SQL Get/Search Injection Exploitation on bWAPP

Cambria Kinkelaar
2 min read · Mar 27, 2024


In this post, I will be exploiting the SQL Injection (Get/Search) section of the Buggy Web Application (bWAPP). This instance of bWAPP was hosted in a Docker container on an Ubuntu VM and is attacked from a separate Kali Linux VM. This part of bWAPP will be exploited at the low security setting.

Upon selecting the SQL Injection (Get/Search) setting, this is what the user will see.

SQL Get/Search page on bWAPP

Note the PHP page and its query parameters in the URL; these will be used to perform the SQL injection. Below is an analysis, in Burp Suite's site map, of a search for a movie.

Burp Site analysis of an HTTP GET request

This provides some extra information about the GET request. Next, I will begin the SQL injection. Using the title parameter, inputting the string “1' -- -” results in a “No Movies Found!” response from the website. Since this was not rejected as invalid syntax, the site has accepted the string as a valid SQL command.

The database accepts the injected string as valid
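The signal used above, a quote that is not reported as a syntax error once a comment follows it, is easiest to see in a small model of the search page. The following is an added example and not bWAPP's code: it runs the same search in an in-memory SQLite table (the movie rows and the /search.php log path are constructed assumptions), compares the string-concatenated query with a parameterized one, and adds a log check for the quote-then-comment pattern.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows standing in for bWAPP's movies table (assumption).
MOVIES = [("Iron Man", 2008), ("The Incredible Hulk", 2008),
          ("Terminator Salvation", 2009)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?)", MOVIES)
    return conn

def search_vulnerable(conn, title):
    # The search term is pasted into the SQL text: a quote in the input
    # closes the string literal and whatever follows is parsed as SQL,
    # so "1' -- -" comments out the rest of the query instead of erroring.
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, title):
    # The term is bound as a parameter, so it is only ever compared as data.
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]

def probe(search, conn, title):
    # What the user of the page observes: a database error or a row count.
    try:
        return "rows=%d" % len(search(conn, title))
    except sqlite3.OperationalError:
        return "syntax error"

def flag_request(log_line):
    # Web-log check: flag a GET whose title parameter carries the
    # quote-then-comment pattern; the /search.php path is an assumption.
    target = log_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query)
    return any("'" in v and "--" in v for v in params.get("title", []))

if __name__ == "__main__":
    conn = make_db()
    for term in ("Iron", "'", "1' -- -"):
        print(repr(term), "vulnerable:", probe(search_vulnerable, conn, term),
              "| parameterized:", probe(search_parameterized, conn, term))
    print(flag_request("GET /search.php?title=1%27+--+-&action=search HTTP/1.1"))
```

A lone quote raises a syntax error only in the concatenated version, and the quote-plus-comment input is accepted there exactly as the post observed; the parameterized query returns zero rows for both without ever changing structure.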

Next, the vulnerability will be exploited with a payload. Before attempting an actual command, I will populate the text boxes with numbers. These numbers are inserted after the apostrophe and before the dashes.

Result of inputting a payload into the SQL injection.

Now that we know which box corresponds to which number, we can use this information to expose some sensitive information about the web server. In this case, I will find out what operating system and version the web server is running using the version() call, placed in box 5.

Result of the version() call

As shown, we were able to extract sensitive information from the server through SQL injection, successfully exploiting this page of bWAPP.
