
SQL Injection

Overview
Difficulty: Intermediate
Duration: 2h 6m
Description

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities, such as XX vulnerabilities.

Transcript

Hi. Within this lecture, we're going to try and log in as the administrator user, as we have seen in the challenges. So, I'm going to log out. Okay. So, if we come over here to log in, we don't even know the administrator account or username. And in fact, this is an email, actually. So, most probably it has something to do with SQL injection. So, I'm going to open this sqlinjection.txt, and this is the file that we have been working on in the previous sections, as you might remember. So, if you didn't watch the SQL injection sections, I suggest you go back and watch them. Okay. So, we have tried this 123456. So, this is actually a random password, and we have tried AND 1=1 to confirm if there is an SQL injection possibility.

Okay. And we can try this for the password here as well. So, I'm going to copy this and paste it over there, and I'm going to give my own email. So, I'm going to try and log in and see if that works or not. If this works, then I believe we can inject some code over here. But as you can see, it says invalid email or password. So, it doesn't even work for us. So, I'm going to come over here to Burp Suite and see what's going on. As you can see in Burp Suite, we have a lot of different targets over there. So, in the Target site, there are a lot of websites that we're interacting with. So, what I would suggest over here is to come over here to our own Juice Shop section and say 'Add to scope'. Okay.

And it will add only this website to our scope, so that we can filter everything over here and see only our website. Okay. So, what am I going to do? I'm going to click over to 'Filter' over there on this tab, and I'm just going to say Show only in-scope items. It will just filter out everything else. Okay. Just select this. Let me just revert changes and just select this, and click somewhere over there. And as you can see, we can only see our own website. So, this is the only scope item right now. So, we don't deal with anything else over there. So, I'm going to log in one more time, and see the request over there.

And as you can see, this is the request, but this is not the request that we are looking for. So, I believe this is kind of a preliminary thing. I'm going to forward this and just wait until we see the parameters, and this one as well. And here you go. Now we see the parameters. So, this is the request that we are looking for. As you can see, I'm just going to send this to Repeater, because we're going to test it a couple of times. So, if we send it, we get the response back as Invalid email or password. Now we can just change the parameters over here, and we can see the response immediately if we want. Like, we can change the parameters, we can say AND or OR or anything that we want.

First of all, let me try something like this. We tried this in the password, but I'm going to try it in the email as well. So, maybe this is injectable. Okay. I'm leaving the thing in the Repeater. Okay. I'm just going to try it over there. I'm going to inject this email. And of course, we're going to have to turn the intercept off or just forward this from here. Okay. Let me forward this, forward this, forward this, this one as well, until we see the parameters. So, let me come over here, and here you go. Now we see the parameters. I'm going to send this to Repeater as well. Since we started with the Repeater, let's finish it with the Repeater.

So, as you can see, right now we see it over there; if we send this, and here you go. Now we got something interesting. So, even though I believe it didn't work, we got an error message back. Right now, we have a lot of information over there. So, it says invalid email or password over there, but we didn't even forward it, I believe. Let me try to come over there and see the response. As you can see on the response side, we're getting a lot of error messages, and we didn't see that on the HTML side, but it's in the response. Okay. So, it didn't get rendered for us. But that's the beauty of Burp Suite. So, you can see the details of the response, and you can see if there is something hidden from you.

So, there is a detailed thing over there, like the SQL command. So, I'm going to just copy this, okay, and paste it in my notes. So, let me come below over here and just paste it, as you can see. So, it's doing a SELECT * FROM Users, and it's filtering on the email. And of course, we injected this. Okay. And it's looking for the password. So, the password is hashed, which is good. Okay. And there is something over here, deletedAt. So, I believe this is a column as well. And if we delete, or if they delete, any user, they check whether this is deleted or not. So, if this is deleted, then it won't log us in. If this is not deleted, then it will log us in, which is good.

So, this is very good, actually. They're doing their job. They're actually encoding the password or something like that, but we eventually have seen this message. If we come over here, we don't see anything over there. We can just see there is some sort of an error, an [object Object] error, but we didn't solve it. So, we know right now, I believe, that this is injectable, because we managed to break it somehow with SQL injection, but we couldn't find the way to inject the SQL command right now. So, let's try some variations. If you add a semicolon here, it just happened for us.

If you add a semicolon at the end of this thing, it worked. Rather than the simple command like this, we just added a semicolon. And if it didn't work, then I was just going to try all of these things over here. So, what I did was, let me just write it over there. So, atil@test.com. Okay. And with a single quotation mark like this, I did say OR 1=1, ended it with the semicolon, and then added the # over there. So, it made us actually into this, and we are logged in with the administrator account. Because, as you know, it logs in with the default account with the user ID 1, most probably, and we are logged in with the administrator account.

And again, if it didn't work, then I was going to try everything that we have seen in the bypassing firewalls and bypassing filters sections, like making the letters upper case or lower case, encoding it with URL encoding, something like that. Okay. But we managed to get into the administrator account. So, we solved this one. So, let's see what else we have here. So, this is the injection, clearly. But we injected it, and we don't even know the administrator rights right now. So, if we go to the Account, let's see what else we can get here. Since we are logged in as admin, maybe we can get to some panel, like an administrator panel, and we can change something, and we can solve the other challenges as well.

So, first of all, if you come over here, we can see the administrator email. We didn't even know the email until now. So, this is admin at Juice Shop. But as you can see, it has a dash and .op. So, let me just write it over there as a note, because it's a little bit complicated. So, let me just take a note over there and say admin@juicesh.op. I believe it's something like that. Let me come back and check it one more time. No, that is not like that. Let me come back and just make it right: juice-sh.op. Okay. So, this is the admin user, the admin email actually. And the funny thing is, we don't even know the password of the administrator right now, because we have injected ourselves. We injected our way in. We don't know the password. So, we're going to find it later on.

Let me just come over here to Your Basket and see if we can change anything. Now, this is a simple basket. Let's go to 'Order History', and this is the order history of the administrator account. I believe we don't have to do anything over there. Let me go to maybe 'My Payment Options'. We can see the administrator's credit card account. We can delete them if we want, but there is nothing funny going on over there. So, let me try to go to 'Digital Wallet'. And as you can see, there is nothing here as well. So, let's go to 'My saved addresses'. We can see the address of the administrator account, but I believe they are not part of any challenge, because nothing is getting sold right now.

So, maybe we can come over here and see what this is. That's a data erasure request. We don't have to do this. Come over here to 'Request Data Export'. We don't have to export any data right now. 2FA Configuration. Maybe there's some sort of misconfiguration over here, but we are not interested in that right now as well, and I believe that's it. We couldn't find an administrator panel. So, let me come to the languages as well, but there is nothing there as well. So, if you come over here, we see something like Deluxe Membership. So, maybe this is some kind of VIP membership option, and it says that you are not eligible. Okay. And this is clearly not an administrator panel.

Maybe there's some other way to find the administrator panel or administrator dashboard so that we can change anything. But right now, we managed to log in to the administrator account. We hacked the administrator account. We solved this one, and we gathered the information. Maybe we can just focus on this one, as you can see. It says to log in with the administrator's user credentials, but without previously changing them or applying SQL injection. So, we have to actually find the administrator password to do that, I believe. Okay. We're going to do that in the next lecture, and we're going to see if we can find the administrator dashboard later on from this menu or any other menu. We're going to see all of those things in the next lecture, starting from here.

About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.