2020-04-19

Exploiting SQL Injection in insert query - Second order SQL injection

Today we are going to discuss a SQL injection exploitation scenario in which there is only one user-controlled input parameter, and its value is passed to an INSERT SQL query.
In this case, the column in which the user-supplied data is saved is the last one, and the user cannot specify extra columns.

Description:

The SQL query which is vulnerable to SQL injection has the following attributes:

Table name: exploit_list
Column names: ID, date and vulnerability

SQL insert query as implemented in the code:

Here, the attacker controls the value for the column "vulnerability".

In the above scenario, we have 2 restrictions:
  1. The application code has SQL injection in the INSERT query but does not show any SQL server error. Because of this, the attacker cannot exploit the SQL injection using the "error based SQL injection" technique.
  2. The user-controlled data is passed to the column which is specified at the end of the SQL query, and the attacker cannot override the columns.

Attack outline:

To exploit the SQL injection, the following trick can help:
  1. Close the string delimiter (single quote).
  2. Use the concatenation operator (+ in this case because I am performing on MySQL server).
  3. Use the substring function to grab the data character by character.
  4. Convert the grabbed character to its ASCII form.
  5. Use the concatenation operator (+ in this case because I am performing on MySQL server).
  6. Close the string delimiter (single quote).
  7. Access the web page where the application shows the user-supplied inserted data.

Application working:

The web application has an interface which allows the user to insert data into the database.
Also, the user can view the inserted data via the "Vulnerability List" functionality.

Here are the source code and database dump file: https://github.com/incredibleindishell/insert_SQLI

1. Extracting the SQL server version

To extract the SQL server version, the payload mentioned below will help:



Visit the module which shows the list of added entries. In the column to which the user-supplied data is passed, the injected SQL injection payload has been executed.


2. Extracting the length of the current SQL server username:

To extract the length of the current SQL server user name configured in the web application, the payload mentioned below will help:

 

Now the web application has executed the SQL injection payload and the attacker can see the output. In this case, the length of the current SQL server user name is 14 (root@localhost).


3. Extracting the SQL server username:

To extract the first character of the SQL server user name, the payload mentioned below will help:


The web application executed the payload and shows the ASCII representation (114) of the letter 'r'.


To extract the second character, we just need to increment the value of the second parameter. The payload will be:



The web application executed the SQL injection payload and shows that the second character of the SQL server user name is "111", which is the ASCII representation of the letter "o".


4. Extracting the name of the table in current database:

Before proceeding to extract the table name via the web application interface, let's confirm it by executing the SQL query in the SQL server console.
In the current database, we have 3 tables and the first table is "exploit_list". During table name extraction, this is the table which will be extracted by our SQL injection payload.


4.1 Payload to extract the first character of the first table name in current database:

The payload to extract the first character of the table name will look like this:



Now the web application page shows the first character of the table name in ASCII representation. Here, the web application shows "101", which is the ASCII representation of the letter "e".


Increment the second parameter value of the "substring" function to extract the second character of the table name:



The web application shows that the second character of the table name is "120", which is the ASCII representation of the letter "x".


To extract the remaining characters of the table name, the user just needs to keep incrementing the value of the second parameter of substring().

5. Extracting the column name for specific table in current database:

In the current database, we have the table "exploit_list", in which the first column is "ID". During column name extraction from the table "exploit_list", this is the column which will be extracted by our SQL injection payload.

5.1 Payload to extract the first character of the first column in table "exploit_list":

The payload to extract the first character of the column name from the table "exploit_list" will look like this:

 

The SQL injection payload executed successfully and the web application shows the output "73" (the ASCII representation of the letter "I").


To extract the remaining characters of the column name, the user just needs to keep incrementing the value of the second parameter of substring().

Conclusion:

SQL injection exploitation can be tricky when the injection point is an INSERT query that shows no errors, but reading the stored value back through the application may still provide a way to perform it.

Remediation:

To prevent SQL injection attacks, refer to the OWASP guide:
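The root cause in the scenario above is that the user-supplied "vulnerability" value is pasted into the INSERT statement as text, so the database evaluates whatever expression the quotes were closed around, and the result only becomes visible later on the "Vulnerability List" page. The following example is added here and is not code from the original post or from the insert_SQLI repository: it recreates the exploit_list table in an in-memory SQLite database (an assumption made so the example runs offline; the post uses MySQL), inserts the same constructed input once through a string-concatenated query and once through a parameterized query, and reads both rows back the way the list page would. The input used is a harmless expression, `'+length('second-order')+'`, chosen only to show whether the database evaluated it; in both SQLite and MySQL the `+` operator coerces strings to numbers, which is why the stored value collapses to a number when the query is built by concatenation.

```python
import sqlite3

# Constructed schema mirroring the post's table: ID, date, vulnerability.
SCHEMA = (
    "CREATE TABLE exploit_list ("
    "ID INTEGER PRIMARY KEY AUTOINCREMENT, "
    "date TEXT, "
    "vulnerability TEXT)"
)

# Constructed sample input: a harmless expression that only reveals whether
# the database evaluated it (length('second-order') is 12).
SAMPLE_INPUT = "'+length('second-order')+'"


def make_db() -> sqlite3.Connection:
    """Create a fresh in-memory database with the exploit_list table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_vulnerable(conn: sqlite3.Connection, vulnerability: str) -> None:
    """The defective pattern: the user value is spliced into the SQL text.

    A single quote in the input closes the string literal and everything
    after it is parsed as SQL, exactly as in the post's scenario.
    """
    sql = (
        "INSERT INTO exploit_list (date, vulnerability) "
        "VALUES ('2020-04-19', '" + vulnerability + "')"
    )
    conn.execute(sql)


def insert_safe(conn: sqlite3.Connection, vulnerability: str) -> None:
    """The hardened pattern: the value is bound as a parameter.

    The driver sends the value separately from the statement, so quotes
    and operators inside it are stored as ordinary characters.
    """
    conn.execute(
        "INSERT INTO exploit_list (date, vulnerability) VALUES (?, ?)",
        ("2020-04-19", vulnerability),
    )


def list_vulnerabilities(conn: sqlite3.Connection) -> list:
    """Read the stored values back, as the 'Vulnerability List' page would."""
    rows = conn.execute("SELECT vulnerability FROM exploit_list ORDER BY ID")
    return [row[0] for row in rows]


def compare(user_input: str) -> tuple:
    """Store user_input via both code paths; return (vulnerable, safe) values."""
    vuln_conn = make_db()
    insert_vulnerable(vuln_conn, user_input)

    safe_conn = make_db()
    insert_safe(safe_conn, user_input)

    return list_vulnerabilities(vuln_conn)[0], list_vulnerabilities(safe_conn)[0]


if __name__ == "__main__":
    stored_vulnerable, stored_safe = compare(SAMPLE_INPUT)
    print("input              :", SAMPLE_INPUT)
    print("concatenated query :", stored_vulnerable)   # expression was evaluated
    print("parameterized query:", stored_safe)         # input stored verbatim
```

With the concatenated query the list page shows `12`, proving the database evaluated the expression embedded in the input; with the parameterized query it shows the input unchanged. A plain input such as `Stored XSS in comments` is stored identically by both paths, which is why this class of bug is invisible until someone reads back a value that contains a quote.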

Thanks for reading :)

Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy,Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0nAnurag Srivastava, vivek chauhan


--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)




© 2009 Start With Linux | Mannu Linux