English Original: Databasetube, translation: Open source China
In vulnerability assessment and penetration testing, it is the first step to determine the input vectors of the target application. This article explains how someone else is using an HTTP header to inject SQL into your database, and discusses which vulnerability scanner to test for SQL injection.
Yasser Aboukir, InfoSec Institute
In vulnerability assessment and penetration testing, it is the first step to determine the input vectors of the target application. Sometimes, as a Web application test, test cases for SQL injection vulnerabilities are typically limited to special input vector get and post variables. What about the other HTTP header parameters? Aren't they the underlying SQL injection attack input vectors? How do we test these HTTP parameters, and what vulnerability scanners are used to find out the vulnerabilities of these applications?
Coverage of input parameters in the Web application scanner
By comparing 60 commercial and open source black box Web application vulnerability scanners, an article was published: "Scan Legion: Scan accuracy Assessment & feature comparison". The standard used primarily to test URLs for commercial and open source software has been released by security researcher Shay Chen in 2011.
For the scanner that tests the Web application to support input parameter overrides, we've summarized it in the chart below. These main inputs are:
- HTTP Query character parameter (GET): input parameter sent via URL
- http body parameter (POST): input parameters are sent via HTTP body
- http Cookie parameters: input parameters are sent via HTTP cookie
- HTTP Headers:http the header used by the submission application
It is evident in this diagram that 75% of the Web application scanners do not discover the vulnerability associated with the HTTP headers parameter. In addition, 70% of these scanners also incorrectly check for HTTP cookie vulnerabilities. These ratios fully illustrate the ability of these scanners to scan input vectors, not just simple explanations. Scoring for Get and post is reasonable, and some automated test tools can cause unsatisfactory results when processing HTTP headers as a SQL injection input vector.
In fact, HTTP headers and cookies are not being taken seriously. Therefore, these two vectors should be taken into account in the test case. Also, when we use a vulnerability scanner that does not support these features, we should consider manually testing these parameters.
Potential HTTP Header SQL injection
HTTP header fields
The HTTP header field is part of the request and response information in the Hypertext Transfer Protocol (HTTP), which defines the operation parameters of the HTTP transport.
For example: the requested HTTP
get/http/1.1
Connection:keep-alive
keep-alive:300
accept:*/*
Host:host
Accept-language:en-us
Accept-encoding:gzip, deflate
user-agent:mozilla/5.0 (Windows; U Windows NT 5.1; En-us;
rv:1.9.2.16) gecko/20110319 firefox/3.6.16 (. NET CLR 3.5.30729;. NET4.0E)
cookie:guest_id=v1%3a1328019064; pid=v1%3a1328839311134
When we keep the session ID in the database, we should first test the HTTP cookies as the primary potential HTTP variables. In the following we will see an instance of SQL injection using cookies. There are other HTTP header information associated with the application.
X-forwarded-for
X-forwarded-for is a field of HTTP headers. It is considered a standard for a client to obtain a source IP address through an HTTP proxy or a load balancer connected to the Web server.
Let's look at an example of a form-submission vulnerability.
$req = mysql_query ("Select User,password from admins WHERE user= '". Sanitize ($_post[' user ']). "' and password= ' ". MD5 ($_post[' password ')." ' and Ip_adr= ' ". Ip_adr ()." ' ");
The sanitize () method controls the correctness of the login variable.
function sanitize ($param) {if (Is_numeric ($param)) {return $param;} else {return mysql_real_escape_string ($param);}}
Let's examine the variable IP, which uses the Ip_addr () method to get the output value.
function Ip_adr () {if
(Isset ($_server[' http_x_forwarded_for ')) {$ip _adr = $_server[' http_x_forwarded_for ');} else {$ip _adr = $_server["REMOTE_ADDR"];} if (Preg_match ("#^[0-9]{1,3}\.[ 0-9]{1,3}\. [0-9] {1,3}\. [0-9] {1,3}# ", $ip _addr)) {return $ip _adr;} else {return $_server[" REMOTE_ADDR "];}}
Obviously, the IP address gets the return value via HTTP header x_forwarded_for . After that, the Preg_match method is used to verify that there is at least one legitimate IP address. In fact, the http_x_forwarded_for environment variables are not sufficiently filtered before using SQL queries, which results in the ability to inject arbitrary SQL code through this field when SQL queries are made.
This header field can be easily modified as follows:
get/index.php http/1.1
Host: [Host]
X_forwarded_for:127.0.0.1′or 1=1#
Such modifications will result in bypassing security authentication.
User-agent
The user agent is the HTTP header field that records the client information of the software program and can be used to count targets and violation protocols. It should be included in the HTTP header, the first space in the field preceded by the product name of the software, followed by an optional slash and version number.
Not all applications are getting access to user-agent information, but some applications use it to store some information (such as a shopping cart). In this case, it is necessary to study the problem of the user-agent head.
HTTP Query instance:
get/index.php http/1.1
Host: [Host]
User-agent:aaa ' or 1/*
Referer
Referer is another HTTP header that is prone to SQL injection when the application does not filter the storage to the database. It is an optional header field that allows the client to specify, through which we can get to the server where the request URI is submitted. It allows the server to generate a series of fallback link documents, such as content of interest, logs, etc. It also allows tracking of those bad links for maintenance.
For example:
get/index.php http/1.1
Host: [Host]
User-agent:aaa ' or 1/*
Referer:http://www.yaboukir.com
Attackers ' purpose?
As we all know, the injection of vulnerability ranked OWASP Top ten Web Application Security risk first. Attackers are increasingly looking for your database read and write permissions, whether the injection point is a vector input type, Get,post,cookie or other HTTP headers, and what is important for attackers is to find at least one injection point that allows them to take advantage of.
Manual Test Cookie Vulnerability
In this section, we will cover several methods for checking HTTP cookie variables.
Using the browser plugin
Cookie manager+ allows you to view, edit and create new cookies, it also provides some additional information to display cookies, supports simultaneous modification of multiple cookies, and we can back up/restore these cookies.
After installation, select the cookie manager+ in the Tools menu and select a variable that is relevant to the target application.
Let's edit the variable under language_id , in order to determine if there is a SQL injection vulnerability, we add "'" after the field.
language_id content is as follows:
Then refresh the page, or click on another link inside the application, submit the edited HTTP cookie request, and return the result with a SQL error:
This database error reminds us of a vulnerability that could easily generate SQL injection.
The manager+ advantage of cookies is that he is very easy to use and we can manipulate cookies directly and save previously modified cookies.
Below we will try to use another Firefox plugin to detect the number of columns of the target.
Tamper Data:
Tamper Data is a very powerful plugin under Firefox that can display and modify HTTP/HTTPS headers as well as post parameters.
After installation, select Tamper Data from the toolbar menu, click the button start tamper to start modifying the HTTP request.
When the target application sends any request, Tamper data pops up a dialog box asking if we want to intervene in the current HTTP request.
When you click Tamper, a tamper detail window pops up:
As shown: Add order by 4 to the HTTP cookie variable. The response returned from the application is normal.
We continue to add: order by 5. The response to this injection is as follows:
So, we can infer that the number of out-of-order is 4.
Now, in order to inject in more queries, we try to find the affected columns. Therefore, we need to add the following query to the HTTP cookie variable language_id :
-1+union+all+select+1,2,3,4
This approach may need to take advantage of some advanced SQL injection techniques.
Using the automated Penetration Test scanning Tool
Taking Sqlmap as an example
Sqlmap is a popular open source automated penetration testing tool. This program can test and exploit SQL injection defects, and can take over the database service.
Sqlmap supports the HTTP cookie feature, so it can be used in two ways:
- Cookies-based security verification when web applications are needed.
- The detection and utilization of SQL injection in the header value.
Sqlmap tests all the get parameters and post parameters by default. When the-level parameter value is set to 2 or greater, it tests the HTTP Cookie header value. When this value is set to 3 or greater, the test also contains the HTTP user_agent and HTTP Referer header values. You can also test the parameters that you want to test with sqlmap, separating them with commas, which bypasses the dependency on-level.
Tested HTTP parameter |
Level in Sqlmap |
GET |
1 (Default) |
POST |
1 (Default) |
HTTP Cookie |
2? |
HTTP user-agent |
3? |
HTTP Referer |
3? |
For example, to test the get parameter ID and HTTP user-agent, simply provide the-P id,user-agent parameter.
The following example shows a test called Security in the HTTP cookie for DVWA (Damn vulnerable Web application).
./sqlmap.py-u ' http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit# '
–cookie= ' phpsessid=0e4jfbrgd8190ig3uba7rvsip1; Security=low '
–string= ' first name ' –dbs–level 3-p PHPSESSID
The-string flag compares valid pages and invalid pages when injected. On the other hand,-dbs is used to enumerate database management systems. Finally, the-p flag is used to indicate the mandatory test PHPSESSID variable.
Tools for testing SQL injection: Select by precision or vector coverage?
To answer this question, we used the standard test results provided by the Sectoolmarket.com Web site, and we first assumed that the test accuracy and vector coverage of the candidate scanners were of the same importance. We will get. Post,http cookies and HTTP headers as input vectors that should be supported. When all parameters are supported, the ratio of coverage for this scanner is 100% (4/4).
We recommend using the following arithmetic equation, which means that the vulnerability scanner scores an average.
We then list the Top 14 scanners from the percentage of the resulting detection accuracy rate:
Rank |
Vulnerability Scanner |
Vendor |
Detection Rate |
Input Vector Coverage |
Average Score |
1 |
Arachni |
Tasos Laskos |
100% |
100% |
100% |
2 |
Sqlmap |
Sqlmap Developers |
97.06% |
100% |
98,53% |
3 |
IBM AppScan |
IBM Security Sys Division |
93.38% |
100% |
96,69% |
4 |
Acunetix WVS |
Acunetix |
89.71% |
100% |
94,85% |
5 |
Ntospider |
NT Objectives |
85.29% |
100% |
92,64% |
6 |
Nessus |
Tenable Network Security |
82.35% |
100% |
91,17% |
7 |
WebInspect |
HP Apps Security Center |
75.74% |
100% |
87,87% |
8 |
Burp Suite Pro |
Portswigger |
72.06% |
100% |
86,03% |
9 |
Cenzic Pro |
Cenzic |
63.24% |
100% |
81,62% |
10 |
Skipfish |
Michal Zalewski–google |
50.74% |
100% |
75,37% |
11 |
Wapiti |
OWASP |
100% |
50% |
75% |
12 |
Netsparker |
Mavituna Security |
98% |
50% |
74% |
13 |
Paros Pro |
Milescan Technologies |
93.38% |
50% |
71,69% |
14 |
ZAP |
OWASP |
77,21% |
50% |
63,60% |
We can make the following chart by the accuracy of the scanner's scanning vulnerability and the average of the vector coverage.
What do you do next?
For developers
The developer should treat the cookies as well as other saved HTTP avatar forms, and pass the usual verification.
For testers
The Operation request information for HTTP headers, especially Refere and user-agent, is important for verifying that an application has a SQL injection vulnerability or other defect (XSS), and it is best to define and describe each operation situation when using the application. These data may be stored, extracted and processed, like cookie,http-headers (like Http_user_agent), Form-variables (Show and Hide), ajax-, jqusery-,xml-requests.
Yasser Aboukir is a security researcher at the InfoSec institution. INFOSEC Institute is an organization that provides CEH certification and CCNA training training.
Reference documents
[1] penetration testing with improved Input Vector identification, William g.j. Halfond, Shauvik Roy Choudhary, a nd Alessandro Orso College of Computing Georgia Institute of Technology
[2] Security Tools benchmarking–a blog dedicated to aiding Pen-testers in choosing Tools it make A difference. by Shay-chen http://sectooladdict.blogspot.com/2011/08/commercial-web-application-scanner.html
[3] Https://en.wikipedia.org/wiki/X-Forwarded-For
[4] http://www.techbrunch.fr/securite/blind-sql-injection-header-http/
[5] Http://www.w3.org/Protocols/HTTP/HTRQ_Headers.html#user-agent
[6] Http://www.w3.org/Protocols/HTTP/HTRQ_Headers.html#z14
[7] https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
[8] https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
[9] Http://sqlmap.sourceforge.net/doc/README.html
[Ten] Http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://blog.jobbole.com/35764/
SQL injection via HTTP header (GO)