SQL Get/Search Injection Exploitation on bWAPP
In this post, I will be exploiting the SQL Injection (Get/Search) section of the Buggy Web Application (bWAPP). This instance of bWAPP was hosted in a Docker container on an Ubuntu VM and is exploited from a separate Kali Linux VM. This section of bWAPP is exploited at the low security setting.
Upon selecting the SQL Injection (Get/Search) page, this is what the user sees.
Note that the URL contains the PHP page and its query parameters; these will be used to perform the SQL injection. Below is an analysis of a movie search captured in Burp Suite.
This provides some extra information about the GET request. Next, I begin the SQL injection. In the title parameter, entering the string “1' -- -” produces a “No Movies Found!” response from the website. Since this was not rejected as invalid syntax, the site accepted the string as a valid query.
Next, the vulnerability will be exploited with a payload. Before using an actual command, I will fill the text boxes with numbers. These numbers are entered after the apostrophe and before the dashes.
Now that we know which box corresponds to which number, we can use this information to expose sensitive information about the web server. In this case, I will find out which operating system and version the web server is running by using the version() call, placed in box 5.
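The reason the probes above work is that the search term is spliced directly into the SQL text, so a quote and a comment marker change the query's structure. The following is an added example, not bWAPP's own code: it reproduces the flaw in a few lines of Python over an in-memory SQLite table (standing in for bWAPP's MySQL database; the movie rows are constructed sample data) and places the fixed, parameterized query beside it. Run against the page's own probe strings, the vulnerable function returns the injected row of numbers while the parameterized function treats the whole string as a literal pattern and returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's movie table; the real
# bWAPP schema is not reproduced here (assumption for this example).
MOVIES = [
    (1, "Iron Man", 2008),
    (2, "The Incredible Hulk", 2008),
    (3, "Thor", 2011),
]

# The two probe strings used in the walkthrough: a comment terminator that
# shows the quote context can be closed, and a UNION of plain numbers that
# maps result columns to the boxes shown on the page.
PROBE_COMMENT = "1' -- -"
PROBE_UNION = "1' UNION SELECT 1, 2, 3 -- -"


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER)"
    )
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", MOVIES)
    conn.commit()
    return conn


def search_vulnerable(conn, title):
    """Search with the user input concatenated into the SQL text.

    This mirrors the bWAPP 'low' setting: the quote in the input closes the
    string literal and everything after it is parsed as SQL.
    """
    sql = (
        "SELECT id, title, release_year FROM movies "
        "WHERE title LIKE '%" + title + "%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, title):
    """Same search with a bound parameter.

    The SQL text is fixed; the driver passes the input to the engine as a
    value, so quotes and comment markers are matched as characters in the
    LIKE pattern rather than interpreted as SQL.
    """
    sql = "SELECT id, title, release_year FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_COMMENT, PROBE_UNION, "Thor"):
        print("vulnerable    ", repr(probe), "->", search_vulnerable(db, probe))
        print("parameterized ", repr(probe), "->", search_parameterized(db, probe))
```

The UNION probe is the interesting one: the vulnerable search returns the row (1, 2, 3), which is exactly how the numbers "land" in the output boxes on the bWAPP page, whereas the parameterized search returns an empty list for the same input. The fix is the parameter binding, not filtering of quotes or dashes; a normal search such as "Thor" behaves identically in both functions.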
As shown, we were able to retrieve sensitive information from the server by using an SQL injection, successfully exploiting this page of bWAPP.