Did you know that you can navigate the posts by swiping left and right?

Stealing passwords with SQL Injections

22 Apr 2017 . category: tech . Comments
#redteam #kali #dvwa

In this post we’ll use DVWA as usually, in order to access its user passwords using SQL injections. SQL injections are similar to XSS and command injection attacks, in the way that user input is not sanitized and it ends up manipulating the vulnerable application.

Let’s navigate to the SQL Injection section of DVWA and look at its source:

sqli

As you can see the web app queries the users table, for a given ID value, which is provided by the user and is not sanitized. Then the results are being iterated and returned to the client.

First let’s use the web app to query for user the id 1:

sqli

Now let’s inject a condition that will always be true, in order to read all the tuples from the users table:


' OR ''='

sqli

That’s a start, we know that the web app is vulnerable, but the data we got back is not that interesting. We are able enumerate manually the id and get the same results back anyway, so this is not data that we’re not authorized to access. So, how can we access other columns other than the first and the last name?

Let’s try to append a SQL query after the web app’s query:


'; SELECT password FROM users WHERE user_id = '1

Well, that didn’t quite work:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘SELECT password FROM users WHERE user_id = ‘1’’ at line 1

The reason it didn’t work is because mysqli_query doesn’t allow the execution of more than one query in a single call.

The SQL UNION operator will come in handy here. The UNION operator expects two result table operands, with the same number of columns and appends the second table at the end of the first one. So, let’s close the web app’s query, and then do a UNION on our injected query, which will be asking for the passwords column of the users table:


' UNION SELECT user_id, password FROM users #

Note that we are commenting out the web app’s SQL query that comes after our injected one, using the ‘#’.

sqli-passwords

Success!

As you can see the passwords are hashed, but we’ll crack them in a future post :smile:


Me

Panos is a Computer Scientist with scientific publications in top conferences and journals, three patent applications, open-source contributions on privacy preserving products and a proven track record of delivering secure, reliable and fast cloud services. In the past, he worked as a Linux kernel developer at the CERN CERT team, did Data Mining research at the University of Athens and innovated on Microsoft’s Office 365 cloud services. Currently he is on a mission to accelerate Distributed Ledger Technologies.