Detective story about SQL injection, sometimes blind

Good day!

I would not have thought of writing an article about this, because I thought the topic was pretty worn out. But judging by this article, the audience does find it interesting. What finally convinced me to write was this comment.

This story happened to "an acquaintance of a friend of my acquaintance," but, for the sake of brevity, I will retell it in his words, simply using "I." It was a week and a half ago. Here goes.
I needed to learn a certain European language, in light of a possible move to a certain European country. And I found a wonderful site that offered to teach the language with the help of podcasts. The podcasts themselves are distributed free of charge, but you can buy a PDF with the lesson notes and exercises. I don't really need these notes, but my wife, unlike me, is not an auditory learner at all, and she also needs to learn the language. Before buying something on the Internet, I carefully study the seller's site: I do not want my data to leak somewhere. And in this case, everything turned out to be worse than bad. The desire to buy anything disappeared immediately. But to be left without the PDFs would be unsportsmanlike. In the end, I decided to try to use one of the vulnerabilities I had found. I'll say right away that, as a matter of principle, I don't use any automatic vulnerability scanners and I don't cause any harm to the users of the resource; they are not to blame for the fact that the owner of the resource wrote it clumsily. So my tools are reasoning and theoretical knowledge of why vulnerabilities arise and how they are exploited.

Start

First of all, I looked at how the few demo PDFs available for download were served. First, the user goes to:

/guide.php?id=lesson_id

At this point, it is checked whether the current user has the right to download the specified PDF. If so, there is a redirect to:

/download.php?f=filename.pdf

It immediately turned out that this script serves the specified file without checking anything. Since the example available for lesson №1 had the filename 001.pdf, I decided to try to get all the files by iterating through the names. If everything had been that simple, there would be nothing to write about. But this way only the first 100 files were obtained. The rest had the creation timestamp in their names, and it became impossible to enumerate them, because the creation times were spread over several months.

Working the SQL injection

Pretty soon a banal SQL injection was discovered in a GET parameter:

/some_script.php?id=123

From here on, exploiting it seems very simple:
  1. Determine the number of fields in the query
  2. Find the table and field names (for MySQL 5.0 and higher, select them from information_schema)
  3. Get the needed file names
  4. Download the files themselves

But the problems started with the first point: it was not possible to determine the number of fields in the query. With any number of fields in UNION SELECT, and for any number in ORDER BY n, I received the message "You have error in your syntax ..."

In fact, I guessed what the problem was quite by accident, while trying GROUP BY 1. To this I received the error "cannot group by cnt". It turned out that the vulnerable parameter is used twice (well, at least I could not refute this assumption).

First, the number of records with the specified id is selected:

SELECT count(*) FROM table where id=123

If the number of records is 0, the page is considered not found and there is a redirect to the main page. If it is not 0, the data is fetched:

SELECT * FROM table where id=123

Now it becomes clear why it was not possible to find out the number of fields in the query: there are 2 queries, and one of them will always have the wrong number of fields in the UNION. I could not think of a way to insert a different number of fields into the UNION in the first and the second query. And at this moment the SQL injection became blind. I could not find the name of the table with the paths to the files, but I managed to find the name of the table with user data (MySQL 4.1).

Dear developers, do not make 2 queries where you can make one! In this case, instead of SELECT count(*), you could check the number of records returned by the SELECT * query.
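As an added illustration of the two fixes the story points at (it is not the site's code), here is a hardened version of both handlers: the id is bound as a parameter and one query replaces SELECT count(*) followed by SELECT *, and download resolves the file through the lesson id and the purchase record instead of trusting a client-supplied filename. The table and column names, the sqlite3 stand-in for MySQL and the Python modelling of the PHP scripts are all assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's MySQL tables (schema and rows are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE lessons (id INTEGER PRIMARY KEY, title TEXT, pdf TEXT);
        CREATE TABLE purchases (user_id INTEGER, lesson_id INTEGER);
        INSERT INTO lessons VALUES (1, 'Lesson 1', '001.pdf');
        INSERT INTO lessons VALUES (123, 'Lesson 123', '123_1300000000.pdf');
        INSERT INTO purchases VALUES (7, 123);
    """)
    return con


def parse_id(raw_id):
    """The id must be a plain integer; anything else (including an injected payload) is 'not found'."""
    try:
        return int(raw_id)
    except (TypeError, ValueError):
        return None


def lesson_page(con, raw_id):
    """guide.php: a single bound query replaces SELECT count(*) followed by SELECT *.
    Returns (status, row); 302 stands for the redirect to the main page."""
    lesson_id = parse_id(raw_id)
    if lesson_id is None:
        return 302, None
    row = con.execute("SELECT id, title, pdf FROM lessons WHERE id = ?", (lesson_id,)).fetchone()
    # an empty result is the "not found" case; no separate count(*) query is needed
    return (200, row) if row else (302, None)


def download(con, user_id, raw_id):
    """download.php: resolve the file through the lesson id and the purchase table,
    never through a client-supplied filename, so 'f=001.pdf' can no longer be enumerated."""
    lesson_id = parse_id(raw_id)
    if lesson_id is None:
        return 302, None
    row = con.execute(
        "SELECT l.pdf FROM lessons l JOIN purchases p ON p.lesson_id = l.id "
        "WHERE l.id = ? AND p.user_id = ?",
        (lesson_id, user_id),
    ).fetchone()
    return (200, row[0]) if row else (403, None)
```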

Now it remained to think of a way to get useful information. I did this:

/script.php?id=123 limit 0,0 union all select length(username)>4 from tablename limit 0,1--

What we see here:

Thus, by looking at the HTTP header, you can tell whether the condition we passed was true. First we determine the length of the username, then we pull out the name itself letter by letter using binary search (lower(substr(username,1,1)) in ('a','b','c')). Then we pull out the password letter by letter. But it turns out that the password is hashed with md5. And although the hashing is without salt, I still could not recover the site administrators' passwords (I have no rainbow tables, and I didn't want to brute-force on a netbook, and it's unsportsmanlike).

After some thought, I decided to go another way. Since there were more than 60,000 users in the database, I assumed that many of them have popular passwords. Then it was only necessary to pull out, letter by letter, the names of users whose password hash is md5('password'): there were more than 100 of them, and among them were people who had bought the needed PDFs. And they kindly agreed to share them with me.

All this was done with a very simple script that sent a HEAD request (why would we need the page body?) and looked at the response status. If 200, the condition is true; if 302, it is false.

Conclusion

Why was all this written? To show that you need to know the essence and causes of vulnerabilities, and not just learn how to use them. All the guides to exploiting SQL injection that I saw on the Internet suggested determining the number of fields via ORDER BY 5 or UNION SELECT 1,2,3 ... And a person who did not want to think would have left the site with nothing.

In addition, I am slightly proud of my workaround instead of hacking. Well, and not so long ago skepticism was expressed about the existence of such vulnerabilities on the modern Internet and about the practical applicability of blind SQL injection.

PS All coincidences with reality are accidental. The voices of celebrities are imitated, and badly at that.

Source: https://habr.com/ru/post/134885/