Let's learn "What is Client-Side SQL Injection?"
Welcome back!
In this tutorial we will study Client-Side SQL Injection. If you have not read our previous tutorial, INTRODUCTION TO WEB APPLICATION SECURITY, I recommend going through it first: Introduction to web application security.
Here we will study:
- What is SQL Injection
- How to detect SQL Injection (using the Burp Suite intercept feature)
- How to solve SQL Injection
So... what are you waiting for?
LET'S start...
WHAT IS SQL INJECTION?
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.
SQL injection is one of the most basic, yet most damaging, vulnerabilities in web applications.
Consider the most basic example to understand SQL injection.
Suppose we have an SQL query
$query = "SELECT * FROM `users` WHERE username = '$username' AND password = '$password' ";
where $username and $password are the POST variables in PHP. This query simply checks whether a row with the given username ($username) and password ($password) exists in the database. If it does, that username and password are valid; otherwise they are not.
Now...
if I provide $username = admin (say) and $password = abc' OR '1' = '1
Replace the variables with their values in the above query:
$query = "SELECT * FROM `users` WHERE username= 'admin' AND password = 'abc' OR '1' = '1' ";
Now the WHERE clause contains two parts: the first, username = 'admin' AND password = 'abc', and the second, '1' = '1'. It can be seen that the second part is always true, so the WHERE clause matches no matter what the real password is. Hence even without knowing the username and password we are logged in to the web application and able to access its resources.
If you want to test SQL injection you can visit here. The sign-in page of that web app is vulnerable to SQL injection.
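To see the effect of the payload above outside PHP, here is an added example (not code from the original post) that rebuilds the tutorial's `users` query in Python against a constructed in-memory SQLite table. `vulnerable_login` pastes the values into the SQL text exactly like the PHP string above; `safe_login` is the hardened form using placeholders, so the same payload stays a plain string and matches nothing. The table contents, the function names and the `s3cret` password are assumptions made for the demo.

```python
import sqlite3

PAYLOAD = "abc' OR '1' = '1"  # the password value from the tutorial


def make_db():
    # Constructed sample table standing in for the tutorial's `users` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    return conn


def vulnerable_login(conn, username, password):
    # Mirrors the PHP query: the values are spliced into the SQL text,
    # so a quote inside them changes the structure of the query.
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    rows = conn.execute(query).fetchall()
    return query, rows


def safe_login(conn, username, password):
    # Hardened form: placeholders keep the values in the data context,
    # so the payload is compared as a literal password and never matches.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    query, rows = vulnerable_login(conn, "admin", PAYLOAD)
    safe_rows = safe_login(conn, "admin", PAYLOAD)
    return {
        "query": query,
        "vulnerable_rows": len(rows),  # every user is returned: '1' = '1' is always true
        "safe_rows": len(safe_rows),   # nothing is returned
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Note that the vulnerable query returns every row in the table, not just the admin row: because AND binds tighter than OR, the WHERE clause reads `(username = 'admin' AND password = 'abc') OR '1' = '1'`. An application that logs in whichever user comes back first is exactly why the demo site later greets you as the admin user.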
HOW TO DETECT SQL INJECTION?
To detect SQL injection we'll use the intercept feature of Burp Suite. If you don't know about Burp Suite, you can first read about it here and then come back.
Hopefully you are now ready to use Burp Suite.
Launch Burp Suite and configure it with your browser.
Let's do this with an example.
1. Open http://www.altoromutual.com in your browser configured with Burp Suite.
2. Click on the Sign In button at the top right of the web page.
3. Here you will be asked to enter a username and password.
4. Enter any username and password (do not submit, just enter the details).
5. Open Burp Suite, go to the Proxy -> Intercept tab and turn the Intercept button ON.
6. If it currently shows any intercepted request, just drop it by clicking the Drop button.
7. Now go to your browser and click the Submit button. The request sent will be intercepted by Burp Suite. (If some other request gets intercepted, just forward or drop it by clicking the Forward/Drop button.)
8. As you can see, the login request (i.e. /bank/login.aspx) gets intercepted by Burp Suite. The browser will keep loading until you forward or drop the intercepted request. Now go to the Params tab to see the parameters passed, as shown below.
In this case the parameters contain cookies (ASP_NET_Sessionid and amSessionid) and other parameters such as the username and password.
9. Now, to check for SQL injection, we replace the parameter values (not the cookies) with an SQL payload. In this case I am using abc' OR '1' = '1 as the payload.
10. After setting the payload, just forward the request and see what you get in your browser.
11. Ta-da... you are able to log in without knowing the actual password, as the page shows "Hello Admin User".
So...
In this tutorial we learned how to detect SQL injection using Burp Suite. (You can do the same for any web application where you want to check for SQL injection.)
So stay tuned for tutorials related to other web application vulnerabilities ....
Until then
HAPPY HACKING!!!!
For any problems or queries, please Comment Below .