PortSwigger Academy Day_01
#websec #appsec #sql #portswigger #selfstudy #burpsuite
Burp Usages
- repeater to resend requests easily with different params: check http history, right click, send to repeater
- intentionally bad input to trigger error message response
SQLi: allows attacker to interfere with db queries from app
Follow-Up Question:
- DB structure/version == DB schema?
Impact:
- potentially view or modify data, can cause persistent damage to app's contents or behaviours
- access to passwords, CC, Personal info
- obtain a persistent backdoor
- long-term compromise that can go unnoticed
Types of SQL Injection Examples:
- Retrieving Hidden Data: modify an SQL query to return additional values
- Subverting application logic: change a query to interfere with app logic
- UNION attacks: retrieve data from different db tables
- Examining the DB: extract info about version/structure of DB (is this the same as saying DB schema?)
- Blind SQL injection: results of query you control are not returned in app's responses
SQL Syntax Notes:
-- is a comment indicator, so using it in an SQL query means that the rest of the query after it will not be interpreted
Inferring the Database Type
- query the database for its version details and for what tables exist (the query that returns version info differs between database types, which is what lets you infer the type)
Blind SQL injection vulnerabilities
- application does not return the results of SQL query or details of any db errors within its responses
- techniques that can be used to exploit blind SQL injection vulnerabilities:
Union Attack: retrieve data from other tables within the database
two key requirements must be met:
(1) individual queries must return the same number of columns
(2) data types in each column must be compatible between the individual queries
This generally involves figuring out:
– How many columns are being returned from the original query?
– Which columns returned from the original query are of a suitable data type to hold the results from the injected query?
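Added example (mine, not from PortSwigger or these notes): a toy sqlite3 database with a quoted WHERE clause, looked up once by string concatenation and once with a bound parameter. The ORDER BY and UNION SELECT NULL probes used in these notes are run against both versions. The concatenated version errors when the column count is wrong and succeeds when it matches, and the -- also drops the released = 1 filter, which is the "retrieving hidden data" case; the parameterised version treats the whole input as a category name and returns nothing. Table name, column names and rows are made up.

```python
import sqlite3


def make_db():
    """Constructed sample data: a product listing where unreleased rows are hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, price REAL, category TEXT, released INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            ("Widget", 9.99, "Gifts", 1),
            ("Gadget", 19.99, "Gifts", 1),
            ("Prototype", 0.0, "Gifts", 0),  # hidden: not released
            ("Ball", 4.50, "Toys", 1),
        ],
    )
    return conn


def vulnerable_lookup(conn, category):
    """Vulnerable: the category string is concatenated into a quoted WHERE clause,
    so a single quote in the input closes the literal and the rest becomes SQL.
    Returns ("ok", rows) or ("error", message), like an app that leaks DB errors."""
    sql = (
        "SELECT name, price FROM products WHERE category = '"
        + category
        + "' AND released = 1"
    )
    try:
        return "ok", sorted(conn.execute(sql).fetchall(), key=str)
    except sqlite3.Error as exc:
        return "error", str(exc)


def safe_lookup(conn, category):
    """Hardened: a bound parameter is always a value, never SQL, so quotes,
    ORDER BY, UNION and -- in the input are just part of the string compared."""
    sql = "SELECT name, price FROM products WHERE category = ? AND released = 1"
    return "ok", sorted(conn.execute(sql, (category,)).fetchall(), key=str)


if __name__ == "__main__":
    conn = make_db()
    # the original query returns 2 columns (name, price), so index 3 and a
    # one-NULL UNION both fail while index 2 and a two-NULL UNION succeed
    for probe in [
        "Gifts",
        "Gifts' ORDER BY 2--",
        "Gifts' ORDER BY 3--",
        "Gifts' UNION SELECT NULL--",
        "Gifts' UNION SELECT NULL,NULL--",
    ]:
        print(repr(probe))
        print("  vulnerable:", vulnerable_lookup(conn, probe))
        print("  safe      :", safe_lookup(conn, probe))
```

Note that with the concatenated query even the "working" probes return the unreleased Prototype row, because everything after -- (including AND released = 1) is ignored; the parameterised query never changes shape, so no input can add an ORDER BY, a UNION or a comment to it.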
On determining number of columns required in SQL injection UNION attack:
Using ORDER BY
– ORDER BY sorts the result set in ascending order by the given column; a column index can be used in place of a column name
– use ORDER BY with an incrementing column index until an error occurs
– example: if the injection point is a quoted string within the WHERE clause of the original query, you would submit:
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
etc.
– check the error message: the response might contain a db error or a generic error; the highest index that works without an error is the number of columns the original query returns
Using UNION SELECT
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
– check the error message: the number of NULLs that does not produce an error is the number of columns (NULL is used because it is compatible with every column data type)
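Added example from the defender's side, not part of these notes or of PortSwigger's material: the ORDER BY 1, 2, 3 / UNION SELECT NULL,NULL sequence above is easy to spot in web server logs, because the probes arrive as a burst of requests from one client with increasing column indices and usually end in a 5xx when the index overshoots. The script parses constructed combined-format access log lines (made-up IPs, paths and sizes), URL-decodes the query parameters, and flags any client that sends two or more distinct ORDER BY indices or any UNION SELECT. The log lines, the parameter name and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 1534
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /filter?category=Gifts%27%20ORDER%20BY%201-- HTTP/1.1" 200 1610
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /filter?category=Gifts%27%20ORDER%20BY%202-- HTTP/1.1" 200 1610
10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /filter?category=Gifts%27%20ORDER%20BY%203-- HTTP/1.1" 500 112
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /filter?category=Gifts%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 1690
10.0.0.7 - - [12/Mar/2024:10:00:06 +0000] "GET /filter?category=Toys HTTP/1.1" 200 1400
"""

# client ip, timestamp, method, request path, status code, response size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# coarse signatures for the column-count probes described in the notes
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\s+(\d+)", re.IGNORECASE)
UNION_RE = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # parse_qs percent-decodes values, so %27 and %20 become ' and space
    rec["params"] = parse_qs(urlsplit(rec["path"]).query)
    return rec


def analyze(lines):
    """Summarise per client: ORDER BY indices seen, UNION SELECT hits, 5xx count, flag."""
    per_client = defaultdict(
        lambda: {"order_by_indices": [], "union_select": 0, "server_errors": 0, "flagged": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = per_client[rec["ip"]]
        if rec["status"] >= 500:
            client["server_errors"] += 1
        for values in rec["params"].values():
            for value in values:
                for m in ORDER_BY_RE.finditer(value):
                    idx = int(m.group(1))
                    if idx not in client["order_by_indices"]:
                        client["order_by_indices"].append(idx)
                if UNION_RE.search(value):
                    client["union_select"] += 1
    for client in per_client.values():
        # two or more distinct indices from one client is the enumeration pattern;
        # a single UNION SELECT in a parameter value is suspicious on its own
        client["flagged"] = len(client["order_by_indices"]) >= 2 or client["union_select"] > 0
    return dict(per_client)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

This is a pattern-based check tuned to the exact probe sequence in the notes; a production detection would normalise other encodings, look at all parameter sources (not just the query string), and correlate the 5xx responses with the database error log, since the error the attacker reads is the same one the defender can alert on.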