Table of Contents
Appointment is a box that contains a web application. Hello everyone I welcome you to the tier 1 series first video, in this video, we will find out how to perform an SQL Injection against an SQL Database enabled web application.
Our target is running a website with search capabilities against a back-end database containing searchable items vulnerable to this type of attack. Not all items in this database should be seen by any user, so different privileges on the website will grant you different search results.
Enumeration
As you can see the target IP address:
First, we perform a Nmap scan to find the open and available ports and their services.
- -sC: Performs a script scan using the default set of scripts. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission
- -sV: enables version detection, which will detect what versions are running on what port
The only open port we detect is port 80 TCP, which is running the Apache httpd server, version 2.4.38. Apache HTTP Server is a free and open-source application that runs web pages on either physical or virtual web servers. It is one of the most popular HTTP servers, and it usually runs on standard HTTP ports such as ports 80 TCP, and 443 TCP, and alternatively on HTTP ports such as 8080 TCP or 8000 TCP. HTTP stands for Hypertext Transfer Protocol, and it is an application-layer protocol used for transmitting hypermedia documents, such as HTML (Hypertext Markup Language).
The Nmap scan provided us with the exact version of the Apache httpd service, which is 2.4.38. Usually, a good idea would be to search the service version on popular vulnerability databases online to see if any vulnerability exists for the specified version. However, in our case, this version does not contain any known vulnerability that we could potentially exploit.
In order to further enumerate the service running on port 80, we can navigate directly to the IP address of the target from our browser.
By typing the IP address of the target into the URL field of our browser, we are faced with a website containing a log-in form.
Log-in forms are used to authenticate users and give them access to restricted parts of the website depending on the privilege level associated with the input username. Since we are not aware of any specific credentials that we could use to log in, we will check if there are any other directories or pages useful for us in the enumeration process. It is always considered good practice to fully enumerate the target before we target a specific vulnerability we are aware of, such as the SQL Injection vulnerability in this case. We need the whole picture to ensure we are not missing anything and falling into a rabbit hole, which could quickly become frustrating.
Think of web directories as "web folders" where other resources and relevant files are stored and organized, such as other pages, log-in forms, administrative log-in forms, images, and configuration file storage such as CSS, JavaScript, PHP, and more. Some of these resources are linked directly from the landing page of the website. Pages we are all accustomed to, such as Home, About, Contact, Register, and Log-in pages, are considered separate web directories. When navigating to these pages, the URL address at the top of our browser window will change depending on our current location.
For example, if we navigate from the Home page to the Contact page of a website, the URL would change as follows:
Home Page:
Contact page:
Some pages might be nested in others, which means that the directory for one page could be found in a bigger directory containing the previous page.
Let us take a Forgot Password page for this example. These are usually found under the Login directory because you can get redirected to it from the log-in form if you forgot your user password.
Forget Password Page:
However, suppose buttons and links to the desired directories are not provided. In that case, because the directories we are looking for either contain sensitive material or simply resources for the website to load images and videos, we can provide the names of those directories or web pages in the same browser URL field to see if they will load anything. Your browser by itself will not block access to these directories simply because there is no link or button on the webpage for them. Website administrators will need to make sure directories containing sensitive information are properly secured so that users can not just simply manually navigate to them.
When navigating through web directories, the HTTP client, which is your browser, communicates with the HTTP server (in our case Apache 2.4.38) using the HTTP protocol by sending an HTTP Request (a GET or POST message) which the server will then process and return with an HTTP Response.
HTTP Responses contain status codes, which detail the interaction status between the client's request and how the server handled it. Some of the more common status codes for the HTTP protocol are shown on Google.
Brute-force the directories and files with the help of gobuster
So, we are going to use the following command: (If you have not yet installed gobuster, then click here)
After checking out the web directories, we have found no helpful information. The results present in our output represent default directories for most websites, and most of the time, they do not contain files that could be exploitable or useful for an attacker in any way. However, it is still worth checking them because sometimes, they could contain non-standard files placed there by mistake.
Foothold
Since Gobuster did not find anything useful, we need to check for any default credentials or bypass the login page somehow. To check for default credentials, we could type the most common combinations in the username and password fields, such as:
After attempting all of those combinations, we have still failed to log in. We could, hypothetically, use a tool to attempt brute-forcing the log-in page. However, that would take much time and might trigger a security measure.
The next sensible tactic would be to test the log-in form for a possible SQL Injection vulnerability. This vector has been described thoroughly in the Introduction section.
According to the wiki,
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Insert below SQL query:
Where a single quote( ' ) allows the script to search for the admin username. By adding the hashtag (#), we will comment out the rest of the query, which will make searching for a matching password for the specified username. However, since we have skipped the password search part of our query, the script will now only search if any entry exists with the username admin.
So we are going to use any password like admin123 and then click login:
After pressing the log-in button, the exploit code is sent, and as suspected, we are presented with the following page.
We successfully performed a primary SQL Injection and got the flag. Now copy this flag and paste it to the tasks. Before that make sure you answered all the questions.
TASK Solution
TASK 1: What does the acronym SQL stand for?
Ans. Structured Query Language
TASK 2: What is one of the most common types of SQL vulnerabilities?
Ans. SQL injection
TASK 3: What does PII stand for?
Ans. Personally Identifiable Information
TASK 4: What does the OWASP Top 10 list name the classification for this vulnerability?
Ans. A03:2021-Injection
TASK 5: What service and version are running on port 80 of the target?
Ans. Apache httpd 2.4.38 ((Debian))
TASK 6: What is the standard port used for the HTTPS protocol?
Ans. 443TASK 7: What is one luck-based method of exploiting login pages?
Ans. brute-forcing
TASK 8: What is a folder called in web application terminology?
Ans. directory
TASK 9: What response code is given for "Not Found" errors?
Ans. 404
TASK 10: What switch do we use with Gobuster to specify we're looking to discover directories and not subdomains?
Ans. dir
TASK 11: What symbol do we use to comment out parts of the code?
Ans. #
Thank you!
ReplyDelete