
SQL Injection – Payload Two – Part 4

As explained in the previous post, we can use a single quote (i.e. ') to guess whether the input fields in the application are vulnerable to SQL Injection. Once the input fields are found to be vulnerable using the single quote (i.e. ') payload, we can move on to more advanced payloads to access or control the data stored in the application's database. In this post, I will demonstrate entering an advanced payload into the input field which makes the dynamic query behind the input field always true.

Pre-requisites: Go through the below pre-requisites which are required for understanding this post.

Caution: Look into the following steps before testing the application for SQL Injections:
  • Don’t try the following example on other websites.
  • Only perform these payloads on applications which are open for Penetration testing.
  • If you perform Penetration testing on an application without a written statement from its owner, you may face legal problems, face the cyber police and even go to jail.

Payload Two: Follow the below steps to simulate the payload as an attacker on the bWAPP application which is open for Penetration Testing:

Enter test' or 1=1-- into the input fields to modify their dynamically generated SQL queries into a malicious SQL query. More information on this payload will be provided at the end of this post.


Case One: Enter test' or 1=1-- into the input fields available on the bWAPP application.

Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox Browser using the URL http://localhost:8080/bwapp/login.php as shown below:

Security Testing – Demo Hosted Application – bWAPP

Step#2 – Log in to the application by entering bee into the Login field and bug into the Password field and click on the Login button as shown below:

Security Testing – bWAPP application – Login Details

Step#3 – Once the user is logged in, select the SQL Injection (GET/SEARCH) option from the ‘Choose your bug’ drop-down field and click on the ‘Hack’ button as shown below:

Step#4 – In the displayed ‘SQL Injection (GET/SEARCH)’ screen, enter the payload test' or 1=1-- into the ‘Search for a movie:’ text box field and click on the ‘Search’ button as shown below:

Security Testing – bWAPP – Second Payload

Note: In some cases, you need to give a space after the -- in the payload.

Step#5 – Observe that the complete movie list is retrieved and displayed as shown below:

Security Testing – bWAPP – Movies Search list

Note: If the payload given in Step#4 is not working, just add a single space after the payload to make it work.

Understanding this payload in detail: In the above Step#4, where the user enters the payload test' or 1=1-- into the ‘Search for a movie’ text box field and clicks on the ‘Search’ button, a SQL query will be dynamically generated as below:

  • Select * from movies where title Like 'test' or 1=1-- '
 
The above dynamically generated SQL query results from the below tasks:
 
  • The single quote ' in the payload closes the string literal and concatenates the remaining or 1=1-- with the dynamically generated SQL query Select * from movies where title Like 'test' to form Select * from movies where title Like 'test' or 1=1-- '
  • or is the boolean operator (i.e. true or false = true, false or true = true, true or true = true, false or false = false).
  • test is some random text which is not in the movies list. Hence test is false.
  • 1=1 is always true.
  • -- is a comment in SQL. So everything which comes after -- will be commented out and won’t be executed.
  • Hence test' or 1=1-- evaluates to true (i.e. false or true results in true).
  • So the dynamically generated SQL query will be treated as Select * from movies where title Like 'test' or true --
  • Hence the final processed query will be Select * from movies where title like true
  • Since the above query is always true, all the movie names in the database will be retrieved, as shown in the above screenshot of Step#5.

This same payload test' or 1=1--, when entered into the Username field of another application, say www.demo.testfire.net, will result in admin access by bypassing the authentication of the login functionality. Let me demonstrate this in Case Two below.


Case Two: Follow the below steps to simulate the payload as an attacker on the www.demo.testfire.net application which is open for Penetration Testing:

Enter test' or 1=1-- into the Username input field available on the www.demo.testfire.net application so that the payload is processed by the Application Server and its SQL interpreter, which gives access to the Application DB. In this Case Two example, we use the same payload as in Case One to gain admin user access.

Step#1 – Once the above-specified pre-requisites are ready, open the demo application in the Firefox Browser using the URL www.demo.testfire.net and click on the ‘Sign In’ option as shown in the below screenshot:

Security Testing – TestFire application for Demo

Step#2 – Enter the payload test' or 1=1-- into the Username input field and any invalid password, say xyzabcd, into the password field and click on the ‘Login’ button as shown below:

Security Testing – TestFire Demo Application – Login Screen
Step#3 – Observe that the authentication is bypassed and admin access is gained as shown below:

Security Testing – TestFire Demo Application – Bypassing Admin Access

Though the payload used in the Case One and Case Two examples is the same, the result the attacker gets from executing it is different: in Case One the attacker retrieved all the movie names in the database, whereas in Case Two the attacker gained admin access. This happens because different input fields in an application generate different dynamic SQL queries based on the purpose of the input field.

Understanding the Case Two payload in detail: In the above Step#2, where the user enters the payload test' or 1=1-- into the ‘Username’ text box field, enters any invalid/wrong password into the password field and clicks on the ‘Login’ button, a SQL query will be dynamically generated as below:

  • Select * from Users where username='test' or 1=1-- ' and password='xyzabcd'
 
The above dynamically generated SQL query results from the below tasks:
 
  • The single quote ' in the payload closes the string literal and concatenates the remaining or 1=1-- with the dynamically generated SQL query Select * from Users where username='test' and password='xyzabcd' to form Select * from Users where username='test' or 1=1-- ' and password='xyzabcd'
  • or is the boolean operator (i.e. true or false = true, false or true = true, true or true = true, false or false = false).
  • test is some random text which is not in the usernames list. Hence test is false.
  • 1=1 is always true.
  • Hence test' or 1=1-- evaluates to true (i.e. false or true results in true).
  • So the dynamically generated SQL query will be treated as Select * from Users where username=true -- and password='xyzabcd'
  • -- is a comment in SQL. So everything which comes after -- will be commented out and won’t be executed, i.e. and password='xyzabcd' in the above query won’t be executed.
  • So the dynamically generated SQL query will be executed as Select * from Users where username=true
  • Hence the final processed query will be Select * from Users where username=true
  • Since the above query is always true, the first user record in the database (i.e. in most cases the admin record) will be returned and hence the attacker gains admin access as shown in this example.
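
As an added example (not the author's code), the two dynamic queries discussed in Case One and Case Two are reproduced against a constructed in-memory SQLite database, each beside a parameterized version in which the same input is bound as data rather than pasted into the SQL text. Table and column names follow the queries above; the rows and the `fresh_db` helper are made up for the example.

```python
import sqlite3

# Constructed sample data standing in for the bWAPP "movies" table and the
# "Users" table of the login example; names follow the queries above, rows are made up.
MOVIES = ["Iron Man", "The Matrix", "World War Z"]
USERS = [("admin", "s3cret"), ("bee", "bug")]

# The payload from the post. The trailing space matters on MySQL, which only
# treats "--" as a comment when whitespace follows it (hence the notes above).
PAYLOAD = "test' or 1=1-- "


def fresh_db():
    """Build a throw-away in-memory database for each call (hypothetical helper)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (title TEXT)")
    con.executemany("INSERT INTO movies VALUES (?)", [(m,) for m in MOVIES])
    con.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return con


def search_vulnerable(title):
    """Case One: the search term is pasted into the SQL text, so the quote in
    the payload closes the literal and 'or 1=1' widens the WHERE clause."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%'"
    return sorted(r[0] for r in fresh_db().execute(sql))


def search_safe(title):
    """Same search with a bound parameter: the payload is matched as a literal
    title and therefore finds nothing."""
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return sorted(r[0] for r in fresh_db().execute(sql, ("%" + title + "%",)))


def login_vulnerable(username, password):
    """Case Two: '-- ' comments out the password check, so the query degrades
    to username='test' or 1=1 and the first stored user is returned."""
    sql = ("SELECT username FROM Users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = fresh_db().execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Parameterized login: a wrong password fails whatever the username text is."""
    sql = "SELECT username FROM Users WHERE username=? AND password=?"
    row = fresh_db().execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

Running `search_vulnerable(PAYLOAD)` returns every title while `search_safe(PAYLOAD)` returns none; `login_vulnerable(PAYLOAD, "xyzabcd")` yields the first user (admin) while `login_safe` with the same input yields nothing.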
It’s not always required to enter the payloads into the input fields of the application; we can also achieve the same results by entering these payloads into the application URL while submitting the input fields. The below Case Three example demonstrates how to do this:


Case Three: Entering the payload test' or 1=1-- into the URL of the bWAPP application

Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox Browser using the URL http://localhost:8080/bwapp/login.php as shown below:

Step#2 – Log in to the application by entering bee into the Login field and bug into the Password field and click on the Login button as shown below:

Step#3 – Once the user is logged in, select the SQL Injection (GET/SEARCH) option from the ‘Choose your bug’ drop-down field and click on the ‘Hack’ button as shown below:

Step#4 – In the displayed ‘SQL Injection (GET/SEARCH)’ screen, enter a non-existing movie title, say test, into the ‘Search for a movie:’ text box field and click on the ‘Search’ button as shown below:

Security Testing – bWAPP Demo Application – SQL Injection (GET/SEARCH)

Step#5 – Observe that ‘No movies were found!’ is displayed as the search result and also observe the searched text test in the URL of the application as shown below:

Step#6 – Now update the title text test in the URL to test' or 1=1-- and then browse the updated URL as shown below:

Note: If the payload updated in the URL is not working, then provide a space between -- and the & symbol in the URL as shown above.

Step#7 – Observe that the complete movie list is retrieved and displayed as shown below:


Conclusion: Using the payload explained in this post, we can access the complete data from the database or bypass the login to gain admin access to the application. In most cases we enter this payload into the input fields of the application, and in a few cases we can also enter the payload into the URL of the application. As there is a huge list of payloads to be demonstrated, I will be demonstrating them in the upcoming posts.

Please leave your questions/comments/feedback below.

Happy Learning 🙂

Arun Motoori (www.QAFox.com)
