SQL Injection [CWE-89] — The Hacktivists

SQL Injection is a weakness that is caused by improper neutralization of special elements used in an SQL query.

Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Exploitation Examples
6. Severity and CVSS Scoring

1. Description
………………………………

The basic form of SQL injection is the direct insertion of attacker-controlled data into variables that are used to construct SQL commands. As a result, an attacker can tamper with the original query by prematurely terminating the string, appending new commands, etc.
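To make the mechanism concrete, here is an added example (not from the original article or the advisory it cites) in Python against an in-memory SQLite table: the first lookup builds the query by string concatenation, so a single quote in the input terminates the string literal and the rest of the input is parsed as SQL; the second binds the value as a parameter, so the same input is treated purely as data.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demonstration; not a real application.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return con


def lookup_vulnerable(con, name):
    # Attacker-controlled data is concatenated into the SQL text itself.
    # A quote inside `name` closes the string literal and whatever follows
    # becomes part of the query structure (the CWE-89 weakness).
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    # The value is bound to a placeholder and sent separately from the query
    # text, so quotes in `name` can never alter the statement's structure.
    return con.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    con = build_db()
    tampered = "x' OR '1'='1"          # string terminated, condition appended
    print(lookup_vulnerable(con, tampered))     # every row is returned
    print(lookup_parameterized(con, tampered))  # [] - no user has that name
```

The parameterized version returns nothing for the tampered input because the database compares the column against the literal string, including its quote characters.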

2. Potential impact
………………………………

An attacker can view, add, delete or modify information stored in the database with the privileges of the current database user. In the case of a web application, this weakness often leads to website defacement or database exfiltration.

An insecure database configuration may allow an attacker to write files to arbitrary locations on the system (e.g. the SELECT … INTO OUTFILE construct in MySQL), which might lead to system compromise.

Modern SQL injections are also used to spread malware: they can be leveraged to turn innocent websites into drive-by-download sites that serve malware to unsuspecting visitors.

3. Attack patterns
………………………………

An attacker exploits this weakness in software that constructs SQL commands from user input. According to the CAPEC classification, the following attack patterns apply:

CAPEC-7: Blind SQL Injection
CAPEC-66: SQL Injection
CAPEC-108: Command Line Execution through SQL Injection
CAPEC-109: Object Relational Mapping Injection
CAPEC-110: SQL Injection through SOAP Parameter Tampering
CAPEC-470: Expanding Control over the Operating System from the Database

The WASC Threat Classification describes SQL injection as an attack technique under WASC-19.

4. Affected software
………………………………

Software that uses a backend database to store or read information is potentially vulnerable to this weakness. The weakness is common in web applications, since all modern content management systems use a database to store dynamic content.

SQL injection is also possible inside stored procedures or functions within database engines.

5. Exploitation Examples
………………………………

As an example, we will use the HTB23101 security advisory (CVE-2012-4034), specifically vulnerability 1.7.

This vulnerability allows the execution of arbitrary SQL commands by modifying HTTP POST parameters. Successful exploitation requires that the HTTP Referer header belongs to the vulnerable website.

To demonstrate exploitation of the vulnerability, we will use Burp Suite. First, we need to configure the browser to use it as a proxy:

Then we intercept every request to the vulnerable website and modify it according to the instructions in the advisory:

After the PoC has been executed against the website, we check for the existence of the /file.php file:

Successful exploitation of the vulnerability allowed us to create a file on the file system with arbitrary contents. Instead of the phpinfo() function, we could store a web shell and gain control over the system.

6. Severity and CVSS Scoring
………………………………

SQL injection affects the confidentiality, integrity and availability of the application. It should be scored as C:H/I:H/A:H.

The common CVSS score for SQL injection vulnerabilities in publicly accessible scripts is:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] — Critical severity.

Credits: https://www.immuniweb.com/


Contact us for Information Security Services & Training https://thehacktivists.in/
