22 Dec 2023
SQL injection: Inject the Halls with EXEC Queries
Typical SQL queries include:
SELECT options FROM table WHERE value = x
INSERT INTO target_table (comma, separated, columns) VALUES (comma, separated, values)
PHP is a server-side scripting language that allows performing server-side tasks like connecting to and querying DBs, and dynamically generating web content.
One classic injection payload is ' OR 1=1 --.
OR appends a second condition to the query.
1=1 is an equality check that will always evaluate as true.
-- is a SQL comment that tells the DB server to ignore everything after it, nullifying the rest of the query and causing the server to ignore any additional conditions or syntax.
So manipulating a query that would normally be
SELECT * FROM [table_name] WHERE color = '[color]'
into
SELECT * FROM [table_name] WHERE color = '' OR 1=1 --'
results in the WHERE condition being true for every row in the table, possibly revealing information that shouldn't be revealed.
Risks of the OR 1=1 payload include not knowing how far the scope or context of the query extends. Some applications build further queries off the initial request. Injecting it into a query that updates user information would update every user, causing significant unwanted data loss during a pentest. It is safer to use a query with a known good target like bob' AND 1=1 --, which would affect only Bob's row, or bob' AND 1=2 --, which would demonstrate the injection without causing any damage.
Queries can also be stacked as an injection attack. Stacked queries allow terminating the expected query and following it with other SQL statements. A semicolon signifies one statement's end and the start of another, allowing execution of multiple statements through a single interaction. Not all database management systems support stacked queries, and some require different syntax, so enumeration is needed to know what the target requires.
SELECT * FROM [table_name] WHERE color = '' ; INSERT INTO [table_name] (comma, separated, columns) VALUES (comma, separated, values); --'
allows insertion of malicious data into a table.
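The three behaviours described above (the ' OR 1=1 -- payload matching every row, the bob' AND 1=2 -- style known-target check, and a stacked-query attempt being accepted or rejected by the DBMS) can be reproduced against a throwaway in-memory database. This is an added example, not code from the room or the THM author; it uses Python's sqlite3 module standing in for the room's PHP/MSSQL stack, and the products table and its rows are constructed here. The parameterised search_safe shows the fix the page's closing section is about to recommend: bound parameters are never parsed as SQL, so the same payload just fails to match any colour.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory table playing the role of [table_name]."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, color TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, color) VALUES (?, ?)",
        [("scarf", "red"), ("hat", "green"), ("gloves", "blue")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, color: str) -> list:
    """Vulnerable pattern: user input is concatenated into the SQL text.

    With color = "' OR 1=1 --" the statement becomes
    SELECT ... WHERE color = '' OR 1=1 --'  and every row matches.
    """
    sql = f"SELECT id, name, color FROM products WHERE color = '{color}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, color: str) -> list:
    """Hardened pattern: a parameterised query.

    The input is bound as a value, so the quote, OR and -- inside it are
    compared literally against the color column rather than parsed as SQL.
    """
    sql = "SELECT id, name, color FROM products WHERE color = ?"
    return conn.execute(sql, (color,)).fetchall()


def stacked_query_accepted(conn: sqlite3.Connection, payload: str) -> bool:
    """Does the DBMS driver run a second, semicolon-separated statement?

    SQLite's execute() refuses to run more than one statement at a time,
    which is the page's point that stacked queries depend on the DBMS.
    (Older Python versions raise sqlite3.Warning, newer ones ProgrammingError.)
    """
    try:
        search_vulnerable(conn, payload)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


if __name__ == "__main__":
    db = build_db()
    print("OR 1=1 payload, vulnerable:", search_vulnerable(db, "' OR 1=1 --"))
    print("OR 1=1 payload, parameterised:", search_safe(db, "' OR 1=1 --"))
    print("known-target AND 1=2:", search_vulnerable(db, "red' AND 1=2 --"))
    print("known-target AND 1=1:", search_vulnerable(db, "red' AND 1=1 --"))
    stacked = "'; INSERT INTO products (name, color) VALUES ('evil', 'black'); --"
    print("stacked query accepted by sqlite3:", stacked_query_accepted(db, stacked))
```

The AND 1=1 / AND 1=2 pair is the safer test the page recommends: the two inputs differ only in a condition that is always true or always false, so a difference in the result proves the input is being parsed as SQL while touching only the targeted row.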
Stacked queries can also be used to call stored procedures or functions, like MSSQL's xp_cmdshell. This can allow running OS commands and achieving RCE.
xp_cmdshell allows executing OS commands and programs from within SQL Server. It is disabled by default, and it is recommended to leave it disabled on production servers. Misconfigurations and legacy application requirements might cause it to be enabled in the wild. xp_cmdshell can be manually enabled through EXEC queries if a user has the sysadmin role or has ALTER SETTINGS server-level permissions. These situations shouldn't occur, but they are not uncommon misconfigurations. To enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
RECONFIGURE applies the change to the running configuration.
A good RCE PoC is attempting to run certutil.exe on the target machine, because it's a native Windows CLI program installed as part of Certificate Services.
Test for SQL injection, force a way to RCE and a reverse shell, restore the site, and grab the flags along the way.
The process involved really should be recorded so I can step my way through it again later. Hopefully I'll remember to come back and add the procedure later.
Lesson Learned? room and Software Security module.
To protect from SQL injection attacks consider the following straight from the THM author: