Danny
3 min read · Sep 6, 2024

Lets Defend Write-up

Possible SQL Injection Payload Detected

In this write-up, we’re going to go over SOC165 — Possible SQL Injection Payload Detected from LetsDefend. I was asked to go over this one, and I hope it helps anyone who is stuck or looking for more hands-on upskilling.

Name:
EventID: 115 — [SOC165 — Possible SQL Injection Payload Detected]

Spoiler Warning: This write-up will have some answers to the LetsDefend Blue Team Training questions for this challenge. I’ll walk through the exercise without simply giving the answer to aid in your learning.

The Alert itself will give you the details to investigate.

When getting started, you’ll want to create a case

I found this to be a little non-intuitive in the platform, but you’ll need to do this to proceed.

Click Start Playbook

You see SQL activity when you decode the URL in the alert details.

https://172.16.17.18/search/?q=" OR 1 = 1 -- -
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

You can decode this with CyberChef or another similar tool. The giveaway here is the sequence " OR 1 = 1 -- - in the q parameter.

For context, this is a classic SQL injection test string used by attackers against an injectable parameter. The leading double quote closes the string literal the application wrapped the q value in, OR 1 = 1 appends a condition that is always true so the WHERE clause matches every row, and -- - comments out whatever the application placed after the parameter. If the parameter is injectable, the query stops filtering and returns the whole table instead of the one matching row.

For more on this, see this section of the LetsDefend lesson detail
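To make the mechanics concrete, here is an added example (not code from the LetsDefend lab or this write-up) of a hypothetical search handler written two ways: one that concatenates q into the SQL text and one that binds it as a parameter. The table and its rows are constructed for the example. The lab's payload starts with a double quote because that application quoted q with double quotes; this example's query uses single quotes, so the same technique uses a single quote to break out of the literal.

```python
import sqlite3

# Constructed sample table for this example; not data from the LetsDefend lab.
PRODUCTS = [
    (1, "laptop", 1200),
    (2, "monitor", 300),
    (3, "keyboard", 45),
]

# Same technique as the alert's " OR 1 = 1 -- -, adapted to a single-quoted literal.
INJECTED_Q = "' OR 1 = 1 -- -"


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(q):
    """Hypothetical /search/ handler that concatenates q into the SQL text.

    Returns (sql_text, rows) so the query the database actually parsed is visible.
    """
    conn = _open_db()
    sql = "SELECT id, name FROM products WHERE name = '%s'" % q
    rows = sorted(conn.execute(sql).fetchall())
    conn.close()
    return sql, rows


def search_parameterized(q):
    """Same search with a bound parameter: q is data, never SQL grammar."""
    conn = _open_db()
    rows = sorted(
        conn.execute("SELECT id, name FROM products WHERE name = ?", (q,)).fetchall()
    )
    conn.close()
    return rows


if __name__ == "__main__":
    sql, rows = search_vulnerable(INJECTED_Q)
    print("vulnerable query :", sql)
    # Every row comes back: the WHERE clause has become a tautology and the
    # closing quote the application added is swallowed by the -- comment.
    print("vulnerable rows  :", rows)
    # No product is literally named "' OR 1 = 1 -- -", so nothing is returned.
    print("parameterized    :", search_parameterized(INJECTED_Q))
```

The printed vulnerable query shows why the page's payload ends in -- - rather than a bare --: the trailing text commented out is the application's own closing quote, and the extra character after -- satisfies MySQL's requirement that -- be followed by whitespace.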

The User-Agent string in the alert details also gives the attacker's claimed operating system: Windows NT 6.1 is Windows 7, and WOW64 indicates a 32-bit browser on 64-bit Windows. Treat this as a claim rather than a fact, since the User-Agent header is set by the client and is trivial to spoof.

You can confirm this URL via the logs under “Log Management” when searching the raw logs.

OR 1 = 1 URL encoded

This shows us what was being requested by the attacker.

After these findings, we can classify this as an unsuccessful attack: there is nothing in the command history on the target to indicate follow-on activity, and the HTTP status code is 500 Internal Server Error for all five SQL injection attempts, meaning the injected queries errored rather than returning data. Note that a 500 on every payload may itself be a sign that the input reached the database layer and broke the query, so even though this attempt failed, the endpoint is worth flagging to the application owners for review.

Unsuccessful attempts shown in the logs

For more information on HTTP Status codes, see this documentation
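The log review above (URL-decode the requests, spot the injection strings, then read the status codes) can be scripted. The following is an added example, not part of the write-up or the LetsDefend platform: it runs over a few constructed log lines in a simple "src dst method url status" format (the lab's real log format and values are not reproduced here), URL-decodes each query parameter the way CyberChef's URL Decode does, flags tautology and UNION SELECT indicators, and derives a verdict from the status codes of the flagged requests.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines for this example, loosely modelled on the lab's
# Log Management view: "src_ip dst_ip method request_url http_status".
# These are not the lab's actual logs.
SAMPLE_LOGS = [
    "203.0.113.5 172.16.17.18 GET /search/?q=laptop 200",
    "203.0.113.5 172.16.17.18 GET /search/?q=%22%20OR%201%20%3D%201%20--%20- 500",
    "203.0.113.5 172.16.17.18 GET /search/?q=%22%20OR%201%3D1%20--%20- 500",
    "203.0.113.5 172.16.17.18 GET /search/?q=%27%20UNION%20SELECT%20null--%20- 500",
    "198.51.100.7 172.16.17.18 GET /search/?q=monitor+stand 200",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Indicator patterns applied to the URL-decoded parameter value.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\bor\s+['\"\w]+\s*=\s*['\"\w]+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment", re.compile(r"--|#|/\*")),
]
# Only these prove intent on their own; a comment marker is supporting evidence.
STRONG = {"tautology", "union_select"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    src, dst, method, url, status = m.groups()
    return {"src": src, "dst": dst, "method": method, "url": url, "status": int(status)}


def decoded_params(url):
    """URL-decode every query parameter (%XX escapes and '+' for space)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def indicators(value):
    """Names of the SQLI_PATTERNS that match a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(value)]


def find_sqli(lines):
    """Return one hit per parameter whose decoded value carries a strong indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for param, value in decoded_params(ev["url"]).items():
            found = indicators(value)
            if STRONG & set(found):
                hits.append({**ev, "param": param, "decoded": value, "indicators": found})
    return hits


def verdict(hits):
    """Triage the outcome from the status codes of the flagged requests."""
    if not hits:
        return "no SQL injection payloads observed"
    statuses = sorted({h["status"] for h in hits})
    if all(500 <= s < 600 for s in statuses):
        return "unsuccessful: every injection attempt returned a 5xx %s" % statuses
    if any(200 <= s < 300 for s in statuses):
        return "review: an injection attempt returned 2xx; compare response sizes and DB logs"
    return "inconclusive: statuses %s" % statuses


if __name__ == "__main__":
    hits = find_sqli(SAMPLE_LOGS)
    for h in hits:
        print(h["src"], "->", h["dst"], h["status"], h["param"], "=", repr(h["decoded"]), h["indicators"])
    print(verdict(hits))
```

The verdict function encodes the reasoning used in this write-up: a 5xx on every injection attempt points to failure, while a 2xx on a flagged request is the case that needs a closer look (response size compared with a benign request, database error logs, any follow-on activity on the host) before it can be closed.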

For the final question on this challenge, we are asked about the direction of the traffic.

Since this was Attacker → Target traffic, the direction is Internet → Company Network.

For your Analyst Note, you can write something along the lines of:
The decoded URL in the alert indicates SQL injection.
After investigating the attacker's attempts in the logs, every request returned HTTP status 500 Internal Server Error, meaning they were not successful.

Hope this helps!

Danny

Learnings about Cybersecurity and how to get into tech. Making cybersecurity accessible.