SQLi - Some Tips
Hello everyone. In this article, I would like to tell you about my work on SQLi (Structured Query Language Injection) and share some basic information with you. At the end of the article I share some tips that I think are more important than the solution itself.
First of all, I would like to explain why I prefer not to use tools such as sqlmap, show some vulnerabilities that I exploited manually but that sqlmap could not detect, and explain why that happened.
As can be seen, sqlmap could not find any injection in "filter[user_id]" and warned us that the parameter does not seem to be injectable. Let's review what happened. This URL parameter consists of two parts, a key and a value. sqlmap searched for SQL injection in the value part, automatically tried some basic techniques with its requests, and reported that the parameter does not seem to be injectable. However, as this example shows, the absence of an injection in the value part does not mean the system is not injectable: the injection can also be in the key part. Yes, I agree that sqlmap is a tool that gives good results in general and is very convenient, but I want to understand the fundamentals of the system and the technique.
As in every article, I want to start with what SQL is at a basic level. SQL stands for Structured Query Language. It is used to read, delete and change data in a database, or to add new data. Like programming languages, it has a specific syntax. Considering how widely databases are used today and how valuable the data in them is, the importance of SQL is clear.
Sample SQL query:
SELECT * FrOm users Where user_id = 1 or user_name like '%a%' Order BY login_date;
As the example shows, SQL queries are made up of parts and are not case sensitive. The first part selects which data is to be retrieved. The second part holds the conditions that determine which rows are fetched.
SQL injection is adding a second SQL query of our own into this written query. I often compare HTML injection and SQL injection. Although they have different uses and techniques, both injection methods rest on the same foundation: using the syntax of the language the input is interpreted in to make it serve a different purpose.
From this point on, I will continue practically, on a virtual machine with a SQL injection vulnerability.
The URL immediately catches our attention: /cat.php?id=1, where a parameter is sent to the server. We immediately start making some changes to the URL.
When we add a single quote ('), we immediately get an error message: "Error in your SQL syntax". The error also reveals that the server is MySQL. By adding a single quote to the query, we have turned it into an invalid SQL query.
We found the number of columns by using ORDER BY. Now we can start collecting information with UNION SELECT. UNION is a SQL operator that lets us pull data from a second table within a single query.
When we send union select 1,2,3,4, we can see that the second value appears in the output. So we place the information we want in the second position, one item at a time. First of all, we do not know the name of the database.
We learned that the website is connected to a database called photoblog. Here we used the database() function, which returns the name of the database we are connected to. In fact, many pentesters skip this step, but I prefer not to; I'll explain why later in the article. Now that we know the database, the next step is to find its tables.
We retrieved the table_name column from information_schema. information_schema is the system schema that stores metadata about the other databases and their tables, which is how we can list the table names. Among the tables, "users" immediately catches our attention. Let's learn the column names of the users table.
We again asked information_schema for column_name, but this time with a filter: where table_name = 'users'. This way we see only the columns of the users table and avoid cluttering the output.
Here we retrieved the login column from the users table and saw that there is a user named admin. What about the password? Let's take a look.
Here we obtained the password, stored as an MD5 hash. With the login and password in hand, the rest follows the machine's scenario, and I don't want to dwell on the machine solution.
From here on, I want to share some tips and finer points of SQL.
Actually, there is a difference between the last two steps, and I want to draw your attention to it. Our connection is to the photoblog database and we run our queries against it. However, this database might not contain user information; it could live in another database. In that case, the queries we wrote so far would be meaningless, as they would not reach the other database. But the query with which we retrieved the login information is not bound to this database: it is a global query. Writing database.table lets us write global queries and extract and process data from other databases, as long as the connection's account is authorized to do so. I have personally encountered web systems like this.
At first we used a single quote. In fact, most software developers filter the basic characters, including single and double quotes. There are several methods to bypass this. The simplest, and for some basic reasons the most effective, is to use the special characters in the special-character table. For example, there are four different characters for a single quote, and they all function the same in SQL.
Another filter bypass method uses the ASCII table. Do not do this through the browser, because browsers apply some corrections to speed up access and send the request in the corrected form. One of these corrections is converting ASCII codes. That's why you should use curl or Burp Suite.
Platforms like Tomcat convert ASCII codes into characters and then process them. Therefore, the ASCII code we wrote can be caught by the filter as a character. To bypass this, we can use the nested technique also used for XSS: when the first ASCII code is converted, another ASCII code appears in its place and the filter is bypassed.
I hope this has been a useful post for anyone interested.
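To make the difference between the injectable query in the walkthrough and a properly fixed one concrete, here is an added example of my own (not code from the post or the target machine). It uses Python's sqlite3 as a stand-in for MySQL with constructed sample data, and places a string-concatenated lookup with the quote filter described above next to the same lookup using parameter binding.

```python
import sqlite3
# Constructed stand-in for the write-up's photoblog database: a categories
# table behind cat.php?id=... and a users table holding login/password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER, name TEXT, description TEXT);
        INSERT INTO categories VALUES (1, 'Landscapes', 'Outdoor photos');
        INSERT INTO categories VALUES (2, 'Portraits', 'Studio photos');
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'md5-hash-placeholder');
    """)
    return conn

def strip_quotes(value):
    # The "filter the basic characters" defence the post mentions.
    return value.replace("'", "").replace('"', "")

def lookup_category_vulnerable(conn, raw_id, filter_quotes=False):
    # Concatenation, as in the write-up's target: raw_id becomes SQL text.
    value = strip_quotes(raw_id) if filter_quotes else raw_id
    query = "SELECT id, name, description FROM categories WHERE id = " + value
    return conn.execute(query).fetchall()

def lookup_category_safe(conn, raw_id):
    # Parameter binding: raw_id is sent as a value, never parsed as SQL.
    query = "SELECT id, name, description FROM categories WHERE id = ?"
    return conn.execute(query, (raw_id,)).fetchall()

def run_demo():
    conn = make_db()
    union_input = "1 UNION SELECT id, login, password FROM users"
    results = {}
    # The post's first probe: a lone quote breaks the concatenated query.
    try:
        lookup_category_vulnerable(conn, "1'")
        results["quote_unfiltered"] = "no error"
    except sqlite3.OperationalError:
        results["quote_unfiltered"] = "syntax error"
    # Stripping quotes hides that error, but a UNION in a numeric context
    # needs no quote at all, so the filter does not stop it.
    results["quote_filtered"] = lookup_category_vulnerable(conn, "1'", True)
    results["union_filtered"] = lookup_category_vulnerable(conn, union_input, True)
    # With binding, the same inputs are just values that match no id.
    results["safe_quote"] = lookup_category_safe(conn, "1'")
    results["safe_union"] = lookup_category_safe(conn, union_input)
    results["safe_normal"] = lookup_category_safe(conn, "1")
    return results
```

The lesson for the filter-bypass tips above is that the quote filter only changes which inputs produce an error; binding the parameter removes the injection regardless of how the input is encoded.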