2020-09-06

SQL Injection filter bypass to perform blind SQL Injection

Hello, in this blog post I will discuss a scenario in which a web application was vulnerable to SQL Injection, but user input was being filtered by code that removed characters such as ' " ( ) % etc.

Technology/back-end used by the web application:

  1. PHP 
  2. MySQL

Scenario:

The PHP code accepted user input through the HTTP GET parameter "param1". The value was passed to a custom data-filtering function, "input-filter".

The "input-filter" function is meant to strip certain special characters that can lead to SQL Injection.

After performing input sanitization, the function passes the data to the SQL query in the PHP code.
In the SQL query, the user data ($user_input) was passed as the column name in the "select" statement, as follows:


 

The web application code only processed the SQL query output internally; nothing was shown on the web interface. Because of this, union-based SQL injection was not possible.

The web application code did not use "mysqli_error()" to show SQL server error messages, which killed the chance of performing error-based SQL Injection.

The only possibility left was blind SQL injection. To perform it there was a limitation: the web application's "input-filter" function stripped out the characters mentioned below:


When we use a basic boolean-based blind injection payload such as:

After passing through the user input filter function, the payload was changed to the one shown below:



URL-encoded payload processing:

The web application's input filter function was stripping out the % character as well, which made URL-encoded payloads useless.
Let's consider that URL encoding has been used for the characters ( and ), and the payload looks like this:


After processing through the user input filter function, the payload became like this:



Exploitation:

In this case, my way to perform exploitation was blind injection. To avoid the stripping of payload characters, I used a "like" clause with a hex-encoded pattern in combination with the where condition.

Like clause and hex-encoded wildcard search pattern:
Let's have a look at the like clause functionality.

The 'like' operator performs searches in the SQL database using a wildcard search pattern.

For example, if a user wants to search a column for any value containing the string 'user' anywhere, the SQL query will be:



The above-mentioned SQL query will retrieve the rows whose column value contains the string 'user' anywhere.

The like clause does not only take its pattern as a single-quoted string; it also accepts it in hex form.


This means we can use a SQL query with a "like" clause and a "hex-encoded wildcard value" like this:



Extracting table and column names

To perform exploitation in this scenario, I followed the steps below:

  1. There is a restriction on using the characters ' ( ) < > %.
  2. User input is passed into the column-name position of a "select" statement, so I used "1 from dual" to complete the "select" statement.
  3. Use a "like" clause with a hex-encoded wildcard pattern.
  4. Guess characters one by one.

Table name extraction payload:

Consider that we have a table named "auth".

Payload to look for the table name "auth" (whose first character is 'a') using the like clause:

Payload with hex-encoded like clause wildcard value:

In my case, user data was passed as the column name in the SQL query, so the payload was:

The SQL query in the application was executed as:

 

Column name extraction payload:

Consider that we have a column named "username" in table "auth".

Payload to look for the column name "username" (whose first character is 'u') in table "admin" using the like clause:

Payload with hex-encoded like clause wildcard value:

Data extraction payload:

To extract the data from column "username" of table "auth", use the like clause with a hex-encoded wildcard pattern.

Payload to look for the username "ace" in column "username" of table "auth" using the like clause:

Payload with hex-encoded like clause wildcard value:

 

Conclusion:

SQL injection exploitation can be tricky, but there may still be a way to perform it.

Remediation:

To prevent SQL Injection attacks, refer to the OWASP guide:
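As an added example (not code from the original post), here is a Python model of the blacklist filter the post describes: it shows why a quoted LIKE pattern is mangled while a hex-literal one passes through untouched, adds a detection check for that shape of input, and shows the allow-list fix the remediation section calls for. The table name "items", the allow-list contents and all function names are my assumptions.

```python
import re

# Characters the post says the application's "input-filter" function strips.
STRIPPED_CHARS = set("'\"()<>%")

# Constructed allow-list for the fix below; a real application uses its own schema.
ALLOWED_COLUMNS = {"id", "username", "created_at"}


def blacklist_filter(user_input: str) -> str:
    """Model of the post's filter: drop the listed characters, keep everything else."""
    return "".join(ch for ch in user_input if ch not in STRIPPED_CHARS)


def mysql_hex_literal(text: str) -> str:
    """MySQL hex-literal form of a string, e.g. 'a%' -> 0x6125.
    The wildcard % survives as the byte 0x25, so the blacklist never sees it."""
    return "0x" + text.encode("utf-8").hex()


def vulnerable_query(user_input: str) -> str:
    """The post's weak pattern: filtered input lands in the SELECT column position.
    (Table name 'items' is constructed for this example.)"""
    return f"select {blacklist_filter(user_input)} from items"


def looks_like_hex_like_pattern(user_input: str) -> bool:
    """Detection check for request logs or a WAF rule: a LIKE followed by a
    hex literal is never something a column-name parameter should contain."""
    return re.search(r"\blike\s+0x[0-9a-fA-F]+", user_input, re.IGNORECASE) is not None


def safe_query(user_input: str) -> str:
    """Fix: treat the parameter as an identifier and accept only known column names.
    Identifiers cannot be bound as query parameters, so an allow-list is the control."""
    if user_input not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {user_input!r}")
    return f"select `{user_input}` from items"


if __name__ == "__main__":
    quoted = "name like 'a%'"
    hexed = "name like " + mysql_hex_literal("a%")
    # The quoted pattern is mangled to "name like a"; the hex form is unchanged.
    print(vulnerable_query(quoted))
    print(vulnerable_query(hexed), looks_like_hex_like_pattern(hexed))
    print(safe_query("username"))
```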

Thanks for reading :)

Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, James Kettle, vivek chauhan


--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher, Lovey, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

© 2009 Start With Linux | Mannu Linux