0xor1day

Command Injection and SQL Injection

7 min read

Command Injection - abuse of an application’s behavior to execute commands on the OS, using the same privileges. RCE - remote code execution - ability to remotely execute code within an application eg. being able to abuse an application to perform the command whoami to list the user account the application is running

Applications use functions in PHP, Python and NodeJS to pass data to make system calls on the machine’s operating system

Exploiting command injection Applications that use user input to populate system commands with data can often be combined in unintended behavior -shell operators ”;”, ”&” and ”&&” will combine two or more system commands and execute them -two ways to detect command injection

  1. Blind command injection: no direct output from app; investigate the app to determine sucess
  2. Verbose command injection: direct feedback from app;

Detecting blind command injection -no output is visible -need to use payloads that will cause some time delay eg ping and sleep(ping - hang app # of pings = seconds) -force an output using redirection operators ”>”, execute a command and redirect to a file, use cat to view file -curl: deliver data to and from an application

Detecting verbose command injection -get feedback from application -ping or whoami - results directly displayed on the web app

Linux commands whoami - what user the application is running under ls - list contents of current directory ping - invoke application to hang sleep - if machine does not have ping installed nc - netcat can be used to spawn a reverse shell onto vulnerable application; navigate target machine;

Windows commands whoami - what user the application is running under dir - list contents of the current directory ping - invoke application to hang timeout - if machine does not have ping installed

Remediating Command Injection Vuln functions in PHP -Exec -Passthru -System Input sanitisation -specifying the formats or types of data that a user can input -filter_input: PHP used to check any data submitted on an input form Bypassing Filters -use of hexadecimal instead of filtered character

SQL Injection SQL - structured query language. SQLi - SQL injection: attack on web application database server that causes malicious queries to be executed. -web app communicates with database using input from user that hasn’t been properly validated -could lead to an attacker to steal, delete or alter private and customer data

Database: electronic storage of data in an organized manner DBMS - database management system - control databases

  1. Relational: mySQL, Microsoft SQL server, Access, PostgreSQL, SQLite: stores information in tables w/ shared information between tables
  2. Non-Relational: NoSQL: MongoDV, Cassandra and ElasticSearch - doesn’t include tables: each row of data can contain different information

Tables: columns and rows, grid Columns: field: unique name per table Auto-increment feature Key field: unique for every row of data used to find exact row in SQL queries Rows: Individual lines of data -add data - row added; delete data - row deleted

Structured Query Langauge - feature-rich language used for querying databases, SQL queries are referred to as statements select, update, insert and delete data

  1. Select select * from {table}; eg: select * from users; -select: retrieve some data -*: receive back all columns from the table -from users: retrieve data from the table named users -; : end of statement
  2. select username,password from users; -retrieve the columns username and password from the table users
  3. select * from users LIMIT 3,1; -retrieve all columns from the table users and limit the skip the first three results and return 1 row of data
  4. where clause. eg: select * from users where username =‘admin’; retrieve all columns from the table users where username equals admin
  5. select * from users where username !=‘admin’; retrieve all columns from the table users where username doesn’t equal admin
  6. select * from users where username=‘admin’ or username=‘jon’; retrieve all columns from the table users where username is admin or jon
  7. select * from users where username=‘admin’ and password=‘password’; retrieve all columns from the table users where username is admin and password is password

like clause - allows to specify data that isn’t an exact match but either starts, contains or ends with certain characters ‘{character}%’ - starts with character ’%{character}’ - ends with character ’%‘{character}%’ - contains character

Union statement - combines the results of two or more select statements to retrieve data from either single or multiple tables statement: SELECT name,address,city,postcode from customers UNION company,address,city,postcode from suppliers

Insert - tells db to insert a new row of data into table insert into users (username, password) values(‘bob’, ‘password123’); insert a row into users table under columns username use bob and under password use password123

Update - tells db to update one or more rows of data within a table update users SET username=‘root’,password=‘passwd’ where username=‘admin’; update the users table the row with username ‘admin’ change username to ‘root’ and password to ‘passwd’

Delete - tells db to delete one or more rows of data delete from users where username=‘mark’; delete a row from the table users with the username ‘mark’ **delete from users (without specification) delete all rows from the users table

SQL Injection(SQLi) -user provided data gets included in SQL query -”;—” end of SQL statement and comment everything afterwards

In-Band SQL Injection -same method of communication being used to exploit the vuln andalso receive the result -discovering SQL injection vuln on page and being able to extract data from the database to the same page

Error-Based SQL Injection -useful for obtaining information about database structure as error messages from db are printed directly to the browser screen -useful for enumerating the whole db

Union-Based SQL Injection -utilizes SQL Union along side Select statement to return additional results to the page. This method is the most common way of extracting large amounts of data via an SQL injection vuln

practical THM

  1. Try to get an error
  2. database() - return name of database eg 0 UNION SELECT 1,2,database()
  3. gather the list of tables with the database name

eg: 0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = ‘sqli_one’

group_concat() - gets specified column from multiple return rows and puts it into one string separated by commas information_schema - contains information about the databases and tables the user has access to 4. get log in credentials from the staff_users section

eg: 0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = ‘staff_users’; -go to columns of staff_users table concat those columns

  1. reveal id, password and username eg: 0 UNION SELECT 1,2,group_concat(username,’:‘,password SEPARATOR '
    ') FROM staff_users -concat the username and password columns with a line break from the staff_users table

BLIND SQLi - Authentication Bypass -blind SQLi - little to no feedback to confirm if injected queries were successful or not -injection still works -bypass authentication methods such as login forms

select * from users where username=‘%username%’ and password=‘%password%’ LIMIT 1; -pw field- : ’ OR 1=1;—

BLIND SQLi - Boolean based -two value outcome response (true/false) -confirms if payload was successful or not

BLIND SQLi - Time Based -No visual indicator of queries being wrong or right, indicator of correct query is based on the time the query takes to complete -use built in method SLEEP(x)

OUT-of-Band SQLi -depends on specific features being enabled -make external network call -two different communication channels

  1. to launch attack - web request
  2. to gather results - monitor HTTP/DNS requests steps
  3. attacker makes request to a website vulnerable to SQLi with payload
  4. website make an SQL query to the database which also passes the hacker’s payload
  5. payload contains a request which forces and HTTP request back to the hacker’s machine containing data from the database

Remediation

  1. Prepared statements (with parameterized queries): user inputs added as a parameter afterwards -ensures that SQL code structure doesn’t change and database can distinguish b/n query and data

  2. Input validation: allow list to restrict input - string replacement method

  3. Escaping user input: ’ ” $ \ can cause SQL queries to break and open up to injection attacks. -escaping user input is the method of prepending a backslash to these characters which cause them to be parsed just as regular string and not a special character

Graph View