Red Hot Cyber
Cyber security, cybercrime, hack news, and more
Menu
Davide Cavallini : 26 July 2023 23:27
Good morning everyone. I am Davide Cavallini, a Senior Laravel Developer and Penetration Tester.
Today, I will talk to you about injections. There are various types, but what does it conceptually mean to perform an injection?
After some thought, I believe I have a “universal” answer.
Supporta Red Hot Cyber attraverso
Let’s take a simple example. We have a request to make to the county’s office, to obtain a certificate.
The request form is as follows:
The undersigned __________________________ requests the certificate of residence from the office of “Random County”.
Normally, the form should be filled out by writing our “name” in the appropriate space.
In computer terms, the “name” is defined as a “parameter”, as it is indeed a variable parameter that varies the request based on our needs.
By inserting the parameter “Davide”, we will request the certificate of Davide to the office.
But what if the parameter itself were to alter the structure of the request?
Let’s try to write the following highlighted sentence in the empty space:
The undersigned Antonio, together with the undersigned Davide requests the certificate of residence from the office of “Random County”.
At this point, the county’s office, receiving this request and assuming it has an employee without reasoning ability, just like computers do not have, would deliver us two documents, both that of Antonio and Davide.
The unfiltered fill-in space, in this case by the employee, would thus reveal a vulnerability to easy requests that we would not be entitled to.
The same phrase “Antonio together with” would be defined in “computer” language as a “Payload”.
The same thing can happen in databases, but let’s stay in the abstract world for now. If we had a database that fetches the addresses of a user in a table, based on the id, passed as a parameter, the request would be of this type:
GET THE USER DATA FROM THE “USERS” TABLE WHERE THE ID IS EQUAL TO THE RECENTLY PASSED ID PARAMETER
If the ID parameter was “1”, the data of the user with ID 1 would be extracted from the table.
But what if we modified the id that we pass to the request in this way?
GET THE USER DATA FROM THE “USERS” TABLE WHERE THE ID IS EQUAL TO ANY ID
In this case, the page might show us the data of all the users contained within the database.
In a real situation, the Sql request could be:
SELECT * FROM users where id=$_GET[‘id’];
As long as the $_GET[‘id’] parameter is equal to a number, there is no problem, because the query would be the following: In the example we will pass: $_GET[‘id’] = 1
SELECT * FROM users WHERE id=1;
But what if $_GET[‘id’] was equal to id (always true condition)? In this case we would get back all the user data
In fact, writing the query:
SELECT * FROM users WHERE id=id;
we would get back all the user results.
At this point it would seem that apart from the users we could not get other data from the database, but THAT’S NOT THE CASE.
There are other SQL commands that can allow us to extract other data, knowing how many fields are extracted from the table on which the original query is made.
A simple way to verify how many columns can be extracted is to do a “UNION SELECT” by trying to insert an increasing number of columns.
Example:
$_GET[‘id’]=1 union select 1 – –
$_GET[‘id’]=1 union select 91827364,91827364 – –
$_GET[‘id’]=1 union select 91827364,91827364,91827364 – –
$_GET[‘id’]=1 union select 91827364,91827364,91827364,91827364 – –
$_GET[‘id’]=1 union select 91827364,91827364,91827364,91827364,91827364 – –
In the case the first select (from users) had 5 columns, once we get to this last union select, the number 91827364 will appear somewhere on the page.
At this point we could, for example, replace the number 91827364 with the version() function, and see the database version, or make a subselect to see data from other tables, such as:
1 union select 1,2,3,4,(select password from secret);
OR EVEN
1 union select 1,2,3,4,(select concat(username,999,password) from secret);
In the worst cases, the hacker can even truncate the table (delete it all), insert and modify data or create remote shells in the server, where to execute arbitrary code.
Database injections are a very serious problem for companies, and are still very present in websites, or in general software, which do not properly filter user inputs.
The impact of successful injection attacks can range from data breaches, data loss, to complete system compromise, depending on the nature and security level of the database and the system that houses it.
To prevent this, the best practice is to employ robust input validation and sanitization, use parameterized queries, and adopt the principle of least privilege when assigning user roles in a database system. This means users should only be given the minimum levels of access necessary to complete their tasks.
Security should be a top priority in the development phase, not an afterthought. A solid knowledge of how injection attacks work and how to prevent them is absolutely essential for developers and system administrators to maintain the security and integrity of their systems.
There are several tools available that can help detect and prevent SQL injection attacks. Some of the popular ones include:
URL: https://github.com/sqlmapproject/sqlmap
URL: https://github.com/dade1987/JavaScream
URL: https://portswigger.net/burp
By using these tools, developers and system administrators can proactively detect and prevent SQL injection attacks before they can cause any damage to their systems. However, it is important to note that these tools should not be used to attack or exploit vulnerable systems without prior authorization.
If you’re interested in learning more about how to prevent SQL injection and other types of injection attacks, here are some resources:
Remember, understanding the threats and vulnerabilities that exist in the digital world is the first step in defending against them. Stay safe, keep learning, and let’s build a more secure web together.”
Davide Cavallini
