MySQL HTTP Header injection help

    • #5534
      eyenit0
      Participant

      I’ve got an in-house web app (programmed by a freelancer) that I’m testing before pushing it into production, and I think I’ve found a SQL injection point, but can’t really figure out how to exploit it.

      It basically takes the HTTP User Agent header and adds it to a usrlog table. The syntax is like this:
      INSERT INTO usrlog (useragent) VALUES ('Injection Point')

      There’s obviously no output on the page, so I can’t use it to really enumerate anything like that, but none of the input is sanitized at all. I can throw all the single quotes at it that I want.
      The only weird thing is that using -- to comment out the rest of the line doesn’t seem to work. Isn’t -- supposed to comment out the rest of the line?

      I just wanted to know if there’s anything that could be done with this kind of injection. If you have any ideas, please let me know.

    • #34942
      dynamik
      Participant

      How are you changing the values? Something like the User Agent Switcher add-on for Firefox?

      When you do that, what shows up in the database? Maybe the developer is sanitizing input and has coded things properly.

    • #34943
      Ketchup
      Participant

      I would say that at least you can pollute the log file with a bunch of junk, and possibly some sensitive data. Is the usrlog table being displayed elsewhere? You can inject an XSS vector.

      Are you using PHP? mysql_query?

    • #34944
      eyenit0
      Participant

      Sorry, I should have included some of that info in the first post. My bad.
      Yes it’s PHP and mysql_query. It’s a typical LAMP setup.

      I’m changing the value by intercepting the http requests with Burp. I’m positive that things aren’t getting sanitized from the PHP page because I have the general log turned on in MySQL and can see the full request that goes through to the database and it’s exactly how I send it. Whatever I enter is put into the database, granted I don’t screw up the syntax of the query.

      As far as I know, that table is not displayed anywhere else, but maybe I’m wrong. I will do some more searching and see if I can find any reference to it.
      Thanks for the help.
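The pattern eyenit0 describes (the raw User-Agent header concatenated into an INSERT and sent through mysql_query) next to a hardened form that binds the header as a parameter. This is an added example, not the freelancer's code; table and column names follow the thread, and the connection details are placeholders.

```php
<?php
// Vulnerable pattern as described in the thread (legacy PHP 5 / mysql_* API).
// The header value is spliced straight into the SQL string, so any quote or
// comment token in it becomes part of the statement.
function log_user_agent_vulnerable($link) {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // magic_quotes is not a defence here: it was deprecated in PHP 5.3 and removed in 5.4.
    $sql = "INSERT INTO usrlog (useragent) VALUES ('" . $ua . "')";
    return mysql_query($sql, $link);
}

// Hardened version: a prepared statement sends the SQL text and the value
// separately, so quotes, comment markers and semicolons in $ua stay data.
function log_user_agent_safe(mysqli $db, string $ua): bool {
    $stmt = $db->prepare('INSERT INTO usrlog (useragent) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    // Cap the length to the column width you actually expect, so an oversized
    // header cannot bloat the log or trigger a truncation error.
    $ua = mb_substr($ua, 0, 255);
    $stmt->bind_param('s', $ua);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with placeholder connection parameters (assumed, not from the thread).
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
$db->set_charset('utf8mb4');
log_user_agent_safe($db, $_SERVER['HTTP_USER_AGENT'] ?? '');
```

With the parameterised version, the MySQL general log still shows the literal header value, but it arrives as a bound parameter rather than as part of the statement text.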

    • #34945
      MaXe
      Participant

      If you can locate the vulnerable piece of code and find any references to it, then it would be easier for you to exploit the web application and also for others to aid you in that process.

      What you should be looking for is $_SERVER.

      Use Grep if you’re on Linux, and perhaps WinGrep if you’re on Windows to search through all the files in the Web Application.

    • #34946
      Ketchup
      Participant

      Well, I believe that mysql_query will essentially prevent you from running stacked queries. So, adding a semicolon and another statement wouldn’t work. One thing is clear: you can insert anything you want into that table. I think that you are back looking to see where that data is displayed. You can then implement a CSRF / XSS vector. The CSRF vector is especially nice since an admin would likely be reviewing the logs.

    • #34947
      MaXe
      Participant

      @Ketchup wrote:

      Well, I believe that mysql_query will essentially prevent you from running stacked queries. So, adding a semicolon and another statement wouldn’t work. One thing is clear: you can insert anything you want into that table. I think that you are back looking to see where that data is displayed. You can then implement a CSRF / XSS vector. The CSRF vector is especially nice since an admin would likely be reviewing the logs.

      Correct, stacked queries do not work on PHP and MySQL implementations 😉

      It is possible to pollute / poison the logs with CSRF and / or XSS vector attacks; however, it is also possible to perform completely blind SQL injection if all aspects are known, or can be predicted or enumerated.

      In this case, one thing to check is, e.g., whether magic_quotes is turned on.

      Possible attack vectors include but are not limited to:
      – Altering user and password credentials
      – Uploading backdoors in PHP (this requires special permissions).
      – Loading system files and moving them into the “http” (html) directory (requires special permissions too).
      – Adding new users with administrator privileges.
      – Log Pollution / Poisoning as Ketchup said  😉

    • #34948
      eyenit0
      Participant

      Hmm, thanks for the input, I have a lot of thinking to do.
      For the record, magic_quotes is set to ON in php.ini.

      I’ll search more and see if I can find if that text is displayed anywhere, although right now I’m not finding anything.

      Is it possible to alter other tables by injecting into that INSERT query? I know I should be able to inject into columns in the usrlog table, but could I edit something like say…the users table? I know I can’t stack the queries because of mysql_query, but didn’t know if there’s another way.

      I’ll keep fooling around with it.
