VU21997 - Expose Website Security Vulnerabilities - Class 3 SQLi

This document discusses SQL injection vulnerabilities and provides examples. It begins by introducing OWASP, the Open Web Application Security Project, and its Top 10 report. It then provides an example of how SQL injection could allow an attacker to delete all records in a database by injecting a DELETE command into the login process. The document explains SQL language and operators like SELECT, INSERT, UPDATE, DELETE. It also covers SQL comments, unions, and exercises for practicing SQL injection hands-on.

Uploaded by cryptailmine

Expose Website Security Vulnerabilities

OWASP #1: SQL INJECTION
OWASP

• Open Web Application Security Project
• Worldwide, not-for-profit, charitable organization focused on improving the security of software
• Performs world-wide research into common threats/attacks, makes resources (open + free!) and reports to improve security visibility
• OWASP Top 10 Report is prepared every ~3 years

OWASP 2017 RC1 (rejected, being revised further)
OWASP #1: SQL Injection

1. Simple example – you log into eBay: www.ebay.com, USER=madsellingskillz2017
2. eBay's webserver connects to database, validates your account
3. eBay shows a customised welcome page: "Hello madsellingskillz2017! You bought 8 items recently…"

• Today, no one can log in. Database admin notices the database is empty!
• In the website log files, they see:
1:00pm: login successful=madskillz2017
1:01pm: login successful=DELETE *.*
• What happened??? What was supposed to happen?
• DELETE command injected in the login process
• Database was supposed to look up a name (DATA). Instead, it ran the DELETE command
SQL

• To understand SQL injection, we need to speak the language (somewhat)
• SQL = Structured Query Language
• Plain English (ha!) language used to interact with a database. e.g.
CREATE TABLE addresses (name VARCHAR(50), address VARCHAR(100), postcode INT … );
INSERT INTO addresses (name, address, postcode…) VALUES ('jff', '123 high st', 3000, …)
SELECT name, address, city, state, postcode FROM addresses WHERE name='Jff'
UPDATE addresses SET name='Jeff', postcode=3000 WHERE name='jff'
DELETE FROM addresses WHERE name='Jeff'
• SELECT = get data from database
• INSERT = add new data
• UPDATE = update data
• DELETE = remove data
SQL Operators

Comparison operators:
Greater than / greater than or equal to: > >=
Less than / less than or equal to: < <=
Equal to / not equal to: = <>
Logical operators: AND OR

1. SELECT name FROM address WHERE name = "jeff"
   SELECT name FROM address WHERE postcode = 3000
2. SELECT name FROM address WHERE name = "jeff" OR postcode = 3000
   SELECT name FROM address WHERE name = "jeff" AND postcode = 3000
• Which one shows all Jeffs that live in the CBD?
• What does the other query show?
3. SELECT name FROM address WHERE name <> "jeff"
SQL Comments

1. Large comments / multiple lines:
/* This deletes all records
and I'm writing a
multi-line comment
across 4 lines */
DELETE FROM address WHERE name='Jeff'

2. Single-line comment:
--This is a comment
SELECT * FROM ADDRESSES

3. End-of-line comment:
DELETE FROM address #This is bad
Or, URL encoded:
DELETE FROM address %23This is bad
SQL Union

• What if I have two tables – personal and business addresses? (# of columns must match)

SELECT business_owner_name AS who, address, postcode FROM businessAddresses
UNION
SELECT name, address, postcode FROM personalAddresses

who            | address              | postcode
Gill Bates     | 1 Microsoft Way      | 90210
Barren Wuffett | 1 Berkshire Hathaway | 44444
John Doe       | 123 Nelson St        | 3128
Jane Doe       | 123 Nelson St        | 3128

Key point: The datatype must match

30 minute exercise: https://www.w3schools.com/sql/trysql.asp?filename=trysql_op_in

1. Can you run this SQL query: SELECT * FROM [Customers]. What's the result?
   1. Update the query to get all results from the Employees table
2. Run this query: SELECT * FROM [Customers] WHERE CustomerID = 2
   1. Update the query to get ID #4
   2. Update the query to show both CustomerID #2 plus CustomerID #4 (hint: "ID=x OR ID=y")
   3. Update the query to show all records where ID is less than/equal to 10
   4. Update the query to show all records with ID both <= 10 and >= 90
   5. Update the query to show all customers from the City of "London" (hint: quotes)
3. Remember the Union operation? Try it:
   1. SELECT CustomerID, CustomerName from [Customers] UNION
      SELECT EmployeeID, FirstName FROM [Employees]
   2. What happens if we try to get the Employee last name as well?
   3. Challenge: can you find a way to concatenate two SQL fields into one, to make #2 work?
      In the nav menu, choose MySQL Functions → Concat: https://www.w3schools.com/sql/func_mysql_concat.asp
   4. Write three SELECT statements. Use all three SQL comment styles ( /* */ or -- or # ) to comment out the first two SQL lines
4. Too easy? Fire up BurpSuite, FoxyProxy, intercept/manipulate your SQL. Then: Try next slide.
Fix these queries (W3 schools DB)

SELECT CustomerID, CustomerName from Customer
WHERE CustomerID = "One Hundred"

SELECT CustomerID, CustomerName from Customer UNION
SELECT EmployeeID, FirstName, LastName from Employee

SELECT * FROM Customers UNION
SELECT * FROM Employees
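The UNION slide and the second of the "fix these queries" cases both turn on the column-count rule. The following is an added example, not part of the slides and not the w3schools database: it builds an in-memory SQLite copy of a Customers/Employees pair with constructed rows (table and function names are my own), runs the matching UNION, shows the error the database raises when the right-hand SELECT has one column too many, and then repairs it with concatenation so the counts match again. SQLite concatenates with `||`; the MySQL hint in the exercise would use CONCAT(FirstName, ' ', LastName) for the same effect.

```python
# Added example: UNION column-count rule on an in-memory SQLite database.
# Tables, rows and function names are constructed for this illustration.
import sqlite3


def make_customers_db():
    """Create Customers/Employees tables shaped like the w3schools exercise (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerID INTEGER, CustomerName TEXT, City TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", [
        (1, "Alfreds Futterkiste", "Berlin"),
        (2, "Ana Trujillo", "Mexico City"),
        (4, "Around the Horn", "London"),
    ])
    conn.execute("CREATE TABLE Employees (EmployeeID INTEGER, FirstName TEXT, LastName TEXT)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?)", [
        (1, "Nancy", "Davolio"),
        (2, "Andrew", "Fuller"),
    ])
    conn.commit()
    return conn


def union_matching(conn):
    """Two columns on each side: UNION works, column names come from the first SELECT."""
    return conn.execute(
        "SELECT CustomerID, CustomerName FROM Customers "
        "UNION SELECT EmployeeID, FirstName FROM Employees"
    ).fetchall()


def union_mismatched(conn):
    """Three columns on the right, two on the left: return the database's error text."""
    try:
        conn.execute(
            "SELECT CustomerID, CustomerName FROM Customers "
            "UNION SELECT EmployeeID, FirstName, LastName FROM Employees"
        )
        return None  # would only happen if the engine accepted the mismatch
    except sqlite3.OperationalError as err:
        return str(err)


def union_concat(conn):
    """Fold first and last name into one column so the counts match again (SQLite uses ||)."""
    return conn.execute(
        "SELECT CustomerID, CustomerName FROM Customers "
        "UNION SELECT EmployeeID, FirstName || ' ' || LastName FROM Employees"
    ).fetchall()


if __name__ == "__main__":
    db = make_customers_db()
    print("matching:", union_matching(db))
    print("mismatched:", union_mismatched(db))
    print("concat:", union_concat(db))
```

UNION also removes duplicate rows, which is why the customer with ID 1 and the employee with ID 1 both appear: they differ in the second column, so they are distinct rows.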
Whiteboard SQL Injection

• Any SQL questions?
• Use my whiteboard marker to change this query to show all records (not just mine)
• You can do whatever you like – erase the entire line, add new ones, etc.
• Hint – here are some of the tools you just learned about: AND / OR, comments, UNION

SELECT username, password FROM logins WHERE username='jeff'

Consequences of seeing all records (is SQL injection really that bad?)

• Attacker can access unauthorised info
  • Well that might not be that bad, it might be just email addresses…
• But if web app is vulnerable to SQLi, usually easy to access other data
• Execute database commands (shutdown? delete? create new admin user?)
  • Ok, that's pretty bad
• Write files to the server (virus, shell..)
  • Getting worse!
• Get OS/shell access (!!!)
• Use another vulnerability to escalate privileges
• Find other hosts (internal ones – with less security)
  • Time to find a new job
Create a VM for WebForPentester1

• New VM (if you don't already have one set up)
  • 1 core, 1GB RAM
  • ISO: web_for_pentester_i386.iso
  • Network: NAT (VMNet8)
• Once it starts, get the IP address (ifconfig)
• On your host PC, browse to http://[your_ip_address]
• Click on SQL Injection, Example 1
SQLi Exercise 1: WebGoat v7.1 (in Kali)

• OWASP WebGoat = Java-based web server + insecure web application
• In Kali, Google "Download webgoat 7.1" (Github link) ➔
• Has dozens of security exercises + lessons + hints (injection, XSS, DoS, ..)
• Start Terminal, type cd Downloads, then start webgoat using Java:

• In Kali, open Firefox and open this url: http://localhost:9999/WebGoat
• Login with guest/guest
• Click: Injection Flaws, String SQL Injection
• Type Smith
• Can you find 3 different ways to exploit this exercise? (Remember to click each time you are successful)
SQLi Exercise 2: Web for Pentester 1

• Name=root, and we're only seeing one record
• We want to see all the records
• Question: How do you think the SQL would look?
  SELECT id, name, age FROM ?? WHERE name='root'
• How would a 'show all records' query look?
• Remember the whiteboard exercise
  1. Is there a way we could use AND/OR to change the WHERE to always be true?
  2. Could we add UNION somehow?
     SELECT (…)
     UNION
     SELECT (…)
• 2 minutes to try
• Change end of URL to name=root' OR '1'='1
• Success! We injected code into an SQL statement
SQLi labs

• Try Web for Pentester SQLi exercise #2
• Does the same approach work?
• We can't use spaces… but spaces are just one way to separate words.
• What else can we use to separate words? Something we used a lot in Python?
• Hint: Can#you#read#this?
• Try for 2 minutes (go ahead to 3 and onwards if you've solved this)
• If you solve it, try to find a 2nd and a 3rd way to bypass the filter
SQLi Lab #2 solution

• Solution:
• Replace with tab %09 or linefeed %0A or comments /**/ in the gap below – does it work?
  http://192.168.2.141/sqli/example2.php?name=root___OR___'1'='1
• E.g. http://192.168.2.141/sqli/example2.php?name=root%09OR%09'1'='1
• Try this out. Does it work with %0A? Does it work with /**/ ?
Try #3 – 7

• Does your injection payload from #2 work in #3?
• If not, try the next one (hint: #4 uses numbers (not strings). Hints for #5 and #6 only if you ask)
• Finished early?
  • Try the next exercise
  • How many payloads can you create that work?
• Try *not* to look for answers or hints online
  • There are very few good, interactive security exercises – looking at the answer spoils the struggle/brainstorming you need to do
  • The struggle and brainstorming is a key part of your skill development
• Look for 'how to' documents – if I can't use spaces in my payload then Google "what characters can replace spaces in MySQL"
SQLMap

• You are still more intelligent than a computer
• But a computer is fast, works 24x7 with no pay*, and can automate repetitive tasks
• Enter: SQLMap
• Automates SQLi vulnerability checking, injecting different payloads, and collecting information
• Goal: dump (copy) the entire database/get shell
  • Getting credit card data is good, but maybe I can get some passwords?
  • Maybe the DB is boring – but if I get shell and I'm on an internal network…

* (Until the computers all rise up and overthrow us)
SQLMap

• Sometimes it fails to detect/exploit SQLi even though it should work
• Automated cars sometimes crash; computers aren't infallible
• We can use command line parameters to improve its success:
  --tamper=space2comment ("I know spaces are filtered/break things, maybe try comments")
  --dbms=mysql (I know it's a MySQL database; don't try Oracle tricks)
• Try going back to some of your SQL injection exercises
  • Does SQLMap work for all of them?
  • Do the switches above change any of your results?
How to stop injections

• DO NOT TRUST USERS (I hate capitals but this is very important)
1. Prepared Statements (with Parameterised Queries)
2. Stored Procedures
3. White List Input Validation
4. Escaping All User-Supplied Input
5. Principle of Least Privilege
• Frameworks, WAFs, software etc. can help you but you're the boss: you still have to use these tools correctly and appropriately
• From: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
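The Web for Pentester query (SELECT id, name, age … WHERE name='root') and the whiteboard query are the same shape, so one example covers both the exercise and three items of the prevention list above: prepared statements, white list input validation, and least privilege. This is an added example, not part of the slides or of either lab; the users table, its rows, the regular expression and the function names are constructed for illustration. It builds the query by string concatenation (the way the vulnerable lab page does) and by a bound parameter, runs the lab's own OR '1'='1 input through both, and finally shows what a read-only database connection does to a DELETE.

```python
# Added example: the same lookup built unsafely and safely, plus white-list
# validation and a least-privilege connection. All data here is constructed.
import re
import sqlite3


def make_users_db():
    """In-memory table shaped like the Web for Pentester query (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "root", 40),
        (2, "jeff", 31),
        (3, "alice", 28),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: whatever the user typed becomes part of the SQL grammar."""
    sql = "SELECT id, name, age FROM users WHERE name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Prepared statement (item 1 of the list): the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, age FROM users WHERE name=?", (name,)
    ).fetchall()


# White list (item 3): the only characters a username may contain. Anything else is
# rejected before it gets near the database, so quotes and spaces never reach the query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_whitelisted(conn, name):
    """Defence in depth: validate against the white list, then use the prepared statement."""
    if not USERNAME_RE.match(name):
        raise ValueError("username contains characters outside the white list")
    return lookup_parameterised(conn, name)


def read_only_delete_attempt(conn):
    """Least privilege (item 5): a connection that can only read cannot be made to delete.

    PRAGMA query_only is SQLite's way to make a connection read-only; on MySQL or
    PostgreSQL the equivalent is granting the application account SELECT only.
    Returns the database's error text, or a marker if the delete went through.
    """
    conn.execute("PRAGMA query_only = 1")
    try:
        conn.execute("DELETE FROM users")
        return "delete succeeded"
    except sqlite3.OperationalError as err:
        return str(err)


if __name__ == "__main__":
    db = make_users_db()
    payload = "root' OR '1'='1"          # the lab's own input, from the slide above
    print("vulnerable:", lookup_vulnerable(db, payload))      # every row
    print("parameterised:", lookup_parameterised(db, payload))  # no row has that literal name
    print("read-only delete:", read_only_delete_attempt(db))
```

With the bound parameter the database looks for a user literally named `root' OR '1'='1` and finds none, which is exactly the behaviour the lab page lacks; the white list then rejects the same input before any query is built at all.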
Nikto

• Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/CGIs (scripts), outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received. (Wikipedia)
• Try running this against Web for Pentester 1. What parts of the output look the most interesting (vulnerable/exploitable) to you?
• Research some of the vulnerabilities (OSVDB-xxxx)
• Browse /files, /img
Class / Homework

• Keep trying WebGoat and Pentester SQLi exercises (1-7)
• It will be very frustrating but worth the struggle!
• Try using Nikto on other authorised websites (hackyourselffirst.troyhunt.com)
• Research some of the vulnerabilities and results from Nikto
• Read SQLi prevention cheat sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet