{"id":392,"date":"2022-08-29T19:27:49","date_gmt":"2022-08-29T19:27:49","guid":{"rendered":"https:\/\/codecrypt76.com\/?p=392"},"modified":"2022-11-25T16:52:45","modified_gmt":"2022-11-25T16:52:45","slug":"sql-injection-attack-hacker-challenge","status":"publish","type":"post","link":"https:\/\/codecrypt76.com\/index.php\/2022\/08\/29\/sql-injection-attack-hacker-challenge\/","title":{"rendered":"SQL Injection Attack &#8211; Hacker Challenge"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"576\" src=\"https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover-1024x576.png\" alt=\"SQL Injection\" class=\"wp-image-412\" srcset=\"https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover-1024x576.png 1024w, https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover-300x169.png 300w, https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover-768x432.png 768w, https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover-1536x864.png 1536w, https:\/\/codecrypt76.com\/wp-content\/uploads\/2022\/08\/Cover.png 1920w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<h2>Overview<\/h2>\n\n\n\n<p>A <a href=\"https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection\" target=\"_blank\" rel=\"noopener\" title=\"SQL injection\">SQL injection<\/a> (<code>SQLi<\/code>) is a type of cybersecurity attack that targets data-driven applications by inserting or &#8220;<em>injecting<\/em>&#8221; malicious <code>SQL<\/code> statements in the input field of a web page. <strong>Structured Query Language<\/strong> (SQL) is <em>a standardized programming language<\/em> that is used to communicate with databases.  
A successful <code>SQLi<\/code> can allow an attacker to <code>read<\/code> sensitive data from the database, <code>modify<\/code> database data (Insert\/Update\/Delete), <code>execute<\/code> administration operations on the database, or even gain root access to the system itself.  <strong>The SQLi Hacker Challenge<\/strong> is a chance for you to conduct a SQLi attack on a mock database that was designed for this challenge.  If successful, you&#8217;ll have an opportunity to answer some fun <a href=\"#bonus\">Bonus Questions<\/a>. <\/p>\n\n\n\n<p>Before we begin, let&#8217;s go over an example of a <code>SQLi<\/code> attack.<\/p>\n\n\n\n<h2>SQL Injection example <\/h2>\n\n\n\n<p>Look at the following example, which creates a <code>SELECT<\/code> statement by adding a variable (<code>user_id<\/code>) to the end of it. The variable is fetched from the <code>input()<\/code> function.  <\/p>\n\n\n\n<div class=\"hcb_wrap\"><pre class=\"prism line-numbers lang-python\" data-file=\"example.py\" data-lang=\"Python\"><code>user_id = input(&quot;User ID: &quot;)\nSQL_statement = f&quot;SELECT * FROM Users WHERE user_id = {user_id};&quot;<\/code><\/pre><\/div>\n\n\n\n<p>The purpose of the code is to create a <code>SQL<\/code> statement to select a user with a given <code>user_id<\/code>. If there are no security measures in place, then a user can enter erroneous data into the input field, such as:<\/p>\n\n\n\n<div class=\"hcb_wrap\"><pre class=\"prism line-numbers lang-bash\" data-lang=\"Bash\"><code>User ID: 76 OR 1=1<\/code><\/pre><\/div>\n\n\n\n<p>This would create the following SQL statement:<\/p>\n\n\n\n<div class=\"hcb_wrap\"><pre class=\"prism line-numbers lang-sql\" data-lang=\"SQL\"><code>SELECT * FROM Users WHERE user_id = 76 OR 1=1;<\/code><\/pre><\/div>\n\n\n\n<p>The above SQL statement is valid and will return <code>ALL<\/code> rows from the &#8220;Users&#8221; table, since <strong>OR 1=1<\/strong> is always TRUE.  
If the &#8220;Users&#8221; table contains <code>usernames<\/code> and <code>passwords<\/code>, then a hacker would get access to all the usernames and passwords in a database by simply inserting <strong>OR 1=1<\/strong> into the input field.<\/p>\n\n\n\n<p>Now that you have a basic understanding of how a <code>SQLi<\/code> works, let&#8217;s try the <strong>SQLi Hacker Challenge.<\/strong><\/p>\n\n\n\n<h2>SQL Injection Lab<\/h2>\n\n\n\n<h3>Task<\/h3>\n\n\n\n<p>Your task is to execute a successful <code>SQLi<\/code> attack on a mock database that was designed for this challenge, and to view all contents in.  <\/p>\n\n\n\n<h3>Database design<\/h3>\n\n\n\n<p>The database consists of one <code>table<\/code>, and the following three <code>columns<\/code>:<\/p>\n\n\n\n<ul><li><code>id<\/code><\/li><li><code>username<\/code><\/li><li><code>password<\/code><\/li><\/ul>\n\n\n\n<h3>Instructions<\/h3>\n\n\n\n<p>Run the following Python script on your local machine, and you will be prompted to &#8220;<em>Enter your SQL Injection<\/em>.&#8221; Keep trying until you successfully achieve a SQLi attack!  
<\/p>\n\n\n\n<div class=\"hcb_wrap\"><pre class=\"prism line-numbers lang-python\" data-file=\"sql_injection.py\" data-lang=\"Python\"><code>#!\/usr\/bin\/env python3\nimport sqlite3\nimport requests\n\n# SQL statements:\nCREATE_USERS_TABLE = &quot;CREATE TABLE IF NOT EXISTS usernames (id INTEGER PRIMARY KEY, username TEXT, password TEXT);&quot;\nINSERT_USER_DATA = &quot;INSERT INTO usernames (username, password) VALUES (?, ?)&quot;\n\n\ndef get_userdata() -&gt; list:\n    &quot;&quot;&quot;Returns username, and password in tuple from online username.dat file.&quot;&quot;&quot;\n    # url to username and password file\n    URL = &quot;https:\/\/pastebin.com\/raw\/ih7szSSv&quot;\n    raw = [i.strip() for i in requests.get(URL).text.split(&#39;\\n&#39;)]\n    output = []\n    for i in raw:\n        users = i.split(&#39;, &#39;)[0].split(&#39;,&#39;)[0]\n        passwords = i.split(&#39;, &#39;)[0].split(&#39;,&#39;)[1]\n        output.append((users, passwords))\n    return output\n\n\n# Create database in memory\nconn = sqlite3.connect(&quot;:memory:&quot;)\n# Get usernames and passwords\nuser_data = get_userdata()\n\n# Create table\nconn.execute(CREATE_USERS_TABLE)\n# Insert username, passwords into database\nconn.executemany(INSERT_USER_DATA, user_data)\n\n\nwhile True:\n    INJECTION = input(&quot;Enter your SQL Injection:\\n&gt;  &quot;)\n    sql = f&quot;SELECT * FROM usernames WHERE id = 776 {INJECTION}&quot;\n    try:\n        results = conn.execute(sql).fetchall()\n        if results:\n            print(f&quot;\\n\\033[92m&quot; + &quot;Good job, you did it!&quot; + &quot;\\033[0m&quot;)\n            with conn:\n                for row in results:\n                    print(row)\n            conn.close()\n            break\n    except sqlite3.OperationalError as e:\n        print(&quot;\\n\\033[91m&quot; + &quot;Nope, try again!&quot; + &quot;\\033[0m&quot;)\n        pass\n<\/code><\/pre><\/div>\n\n\n\n<h2>Bonus Questions<\/h2>\n\n\n\n<p>After dumping the 
database, try solving the following Bonus Questions.<\/p>\n\n\n\n<ol><li>Decrypt the administrator&#8217;s password. Hint: MD(101)<\/li><li>What 1995 <code>\"crime\/action\/romance\"<\/code> movie did these <code>users<\/code> play in? Hint: Solve the first bonus question.<\/li><\/ol>\n\n\n\n<h2>Conclusion<\/h2>\n\n\n\n<p>The main purpose of this tutorial was to teach basic techniques on how to conduct a <code>SQLi<\/code> attack. Hopefully you were able to successfully execute a <code>SQLi<\/code> attack, and solve all of the <em>Bonus Questions<\/em>. If you want a better <code>SQLi<\/code> graphical user interface, then check out the <a href=\"https:\/\/www.hacksplaining.com\/exercises\/sql-injection\">SQL Injection Lab hosted on Hacksplaining<\/a>. Please leave your questions, concerns or comments below. Thanks for reading this post ~ Good luck and have fun!<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>Code available at <a href=\"https:\/\/github.com\/seraph776\/sql-injection-attack-challenege\">GitHub<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn about SQL Injection attacks, and conduct a SQL attack challenge on a mock 
database.<\/p>\n","protected":false},"author":1,"featured_media":412,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,54,57,4],"tags":[38,62,11,46,12],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/posts\/392"}],"collection":[{"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":22,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"predecessor-version":[{"id":423,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/posts\/392\/revisions\/423"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/media\/412"}],"wp:attachment":[{"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codecrypt76.com\/index.php\/wp-json\/wp\/v2\/tags?post=392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}