SQL Injection [CWE-89] — The Hacktivists


SQL Injection is a weakness that is caused by improper neutralization of special elements used in an SQL query.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Exploitation Examples
6. Severity and CVSS Scoring

The basic form of SQL injection is the direct insertion of attacker-controlled data into variables that are used to construct SQL commands. As a result, an attacker can tamper with the original query by prematurely terminating a string literal, appending new commands, etc.
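As an added illustration (not code from the original page or the advisory it cites), the following Python snippet runs the string-concatenation form described above beside the parameterized form that neutralizes the special characters; the in-memory SQLite table, its rows and both inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database: two users, nothing from a real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # CWE-89: the untrusted value is pasted into the SQL text, so a single
    # quote inside it terminates the string literal and whatever follows is
    # parsed as part of the query rather than as data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened form: the value is bound as a parameter by the driver and is
    # never interpreted as SQL, whatever characters it contains.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "bob"
    # Constructed input that closes the literal and appends a tautology, the
    # "terminate the string, append a condition" pattern the text describes.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),    # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_hostile": lookup_parameterized(conn, hostile),  # no row
    }
```

Running `demo()` shows the concatenated query returning every user for the hostile input, while the parameterized query simply looks for a user literally named `x' OR '1'='1` and finds none.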

An attacker can view, add, delete or modify information stored in the database with the privileges of the current database user. In the case of a web application, this weakness often leads to website defacement or database exfiltration.

Insecure configuration of the database may allow an attacker to write files to arbitrary locations on the system (e.g. the SELECT … INTO OUTFILE construction in MySQL), which might lead to full system compromise.

Modern SQL injections are also used to spread malware: they can turn legitimate websites into drive-by-download sites that serve malware to unsuspecting visitors.

An attacker exploits this weakness in software that constructs SQL commands from user input. The CAPEC classification lists the following related attack patterns:

CAPEC-7: Blind SQL Injection
CAPEC-66: SQL Injection
CAPEC-108: Command Line Execution through SQL Injection
CAPEC-109: Object Relational Mapping Injection
CAPEC-110: SQL Injection through SOAP Parameter Tampering
CAPEC-470: Expanding Control over the Operating System from the Database

The WASC Threat Classification describes SQL injection as an attack technique under WASC-19.

Any software that uses a backend database to store or read information is potentially vulnerable to this weakness. It is common in web applications, since all modern content management systems use a database to store dynamic content.

SQL injection is also possible inside stored procedures or functions within database engines.

We will use the HTB23101 security advisory (CVE-2012-4034) as an example, specifically vulnerability 1.7.

This vulnerability allows the execution of arbitrary SQL commands by modifying HTTP POST parameters. Successful exploitation requires that the HTTP Referer header belongs to the vulnerable website.

To demonstrate exploitation of the vulnerability, we will use Burp Suite. To do so, we need to configure our browser to use it as a proxy:

Then we intercept every request to the vulnerable website and modify it according to the instructions in the advisory:

After the PoC has been executed against the website, we check for the existence of the /file.php file:

Successful exploitation of the vulnerability allowed us to create a file on the file system with arbitrary contents. Instead of the phpinfo() function, we could store a web shell and gain control over the system.

SQL injection affects the confidentiality, integrity and availability of the application. It should be scored as C:H/I:H/A:H.

The common CVSS score for SQL injection vulnerabilities in publicly accessible scripts is:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] — Critical severity.

Credits: https://www.immuniweb.com/
