Welcome to our Pentest Files blog series.
Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.
These findings are taken from real reports, anonymised, and published with kind permission from our clients.
Impact: Complete compromise of the application data via SQLi.
Testing uncovered several SQL injection vulnerabilities within multiple functions of the application. Our tester was able to leverage the initial SQL Injection vulnerability to cause a much more serious Union SQL Injection.
An unauthenticated attacker could potentially steal all sensitive information within the databases, and take control of the server via remote code execution.
SQL injection vulnerabilities occur when user-supplied data is placed into an SQL query directly and then executed. As a result, attackers can manipulate part of the SQL query and leverage this to run a SQL query of their choosing, which could result in any of the following:
- Retrieving information from the Database including but not limited to:
- Users application data
- Users credentials
- Users confidential information
- Deleting information from the Database
- Potentially executing arbitrary code leading to full compromise of the server that hosts the database.
Consequently, SQL injection attacks pose a severe security issue to vulnerable applications.
For example, take the following PHP code snippet:
$query = "select * from users where username = '.$_POST['username'].' and password = '.$_POST['password'].'
As in the above example, data is read directly from the requests HTTP POST variables and placed within the query. It would be possible for a user to manipulate this query to always return the first row in the database, by submitting the following value as their username:
' or 1=1;--
With the variable substitutions processed in the code which creates the query string, the final query would hit the database as follows:
select * from users where username = '' or 1=1;-- ' and password = 'whatevertheusersubmitted'
While the above example simply modifies the rows returned from a query within the context of one table, it is possible to abuse SQL queries in more complex ways to fully extract all information from a database.
In some instances, if a writeable directory within the web root can be identified, it may be possible for attackers to execute arbitrary code on the web server (e.g. by uploading a malicious PHP file via SQL injection and invoking it via the web server if the application uses PHP).
During testing of our client's application, our tester was able to uncover multiple SQL injection (SQLi) points across the application.
Adam was able to successfully deploy a common SQLi payload that instructed the application to delay its response by 5 seconds, indicating a successful injection.
Now that our tester had proved an SQLi vulnerability existed in the application, he was able to further exploit the application via error-based SQLi. “Error-Based" injection is a type of SQL injection attack that relies on causing database errors in order to extract information from the database.
In the case of an error-based SQL injection attack, the attacker's injected code is designed to cause an error in the database. The resulting error can then be used to extract information about the structure of the database, such as the names of tables and columns, or even the contents of individual rows.
Error-based MySQL injection attacks can be difficult to detect because they do not always cause visible errors or abnormal behaviour in the application. As a result, it is important for developers to use secure coding practices and implement proper input validation and sanitisation to prevent these types of attacks.
Our tester was again able to upgrade the risk rating of the initial SQLi finding into a more powerful Union SQL injection vulnerability.
A Union SQL injection vulnerability is generally considered to be more powerful than a normal SQLi vulnerability, because it allows an attacker to combine the results of two or more SELECT statements into a single result set. With a normal SQLi vulnerability, an attacker can manipulate the SQL query to modify or extract data from a single database table. However, with a Union SQLi vulnerability, the attacker can combine data from multiple tables, even if those tables have different structures or contain different types of data.
In conclusion, we have provided recommendations to address the vulnerabilities discovered by our tester. By implementing prepared statements for all SQL queries and undertaking an internal review of application functionality to eliminate any potential SQL injection issues not found during testing, our client can greatly reduce the risk of SQL injection attacks against their application.