- SQL injection on an endpoint that returns data (UNION attack)
- Identify the product search as vulnerable to SQL injection (enter a single quote as the search term and get an SQL error as the response)
- Forge an SQL query that has matching columns with a UNION on anything of interest (like the table schemata or specific tables)
- In this case 5 columns (pad with 1's if less information is requested, like only table names, or username and password)
- Easier solution: use sqlmap on the requested page http://glocken.hacking-lab.com/12001/inputval_case3/inputval3/controller?words=searchterm&send=suchen&action=search
- This simplifies the generation of the SQL queries, as the tool does the heavy lifting of merging and separating the retrieved data into useful tables
- See 2310a_out for exemplary output of sqlmap -u "http://glocken.hacking-lab.com/12001/inputval_case3/inputval3/controller?words=foo&send=suchen&action=search" --cookie=ACookie=12345 --dump -D glocken_emil -T customers
- Escape (sanitize) the user input
- Use prepared statements
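Added example (not part of the original notes, and not the lab's actual application code): a product search written twice against a constructed in-memory SQLite database, once by string concatenation and once as a prepared (parameterized) statement. The table names, rows and the `probe` helper are assumptions made for the demo. It shows the two signals from the notes above from the defender's side: the single-quote probe produces an SQL error only in the concatenated version, and a UNION-style search term is treated as a plain literal by the parameterized version instead of being parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a product table for the search and a sensitive table
    an attacker would try to reach with a UNION (names are assumptions for this demo)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Glocke klein', 9.5), (2, 'Glocke gross', 19.0);
        INSERT INTO customers VALUES (1, 'alice', 'hunter2');
        """
    )
    return conn


def search_vulnerable(conn, words):
    """Search by string concatenation: the user input becomes part of the SQL syntax,
    so a quote breaks the statement and a UNION appends a second SELECT."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + words + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, words):
    """Same search as a prepared statement: the input is bound as a value, so the
    database never interprets quotes, UNION or comment markers inside it as SQL."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + words + "%",)).fetchall()


def probe(search, conn, words):
    """Run one search variant and report ('ok', rows) or ('error', message).
    An 'error' result for a lone quote is the tell-tale sign from the notes above."""
    try:
        return ("ok", search(conn, words))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Constructed test inputs: a normal term, the single-quote probe, and a UNION term
    for term in ("Glocke", "'", "' UNION SELECT id, username, password FROM customers --"):
        print(repr(term))
        print("  concatenated:", probe(search_vulnerable, db, term))
        print("  prepared:    ", probe(search_safe, db, term))
```

Note that the parameterized version still lets `%` and `_` act as LIKE wildcards, because they are part of the pattern value rather than SQL syntax; that affects which products match, not which statement runs, and is a separate input-validation question from injection.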