In a nutshell SQL injection allows unauthorized people to use SQL syntax to query the web server database backend, it is called injection because the SQL syntax is inserted into web application variables.
The purpose for this post is to raise awareness of what is SQL injection and how serious it is if injection problem is not mitigated. This post also serves as a repository for myself to refer to.
This lab uses DVWA – Damned Vulnerable Web Application to demonstrate the injection techniques.
This page has SQL injection vulnerability.
The attacker tests the variable "id" to see if this variable is vulnerable to sql injection attack. If it is vulnerable the attacker will see sql error as shown above. The error also shows the SQL backend is MySQL.
It appears using a' or 1=1; syntax cannot get any useful result because of the single quotes in the php code. To bypass this the attacker uses null byte to nullify the sub-ceding single quotes.
The null byte - %00 inserted by the attacker nullifies everything that sub-cedes the sql syntax. This makes the syntax correct and the backend sql server responds to attacker's query. Here is the original syntax a' or 1=1;%00. The entire URL looks like this 192.168.20.20/vulnerabilities/sqli/?id=a' or 1=1;%00&Submit=Submit#
Because 1=1 is always true the SQL query is successful and the usernames and passwords were enumerated.
To know the number of columns in the database
Use the ORDER BY syntax. ORDER BY syntax is used to sort information in a table, using ORDER BY syntax by the attacker can query the available columns in a table.
From the SQL error the attacker knows that the table contains column that is less than 4. The syntax is ORDER BY 4. Injection syntax: a' order by 4;%00&Submit=Submit#
The column is less than 3.
There are 2 columns in the table. The attacker knows this because there is no SQL error and the page redirects back to the original referral page. Injection syntax: a' order by 2;%00
Know the MySQL version
The MySQL version is 5.1.41. Syntax: a' union all select @@version,null;%00. The UNION ALL SELECT must select the number of available columns of a table, since the attacker knows there are only 2 columns in the table, the first column the attacker inserted @@version the second column the attacker inserted null.
Generate strings without quotes
Convert a string into hexadecimal, this can be done using Burp Suite.
Burp Suite has a decoder tool which the attacker can use to encode and decode characters. For this instance the attacker wants to generate "anything" and insert on two columns. To encode "anything" click on encode as then select ascii hex.
“anything” hexadecimal representation is 616e797468696e67. The attacker uses concat() function to insert the hexadecimal string 0x616e797468696e67 into second column.
"anything" is shown on 2nd column. Injection syntax: a' union all select null,concat(0x616e797468696e67);%00
Load a file from native system
Encode ../../../etc/passwd to hexadecimal.
SQL syntax is valid, however passwd file content was not shown, this means that the attacker has attempted to load the file at the wrong path. So the attacker will escalate the path ../../../../etc/passwd
2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764 is the hexadecimal representation of ../../../../etc/passwd
The path is correct hence the contents of passwd file is spilled. Injection syntax: a' union all select load_file(0x2e2e2f2e2e2f2e2e2f2e2e2f6574632f706173737764),null;%00
To find out the location of database directory
@@datadir is to locate the db directory. The attacker used this injection syntax: a' union all select @@datadir,null;%00
To find out the hostname
@@hostname displays the webserver hostname. Injection syntax: a' union all select @@hostname,null;%00
This lab demonstrates the possibility of sql injection, the target web server is a Linux vm, I tried sys_eval, sys_exec function however these functions do not exist on dvwa. Due to the user rights command execution is very difficult through sql injection against Linux server, I have known Windows SQL provides a native xp_cmd shell function however I have not tried before.
The attacker who did the sql injection does not necessary to be a SQL expert nor knowing how to create database with SQL, the attacker only needs to know enough to fulfill his objective.