Hello, in this blog post I will discuss a scenario in which a web application was vulnerable to SQL Injection, but user input was being filtered by code to remove characters such as ' " ( ) % etc.
Technology/back-end used by the web application:
- PHP
- MySQL
Scenario:
The PHP code was accepting user input through the HTTP GET parameter "param1". The value was passed to a custom data filtering function, "input-filter".
The "input-filter" function is meant to filter out some special characters which can lead to SQL Injection.
After performing input sanitization, the function passes the data to the SQL query in the PHP code.
In the SQL query, the user data ($user_input) was passed as the column name in a "select" statement, as follows:
The web application code was just processing the SQL query output, and no output was shown on the web interface. Because of this, union-based SQL injection was not possible.
The web application code was not using "mysqli_error()" to show SQL server error messages, which killed the chance to perform error-based SQL Injection.
The only possibility was Blind SQL Injection. To perform blind SQL injection there was a limitation: the web application's "input-filter" function was stripping out the characters mentioned below:
When we use a basic boolean-based blind injection payload such as:
After passing through the user input filter function, the payload was changed to the one below:
URL-encoded payload processing:
The web application's user input filter function was stripping out the % character as well, which made the payload useless.
Let's consider that URL encoding has been used for the characters ( and ), and the payload is like this:
Exploitation:
In this case, my way to perform exploitation was blind injection. To avoid the stripping of payload characters, in combination with the where condition, I used the "like" clause with hex representation.
Like clause and hex encoded wildcard search pattern:
Let's have a look at the like clause functionality.
The 'Like' clause is an operator which performs a search in the SQL database using a wildcard search pattern.
For example, if a user wants to search for text in a column which has the string 'user' anywhere in it, the SQL query will be:
The above-mentioned SQL query will retrieve the data from the column which has the string 'user' anywhere in it.
The like clause does not only take input in single quotes, but also in hex form.
This means we can use a SQL query with the "like" clause and a "hex encoded wildcard value" like this:
Extracting table and column names
To perform exploitation in this scenario, I followed the steps mentioned below:
- There is a restriction on using characters such as ' ( ) < > %
- User input is passed to the column name field in the "select" statement, so I used "1 from dual" to complete the "select" statement.
- Use the "like" clause with a hex encoded wildcard pattern.
- Guess characters one by one.
Table name extraction payload:
Consider that we have a table named "auth".
Payload to look for the table name "auth" (which has first character 'a') using the like clause:
Payload with hex encoded like clause wildcard value:
In my case, user data is passed as the column name in the SQL query, so the payload was:
The SQL query in the application was executing as:
Column name extraction payload:
Consider that we have a column named "username" in table "auth".
Payload to look for the column name "username" (which has first character 'u') using the like clause of table "admin":
Payload with hex encoded like clause wildcard value:
Data extraction payload:
To extract the data from column "username" of table "auth", use the like clause with a hex encoded wildcard pattern.
Payload to look for the username "ace" in column "username" of table "auth" using the like clause:
Payload with hex encoded like clause wildcard value:
Conclusion:
Remediation:
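As an added remediation illustration (this is not code from the original post or its application): the injected value here is a column name, i.e. an identifier, which a prepared statement cannot bind the way it binds a value. Instead of stripping characters, map the user-supplied token onto a fixed identifier from an allow-list and refuse everything else. Python with sqlite3 stands in for the post's PHP/MySQL application; the `users` table, its rows and the allow-list are constructed for this example.

```python
"""Allow-list resolution for a user-controlled column name.

Added example, not code from the original post. The post's application was
PHP/MySQL; sqlite3 is used here so the example runs offline, and the table
`users` and its single row are constructed for this demo.
"""
import sqlite3

# Tokens the client may send -> real identifiers. Anything else is refused.
# No attempt is made to strip "dangerous" characters: a character block-list
# is what the post's "input-filter" did, and it was bypassed.
ALLOWED_COLUMNS = {
    "name": "name",
    "email": "email",
}


class DisallowedColumn(ValueError):
    """Raised when the requested column is not in the allow-list."""


def resolve_column(requested: str) -> str:
    """Map a user-supplied token to a fixed, quoted identifier, or refuse."""
    try:
        ident = ALLOWED_COLUMNS[requested]
    except KeyError:
        raise DisallowedColumn(f"column not permitted: {requested!r}") from None
    # Identifier quoting: double quotes in SQLite/ANSI SQL, backticks in MySQL.
    return '"' + ident.replace('"', '""') + '"'


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT);"
        "INSERT INTO users VALUES (1, 'ace', 'ace@example.invalid', 'hash-placeholder');"
    )
    return conn


def select_column(conn: sqlite3.Connection, requested: str, user_id: int):
    """SELECT one allow-listed column; the row filter is always a bound parameter."""
    column = resolve_column(requested)  # raises before any SQL text is built
    sql = f"SELECT {column} FROM users WHERE id = ?"
    row = conn.execute(sql, (user_id,)).fetchone()
    return row[0] if row else None
```

Note that `password` is a real column in the demo table but is still refused, because the allow-list decides what may be selected, not what exists.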
Thanks for reading :)
Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy, Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n, Anurag Srivastava, James Kettle, vivek chauhan
--==[[ With Love from Team IndiShell ]]==--
--==[[ Greetz To ]]==--
zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
Hackuin, Alicks, mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
--==[[ Love to ]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)