I have always been interested in testing the security of Government websites. This is my first real-world experience in INFOSEC I found SQL Injection vulnerability on a Government website that was a little difficult to detect and exploit. Due to security reasons, I cannot reveal the details of the target website.
What is SQL Injection?
SQL Injection is a technique that misuses security holes in the database layer of an application. This gap occurs when the input from the user is not filtered correctly, for example, the username column should only be filled with letters or numbers but instead filled with other characters (such as: — = ‘) so that the attacker uses the gap by entering queries from SQL. SQL Injection has always been the most favorite attack technique for hackers. Many web programmers who are still not “aware” of it.
Let’s start the GAME : )
Subdomain Enumeration
A few days ago I choose a target as kerala.gov.in for bug hunting. As always I started recon on the website and find 1100+ subdomains. During the subdomain enumeration, I used my own tool.
I randomly selected a subdomain of kerala.gov.in from the huge list for testing.
Testing input validation
I always looking to identify SQLi on website. So I need to list out all database contacting functionalities of the website. During the manual enumeration, I saw a search box on the home page of the website. Then I decided to check input validation of search functionality.
Target : http://[REDACTED].kerala.gov.in/search.php?q=abc
Testing Error-based SQLi
Error-based SQL injection attack is an In-band injection technique where we utilize the error output from the database to manipulate the data inside the database.
PAYLOADS=> [‘],[“],[`],[;]
The first step is to break out SQL query statements. Put single-quote(‘), double-quote(“), backtick(`) or semi-colon(;)in the search input fields to interfere with the existing query. And lookout for any error-messages or misbehavior in the application.
http://[REDACTED].kerala.gov.in/search.php?q=abc’ ===> No error http://[REDACTED].kerala.gov.in/search.php?q=abc” ===> No error http://[REDACTED].kerala.gov.in/search.php?q=abc` ===> No error http://[REDACTED].kerala.gov.in/search.php?q=abc; ===> No error
Unfortunately server responding without any error-messages or misbehavior. So I move to test time-based SQLi.
Testing Time-based SQLi
Most databases support the SLEEP() function. A function that pauses the execution of the query for a certain amount of seconds. We can use this to exfiltrate data by measuring the time it takes for the server to send a reply back.
Identify the Actual PAYLOAD by using Burp Suite
Whenever we can automate stuff, we should try to automate it. I instruct the Burp Suite Intruder to use payloads and replace the §abc§ part with characters from a predefined list (consisting of all the Time-based payloads).
After I run the attack I sort on the Response completed column, this one shows the time it took for every payload to return a server response. The following request will make the database sleep for around 20 seconds.
Now that I have got the vulnerable response (time delay) from the server and I confirm that the target is vulnerable to Time-based SQL Injection.
Identify available databases by using with SQLMap
A great tool that helps you discover and exploit SQL injection bugs is SQLMap. It can return you proof of concepts payloads and it’s even possible to make full dumps of the target database.
Save the suspected vulnerable request in a text file and run SQLMap: use -r to load your file, use -p to specify the parameter you want to test and use --dbs to show available databases names.
After 10 minutes I have got available database names.
Impact
An attacker could use this vulnerability to control the content in the database, exfiltrate information, and potentially obtain remote code execution.
HOPE YOU LIKE IT :)
