A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. It allows an attacker to manipulate (insert, update, delete) data that is not normally permitted, or even to carry out administrative operations on the database (such as shutting down the DBMS).
PortSwigger SQL Injection Lab is used for the demo purpose. The scenario is as follows,
It’s a shopping application that displays products in different categories (released and unreleased). In order to control the visibility of the products that are released or not released, the application uses a restriction field set to 1 or 0.
When the user clicks on the Gifts category, their browser requests the URL:
https://<id>.web-security-academy.net/filter?category=Gifts

This causes the application to make an SQL query to retrieve details of the relevant products from the database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

Once the query is executed, the database checks every row within the products table, extracts each record where the category column has the value Gifts and released has the value 1, and returns the resulting records. The application then processes this record set and presents it to the user within an HTML page.
You can use Burp Suite to intercept the GET request and observe the different results for different test cases.
The restriction released = 1 is being used to hide products that are not released. Therefore, the application displays only 3 products.
Since the application doesn’t implement any defenses against SQL injection, you can construct an attack as follows.
https://<id>.web-security-academy.net/filter?category=Gifts'--

This causes the application to perform the following SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

This effectively removes the remainder of the query, so it no longer includes AND released = 1. This means that all products are displayed, including unreleased products. Therefore, the application displays 4 products, including one unreleased product.
The double hyphen (--) in your input is a meaningful expression in SQL that tells the query interpreter that the remainder of the line is a comment and should be ignored. This trick is extremely useful in some SQL injection attacks, because it enables you to discard the remainder of the query created by the application developer.
The application encapsulates the user-supplied string in single quotation marks. Because the attacker has terminated the string he controls, he needs to handle the trailing quotation mark to avoid a syntax error. He achieves this by adding a double hyphen, causing the remainder of the query to be treated as a comment.
Furthermore, an attacker can cause the application to display all the products regardless of the category and the released restriction as follows:

https://<id>.web-security-academy.net/filter?category=Gifts' OR 1=1--

This causes the application to perform the following SQL query:

SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1

This modifies the WHERE clause of the developer's query to add a second condition. The database checks every row in the products table and extracts each record where the category column has the value Gifts OR where 1 is equal to 1. Because 1 always equals 1, the database returns every record in the products table.

NOTE

A common mistake when probing an application for SQL injection is to forget that certain characters have special meaning within HTTP requests. If you want to include those characters within your attack payloads, you must URL encode them to ensure that they behave in the way you intended.

- & and = are used to join name/value pairs to create the query string and the block of POST data. You should encode them using %26 and %3d, respectively.
- Literal spaces are not allowed in the query string. If they are submitted, they will effectively terminate the entire string. You should encode them using + or %20.
- Because + is used to encode spaces, if you want to include an actual + in your string, you must encode it using %2b.
- The semicolon is used to separate cookie fields and should be encoded using %3b.

These encodings are necessary whether you are editing the parameter's value directly in your browser, with an intercepting proxy, or through any other means. If you fail to encode problem characters correctly, you may invalidate the entire request or submit data you did not intend to.
The original query also restricted access to released products only, using the condition released = 1. By injecting the comment sequence, the attacker has bypassed that restriction and retrieved all products, released or otherwise. The application displays 20 products regardless of the category and the restriction condition.

This exercise shows how application logic can be bypassed, resulting in an access control flaw in which the attacker can view all products, not just the products matching the allowed filter (released products only).
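The following is an added example, not code from the lab or from PortSwigger, that reproduces the behaviour walked through above against an in-memory SQLite table (constructed sample data: 20 products, 4 of them in Gifts with one unreleased). It runs the developer's concatenated query beside a parameterized version of the same query, so the row counts for the three inputs discussed above (a plain category, the comment payload, and the OR 1=1 payload) can be compared, and it URL-encodes a payload the way the NOTE requires.

```python
import sqlite3
from urllib.parse import quote_plus


def make_db():
    """Constructed sample data mirroring the lab's counts: 20 products,
    4 in the Gifts category of which one is unreleased."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    rows = [(f"gift{i}", "Gifts", 1 if i < 3 else 0) for i in range(4)]
    rows += [(f"item{i}", "Toys", 1 if i % 2 else 0) for i in range(16)]
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", rows)
    return con


def filter_vulnerable(con, category):
    # The developer's query from the lab, built by string concatenation:
    # the input lands inside the single quotes and can close them early,
    # after which '--' comments out the trailing "AND released = 1".
    sql = "SELECT * FROM products WHERE category = '" + category + "' AND released = 1"
    return con.execute(sql).fetchall()


def filter_safe(con, category):
    # Parameterized form: the value is sent separately from the SQL text,
    # so quotes and '--' are just characters of a (non-existent) category name.
    sql = "SELECT * FROM products WHERE category = ? AND released = 1"
    return con.execute(sql, (category,)).fetchall()


def row_counts(user_input):
    """Rows returned by the vulnerable and the safe query for one input."""
    con = make_db()
    return len(filter_vulnerable(con, user_input)), len(filter_safe(con, user_input))


def encode_payload(user_input):
    # quote_plus applies the encodings the NOTE above calls for:
    # space -> '+', '=' -> %3D, and the quote itself -> %27.
    return quote_plus(user_input)


if __name__ == "__main__":
    for payload in ["Gifts", "Gifts'--", "Gifts' OR 1=1--"]:
        vuln, safe = row_counts(payload)
        print(f"{payload!r:22} vulnerable={vuln:2} safe={safe:2} url={encode_payload(payload)}")
```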