pirate.moo's gitbook
  • 🏴‍☠️pirate.moo's gitbook
  • WEB
    • OWASP TOP 10
    • Notes
    • Lab Write-Ups
      • SQLi in WHERE clause
  • PENTESTING
    • CHECKLIST
    • REPORTING
    • SCRIPTS
  • EXPLOITATION
    • reverse shells
    • dns/subdomain
    • ssl
    • Handy cmds
    • VULNERABILITIES
      • Log4Shell
      • Dirty Pipe
      • Pwnkit
  • CTF
    • CTF Tools
  • CERTIFICATIONS
    • PNPT
    • CPTS
      • 1. Process
      • 2. Getting Started
      • 3. NMAP
      • 4. Footprinting
        • FTP
        • SNMP
        • SMB
        • NFS
        • MySQL/MSSQL
        • Oracle TNS
    • CPTS Machines
      • Nibbles
    • OSCP
    • ISC2-cc
      • 1. Security Principles
      • 2. Incident Response
      • 3. Access Control
      • 4. Network Security
      • 5. Security Operations
  • MOBILE
    • History
    • Forensics
  • MOOSINT
Powered by GitBook
On this page

Was this helpful?

Notes

SQL injection: A vulnerability where the attacker disrupts SQL queries executed by an application on a DB. Example: Using 'admin'-- to gain access to an authentication page, where the query would be select * from users where username = 'admin' -- and password = '';

If the app properly validates things, the DB will search for a matching 'admin' -- and not find it, but if it doesn't validate user input or use parameterized queries any characters become part of it. So, the ' would close the str of the original statement and the query would look like select * from users where username = admin instead and the DB would pull the profile allowing login.

Same channel used to launch/receive attacks (easier since results seen)

  • Manipulating queries to extract/modify data directly

  • Retrieved data presented in app

  1. Error-Based: DB is forced to generate errors from queries that give up information about it

    • Errors are generated so possible to refine

    • www.random.com/app.php?id=' (outputs error)

  2. Union-Based: Uses UNION: Combines results of diff queries to gather from other tables

    • www.random.com/app.php?id=' UNION SELECT username, password FROM users --

    • (outputs something like carlos, password123, administrator, 37894327hdj3204)

No actual transfer data between attacker/app, but behavior (longer to exploit).

  • Doesn't output data to app/page

  • Just as dangerous: Attackers can reconstruct info by sending requests/observing

  1. Boolean: True/false questions

    1. Content-based blind: You can infer whether something is true/false

    2. moo[.]com/app.php?id=1 (force a true or false payload)

    3. True payload: select title from product where id =1

      • If id 1 is valid, then it will provide the title

      • moo[.]com/app.php?id=1 and 1=2

    4. False payload: select title from product where id =1 and 1=2

      • and indicates both statements must be true

      • moo[.]com/app.php?id=1 and 1=1

    5. True payload: select title from product where id =1 and 1=1

      • both statements are true, so payload is true

      • Payload: moo[.]com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1,1) = 's'

        • SUBSTRING: Extracts some chars from str, while 1 is the start position for extraction, and 1 is the number of chars to extract

          • Is s = the first character outputted?

  2. Time: Causing DB to pause for a time

    • TRUE/FALSE is based on response time

      • Example: pgsleep 10 (if it takes 10 seconds it's vuln)

Unlike in-band/classic, attacker isn't able to use the same channel

  • Triggering out-of-band network connection to a system you control

  • Might be able to directly exfiltrate data, unlike Boolean/time based injections

  1. Map the app: Visit URL, pages, input vectors that talk to backend

    • Understand logic and how it functions

    • Enumerate directories/subdomains

    • Most vulnerabilities logic flaws, or embedded in pages a scanner can't crawl

  2. Fuzz: Add special chars and seeing if app responds unusually

    • Submitting SQL specific characters like ', ", -, --, ;

    • Refine payloads as you work

  3. Enable server/DB logging: Look at logs:

    • See how the backend responds/generated errors help you

  4. Code review: Follow code path for all input vectors to help feel things

Data Store: Manages data processed: Core logic holds accts, perms, configs, etc...

  • Common priv lvl for access to data store for processing the user data

  • If attacker interacts with this to make/retrieve data, they can usually bypass controls

  • Most common data stores: SQL DBs, XML-repositories, LDAP directories

  • Accessing data stores is the same, irrespective of user-role

  • Webapps function as an access control to the data store

  • A successful injection modifies a query, not just the data within it

If app logic is controlled by results of a query, modifying the query can alter logic

Compiled lang: Code converted to machine instructions/executed by processor running it

  • Injection doesn't leverage syntactic features of lang used

  • Injection payloads contain machine code, not instructions written in that language

Interpreted lang: Execution uses runtime component: Interprets and carries instructions

  • Many core langs for webapps implement an interpreter: SQL, LDAP, Perl, PHP

Code injection: Class of vulns exist because of how interpreted languages execute

  • Code processed mixes instructions from coder/data supplied

  • Crafted inputs with special syntax can break data context

PreviousOWASP TOP 10NextLab Write-Ups

Last updated 8 months ago

Page cover image