old notes

websec

#websec #appsec #sql #portswigger #selfstudy #burpsuite

Burp Usages

  • Repeater: resend requests easily with different params (check HTTP history, right click, send to Repeater)
  • intentionally bad input to trigger error message response

SQLi: allows an attacker to interfere with the queries an app makes to its db

Follow-Up Question:

  • DB structure/version == DB schema?

Impact:

  • potentially view or modify data, can cause persistent damage to app's contents or behaviours
  • access to passwords, CC, Personal info
  • obtain a persistent backdoor
  • long-term compromise that can go unnoticed

Types of SQL Injection Examples:

  • Retrieving Hidden Data: modify an SQL query to return additional values
  • Subverting application logic: change a query to interfere with app logic
  • UNION attacks: retrieve data from different db tables
  • Examining the DB: extract info about version/structure of DB (is this the same as saying DB schema?)
  • Blind SQL injection: results of query you control are not returned in app's responses

SQL Syntax Notes:

-- is a comment indicator, so placing it in an SQL query means the rest of the query after it is not interpreted

Inferring the Database Type

  • query the database for its version details and for which database tables exist

Blind SQL injection vulnerabilities

  • application does not return the results of SQL query or details of any db errors within its responses
  • techniques that can be used to exploit blind SQL injection vulnerabilities:

Union Attack: retrieve data from other tables within the database

two key requirements must be met:

  • individual queries must return the same number of columns
  • data types in each column must be compatible between the individual queries

This generally involves figuring out:

  • How many columns are being returned from the original query?
  • Which columns returned from the original query are of a suitable data type to hold the results from the injected query?

On determining number of columns required in SQL injection UNION attack:

Using ORDER BY:

  • ORDER BY sorts the result set in ascending order by the column at the given index
  • use ORDER BY and increment the specified column index until an error occurs
  • example: if the injection point is a quoted string within the WHERE clause of the original query, you would submit: ' ORDER BY 1-- then ' ORDER BY 2-- then ' ORDER BY 3-- etc.
  • check the error message: might return a db error, might return a generic error; infer how many columns from where it starts failing

Using UNION SELECT:

  • ' UNION SELECT NULL--
  • ' UNION SELECT NULL,NULL--
  • ' UNION SELECT NULL,NULL,NULL--
  • check the error message after each one
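Added example (my own, not from the PortSwigger material): a toy in-memory SQLite db shows why the ORDER BY / UNION SELECT NULL column-count probes above produce errors when a query is built by string concatenation, and that the same inputs are inert once the query is parameterised. The table, rows and function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: only rows with released = 1 should ever be shown.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (name TEXT, category TEXT, price INT, released INT);
INSERT INTO products VALUES ('Mug', 'Gifts', 5, 1);
INSERT INTO products VALUES ('Secret Gadget', 'Gifts', 99, 0);
""")


def lookup_vulnerable(category):
    """Builds the query by concatenation: the user-controlled value becomes
    part of the SQL text, so a quote or -- inside it rewrites the query."""
    sql = ("SELECT name, price FROM products "
           f"WHERE category = '{category}' AND released = 1")
    return conn.execute(sql).fetchall()


def lookup_safe(category):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes, comment markers and keywords in it are plain data."""
    sql = ("SELECT name, price FROM products "
           "WHERE category = ? AND released = 1")
    return conn.execute(sql, (category,)).fetchall()


def probe(payload):
    """Mimics the 'check the error message' step from the notes against the
    vulnerable lookup: 'error' when the db rejects the query, else 'ok'.
    The column count is two, so ORDER BY 3 and a one-column UNION both fail."""
    try:
        lookup_vulnerable(payload)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    print(lookup_vulnerable("Gifts"))        # [('Mug', 5)]
    print(lookup_vulnerable("Gifts'--"))     # comment drops the released filter
    print(lookup_safe("Gifts'--"))           # [] : treated as a literal category
    print(probe("' ORDER BY 2--"), probe("' ORDER BY 3--"))
    print(probe("' UNION SELECT NULL--"), probe("' UNION SELECT NULL,NULL--"))
```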