The goals of this lab are to:
- Build intuition surrounding SQL injection in web applications
- Develop a PoC exploit for a blind SQL injection vulnerability
In order to gain deeper insight into how even one-bit database leakages can be exploited, you will develop a blind injection exploit for a vulnerable web application. Upon navigating to the application, you will be presented with a simple login page for an online bank. You will need to exploit the injection-based information leak contained in the following server-side code:
@app.route("/authenticate", methods=["POST"]) def authenticate(): username = request.form["username"] password = request.form["password"] db = get_database() cur = db.cursor() cur.execute(auth_query(username)) rv = cur.fetchone() cur.close() try: if rv: try: authenticated = argon2.verify(password, rv) except: authenticated = False if not authenticated: return render_template("login.html", error="Invalid credential.") session["username"] = rv flash("You're logged in!") return redirect(url_for("index")) raise Exception("uh oh") except: return render_template("login.html", error="Invalid credentials.")
Once you have identified the leakage, you will need to build SQL queries to extract information from the database. As the database used here is sqlite, you will need to begin by extracting values from sqlite’s system tables. For instance, to collect table names you might issue queries along the lines of:
SELECT * FROM SQLITE_MASTER WHERE type='table'
However, keep in mind that you will not be able to execute this query as-is! Rather, you must formulate this query in terms of bit or byte-level queries against individual values in the table in a way that is compatible with the information leakage you have discovered. You will also find it necessary to inject WHERE clause constraints in order to select individual rows of the table.
Once you have extracted the application tables and each table’s columns, you can continue the attack by extracting values from each table row and column.
- Identify the SQL injection vulnerability
- Develop a SQL injection exploit to leak the contents of the database
- Discover a secret value contained in the database
Submit a gzipped tar archive containing the source code of your exploit as well as a README containing the secret value.