WebGoat实战: Injection
SQL Injection (intro)
What is SQL?
SQL is a standardized (ANSI in 1986, ISO in 1987) programming language which is used for managing relational databases and performing various operations on the data in them.
A database is a collection of data. Data is organized into rows, columns and tables, and it is indexed to make it easier to find relevant information.
Example SQL table with employees, the name of the table is ‘employees’:
Employees Table
userid | first_name | last_name | department | salary | auth_tan |
---|---|---|---|---|---|
32147 | Paulina | Travers | Accounting | $46.000 | P45JSI |
89762 | Tobi | Barnett | Development | $77.000 | TA9LL1 |
96134 | Bob | Franco | Marketing | $83.700 | LO9S2V |
34477 | Abraham | Holman | Development | $50.000 | UU2ALK |
37648 | John | Smith | Marketing | $64.350 | 3SL99A |
A company saves the following information of an employee in their databases: a unique employee number, the lastnname, the firstname, the department of the employee, the salary and an auth_tan.
One row represents one employee of the company.
By using SQL queries you can modify a database table and its index structures, add, update and delete rows of data.
There are three types of SQL commands in the SQL database language: Each type of command carries the danger of violating different protection goals if an intruder attacks your database system.
The 3 main protection goals in information security are confidentiality, integrity, and availability are considered the three most crucial components of information security. Go ahead to the next pages to get some details on the different types of commands and protections goals.
If you are still struggling with SQL and need more information or practice you can visit http://www.sqlcourse.com/ for an interactive and free online training.
Data Manipulation Language (DML)
As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.
If an attacker uses SQL injection of the DML type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (…) & integrity (update) (Only people authorized to read the data can do so).
- DML commands are used for storing, retrieving, modifying, and deleting data.
- SELECT - retrieve data from a database
- INSERT - insert data into a table
- UPDATE - updates existing data within a table
- DELETE - Delete all records from a database table
Data Definition Language (DDL)
Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.
If an attacker uses SQL injection of the DDL type to manipulate your database, he will violate the following of the three protection goals in information security: integrity (alter) & availability (drop). (Only people authorized to change/delete the data can do so.)
- DDL commands are used for creating, modifying, and dropping the structure of database objects.
- CREATE - to create a database and its objects like (table, views, …)
- ALTER - alters the structure of the existing database
- DROP - delete objects from the database
- Example:
- CREATE TABLE employees(
userid varchar(6) not null primary key,
first_name varchar(20),
last_name varchar(20),
department varchar(20),
salary varchar(10),
auth_tan varchar(6)
);
- CREATE TABLE employees(
Data Control Language (DCL)
Data control language is used to create privileges to allow users to access and manipulate the database.
If an attacker uses SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) & availability (revoke) (Unwanted people could grand themselves admin privileges or revoke the admin rights from an administrator)
- DCL commands are used for providing security to database objects.
- GRANT - allow users access privileges to the database
- REVOKE - withdraw users access privileges given by using the GRANT command
What is SQL injection?
SQL injections are the most common web hacking techniques. A SQL injection attack consists of insertion or “injection” of malicious code via the SQL query input from the client to the application. If not dealt with correctly, such an injection of code into the application can have an serious impact on e.g. data integrity and security.
SQL injections can occur, when unfiltered data from the client, e.g. the input of a search field, gets into the SQL interpreter of the application itself. If the input from the client does not get checked for containing SQL commands, hackers can easily manipulate the underlying SQL statement to their advantage.
1 |
|
Here are some examples of what a hacker could supply to the input field to perform actions on the database that go further than just reading the data of a single user:
Smith’ OR '1' = '1
results inSELECT * FROM users WHERE name = 'Smith' OR TRUE;
and that way will return all entries from the users tableSmith’ OR 1 = 1; --
results inSELECT * FROM users WHERE name = 'Smith' OR TRUE;--';
and that way will return all entries from the users tableSmith’; DROP TABLE users; TRUNCATE audit_log; --
chains multiple SQL-Commands and deletes the USERS table as well as entries from the audit_log
Consequences of SQL injection
A successful SQL injection exploit can:
- Read and modify sensitive data from the database
- Execute administration operations on the database
- Shutdown auditing or the DBMS
- Truncate tables and logs
- Add users
- Recover the content of a given file present on the DBMS file system
- Issue commands to the operating system
SQL injection attacks allow attackers to
- Spoof identity
- Tamper with existing data
- Cause repudiation issues such as voiding transactions or changing balances
- Allow the complete disclosure of all data on the system
- Destroy the data or make it otherwise unavailable
- Become administrator of the database server
Severity of SQL injection
The severity of SQL injection attacks is limited by
- Attacker’s skill and imagination
- Defense in depth countermeasures
- Input validation
- Least privilege
- Database technology
Not all databases support command chaining
- Microsoft Access
- MySQL Connector/J and C
- Oracle
SQL injection is more common in PHP, Classic ASP, Cold Fusion and older languages
- Languages that do not provide parameterized query support
- Parameterized queries have been added to newer versions
- Early adopters of web technology (i.e. Old Code)
Not all databases are equal (SQL Server)
- Command shell:
master.dbo.xp_cmdshell 'cmd.exe dir c:'
- Registry commands:
xp_regread
,xp_regdeletekey
, …
update';drop table access_log
讲道理这突然绿了我是没想到的。没想到吧?应该还有个引号没处理。
SQL Injection (advanced)
Special Characters
1 |
|
Special Statements
Union
The Union operator is used, to combine the results of two or more SELECT Statements.
Rules to keep in mind, when working with a UNION:
- The number of columns selected in each statement must be the same.
- The datatype of the first column in the first SELECT statement, must match the datatype of the first column in the second (third, fourth, …) SELECT Statement. The Same applies to all other columns.
1 |
|
The UNION ALL Syntax also allows duplicate Values.
Joins
The Join operator is used to combine rows from two ore more tables, based on a related column
1 |
|
Blind SQL injection 盲注
Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
Difference
Let us first start with the difference between a normal SQL injection and a blind SQL injection. In a normal SQL injection the error messages from the database are displayed and gives enough information to find out how the query is working. Or in the case of an UNION based SQL injection the application does not reflect the information directly on the web page. So in the case where nothing is displayed you will need to start asking the database questions based on a true or false statement. That is why a blind SQL injection is much more difficult to exploit.
There are several different types of blind SQL injections: content-based and time-based SQL injections.
Example
In this case we are trying to ask the database a boolean question based on for example an unique id, for example suppose we have the following url: https://my-shop.com?article=4
On the server side this query will be translated as follows:
1 |
|
When we want to exploit this we change the url into: https://shop.example.com?article=4 AND 1=1
This will be translated to:
1 |
|
If the browser will return the same page as it used to when using https://shop.example.com?article=4
you know the website is vulnerable for a blind SQL injection. If the browser responds with a page not found or something else you know a blind SQL injection might not work. You can now change the SQL query and test for example: https://shop.example.com?article=4 AND 1=2
which will not return anything because the query returns false.
So but how do we actually take advantage of this? Above we only asked the database for trivial question but you can for example also use the following url: https://shop.example.com?article=4 AND substring(database_version(),1,1) = 2
Most of the time you start by finding which type of database is used, based on the type of database you can find the system tables of the database you can enumerate all the tables present in the database. With this information you can start getting information from all the tables and you are able to dump the database. Be aware that this approach might not work if the privileges of the database are setup correctly (meaning the system tables cannot be queried with the user used to connect from the web application to the database).
Another way is called a time-based SQL injection, in this case you will ask the database to wait before returning the result. You might need to use this if you are totally blind so there is no difference between the response you can use for example:
1 |
|
这道题的暗坑是最后需要用tom
登陆而不是Tom
,首字母大写的用户名Tom
甚至能直接注册。
两份参考思路:
利用BurpSuite:WebGoat之路-2-Injection
使用python脚本:历史最全 WebGoat 8.0 通关攻略
猜测用户密码存储在password
字段,tom' or password='123
没有返回错误 :D
第一次使用burpsuite
,随便找了份文档BurpSuite系列(五)----Intruder模块(暴力破解)
当猜测密码长度与实际密码长度相同时,注册失败,返回提示"User {0} already exists please try to register with a different username."
因此进行如下尝试:
卑微社区版用户只能手动打标记or2
start attack
后,可知密码长度为23:
burpsuite社区版爆破实在太慢了,朋友说能改线程数,我没能找到,大概是被阉割了。参考了原本放弃的python脚本版解法,发现并不难理解,稍作修改,跑出密码thisisasecretfortomonly
。
最后多的两个符号有点奇怪?
1 |
|
SQL Injection (mitigation)
Immutable Queries
These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
Static Queries
1 |
|
Parameterized Queries
1 |
|
Parameterized Queries - Java Snippet
1 |
|
Parameterized Queries - Java Example
1 |
|
Parameterized Queries - .NET
1 |
|
Stored Procedures
Only if stored procedure does not generate dynamic SQL
Safe Stored Procedure (Microsoft SQL Server)
1 |
|
Injectable Stored Procedure (Microsoft SQL Server)
1 |
|
有一个比较头疼的问题,我当初java学得一般,目前已经忘得差不多了,看看代码尚可,写就。。。建议参考之前的两篇文章or2
啊他们写得真好啊.jpg
我的webgoat系列只是复制粘贴lesson内容罢了,只为了以后想看时不用打开虚拟机docker,可是又有什么意义呢?像极了浪费时间。
还有二十天期末考试,有些焦虑。sql注入部分结束后先准备考试吧w