HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 97 guests and 1 member online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Web Applicationsarrow MySQL HTTP Header injection help
EH-Net
May 23, 2013, 10:04:11 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: MySQL HTTP Header injection help  (Read 5683 times)
0 Members and 1 Guest are viewing this topic.
eyenit0
Jr. Member
**
Offline Offline

Posts: 51


View Profile
« on: September 01, 2010, 02:31:45 PM »
I've got an in house web app(programmed by a freelancer) that I'm testing before pushing it into production and think I've found a SQL injection point, but can't really figure out how to exploit it.

It basically takes the HTTP User Agent header and adds it to a usrlog table. The syntax is like this:
INSERT INTO usrlog (useragent) VALUES ('Injection Point')

There's obviously no output on the page, so I cant use it to really enumerate anything like that, but none of the input is santitized at all. I can throw all the single quotes at it that I want.
The only weird thing is that using -- to comment out the rest of the line doesn't seem to work. Isn't -- supposed to comment out the rest of  line?

I just wanted to know if there's anything that could be done with this kind of injection. If you have any ideas, please let me know.
Logged
ajohnson
Recruiters
Hero Member
*
Offline Offline

Posts: 1057


aka dynamik


View Profile WWW
« Reply #1 on: September 01, 2010, 05:42:14 PM »
How are you changing the values? Something like the User Agent Switcher add-on for Firefox?

When you do that, what shows up in the database? Maybe the developer is sanitizing input and has coded things properly.
« Last Edit: September 01, 2010, 05:44:39 PM by dynamik » Logged
WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #2 on: September 01, 2010, 06:08:59 PM »
I would say that at least you can pollute the log file with a bunch of junk, and possibly some sensitive data.  Is the usrlog table being displayed elsewhere?  You can inject an XSS vector. 

Are you using PHP?  mysql_query?
Logged
~~~~~~~~~~~~~~
Ketchup
eyenit0
Jr. Member
**
Offline Offline

Posts: 51


View Profile
« Reply #3 on: September 02, 2010, 12:22:21 AM »
Sorry, I should have included some of that info in the first post. My bad.
Yes it's PHP and mysql_query. It's a typical LAMP setup.

I'm changing the value by intercepting the http requests with Burp. I'm positive that things aren't getting sanitized from the PHP page because I have the general log turned on in MySQL and can see the full request that goes through to the database and it's exactly how I send it. Whatever I enter is put into the database, granted I don't screw up the syntax of the query.

As far as I know, that table is not displayed anywhere else, but maybe I'm wrong. I will do some more searching and see if I can find any reference to it.
Thanks for the help.
Logged
MaXe
Hero Member
*****
Offline Offline

Posts: 669


I've just upgraded myself to a cyborg muahahaa!!1


View Profile WWW
« Reply #4 on: September 02, 2010, 02:23:03 AM »
If you can locate the vulnerable piece of code and find any references to it, then it would be easier for you to exploit the web application and also for others to aid you in that process.

What you should be looking for is $_SERVER['HTTP_USER_AGENT'].

Use Grep if you're on Linux, and perhaps WinGrep if you're on Windows to search through all the files in the Web Application.
Logged
I'm an InterN0T'er
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #5 on: September 02, 2010, 08:45:18 AM »
Well, I believe that mysql_query will essentially prevent you from running stacked queries.  So, adding a semicolon and another statement wouldn't work.  One thing is clear, you can insert anything you want into that table.   I think that you are back looking to see where that data is displayed.   You can then implement a CSRF / XSS vector.   The CSRF vector is especially nice since an admin would likely be reviewing the logs.
Logged
~~~~~~~~~~~~~~
Ketchup
MaXe
Hero Member
*****
Offline Offline

Posts: 669


I've just upgraded myself to a cyborg muahahaa!!1


View Profile WWW
« Reply #6 on: September 02, 2010, 09:13:55 AM »
Quote from: Ketchup on September 02, 2010, 08:45:18 AM
Well, I believe that mysql_query will essentially prevent you from running stacked queries.  So, adding a semicolon and another statement wouldn't work.  One thing is clear, you can insert anything you want into that table.   I think that you are back looking to see where that data is displayed.   You can then implement a CSRF / XSS vector.   The CSRF vector is especially nice since an admin would likely be reviewing the logs.

Correct, stacked queries does not work on PHP and MySQL implementations  Wink

It is possible to pollute / poison the logs with CSRF and / or XSS vector attacks,
however it is also possible to perform completely blind sql injection if all aspects are known or possible to be predicted or enumerated.

In this case, one thing to check is e.g. is magic_quotes turned on?

Possible attack vectors include but are not limited to:
- Altering user and password credentials
- Uploading backdoors in PHP (this requires special permissions.)
- Loading system files and moving them into the "http" (html) directory. (requires special permissions too.)
- Adding new users with administrator privileges.
- Log Pollution / Poisoning as Ketchup said  Wink
Logged
I'm an InterN0T'er
eyenit0
Jr. Member
**
Offline Offline

Posts: 51


View Profile
« Reply #7 on: September 02, 2010, 10:12:46 AM »
Hmm, thanks for the input, I have a lot of thinking to do.
For the record magic_quotes is set to ON in php.ini.

I'll search more and see if I can find if that text is displayed anywhere, although right now I'm not finding anything.

Is it possible to alter other tables by injecting into that INSERT query? I know I should be able to inject into columns in the usrlog table, but could I edit something like say...the users table? I know I can't stack the queries because of mysql_query, but didn't know if there's another way.

I'll keep fooling around with it.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.092 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.