<p style="font-size: 14px;text-align:center">
The Islamic University of Gaza
</p>
<p style="font-size: 14px;text-align:center">
Computer & Network Security Lab - 2023
</p>
<p style="color:#000033;font-weight: bold;text-align:center">
LAB (2) || Common Web
Security Vulnerabilities
</p>
<p style="text-align:right">
Amal I. Mahfouz
</p>
****
<p style="font-size:20px;color:#000066;font-weight: bold;">
SQL Injection
</p>
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
The vulnerability is present when user input is not correctly validated by the web application before being sent to the back-end database server. Many web applications take input from users and use it to build SQL queries that retrieve information from the database; this is common practice in web development.
Attackers can steal information from the victim's database or, even worse, make changes to it, causing persistent changes to the application's content or behavior.
In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.
<p style="font-size:16px;color:#6499E9;font-weight: bold;">
Example 1:
</p>
Let's assume you have a website with a login feature that takes a user's input and queries a database to find a user by username and password:
> <p style="font-size:18px;color:#26577C;font-weight: bold;">
> $username = $_POST["user"];</p>
> <p style="font-size:18px;color:#26577C;font-weight: bold;">
> $password = $_POST["password"];</p>
> <p style="font-size:18px;color:#26577C;font-weight: bold;">
> $Query = "SELECT * FROM Users WHERE Name = '" . $username . "' AND password = '" . $password . "';";
> </p>
In this example, if an attacker supplies the username value (' OR 1=1;-- ), the result is a destructive SQL injection.
The query becomes:
> <p style="font-size:16px;color:#22668D;font-weight: bold;">
> SELECT * FROM Users WHERE Name = '' OR 1=1;-- ' AND password = 'xxxx';
> </p>
This query might return more than one user. Most applications will process the first user returned, meaning that the attacker can exploit this and log in as the first user the query returned. The double-dash (--) sequence is a comment indicator in SQL and causes the rest of the query to be commented out.
---
<p style="font-size:16px;color:#6499E9;font-weight: bold;">
Example 2:
</p>
Let's assume you have a website with a feature that searches for items by name. It takes the user's input and queries the database for items whose owner matches the username of the currently authenticated user:
<p style="font-size:16px;color:#26577C;font-weight: bold;">$username = $_POST["Owner"];</p>
<p style="font-size:16px;color:#26577C;font-weight: bold;">$itemname = $_POST["Item"];</p>
<p style="font-size:16px;color:#26577C;font-weight: bold;">$Query = "SELECT * FROM items WHERE owner = '" . $username . "' AND itemname = '" . $itemname . "';";</p>
In this example, if an attacker supplies the username value (yyy) and the itemname value (xxx' OR 'H'='H'), the result is a destructive SQL injection:
> <p style="font-size:16px;color:#26577C;font-weight: bold;">SELECT * FROM items
> WHERE owner = 'yyy'
> AND itemname = 'xxx' OR 'H'='H';</p>
Logical Implication: The attacker has cleverly added the condition "OR 'H'='H'" to the query. In SQL, 'H'='H' is always true, so this condition is always satisfied. As a result, the WHERE clause effectively becomes:
> <p style="font-size:16px;color:#26577C;font-weight: bold;"> WHERE false OR true;</p>
Since the condition is always true, the entire WHERE clause becomes true for every row in the "items" table. Consequently, the query simplifies to:
> <p style="font-size:16px;color:#26577C;font-weight: bold;" >SELECT * FROM items;</p>
This means that the attacker, regardless of their actual ownership, can now retrieve all entries from the "items" table, effectively bypassing the intended security restriction that only items owned by the authenticated user should be accessible.
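The two examples above, run end to end as an added example (not part of the handout, and using Python's sqlite3 module with an in-memory database instead of the handout's PHP and a real database server). The table contents are constructed here. Each vulnerable function builds the query by string concatenation exactly as the PHP does; the `_safe` variant beside it uses a parameterized query, which is the standard fix: the driver sends the values separately from the SQL text, so they can never change the query's structure.

```python
import sqlite3


def make_db():
    """Constructed sample data: two tables matching the handout's examples."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (Name TEXT, password TEXT);
        INSERT INTO Users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE items (owner TEXT, itemname TEXT);
        INSERT INTO items VALUES ('alice', 'laptop'), ('bob', 'phone'), ('carol', 'badge');
    """)
    return conn


# --- Example 1: login -------------------------------------------------------

def login_vulnerable(conn, username, password):
    # Same construction as the handout: user input is pasted into the SQL text.
    query = ("SELECT * FROM Users WHERE Name = '" + username
             + "' AND password = '" + password + "';")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: '?' placeholders are bound to the values by the driver,
    # so quotes, comments and keywords in the input are treated as plain data.
    query = "SELECT * FROM Users WHERE Name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# --- Example 2: items owned by the current user -----------------------------

def items_vulnerable(conn, owner, itemname):
    query = ("SELECT * FROM items WHERE owner = '" + owner
             + "' AND itemname = '" + itemname + "';")
    return conn.execute(query).fetchall()


def items_safe(conn, owner, itemname):
    query = "SELECT * FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (owner, itemname)).fetchall()


def demo():
    """Runs the handout's two payloads against both versions and returns the rows."""
    conn = make_db()
    login_payload = "' OR 1=1;-- "        # Example 1 username value
    item_payload = "xxx' OR 'H'='H"       # Example 2 itemname value (the query's own quote closes it)
    return {
        # concatenation: WHERE Name = '' OR 1=1;-- ...  -> every user comes back
        "login_vuln": login_vulnerable(conn, login_payload, "xxxx"),
        # binding: looks for a user literally named "' OR 1=1;-- " -> nothing
        "login_safe": login_safe(conn, login_payload, "xxxx"),
        # concatenation: ... AND itemname = 'xxx' OR 'H'='H' -> whole table
        "items_vuln": items_vulnerable(conn, "yyy", item_payload),
        "items_safe": items_safe(conn, "yyy", item_payload),
        # the safe version still answers legitimate lookups
        "items_legit": items_safe(conn, "bob", "phone"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

The `AND`-before-`OR` precedence the handout describes is visible in `items_vuln`: the injected `OR 'H'='H'` applies to the whole `WHERE` clause, not just to `itemname`, so all three rows come back even though the owner filter was "yyy".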
---
<p style="font-size:16px;color:#9A3B3B;font-weight: bold;">
Union Attack & Determining the number of columns
</p>
When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in an SQL injection UNION attack. The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query.
Because a UNION only works when both queries return the same number of columns with compatible types, a common first step is to inject a series of ORDER BY clauses into the query to determine the number of columns in the result set and their data types. This information is valuable to an attacker because it reveals the structure of the query and lets them take the attack further.
Suppose you have a vulnerable web application with a search feature that allows users to search for products by name. The SQL query for this feature might look like this:
> <p style="font-size:16px;color:#5B9A8B;font-weight: bold;" >SELECT product_name, description FROM products WHERE product_name = 'UserInput';</p>
Now, an attacker wants to gather information about the underlying database. The attacker enters the following input into the search field: (' ORDER BY 1--)
> <p style="font-size:16px;color:#5B9A8B;font-weight: bold;" >SELECT product_name, description FROM products WHERE product_name = '' ORDER BY 1--';</p>
Here, ' ORDER BY 1-- appends an ORDER BY clause to the query, ordering the results by the first column (in this case, product_name).
> then try with: (' ORDER BY 2--)
The attacker increments the index to 2, ordering the results by the second column (in this case, description). If this index is valid, the query will execute without errors.
> then try with: (' ORDER BY 3--)
This time an error occurs, because there are only two columns in the result set but the attacker is trying to order by a third column, which doesn't exist. The database returns an error message for the invalid column index.
The attacker uses these error messages to gather information about the database schema, such as the number of columns and their data types. Once they have this information, they can craft more sophisticated SQL injection attacks to retrieve or manipulate data.
<p style="font-size:16px;color:#b30000;font-weight: bold;">
Finding columns with a useful data
</p>
To identify columns with string data, the attacker sends a series of UNION SELECT payloads. Each payload inserts a string value ('a') into one of the columns while keeping the other columns as NULL. This shows which columns accept string data without causing SQL errors.
' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--
---
LABWORK { Enjoy this task :+1: }
task 1: http://redtiger.labs.overthewire.org/level1.php
sol : (find the number of columns returned by the database using ORDER BY, then determine the type of the value returned in each column)
?cat=1 UNION SELECT NULL,NULL,username,password FROM level1_users
task 2:
jawwal.ps free messages are restricted to 240 characters, but the limit is validated only on the client side, so if you simply remove the validation code using your browser's developer tools, you can send 250 characters!
task 3: Cross-site scripting (XSS):
If you have a blog that allows users to post content (e.g. comments) and you don't validate whether a user added HTML to their comment, every user who views that comment will have the injected HTML rendered by their browser.
try with this game : https://xss-game.appspot.com/level1
<p style="font-size:16px;color:#557A46;font-weight: bold;">
sol : ?query=<script> alert("Good Hacker")</script>
</p>
try with this game: https://xss-game.appspot.com/level2
<p style="font-size:16px;color:#557A46;font-weight: bold;">
sol : img src='xxx' onerror="alert('hi hacker')"
</p>
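The fix for the task-3 scenario is output encoding: before the comment body is placed into the page, characters that have meaning to the HTML parser are turned into entities, so the browser displays them as text instead of interpreting them. The following added example (not part of the handout or of the xss-game site) renders a comment both ways and then parses the result the way a browser would, checking whether any script tag or event-handler attribute survived. The comment template and the check itself are assumptions made for the example; the two payloads are the handout's solutions, with the level-2 one written as a complete tag.

```python
import html
from html.parser import HTMLParser

# Assumed template for a blog comment; the body comes straight from the user.
COMMENT_TEMPLATE = '<div class="comment"><p>{body}</p></div>'


def render_unsafe(body):
    # The bug the task describes: user-controlled text dropped into the page as markup.
    return COMMENT_TEMPLATE.format(body=body)


def render_safe(body):
    # Output encoding: < > & " ' become &lt; &gt; &amp; &quot; &#x27;, so the
    # browser shows the comment's characters instead of parsing them as tags.
    return COMMENT_TEMPLATE.format(body=html.escape(body, quote=True))


class ActiveContentFinder(HTMLParser):
    """Records constructs that run script when the browser parses the markup:
    <script> elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.hits.append(f"{tag}@{lname}")
            elif lname in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}@{lname}=javascript:")


def active_content(markup):
    """Returns the list of script-bearing constructs found in the rendered markup."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


# The handout's two solutions, as they would arrive in a comment body.
PAYLOADS = [
    '<script> alert("Good Hacker")</script>',
    "<img src='xxx' onerror=\"alert('hi hacker')\">",
]


def compare(body):
    """Active content in the unsafe rendering versus the encoded rendering."""
    return active_content(render_unsafe(body)), active_content(render_safe(body))


if __name__ == "__main__":
    for p in PAYLOADS:
        unsafe_hits, safe_hits = compare(p)
        print(f"{p!r}\n  unsafe: {unsafe_hits}\n  safe:   {safe_hits}")
```

Encoding on output is the right layer because it matches the context the data is written into; rejecting `<script>` on input would still leave the `img onerror` form and many others. The parser-based check is a useful unit test to keep next to any rendering code: it fails the moment someone bypasses the escaping.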
---
Homework:
1. Solve levels 2 and 3 on this website.
http://redtiger.labs.overthewire.org/
2. Solve level 3 on this website.
https://xss-game.appspot.com/level1
3. https://tech.io/playgrounds/58859/iug-ecom-5401-lab-02