11

I am using Security Shepherd as a training tool and I am now in the challenge, SQL Injection Escaping Challenge.

The Challenge:

OWASP Security Shepherd - SQL Injection Escaping Challenge

When I make a query just like the one above (just with different table names) in a local database in MySQL it works just fine (I am making the assumption that Shepherd uses MySQL in this challenge since it is the only type of DBMS I have faced until now).

Any idea why the above query might not work as a SQL injection?

The query being used by the backend as mentioned in the hint of the challenge is:

SELECT * FROM customers WHERE customerId="1" OR "1"="1";

The application is escaping any ' by making it \' as a protection against SQL injection. It does not change the ".

bruntime
  • 103
  • 4
J.Doo
  • 111
  • 1
  • 1
  • 4
  • Hi, J.Doo Are you using Security Shepherd in OWASP BWA? If so, what is default username and password for this and all other vulnerable web apps? I mean I downloaded it but don't know what is default username and password. – daya Jan 17 '19 at 15:14

4 Answers

1

Short answer: Abuse how their escape works. Try \' OR 1=1; --.

Long answer:

Their escaping function works by replacing every ' with \'. All of them, including ones already preceded by backslashes. That means that if they see \', that'll end up becoming \\' -- an escaped backslash, followed by an unescaped single quote.

After that, it's standard SQL injection. OR 1=1 gets every row in the database, ; terminates the statement, and -- comments the rest out, so that their close quote, end of statement, other conditions, etc. get ignored.

Nic
  • 1,806
  • 14
  • 22
0

I just found that if someone changes the module layout to Tournament Mode in the admin profile, then a new tab, "cheat", comes up. So the answer to the above is: \'or"1"="1"; --.

J.Doo
  • 111
  • 1
  • 1
  • 4
  • Although shouldn't the SQL query in the first place be `SELECT * FROM customers WHERE customerId='1' OR "1"="1";` instead of the one mentioned in the original question? – J.Doo Oct 29 '16 at 19:17
0

These answers are incorrect. The correct answer to this problem is:

" or ""="

Reason: A smart hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box. The result SQL is valid. It will return all rows from the table customers, since WHERE ""="" is always true.

Troy Zuroske
  • 101
  • 2
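The two weaknesses named in Nic's and Troy's answers (the escape function is not idempotent, so an input that already carries a backslash ends up with a live quote; and double quotes are never escaped at all) can be checked as plain string behaviour, and the fix is to stop building the query from strings. The following is an added example written for this page; it is not code from Security Shepherd or from any of the answers. It models the backend's escaping as described in the question, and uses Python's bundled sqlite3 with a constructed in-memory table for the parameterised version (SQLite rather than MySQL is an assumption for portability; SQLite does not treat backslash as an escape, so the unsafe query is only built, never executed).

```python
import sqlite3

# Constructed sample rows for the in-memory demo table (not the challenge's data).
SAMPLE_CUSTOMERS = [("1", "alice"), ("2", "bob"), ("3", "carol")]


def naive_escape(value: str) -> str:
    """Model of the escaping described in the question: every single quote
    becomes backslash-quote and nothing else is touched. This is the flawed
    function, kept only to make its two weaknesses visible."""
    return value.replace("'", "\\'")


def is_idempotent(escape, samples) -> bool:
    """An escaping function that is safe to apply blindly must give the same
    result when applied twice. Check that property over a few inputs."""
    return all(escape(escape(s)) == escape(s) for s in samples)


def build_query_unsafe(customer_id: str) -> str:
    """String concatenation around the naive escape, mirroring the hint's query.
    Built only so the weakness can be inspected; never execute queries made this way."""
    return 'SELECT * FROM customers WHERE customerId="%s"' % naive_escape(customer_id)


def setup_db() -> sqlite3.Connection:
    """Create a throwaway in-memory customers table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (customerId TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_safe(conn: sqlite3.Connection, customer_id: str) -> list:
    """The fix: bind the value as a parameter, so the driver never lets it
    become part of the SQL text, whatever quote characters it contains."""
    rows = conn.execute(
        "SELECT name FROM customers WHERE customerId = ?", (customer_id,)
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    # Weakness 1 (Nic's answer): an input that already carries a backslash
    # comes out as an escaped backslash followed by an unescaped quote.
    print(naive_escape("\\'"))
    print(is_idempotent(naive_escape, ["x", "'", "\\'"]))
    # Weakness 2 (Troy's answer): double quotes pass through untouched,
    # so the query delimiter can be closed from inside the value.
    print(build_query_unsafe('" or ""="'))
    # Parameter binding returns only the matching row and nothing for the payload.
    conn = setup_db()
    print(lookup_safe(conn, "1"))
    print(lookup_safe(conn, '" or ""="'))
```

The idempotence check is the quickest way to spot an escape routine of this kind during a code review: a correct escape-then-store pipeline should not change its output when run twice over the same value, and one that replaces `'` unconditionally fails immediately on an input that already contains `\'`.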
0

The above answers are correct as they all successfully perform an injection, as a smart hacker is looking for an injection that works. Once a hacker finds an injection that works, they won't keep poking around with other possible queries but rather extend on the one that works. You can also do calculation logic to get the same result, such as: " OR "1+1

LampShade
  • 31
  • 3