MAC Address: 02:87:BD:21:12:33 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds

SQL Injection

TryHackMe’s Advanced SQL Injection lab expands your SQL injection skillset by delving into advanced techniques that bypass common web application defenses. Whereas the fundamental SQL Injection Lab focused on core concepts, this room dives deeper into methods that attackers leverage in real-world scenarios.

Answers for this room:

Task 1:

1) What is the port on which MySQL service is running?

Ans: 3306

Task 2:

2) What type of SQL injection uses the same communication channel for both the injection and data retrieval?

Ans: In-band

3) In out-of-band SQL injection, which protocol is usually used to send query results to the attacker’s server?

Ans: HTTP

Task 3:

4) What is the flag value after updating the title of all books to “compromised”?

Ans: THM{SO_HACKED}

5) What is the flag value once you drop the table hello from the database?

Ans: THM{Table_Dropped}

Task 4:

6) What is the MySQL error code once an invalid query is entered with bad characters?

Ans: 1064

7) What is the name of the book where book ID=6?

Ans: Animal Series

Task 5:

8) What is the password for the username “attacker”?

Ans: tesla

9) Which of the following can be used if the SELECT keyword is banned? Write the correct option only.

Ans: c

Task 6:

10) What is the output of the @@version on the MySQL server?

Ans: 10.4.24-MariaDB

11) What is the value of @@basedir variable?

Ans: C:/xampp/mysql

Task 7:

12) What is the value of the flag field in the books table where book_id =1?

Ans: THM{HELLO}

13) What field is detected on the server side when extracting the user agent?

Ans: User-Agent

Task 8:

14) Does the dynamic nature of SQL queries assist a pentester in identifying SQL injection (yea/nay)?

Ans: nay

Task 9:

15) What command does MSSQL support to execute system commands?

Ans: xp_cmdshell

Task 10:

16) I have successfully completed the room.

Ans: No Answer needed


Thanks again for your time. I look forward to our next Blog.
