Ref:manual SQL Injection Discovery Tips

Source: Internet
Author: User
Tags: manual sql injection, sql injection

ref:https://gerbenjavado.com/manual-sql-injection-discovery-tips/

Manual SQL Injection Discovery Tips

August 26, 2017

According to Bugbountyforum.com's AMA format, one of the most popular questions is "How do you test for server side vulnerabilities such as SQLi?". Until recently I was struggling with this question (especially towards SQLi) as well. The SQLi's I did find were often discovered and exploited by Sqlmap after I noticed that the server responded weirdly to a single quote. However, in the last 2 months I was forced to dive deeper into manual SQLi discovery since my target has a strong firewall making Sqlmap useless (and yes, I looked into --tamper). In these 2 months I was able to find a number of SQLi's, which I learned a ton from. This blog will focus on sharing my process and knowledge as well as showing real world examples. I'll divide the blog into two parts, discovery and exploitation, since both are needed for a good report. Finally, this blog assumes MySQL is used since it holds over half of the market share.

Discovery

The first part of finding a valid SQLi is the discovery of the vulnerability. Here the most important thing is to know in which SQL context your input can end up. Some basic examples:

    • SELECT user_input FROM tournament ORDER BY region;
    • INSERT INTO tbl_name (col1,col2) VALUES (15,user_input);
    • DELETE FROM somelog WHERE texts = 'user_input'

Here we can see our user_input ending up in a range of different contexts: between (), between '' or without any delimiters. What these commands all have in common is that they will all turn invalid once a ' is injected as input. The examples without delimiters will also give an error if a non-existing system variable is used, like @@versionz (instead of @@version).

Once you are able to make the server return an error (mostly an HTTP 500 status) you have to confirm it is the SQL command that is causing the error and not something like a date parser. To do this you can use a range of tricks:

  • If a ' is causing the error, try to see if \' results in a success message (since the backslash cancels out the single quote in MySQL).
  • You can also try if commenting out the ' results in a success message, like: %23' or --'. This is because you tell MySQL to explicitly ignore everything after the comment, including the extra '.
  • If a ' isn't allowed you can use comparisons between valid and invalid system variables like @@versionz vs @@version, or invalid vs valid functions like SLEP(5) vs SLEEP(5).
  • Sometimes your input will end up between (). Make sure you test input)%23 as well, to see if you can break out of these and exploit Union SQLi (for example input) order by 5%23).
  • If the normal input is just an integer you can try to subtract some amount from it and see if that subtraction works (id=460-5).
  • Try to see if an even amount of quotes results in a success message (for example 460'' or 460-'') and an uneven amount results in an error (for example 460' or 460-''').

Example

To make this clearer we have the following URL:
https://www.example.com/php/sales_dash_poc_handle.php?action=month-breakdown&type_of_report=billing&city=all&month=8&year=2017&poc=35141008

This basic URL returns a 200 status code. The input poc=35141008' returns a 500 error and poc=35141008'%23 does as well, but poc=35141008'' returns a 200 status. This hints that the parameter is likely not using any delimiters, thus I tried poc=35141008%23', which returned a 200 status code. Now we know that we can simply inject between 35141008 and %23. After this I tried a simple 35141008 OR 2 LIKE 2%23, which worked, while 35141008 OR 2 LIKE 1%23 returned an error, proving Boolean SQLi was possible here. It isn't however always this easy, and this example doesn't show much impact; this is where the next section comes in, proving data retrieval.
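The quote-parity and Boolean probes from the discovery list and the example above, as an added illustration that is not part of the original post: a constructed SQLite table stands in for the MySQL back end so the code runs offline (SQLite does not treat # as a comment, so the comment probe uses -- instead of %23), and the same inputs are run against a query built by concatenation and against a parameterized one. The vulnerable version shows why an odd number of quotes produces an error and an even number does not, and why OR 2 LIKE 2 and OR 2 LIKE 1 give different row counts; the parameterized version shows the fix, under which every probe is treated as plain data.

```python
import sqlite3

# Added example (not from the post). SQLite stands in for MySQL so it runs
# offline; the string context mirrors "DELETE FROM somelog WHERE texts = 'user_input'"
# from the post, turned into a SELECT so it can be repeated. SQLite does not
# treat "#" as a comment, so the comment probe uses "--" instead of %23.


def make_db():
    """Constructed in-memory table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE somelog (id INTEGER, texts TEXT)")
    conn.executemany(
        "INSERT INTO somelog VALUES (?, ?)",
        [(1, "login ok"), (2, "login failed"), (3, "logout")],
    )
    conn.commit()
    return conn


def count_vulnerable(conn, user_input):
    """Query built by string concatenation: the input lands inside the quotes
    and can close them. Returns ("ok", row_count) or ("error", message)."""
    sql = "SELECT COUNT(*) FROM somelog WHERE texts = '" + user_input + "'"
    try:
        return ("ok", conn.execute(sql).fetchone()[0])
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def count_parameterized(conn, user_input):
    """Same query with a bound parameter: the input is always data, so the
    quote-parity and tautology probes never change the SQL that runs."""
    sql = "SELECT COUNT(*) FROM somelog WHERE texts = ?"
    return ("ok", conn.execute(sql, (user_input,)).fetchone()[0])


# The probe inputs from the post's discovery list, translated to SQLite syntax:
# an odd number of quotes breaks the statement, an even number keeps it valid,
# and a comment after the closing quote discards the query's own trailing quote.
PROBES = [
    "login ok",                  # baseline: matches one row
    "login ok'",                 # odd quote count -> syntax error in the vulnerable version
    "login ok''",                # even quote count -> valid, matches nothing
    "login ok' OR 2 LIKE 2 --",  # true condition -> every row (Boolean "true")
    "login ok' OR 2 LIKE 1 --",  # false condition -> only the baseline row (Boolean "false")
]


def run_probes(conn, query_fn):
    """Map each probe to the (status, result) the given query function yields."""
    return {p: query_fn(conn, p) for p in PROBES}


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", count_vulnerable), ("parameterized", count_parameterized)):
        print(label)
        for probe, outcome in run_probes(db, fn).items():
            print(f"  {probe!r:32} -> {outcome}")
```

Running the module prints both tables side by side: the concatenated query errors on the odd-quote probe and returns 3 versus 1 rows for the true and false conditions, while the parameterized query returns 0 rows for every probe except the baseline because the quotes and the OR clause never leave the bound value.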

Exploitation

After you have found a SQLi you always have to try to prove at least a difference in output (for Boolean and sleep based) or sensitive data in the output (for error and Union based). Unfortunately this isn't always straightforward, especially with firewalls and blacklisting in the way. This section is here to help you get around those.

Firewall

The first thing you should try when dealing with a firewall is to see if you can find a misconfiguration in the setup. For most of these firewalls and CDNs you can access the unprotected website by visiting the original IP (which the firewall is standing in front of) and then using the original domain name as the Host value. The first step here is to find the original IP of the website; this is often not too hard using services that keep track of the IPs a website has used (http://viewdns.info/iphistory/). Often the one used before the firewall IP comes in is the one they still use (basically the one after it says CloudFlare or Akamai). Shodan can also be really useful when it comes to finding an original IP.

After you have found the original IP address, try to access the website with the original Host header. In curl this works like this (adding a header also works in Sqlmap):

$ curl --header 'Host: www.example.com' 'https://54.165.170.2/' -v -k

On my target this was unfortunately forbidden, thus I had to be creative. Here I found that adding a dot to the host (www.example.com.) wouldn't be restricted and still allowed me to browse the direct IP. Adding:

54.165.170.2 www.example.com

to your /etc/hosts file will allow you to browse to www.example.com in the browser without any firewall in between. Restrictions should be gone and SQLi exploitation should be fairly easy.

Bypassing The Blacklist


Sometimes you can't bypass the firewall, which will require you to bypass the (likely) blacklist that's in place. Here my biggest tip is that Google is your friend: find niche functions with powerful capabilities that allow you to somehow extract data. That said, here are some common tips:

    • Use comments in your query as spaces to break a firewall regex or word combination. For example: 2/*dhab bc*/OR/*dahdshka*/2/*sd*/LIKE/*da*/"2"/**/%23 translates to: 2 OR 2=2%23.
    • Use LIKE instead of =, 2 instead of 1 and " instead of ' as the example above shows. Many people are lazy and so are firewalls; walking the path less traveled will catch many firewalls off guard.
    • Like I said above, use Google to find niche functions. For example, I found that MID() works the same as SUBSTRING(), however the latter was banned and the first one wasn't. The same goes for variables: CURRENT_USER() was banned and CURRENT_USER wasn't.

Putting it all together

Out of the SQL injections I found this is probably my favorite, since the exploitation was fairly hard. So I'll describe it in detail and hope you guys can learn something from it.

I came across this URL:
https://www.example.com/php/analyticsExcel.php?action=res_unique_analytics&resid=2100935&start_date=2016-07-11 00:00:00&end_date=2017-08-11 23:59:59&action=res_unique_analytics&entity_type=restaurant


Here I had legitimate access to 2100935 and requesting 2100934 would result in an unauthenticated error. The weird thing was that adding a single quote after 2100935 resulted in a 500 status error, and adding a second one would make the URL work again. To make exploitation easier I used my www.example.com. bypass (described in the Firewall section) to get rid of the Akamai WAF. From there I tried to find a place to inject my own SQL commands in the input, however I didn't manage to inject a comment in the string, thus I concluded the query was quite complex. Seeing this I decided to focus on a simpler OR statement, which can be injected almost anywhere. Here I noticed that ' or 1='1 would return a 200 status, ' or 1='2 would be exactly the same, ' and 1='1 the same, ' and 1='2 the same, and finally none of the sleep() commands seemed to have any effect.

Super weird: I could basically confirm the syntax I injected was correct, but none of the techniques allowed me to extract data. Here I tried ' or @@version=5, which resulted in a 200, and ' or @@versionz=5, which resulted in an error. This at least confirmed I was working with MySQL and showed the injection was really there. This pointed me towards the MySQL IF function. My thought was that if I was able to return an invalid function based on whether the IF statement is true or false, I could prove data extraction. This didn't go quite as planned since MySQL seems to validate the command before executing the IF statement, but the IF statement ended up being part of the solution. Feeding a valid SLEEP command in the IF statement with a positive integer would result in the server timing out, while returning a simple integer from the IF statement would return a fast 200 status code. From here I developed the following POC:

True: if @@version starts with a 5:
2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
Response:
HTTP/1.1 500 Internal Server Error

False: if @@version starts with a 4:
2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
Response:
HTTP/1.1 200 OK

Summary

If injecting a single quote leads to different output in the response, try the different techniques outlined in this blog to see if you are dealing with a SQLi. After you have determined in which SQL context you are working, develop a POC that either shows sensitive data (error and Union based) or shows a difference in output depending on whether the question asked is true or false (Boolean and time based).
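Seen from the defending side, every probe described in this post (the odd and even quote counts and %23 comments from the discovery list, the inline /* */ comments and @@versionz comparisons from the blacklist section, and the IF(..., sleep(1), 1) POC) leaves a recognisable trace in the web server log, and the alternation of 200 and 500 responses for one parameter is itself a signal. The following is an added example, not part of the original post: it parses a few constructed access-log lines (combined log format; the client addresses, path and values are made up for this example), URL-decodes each query parameter, applies heuristic patterns of my own for the probe shapes above, and then summarises per client whether flagged requests produced both success and error responses. A lone apostrophe is deliberately treated as a weak signal, because names like O'Brien would otherwise be reported as attacks.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (combined log format). The client addresses,
# path and parameter values are made up for this example; they only mirror the
# probe shapes the post describes and are not from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2017:10:00:01 +0000] "GET /report.php?type=billing&poc=35141008 HTTP/1.1" 200 2048
203.0.113.7 - - [26/Aug/2017:10:00:02 +0000] "GET /report.php?type=billing&poc=35141008%27 HTTP/1.1" 500 312
203.0.113.7 - - [26/Aug/2017:10:00:03 +0000] "GET /report.php?type=billing&poc=35141008%27%27 HTTP/1.1" 200 2048
203.0.113.7 - - [26/Aug/2017:10:00:04 +0000] "GET /report.php?type=billing&poc=35141008%20OR%202%20LIKE%202%23 HTTP/1.1" 200 2048
203.0.113.7 - - [26/Aug/2017:10:00:05 +0000] "GET /report.php?type=billing&poc=35141008%20OR%202%20LIKE%201%23 HTTP/1.1" 500 312
203.0.113.7 - - [26/Aug/2017:10:00:06 +0000] "GET /report.php?type=billing&poc=2/*x*/OR/*y*/@@versionz%3D5%23 HTTP/1.1" 500 312
203.0.113.7 - - [26/Aug/2017:10:00:07 +0000] "GET /report.php?type=billing&poc=35141008%27%20OR%20IF(MID(@@version,1,1)%3D%275%27,sleep(1),1)%3D%272 HTTP/1.1" 500 312
198.51.100.4 - - [26/Aug/2017:10:01:00 +0000] "GET /report.php?type=billing&poc=35141009 HTTP/1.1" 200 2048
198.51.100.4 - - [26/Aug/2017:10:01:01 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)

# Heuristic patterns (my own, matched against the URL-decoded parameter value).
# Each one corresponds to a probe shape described in the post.
STRONG_RULES = {
    "quote_after_number": re.compile(r"^\d+\s*'"),                 # 460' / 460''
    "quote_then_comment": re.compile(r"'\s*(#|--)"),               # '%23 / '--
    "system_variable": re.compile(r"@@\w+"),                       # @@version / @@versionz
    "sleep_or_if_call": re.compile(r"\b(sleep|if)\s*\(", re.I),    # IF(...,sleep(1),1)
    "or_like_tautology": re.compile(r"\bor\b\s+\S+\s+like\s+", re.I),  # OR 2 LIKE 2
    "inline_comment": re.compile(r"/\*.*?\*/"),                    # comments used as spaces
    "escaped_quote": re.compile(r"\\'"),                           # \' probe
}


def parse_line(line):
    """Split one combined-log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so %27 becomes ' and %23 becomes #.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_value(value):
    """Return (list of strong rule names that fired, weak_flag).
    The weak flag is an odd number of single quotes on its own."""
    reasons = [name for name, rx in STRONG_RULES.items() if rx.search(value)]
    weak = value.count("'") % 2 == 1
    return reasons, weak


def scan_log(text):
    """One finding per (request, parameter) that triggers any rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            reasons, weak = classify_value(value)
            if reasons or weak:
                findings.append({
                    "ip": rec["ip"], "path": rec["path"], "param": name,
                    "value": value, "status": rec["status"],
                    "reasons": reasons, "strong": bool(reasons),
                })
    return findings


def summarize_by_client(findings):
    """Per client: strong/weak counts and whether the strong hits drew both a
    2xx and a 5xx response, the Boolean/error pattern the post relies on."""
    summary = defaultdict(lambda: {"strong": 0, "weak": 0, "statuses": set()})
    for f in findings:
        s = summary[f["ip"]]
        if f["strong"]:
            s["strong"] += 1
            s["statuses"].add(f["status"])
        else:
            s["weak"] += 1
    for s in summary.values():
        s["error_and_success"] = (any(st >= 500 for st in s["statuses"])
                                  and any(200 <= st < 300 for st in s["statuses"]))
    return dict(summary)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["param"], repr(h["value"]), h["reasons"] or "weak: lone quote")
    for ip, s in summarize_by_client(hits).items():
        print(ip, s)
```

On the constructed sample, all six probe requests from 203.0.113.7 are flagged by a strong rule and span both 200 and 500 responses, which is exactly the signature of someone doing the discovery steps this post describes; 198.51.100.4 gets only a weak hit for O'Brien and no error/success alternation. In a real deployment the same classification would run over the parameter values the application receives (after its own decoding), since a WAF or log pipeline that sees only the raw, encoded URL will miss the %23 and %27 variants unless it decodes first.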
