Challenge: Database Schema
Difficulty: 3 Star
Description: Exfiltrate the entire DB schema definition via SQL injection.
Category: Injection
Tools: Burp Suite, sqlmap
Review:
This challenge is relatively easy because it builds on the previous challenge, DOM XSS. Once you understand how input sanitization works, it is quite a piece of cake. Unlike other challenges, this one uses sqlmap (not strictly necessary, but useful if you want to peek at the database information).
Introduction:
SQL injection is a technique in which user input is interpreted as part of a SQL query, and it is commonly used to probe a database and retrieve any information it holds on the server. Being a little rusty with sqlmap, a few documents were used as references to get a better grasp of its basics. Prior to this challenge, the 1-star challenge called DOM XSS gives a clue about input sanitization in the web application. From the completed DOM XSS challenge we can see that input was not properly sanitized in the web application, meaning that it is vulnerable to SQL injection attacks as well.
Installation:
First and foremost, a few tools are required to solve this challenge:
- sqlmap
- Burp Suite Professional
Unlike Linux, Windows does not come with sqlmap preinstalled. To make sqlmap available on Windows, a few steps are needed to download the tool. Below are the steps to set up sqlmap on Windows:
1. Go to https://sqlmap.org/ and click on the “Download .zip file” button on the right.
2. Extract it to “C:/”
3. Open cmd
4. Go to the “C:/” directory and then into the sqlmap directory
5. Type the following command to run the sqlmap: py sqlmap.py -u <website link> <options>
Steps:
1. Open cmd and run OWASP Juice Shop
2. Make sure the website is up
3. Open another cmd and run sqlmap using: py sqlmap.py -u "http://localhost:3000/rest/products/search?q=" --dbs --level=4 --risk=3 --random-agent --no-cast --no-escape --tamper=space2comment --tables
4. It might take a little time depending on the level you have set, so have a cup of coffee. Observe the sqlmap responses.
5. We can see that the database is vulnerable based on the information retrieved by sqlmap. In this challenge, it displayed the DBMS type and the number of tables contained in the database. We can also conclude that the vulnerable query returns 9 columns.
6. Based on the database information, craft a UNION SELECT attack in the search bar.
7. Replace the column numbers with id, email, and password to display the desired information in the browser. And voila! The challenge is solved.
Suggestion:
Always sanitize your input fields before publishing the web application.
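As an added example (not the challenge's or Juice Shop's own code), here is a Python sqlite3 model of a product search: one version splices the search term straight into the SQL text, which is the root cause of the attack in the steps above, and the other binds it as a parameter, which is what the suggestion above amounts to in practice. The table, rows and search handler are constructed for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a product table (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products (id INTEGER, name TEXT, description TEXT, deletedAt TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'fresh', NULL);
        INSERT INTO Products VALUES (2, 'Banana Juice', 'sweet', NULL);
        INSERT INTO Products VALUES (3, 'Old Juice', 'retired', '2020-01-01');
    """)
    return db


def search_unsafe(db, criteria):
    # The bug the write-up exploits: the search term becomes part of the SQL
    # text, so a quote in `criteria` ends the string literal and whatever
    # follows is executed as SQL (UNION SELECT, tautologies, comments, ...).
    sql = (f"SELECT id, name FROM Products WHERE ((name LIKE '%{criteria}%' "
           f"OR description LIKE '%{criteria}%') AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql).fetchall()


def search_safe(db, criteria):
    # Fix: the SQL text is constant and the driver binds `criteria` as data.
    # The same input is now just an unusual search string that matches nothing.
    sql = ("SELECT id, name FROM Products WHERE ((name LIKE ? "
           "OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name")
    pattern = f"%{criteria}%"
    return db.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x')) OR 1=1 --"   # constructed input that breaks out of the LIKE literal
    print("unsafe:", search_unsafe(db, tautology))  # returns every row, deleted ones included
    print("safe:  ", search_safe(db, tautology))    # returns []
```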