Author Topic: MySQL HTTP Header injection help  (Read 5678 times)
eyenit0
« on: September 01, 2010, 02:31:45 PM »

I've got an in-house web app (programmed by a freelancer) that I'm testing before pushing it into production and think I've found a SQL injection point, but can't really figure out how to exploit it.

It basically takes the HTTP User Agent header and adds it to a usrlog table. The syntax is like this:
INSERT INTO usrlog (useragent) VALUES ('Injection Point')

There's obviously no output on the page, so I can't use it to really enumerate anything like that, but none of the input is sanitized at all. I can throw all the single quotes at it that I want.
The only weird thing is that using -- to comment out the rest of the line doesn't seem to work. Isn't -- supposed to comment out the rest of the line?

I just wanted to know if there's anything that could be done with this kind of injection. If you have any ideas, please let me know.
ajohnson
« Reply #1 on: September 01, 2010, 05:42:14 PM »

How are you changing the values? Something like the User Agent Switcher add-on for Firefox?

When you do that, what shows up in the database? Maybe the developer is sanitizing input and has coded things properly.
« Last Edit: September 01, 2010, 05:44:39 PM by dynamik »

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Ketchup
« Reply #2 on: September 01, 2010, 06:08:59 PM »

I would say that at least you can pollute the log file with a bunch of junk, and possibly some sensitive data.  Is the usrlog table being displayed elsewhere?  You can inject an XSS vector. 

Are you using PHP?  mysql_query?

~~~~~~~~~~~~~~
Ketchup
eyenit0
« Reply #3 on: September 02, 2010, 12:22:21 AM »

Sorry, I should have included some of that info in the first post. My bad.
Yes, it's PHP and mysql_query. It's a typical LAMP setup.

I'm changing the value by intercepting the HTTP requests with Burp. I'm positive that things aren't getting sanitized by the PHP page because I have the general log turned on in MySQL and can see the full request that goes through to the database, and it's exactly how I send it. Whatever I enter is put into the database, granted I don't screw up the syntax of the query.

As far as I know, that table is not displayed anywhere else, but maybe I'm wrong. I will do some more searching and see if I can find any reference to it.
Thanks for the help.
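The logging pattern the thread describes, written as an added PHP example (it is not the freelancer's code from the post): the concatenating mysql_query form that produces exactly the query the poster sees in the general log, next to a PDO prepared-statement version that keeps the header out of the SQL text altogether. The table and column names come from the thread; the DSN, credentials, column width and function names are assumptions.

```php
<?php
// Added example, not the application code from the thread. Table and column
// names (usrlog, useragent) are from the post; everything else is assumed.

// Vulnerable form: the header is concatenated into the SQL text, so a single
// quote in User-Agent closes the string literal and whatever follows is parsed
// as SQL. This reproduces the query shape the poster sees in the general log.
// ext/mysql (mysql_query) is deprecated in PHP 5.5 and removed in PHP 7.
function log_user_agent_unsafe($link, $ua)
{
    $sql = "INSERT INTO usrlog (useragent) VALUES ('" . $ua . "')";
    return mysql_query($sql, $link);
}

// Hardened form: a prepared statement sends the SQL and the value separately,
// so the server never parses the header as SQL, whatever characters it holds.
// It also does not depend on magic_quotes or on escaping done elsewhere.
function log_user_agent_safe(PDO $db, $ua)
{
    // Keep the value within the column width (assumed VARCHAR(255)) so an
    // oversized header cannot make the insert fail and silently drop the log
    $ua = mb_substr($ua, 0, 255, 'UTF-8');
    $stmt = $db->prepare('INSERT INTO usrlog (useragent) VALUES (:ua)');
    return $stmt->execute(array(':ua' => $ua));
}

// Assumed DSN and credentials for the LAMP setup described in the thread
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares, not client-side escaping
));

$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
log_user_agent_safe($db, $ua);
```

With emulated prepares switched off, the value travels to MySQL as a bound parameter rather than being escaped into the query string on the client, which is the property that makes the poster's single quotes inert. Note that the hardened version still stores whatever the client sent; it only stops that text from being executed as SQL, so anything that later renders the table has to escape on output.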
MaXe
« Reply #4 on: September 02, 2010, 02:23:03 AM »

If you can locate the vulnerable piece of code and find any references to it, then it would be easier for you to exploit the web application and also for others to aid you in that process.

What you should be looking for is $_SERVER['HTTP_USER_AGENT'].

Use Grep if you're on Linux, and perhaps WinGrep if you're on Windows to search through all the files in the Web Application.

I'm an InterN0T'er
Ketchup
« Reply #5 on: September 02, 2010, 08:45:18 AM »

Well, I believe that mysql_query will essentially prevent you from running stacked queries.  So, adding a semicolon and another statement wouldn't work.  One thing is clear, you can insert anything you want into that table.   I think that you are back looking to see where that data is displayed.   You can then implement a CSRF / XSS vector.   The CSRF vector is especially nice since an admin would likely be reviewing the logs.

~~~~~~~~~~~~~~
Ketchup
MaXe
« Reply #6 on: September 02, 2010, 09:13:55 AM »

Well, I believe that mysql_query will essentially prevent you from running stacked queries.  So, adding a semicolon and another statement wouldn't work.  One thing is clear, you can insert anything you want into that table.   I think that you are back looking to see where that data is displayed.   You can then implement a CSRF / XSS vector.   The CSRF vector is especially nice since an admin would likely be reviewing the logs.

Correct, stacked queries do not work on PHP and MySQL implementations.

It is possible to pollute / poison the logs with CSRF and / or XSS vector attacks;
however, it is also possible to perform completely blind SQL injection if all aspects are known or can be predicted or enumerated.

In this case, one thing to check is e.g. is magic_quotes turned on?

Possible attack vectors include but are not limited to:
- Altering user and password credentials
- Uploading backdoors in PHP (this requires special permissions.)
- Loading system files and moving them into the "http" (html) directory. (requires special permissions too.)
- Adding new users with administrator privileges.
- Log Pollution / Poisoning as Ketchup said

I'm an InterN0T'er
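Ketchup's and MaXe's point that the stored rows become dangerous wherever they are displayed, as an added PHP example (not code from the thread or from the application): a review page for usrlog that escapes every value before it reaches HTML and flags rows carrying SQL or HTML metacharacters for a closer look. The table and column names are from the thread; the id column, the query and the sample rows are constructed.

```php
<?php
// Added example, not code from the thread. Table/column names are from the
// post; the id column, the query and the sample rows are constructed.

// True when a stored User-Agent carries characters a browser almost never
// sends: quotes, SQL comment openers, HTML tag delimiters. Semicolons and
// parentheses are deliberately not checked, since real UA strings contain them.
function looks_suspicious($ua)
{
    return (bool) preg_match('/[\'"]|--|\/\*|<|>/', $ua);
}

// Render one row for an admin page: escape BEFORE the value touches HTML, so a
// header such as <script>...</script> is shown as text, not executed in the
// reviewer's browser (the XSS / CSRF-in-logs case raised above).
function render_row($id, $ua)
{
    $attr = looks_suspicious($ua) ? ' class="suspect"' : '';
    return '<tr' . $attr . '><td>' . (int) $id . '</td><td>'
         . htmlspecialchars($ua, ENT_QUOTES, 'UTF-8') . '</td></tr>';
}

// Read the most recent rows with a bound limit (assumed id column)
function fetch_recent(PDO $db, $limit)
{
    $stmt = $db->prepare('SELECT id, useragent FROM usrlog ORDER BY id DESC LIMIT :n');
    $stmt->bindValue(':n', (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows standing in for fetch_recent($db, 100)
$rows = array(
    array('id' => 3, 'useragent' => '<script>alert(1)</script>'),
    array('id' => 2, 'useragent' => "Mozilla/5.0 ' OR 1=1"),
    array('id' => 1, 'useragent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6'),
);

echo "<table>\n";
foreach ($rows as $r) {
    echo render_row($r['id'], $r['useragent']), "\n";
}
echo "</table>\n";
```

Flagging is a review aid, not a filter: every row is stored and shown either way, only escaped, because the aim is to keep the reviewer's browser safe rather than to hide what the client sent. Rows 3 and 2 of the constructed sample come out with the suspect class; row 1 does not, even though it contains a semicolon.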
eyenit0
« Reply #7 on: September 02, 2010, 10:12:46 AM »

Hmm, thanks for the input, I have a lot of thinking to do.
For the record magic_quotes is set to ON in php.ini.

I'll search more and see if I can find if that text is displayed anywhere, although right now I'm not finding anything.

Is it possible to alter other tables by injecting into that INSERT query? I know I should be able to inject into columns in the usrlog table, but could I edit something like say...the users table? I know I can't stack the queries because of mysql_query, but didn't know if there's another way.

I'll keep fooling around with it.
© 2013 The Ethical Hacker Network