EC Council CEH 312-50 V11 – Website Hacking – SQL Injection Vulnerabilities part 3
- Reading & Writing Files On The Server Using SQL Injection Vulnerability
In this lecture I'd like to show you how we can use SQL injections to read any file on this server. So even if the file exists outside the web root, we'll be able to read it, exactly like a file disclosure vulnerability. And we'll also see how we can use it to write files and upload them to the system, just like a file upload vulnerability. So the first thing we're going to have a look at is reading a file. I'm going to set everything to null here. So I have my statement, and I'm going to set the first one to null, leave number two because I'm going to put something in that, and then add another three nulls. So we have select null, something, null, null, null. Five, because we got five when we did the order by.
And instead of selecting something, remember in the third video we did select database(), for example, and it showed us the current database. What I want to do now is use another function, and that function is called load_file. In here I'm going to put the file that I want to load, and I'm going to use the same file that we had a look at in the file inclusion vulnerability, which was /etc/passwd. So we're trying to read that file, and our statement is union select that file, and that's it. So I'm going to copy this, inject it here, and add my %23, which is my comment. And as you can see, we managed to read all the content of /etc/passwd, even though it's not in the web root; it's stored in /etc/passwd.
So we can read anything on the server: files from other websites, other files, anywhere on the server. We can read it by specifying the full path of that file. The next thing I'd like to show you is writing to the server. So we're actually going to write stuff to the server, and this is very useful because you'd be able to write any code you want. So for example, you can write the code for a PHP script, the code for a shell, a virus, or PHP code to get a reverse connection to you. It'll basically just act like a file upload vulnerability. To do that I'm going to put the content that I want to write here, and I'm going to call it, for example, just "example". And we're going to use a function called outfile. So we're going to do into outfile and then specify where we want to store that file.
Now in the best-case scenario, you'd be able to write to your web root, and that means you can access the file through the browser and execute it, so you could upload a Weevely file and then connect to it and do stuff like that. So let's try to do that first. We're going to do it in /var/www, which is our web root, so we'll be able to access things through it. Or you can put /var/www and then mutillidae after it to store it in there. So the command is very simple. Again, union select. Make sure you set everything to null so that nothing gets written to the file except what you put in here. I put "example", "example", and it's going to be stored into a file in /var/www/mutillidae, and we'll call that example.txt. Let's try to run this and see if it works.
Now, this didn't work, and if you come down here, you'll see that MySQL is not allowed to create or write to this directory. So the problem is that the permissions we have don't allow us to write to this particular location. Just to test this exploit, I'm going to change the location to /tmp, which is the temp directory, and you'll see that we can actually write to /tmp. In real-life scenarios it depends; you can try it and see whether you're able to write stuff or not. So now we're writing to /tmp, and if we clear the screen and then ls /tmp, you'll see that we have something called example. And if we try to read it, you'll see that it contains the content of what we did before, which is the normal selection that you'd see.
So what you see is the result for admin, which the first select returned, and then example, example, which is what we wanted to write to the file. Now, you can obviously get rid of the admin row and the admin password by putting in a username of our own, so nothing is displayed there, and the only thing you'll see is the output, which is example, example. But again, this is only useful if you're able to write to your web server, so you can access the file and then use your shell or your payload to further exploit the system.
- Discovering SQL Injections & Extracting Data Using SQLmap
In all of the lectures so far, we were exploiting SQL injections manually, injecting the code into the URL or into the text boxes. In this video I'm going to show you a tool called SQLmap, which allows you to do everything we learned so far and even more. This tool can be used against MySQL databases, which is the one we were using in the example, and it can also be used against Microsoft SQL, Oracle and other database types. The tool is very useful and very handy in many cases. Sometimes the injections aren't as nice as the one we see, and sometimes you only get one output for each record and you have to loop through all the outputs; the tool can automate that and just do everything for you, much easier and much simpler.
So first of all let's get the URL that we were using for the injection. I have that text file here with the URL that we were using before. So it's user-info.php with username admin and password adminpass. You don't really need to know the username and password, so I'm actually just going to put anything here, to assume that we don't know the password. We're only injecting SQL, so we don't need to know any of this stuff. All I'm going to do is copy this, then run sqlmap with -u to specify the URL, and I'll put my target and make sure I have it between two quotation marks so that it doesn't ignore anything, any signs in the middle.
We have some signs and characters in the middle that I want all treated as one URL. So all I did is sqlmap -u my target, and I'm going to hit enter, and the tool will automatically look through all the parameters. It's going to look through the user-info page, the username and the password to see if any of them is injectable. Once it does that, it stores it in its memory so it knows this is injectable, and then we'll be able to further exploit the target. As you can see now, it's thinking that our target could be MySQL or PostgreSQL.
It's asking me if it should skip other tests, and I'm going to say yes because I know it's MySQL. Now it's asking me if it should do all the tests for both databases, and I'm going to say yes, assuming that I'm not sure which one it is. I know it's MySQL, but I'm just going to let it do its thing and we'll see if it can do it properly or not. At the moment it's checking if it's PostgreSQL, and I'm assuming it's going to find out that it's not, and then it's going to find out that it's MySQL. It just found out that the username seems to be injectable, and sure enough it's telling us here that the parameter username is vulnerable and we can inject it. So it's asking me, do I want to check the other parameters, such as the password and all of them?
I could say yes and let it do that, but I'm going to say no because I don't mind if it just uses the username for the injection. So it's all good. Now SQLmap knows that the target is injectable and that it's going to use the username parameter to inject stuff. And we can see that it figured out the target is running Linux Ubuntu, that it's using PHP with Apache 2.2.8, and that it's using MySQL as the database server. So let's run sqlmap --help and see what we can do now. This tool is really big and allows you to do a lot of things, so in this video I'm just going to give you a quick look at the tool, and I recommend you spend more time with it and try to see what else you can do with it.
Okay, so let's try to get the current user, and we're going to try to get the current database. We're going to use the same command that we used before, and I'm just going to add --dbs to get the databases. As you can see, we got all the databases that we have: dvwa, information_schema, metasploit, mysql, owasp10, which was the one we were exploiting before, and tikiwiki. Now if we do --current-user, you can see that we are root, and if I do --current-db, we'll see that owasp10 is our current database. So now let's try to get the tables for owasp10. Remember when we did select table_name from information_schema.tables where table_schema is equal to owasp10? We're going to let SQLmap do all of that for us.
So the command is going to ask it to get all the tables for us with --tables, and we're going to use the -D option to specify the database, and our database is called owasp10. As you can see, it got us all the tables that exist, and it's the same as before: we got accounts, blogs_table, and credit_cards as well. Now if we want to get the columns, we can use the same command again with --columns and say: get me the columns where the table is called accounts and the database is owasp10. And right here we can see that we got the columns, so we have is_admin, password and username, and we can get the data using the --dump option.
It's the same command that we used before: from the table called accounts in the database called owasp10, get me all the data. And here we go, we got all the data. We have admin, whose password is adminpass, and we have adrian, whose password is somepassword. We got all the data right here. So as I said, the tool is very useful. It can be used to make our life much easier, it does everything automatically, it can do everything we did, and it can even do more.
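The two lectures above show what the injected requests look like on the wire: a union select wrapped around load_file() or into outfile, or a run of probe requests from SQLmap. Defenders see the same thing from the other side, in the web server's access log. The following Python script is an added example, not part of the course material: it parses a few constructed Apache combined-format log lines (invented IP addresses and timestamps, request paths modelled on the lecture's mutillidae URLs), URL-decodes each request path, and flags the indicators the lectures demonstrated (union select, load_file, into outfile, information_schema reads, the "' AND 1=1" style tautology SQLmap starts with, and SQLmap's default User-Agent string). The indicator names and the LOG_RE parser are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin&password=adminpass HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin%27+union+select+null%2Cload_file%28%27%2Fetc%2Fpasswd%27%29%2Cnull%2Cnull%2Cnull%23&password=x HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin%27+union+select+null%2C%27example%27%2Cnull%2Cnull%2Cnull+into+outfile+%27%2Ftmp%2Fexample.txt%27%23&password=x HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin%27%20AND%201%3D1--%20&password=x HTTP/1.1" 200 5120 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.5 - - [12/Mar/2024:10:02:30 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator name -> pattern applied to the URL-decoded request path.
# The names are this example's own labels, not a standard taxonomy.
PATH_INDICATORS = [
    ("union_select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("load_file", re.compile(r"load_file\s*\(", re.I)),
    ("into_outfile", re.compile(r"into\s+(out|dump)file", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("tautology", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I)),
]


def decode_path(path):
    """URL-decode repeatedly so a double-encoded payload (%2527 -> %27 -> ') is normalised."""
    for _ in range(3):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None for unparsable/benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    indicators = [name for name, pat in PATH_INDICATORS if pat.search(decoded)]
    if "sqlmap" in m.group("ua").lower():      # SQLmap's default User-Agent announces itself
        indicators.append("sqlmap_user_agent")
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": m.group("status"),
        "path": decoded,
        "indicators": indicators,
    }


def scan_access_log(text):
    """Scan a whole log body and return the list of findings in log order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


def hits_by_ip(findings):
    """Count findings per source address, a cheap way to spot an automated scanner."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["timestamp"], f["status"], f["indicators"])
        print("   ", f["path"])
    print("hits per IP:", dict(hits_by_ip(results)))
```

Two practical notes. The decode step matters because the third lecture on filters points out that encoding variants slip past naive matching; decoding before matching closes the simplest of those gaps, but pattern matching on logs is a detection aid, not a substitute for fixing the query. And the failed into outfile attempt in the lecture surfaced as a MySQL permission error; on the server side, MySQL's secure_file_priv setting is what restricts where load_file() and into outfile may read and write at all, so a 500 status next to an into_outfile indicator is worth correlating with the database error log.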
- The Right Way To Prevent SQL Injection Vulnerabilities
As you've seen so far, SQL injections are very dangerous, and they are also very easy to introduce and very easy to find. You'll find them everywhere, in some really famous websites. People try to prevent these vulnerabilities using filters. Filters can make it look like there is no exploit, but if you actually try harder, using different types of encoding or using a proxy, you'll be able to bypass most of these filters. Some programmers use a blacklist, so for example they prevent the use of union, they prevent the use of insert, and stuff like that. Again, it's not 100% secure and it can be bypassed. Using a whitelist has exactly the same issues as the blacklist.
The best way to do it is to program your web application in a way that does not allow code to be injected into it and then executed. The way to do that is to use parameterized statements, where the data and the code are separated. And the best way to show you what I mean is with an example. I'm keeping the least amount of programming in this example; I don't want it to be a programming example, and there are actually mistakes in the programming in there, but I'm trying to give you the concept more than how to program it. So the vulnerable code that we were looking at used to do this: select star from accounts where username is equal to whatever we put in text box one, and then we used to put our input in text box one.
Let's just put it here. We used to say admin, then close the quote, and then we were able to do a union select and execute something else. And once we were done, we used to add the comment, which basically ignores everything that comes after it. So when you copy this and paste it in here, you'll see what's happening. Let's just get rid of this, because it's making the colours not nice, and I'm actually going to just put a comment on it. So it's going to do a select star from accounts where username is equal to admin, union select, and execute whatever we want to do.
This is very bad, and it's very hard to protect against. As I said, using filters and stuff like that will only hide the problem, it will not fix it. The best way to do this is using parameterized statements, just like so. This is the safe way to do it. First of all you prepare your statement; most languages, like PHP and all of them, have a function like that. You prepare select star from accounts where username is equal to question mark, and then you send the values. So PHP now knows the SQL statement is select star from accounts where username is equal to something, and then it's going to take the value of text box one.
So even if we come in with our very sneaky statement right here and paste it in there, the web application will know that the value for this is "admin' union select ...". It will actually go and select star from accounts where the username equals that value, adding its own quotes, and try to find a user with that username. So the whole thing will be executed like so: select star from accounts where username is equal to "admin' union select ... #". So whatever you put in your text box will be sent as a value, and the web application will know that this is a value, not code, and it'll never execute it.
Therefore this will protect you against SQL injections. You can use the filters as a second line of defence. And I also advise that you use the least privileges possible. So for each database, use one user with the least amount of privileges they need. Don't allow the users to do anything they want. If it's a simple website that only does selection, then only allow the user to select. If it only needs to select and insert, then only allow them to select and insert. And this is a rule you should keep with everything. Even with Linux systems, make sure the permissions are always as restricted as possible, so that each user doesn't have any extra permissions they don't need.
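The lecture keeps its code to a sketch, so here is a runnable version of the same comparison, added as an example and not taken from the course. It uses Python's built-in sqlite3 module with a constructed in-memory copy of the accounts and credit_cards tables (made-up rows; the card values are placeholders). lookup_vulnerable() builds the query by string concatenation, as the vulnerable page did; lookup_safe() prepares the statement with a ? placeholder and binds the value afterwards. The payload is the lecture's admin' union select ... with SQLite's -- comment in place of MySQL's #. The last function illustrates the least-privilege advice: an sqlite3 authorizer callback stands in for a database account that was only granted SELECT on accounts (that mapping to MySQL GRANT semantics is this example's assumption), so even the unfixed query cannot reach credit_cards.

```python
import sqlite3

# Constructed sample data standing in for the lecture's owasp10 tables; made up for this example.
ACCOUNTS = [("admin", "adminpass", "TRUE"), ("adrian", "somepassword", "TRUE"), ("john", "monkey", "FALSE")]
CREDIT_CARDS = [("0000-1111-2222-3333", "000", "2030-01")]  # placeholder values, not real card data

# The lecture's payload, with SQLite's "--" comment where MySQL would use "#".
PAYLOAD = "admin' UNION SELECT ccnumber, ccv, expiration FROM credit_cards -- "


def make_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin TEXT)")
    conn.executemany("INSERT INTO accounts (username, password, is_admin) VALUES (?, ?, ?)", ACCOUNTS)
    conn.execute("CREATE TABLE credit_cards (ccid INTEGER PRIMARY KEY, ccnumber TEXT, ccv TEXT, expiration TEXT)")
    conn.executemany("INSERT INTO credit_cards (ccnumber, ccv, expiration) VALUES (?, ?, ?)", CREDIT_CARDS)
    return conn


def lookup_vulnerable(conn, username):
    """The broken pattern from the lecture: the text-box value becomes part of the SQL code."""
    sql = "SELECT username, password, is_admin FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized statement: the SQL is compiled first, the value is bound afterwards as data."""
    sql = "SELECT username, password, is_admin FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def least_privilege_authorizer(action, table, column, db_name, trigger_or_view):
    """Stand-in (assumption) for a DB account granted SELECT on accounts only: every other
    operation, including reading any other table, is refused at statement-compile time."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table == "accounts":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def lookup_vulnerable_as_restricted_user(username):
    """Run the still-vulnerable query as the restricted account. Returns the rows, or None
    when the database refused the statement ("not authorized")."""
    conn = make_db()                      # schema and rows are created before restricting the account
    conn.set_authorizer(least_privilege_authorizer)
    try:
        return lookup_vulnerable(conn, username)
    except sqlite3.DatabaseError:         # SQLITE_AUTH surfaces as DatabaseError
        return None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input      :", lookup_vulnerable(conn, "admin"))
    print("vulnerable, injected          :", lookup_vulnerable(conn, PAYLOAD))
    print("parameterized, injected       :", lookup_safe(conn, PAYLOAD))
    print("vulnerable + least privilege  :", lookup_vulnerable_as_restricted_user(PAYLOAD))
```

The parameterized lookup returns no rows for the payload because the database searched for a user whose name literally is the whole injected string, which is exactly the behaviour the lecture describes. The least-privilege run shows the second line of defence the lecture recommends: the concatenation bug is still there, but a read-only account limited to the one table turns a data breach into an error in the application log.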