MySQL HTTP Header injection help

<<

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed Sep 01, 2010 2:31 pm

MySQL HTTP Header injection help

I've got an in-house web app (programmed by a freelancer) that I'm testing before pushing it into production and think I've found a SQL injection point, but can't really figure out how to exploit it.

It basically takes the HTTP User Agent header and adds it to a usrlog table. The syntax is like this:
INSERT INTO usrlog (useragent) VALUES ('Injection Point')

There's obviously no output on the page, so I can't use it to really enumerate anything like that, but none of the input is sanitized at all. I can throw all the single quotes at it that I want.
The only weird thing is that using -- to comment out the rest of the line doesn't seem to work. Isn't -- supposed to comment out the rest of the line?

I just wanted to know if there's anything that could be done with this kind of injection. If you have any ideas, please let me know.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Sep 01, 2010 5:42 pm

Re: MySQL HTTP Header injection help

How are you changing the values? Something like the User Agent Switcher add-on for Firefox?

When you do that, what shows up in the database? Maybe the developer is sanitizing input and has coded things properly.
Last edited by dynamik on Wed Sep 01, 2010 5:44 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Sep 01, 2010 6:08 pm

Re: MySQL HTTP Header injection help

I would say that at least you can pollute the log file with a bunch of junk, and possibly some sensitive data.  Is the usrlog table being displayed elsewhere?  You can inject an XSS vector. 

Are you using PHP?  mysql_query?
~~~~~~~~~~~~~~
Ketchup
<<

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu Sep 02, 2010 12:22 am

Re: MySQL HTTP Header injection help

Sorry, I should have included some of that info in the first post. My bad.
Yes it's PHP and mysql_query. It's a typical LAMP setup.

I'm changing the value by intercepting the HTTP requests with Burp. I'm positive that things aren't getting sanitized from the PHP page because I have the general log turned on in MySQL and can see the full request that goes through to the database and it's exactly how I send it. Whatever I enter is put into the database, granted I don't screw up the syntax of the query.

As far as I know, that table is not displayed anywhere else, but maybe I'm wrong. I will do some more searching and see if I can find any reference to it.
Thanks for the help.
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Sep 02, 2010 2:23 am

Re: MySQL HTTP Header injection help

If you can locate the vulnerable piece of code and find any references to it, then it would be easier for you to exploit the web application and also for others to aid you in that process.

What you should be looking for is $_SERVER['HTTP_USER_AGENT'].

Use Grep if you're on Linux, and perhaps WinGrep if you're on Windows to search through all the files in the Web Application.
I'm an InterN0T'er
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Sep 02, 2010 8:45 am

Re: MySQL HTTP Header injection help

Well, I believe that mysql_query will essentially prevent you from running stacked queries.  So, adding a semicolon and another statement wouldn't work.  One thing is clear, you can insert anything you want into that table.  I think that you are back looking to see where that data is displayed.  You can then implement a CSRF / XSS vector.  The CSRF vector is especially nice since an admin would likely be reviewing the logs.
~~~~~~~~~~~~~~
Ketchup
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Sep 02, 2010 9:13 am

Re: MySQL HTTP Header injection help

Ketchup wrote: Well, I believe that mysql_query will essentially prevent you from running stacked queries. So, adding a semicolon and another statement wouldn't work. One thing is clear, you can insert anything you want into that table. I think that you are back looking to see where that data is displayed. You can then implement a CSRF / XSS vector. The CSRF vector is especially nice since an admin would likely be reviewing the logs.


Correct, stacked queries do not work on PHP and MySQL implementations ;)

It is possible to pollute / poison the logs with CSRF and / or XSS vector attacks,
however it is also possible to perform completely blind SQL injection if all aspects are known or possible to be predicted or enumerated.

In this case, one thing to check is, e.g.: is magic_quotes turned on?

Possible attack vectors include but are not limited to:
- Altering user and password credentials
- Uploading backdoors in PHP (this requires special permissions.)
- Loading system files and moving them into the "http" (html) directory. (requires special permissions too.)
- Adding new users with administrator privileges.
- Log Pollution / Poisoning as Ketchup said  ;)
I'm an InterN0T'er
<<

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu Sep 02, 2010 10:12 am

Re: MySQL HTTP Header injection help

Hmm, thanks for the input, I have a lot of thinking to do.
For the record magic_quotes is set to ON in php.ini.

I'll search more and see if I can find if that text is displayed anywhere, although right now I'm not finding anything.

Is it possible to alter other tables by injecting into that INSERT query? I know I should be able to inject into columns in the usrlog table, but could I edit something like say...the users table? I know I can't stack the queries because of mysql_query, but didn't know if there's another way.

I'll keep fooling around with it.
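
The fix for what this thread describes, as an added example (not the application's code and not written by any of the posters): the concatenated INSERT beside a PDO prepared statement, plus HTML-encoding at the point where the usrlog table is displayed. The usrlog and useragent names are from the thread; the function names, the sample header values and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Table and column names (usrlog, useragent) come from the thread; the function
// names and the in-memory SQLite DSN are assumptions so the script runs offline.

// Pattern described in the thread: the header value is concatenated into the SQL text.
function build_insert_unsafe(string $ua): string
{
    return "INSERT INTO usrlog (useragent) VALUES ('" . $ua . "')";
}

// Hardened write path: the value travels as a bound parameter, never as SQL text.
function log_user_agent(PDO $db, string $ua): void
{
    // Log hygiene: drop control characters and cap the stored length.
    $ua = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '', 0, 255);
    $stmt = $db->prepare('INSERT INTO usrlog (useragent) VALUES (:ua)');
    $stmt->execute([':ua' => $ua]);
}

// Hardened log viewer: encode on output so stored markup is displayed as text.
function render_log_rows(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT useragent FROM usrlog') as $row) {
        $html .= '<li>' . htmlspecialchars($row['useragent'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');   // assumption: stands in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usrlog (useragent TEXT)');

// Constructed sample values; the real app would read $_SERVER['HTTP_USER_AGENT'].
$samples = [
    'Mozilla/5.0 (X11; Linux x86_64)',
    "O'Neil Browser/1.0 <b>bold</b>",
];
foreach ($samples as $ua) {
    echo build_insert_unsafe($ua), "\n";   // the quote in sample 2 changes the statement
    log_user_agent($db, $ua);              // stored verbatim as data
}
echo $db->query('SELECT COUNT(*) FROM usrlog')->fetchColumn(), " rows stored\n";
echo render_log_rows($db);
```

Against MySQL only the DSN passed to `new PDO(...)` changes; both value handling and output encoding stay the same.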
