ref:Manual SQL injection discovery tips
ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/
Manual SQL injection discovery tips
August 26, 2017
According to bugbountyforum.com's AMA format one of the most popular questions is How do you test for Server Side vulnerabilities such as SQLi?
. Up until recently I was struggling with this question (especially towards SQLi) as well. The SQLi's I did find were often discovered and exploited by sqlmap after I found that the server responded weirdly to a single quote. However in the last 2 months I was forced to dive deeper into manual SQLi discovery since my target has a strong firewall making sqlmap useless (and yes, I looked into --tamper). In these two months I was able to find over 10 SQLi which I learned a ton from. This blog will focus on sharing my process and knowledge as well as showing real world examples. I will divide the blog in two parts: discovery and exploitation, since both are needed for a good report. Finally, this blog assumes MySQL is used since it holds over half of the market share.
Discovery
The first part of finding a valid SQLi is the discovery of the vulnerability. Here the most important thing is to know in which SQL context your input can end up. Here some basic examples:
SELECT user_input FROM tournament ORDER BY region;
INSERT INTO tbl_name (col1,col2) VALUES (15,user_input);
DELETE FROM somelog WHERE texts = 'user_input'
Here we can see our user_input
ending up in range of different contexts: between ()
, between '
or without any delimiters. What these commands all have in common is that they will all turn invalid once a '
is injected as input. The first two don't even have delimiters and will also give an error if a non-existing system variable is used, like: @@versionz
(instead of @@version
).
Once you are able to make the server return an error (mostly HTTP 500 status) you have to confirm it is the SQL command that is causing the error and not something like a date parser. To do this you can use a range of tricks:
- If a
'
is causing the error try to see if\'
will result in success message (since the backslash cancels out the single quote in MySQL). - You can also try if commenting out the
'
results in a success message like:%23'
or--'
. This is because you tell MySQL to explicitly ignore everything after the comment include the extra'
. - If a
'
is not allowed you can use comparisons between valid and invalid system variables like@@versionz
vs@@version
or invalid vs valid functionsSLEP(5)
vsSLEEP(5)
. - Sometimes your input will end up between
()
make sure you testinput)%23
as well to see if you can break out of these and exploit Union SQLi for example (input) order by 5%23
). - If the normal input is just an integer you can try to subtract some amount of it and see if that subtraction works (
id=460-5
). - Try to see if an even amount of quotes results in a success message (for example
460''
or460-''
) and an uneven amount results in an error (for example460'
or460-'''
).
Example
To make this more clear we have the following URL:
https://www.example.com/php/sales_dash_poc_handle.php?action=month-breakdown&type_of_report=billing&city=all&month=8&year=2017&poc=35141008
This basic URL returns a 200 status code. The input poc=35141008'
returns a 500 error and poc=35141008'%23
does as well, but poc=35141008''
returns a 200 status. This hints that the parameter is likely not using any delimiters, thus I tried poc=35141008%23'
which would return a 200 status code. Now we know that we can inject simply between 35141008
and %23
. After this I tried a simple 35141008 OR 2 LIKE 2%23
which worked while 35141008 OR 2 LIKE 1%23
returned a 500 error, proving that boolean SQLi was possible here. It isn't however always this easy and this example doesn't show much impact, this is were the next section comes in, proving data retrieval.
Exploitation
After you have found a SQLi you always have to try to proof at least a difference in output (for boolean and sleep based) or sensitive data in the output (for error and union based). Unfortunately this is not always straightforward especially with firewalls and blacklisting in the way. This section is to help you get around those.
Firewall
The first thing you should try when dealing with a firewall is see if you can find a misconfiguration in the setup. For most of these firewalls and CDN's you can access the unprotected website by visiting the original IP (which the firewall is standing in front of) and then using the original domain name as host value. The first step here is to find the original IP of the website, this is often not too hard using services that keep track of the IP's a website has used (http://viewdns.info/iphistory/). Often the one used before the firewall IP comes in is the one they still use (basically the one after it says cloudflare or akamai). Shodan can also be really usefull when it comes to finding an original IP.
After you have found the original IP address try to access the website with the original Host header. In cURL this works like this (adding a header also works in sqlmap):
$ curl --header 'Host: www.example.com' 'https://54.165.170.2/' -v -k
On my target this was unfortunately forbidden, thus I had to be creative. Here I found that by adding a dot to the host (www.example.com.
) wouldn't be restricted and still allowed me to browse the direct IP. Adding:
54.165.170.2 www.example.com
in your /etc/hosts file will allow you to browse www.example.com in the browser without any firewall in between. From here any restrictions should be gone and SQLi exploitation should be fairly easy.
Bypassing the blacklist
Sometimes you can't bypass the firewall which will require you to bypass the (likely) blacklist that is in place. Here my biggest tip is that Google is your friend. Find niche functions with powerful capabilities that require you to somehow extract data. However here are some of the common tips:
- Using comments in your query as spaces to break a firewall regex or word combination. For example:
2/*dhab bc*/OR/*dahdshka*/2/*sd*/LIKE/*da*/"2"/**/%23
translates to:2 OR 2=2%23
. - Use LIKE instead of =, 2 instead of 1 and " instead of ' as the example shows above. Many people are lazy and so are firewalls, walking the path less traveled will catch many firewalls off guard.
- Like I said above use Google to find niche functions. I found for example that
MID()
works the same asSUBSTRING()
, however the latter was banned the first one wasn't. Same goes for variablesCURRENT_USER()
is banned andCURRENT_USER
wasn't.
Putting it all together
Out of the SQL injections found this was probably my favorite since the exploitation was fairly hard. So I'll describe it in detail and hope that you guys can learn something from it.
I came across this URL:
https://www.example.com/php/analyticsExcel.php?action=res_unique_analytics&resid=2100935&start_date=2016-07-11 00:00:00&end_date=2017-08-11 23:59:59&action=res_unique_analytics&entity_type=restaurant
Here I have legitimate access to 2100935 and requesting 2100934 would result in an unauthenticated error. The weird thing was that adding a single quote after 2100935 would result in a 500 status error and adding two would make the URL work again. Here to make exploitation easier I used my www.example.com.
bypass (described in the Firewall section to get rid of the Akamai WAF). From there I tried to find a place to inject my own SQL commands in the input, however I didn't manage to inject a comment in the string, thus I concluded the query was quite complex. Seeing this I decided to focus on a simpler OR statement which can be injected almost anywhere. Here I noticed that ' OR 1='1
would return a 200 status, ' OR 1='2
would be exactly the same, ' AND 1='1
the same, ' AND 1='2
the same and finally none of the sleep() commands seem to have any effect.
Super weird I can basically confirm the syntax I injected is correct but none of the techniques allowed to extract data. Here I tried ' OR @@version=5
which resulted in a 200 status and ' OR @@versionz=5
resulted in a 500 error. This at least confirmed I was working with MySQL and showed that the injection was really there. This pointed me towards the MySQL IF function. My thought was that if I was able to return an invalid function based on whether the if statement was true or false I could proof data extraction. This didn't go quite as planned since MySQL seems to validate command before executing the IF statement, but the IF statement ended up being part of the solution. Feeding a valid SLEEP command in the IF statement with a positive integer would result in the server timing out, while return a simple integer from the IF statement would return in a fast 200 status code. From here I developed the following POC:
TRUE: if @@version starts with a 5:2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error
False: if @@version starts with a 4:2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK
Summary
If injecting a single quote leads to different output in the response try the different techniques outlined in this blog to see if you are dealing with a SQLi. After you have determined in which SQL context you are working develop a POC that either shows sensitive data (error and union based) or shows a difference in output depending on whether the question asked is true or false (boolean and time based).
ref:Manual SQL injection discovery tips的更多相关文章
- mybatis 一次执行多条SQL MySql+Mybatis+Druid之SqlException:sql injection violation, multi-statement not allow
如果用JDBC jdbc.jdbcUrl=jdbc:mysql://127.0.0.1:3306/database?useUnicode=true&characterEncoding=utf8 ...
- How to prevent SQL injection attacks?
In our earlier tutorial on SQL Injection, one way to have prevented the SQL injection attack was by ...
- SQL injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...
- 防sql注入之参数绑定 SQL Injection Attacks and Defense
http://php.net/manual/zh/pdo.prepared-statements.php 预处理语句与存储过程 很多更成熟的数据库都支持预处理语句的概念.什么是预处理语句?可以把它看作 ...
- 防sql注入之参数绑定 SQL Injection Attacks and Defense 预处理语句与存储过程
http://php.net/manual/zh/pdo.prepared-statements.php 预处理语句与存储过程 很多更成熟的数据库都支持预处理语句的概念.什么是预处理语句?可以把它看作 ...
- druid sql黑名单 报异常 sql injection violation, part alway true condition not allow
最近使用druid,发现阿里这个连接池 真的很好用,可以监控到连接池活跃连接数 开辟到多少个连接数 关闭了多少个,对于我在项目中查看错误 问题,很有帮助, 但是最近发现里面 有条sql语句 被拦截了, ...
- PHP+MYSQL网站SQL Injection攻防
程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程:他们会先尝试着让程序报 ...
- SQL Injection(SQL注入漏洞)
审计前准备: 1.安�php程序(推荐phpStudy) 2.高亮编辑器(推荐 Sublimetext Notepad++) 3.新建一个文本,复制以下变量,这些变量是审计中需要在源码中寻找的 ### ...
- HP+MYSQL网站SQL Injection攻防
WebjxCom提示:程序员们写代码的时候讲究TDD(测试驱动开发):在实现一个功能前,会先写一个测试用例,然后再编写代码使之运行通过.其实当黑客SQL Injection时,同样是一个TDD的过程: ...
随机推荐
- 下载外部jar包后,链接源码和javadoc.jar
今天下载了一个Apache Common的一个jar包,对于引入源码和JavaDoc有了新的认识,在这里记录一下. Binaries是指二进制文件,包含使用的jar包.Source是指源码. xxx. ...
- NOIP2013 提高组 Day1
https://www.luogu.org/problem/lists?name=&orderitem=pid&tag=83%7C30 期望得分:100+100+100=300 实际得 ...
- 解决Ubuntu终端里面显示路径名称太长
方法/步骤 找到配置文件先进行备份: cp ~/.bashrc ~/.bashrc-bak 找到配置文件修改: vi ~/.bashrc 备份是为了防止配置修改出错,可以还原: 下面是我的/h ...
- bzoj 2741 可持久化trie
首先我们设si为前i个数的xor和,那么对于询问区间[i,j]的xor和,就相当于si-1^sj,那么对于这道题的询问我们可以处理处si,然后对于询问[l,r],可以表示为在区间[l-1,r]里找两个 ...
- Unity 添加鼠标右键事件
把此类放到 Editor下使用就OK using UnityEngine; using System.Collections; using System.Collections.Generic; us ...
- python基本数据类型list,tuple,set,dict用法以及遍历方法
1.list类型 类似于java的list类型,数据集合,可以追加元素与删除元素. 遍历list可以用下标进行遍历,也可以用迭代器遍历list集合 建立list的时候用[]括号 import sys ...
- 33 - 并发编程-线程同步-Event-lock
目录 1 线程同步 1.1 Event 1.1.1 什么是Flag? 1.1.2 Event原理 1.1.3 吃包子 1.2 Lock 1.2.1 lock方法 1.2.2 计数器 1.2.3 非阻塞 ...
- route add提示: "SIOCADDRT: No such process
解决方法如下: 原因: There are multiple known causes for this error: - You attempted to set a route specific ...
- 【并行计算】用MPI进行分布式内存编程(二)
通过上一篇中,知道了基本的MPI编写并行程序,最后的例子中,让使用0号进程做全局的求和的所有工作,而其他的进程却都不工作,这种方式也许是某种特定情况下的方案,但明显不是最好的方案.举个例子,如果我们让 ...
- NEERC2012
NEERC2012 A - Addictive Bubbles 题目描述:有一个\(n \times m\)的棋盘,还有不同颜色的棋子若干个,每次可以消去一个同种颜色的联通块,得到的分数为联通块中的棋 ...