Sunday, September 30, 2012

SQLI-LABS SERIES PART-16



SQL Injection via COOKIES


CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions; you have been warned.


As we discussed in the earlier posts, enumeration is the first and most essential part of every penetration test. Knowing the workflow of the application is central to testing it: the more one knows about the application, the better and more effective the testing becomes.
Secondly, all input parameters should be tested. These include not just the form fields but also the other inputs such as the referer, the user-agent and cookies. Developers these days take care to sanitize form inputs, but often forget to pay the same attention to these other inputs.

We discussed injection in the UPDATE query and injection via the headers in our previous lessons. In this lesson we discuss injection via cookies.
Technically speaking, it is essential to understand how cookies are generated by the application and how they are used within it. Understanding the cookie generation logic is key to testing successfully.
In Less-20 we introduce the basics, using clear text cookie generation logic to explain. There is no difference in how the injection is performed via a cookie versus any other form parameter. Less-20 and Less-21 both deal with error based injections.
Less-21 uses an encoded cookie value: the application logic encodes the data before sending it to the browser, decodes it on the next request, and uses the result in its queries.

Because both are error based injections, and the database results are reflected in the webpage, we can use UNION statements to dump the database, or we can use double query injection for dumping the database.

To enumerate the application, we first observe its workflow by providing a legitimate input.

This successful login places a cookie in the user's browser as a key-value pair: the cookie name is uname and its value is the username.
This cookie value is then used to retrieve some information from the database, which is where the vulnerable injection point lies.

Using Firebug, Tamper Data or any intercepting proxy such as Burp Suite, ZAP (Zed Attack Proxy), WebScarab or similar, we can modify the cookies and inject our payloads. Fuzzing the cookie, we observe that the SQL query breaks and a MySQL error is displayed on the screen.

Once we obtain this error, the situation can be treated like any other error based injection, and we proceed accordingly to dump the database.

For Less-21 we observe that the system uses the Base64 encoding scheme to send an encoded cookie to the browser. Henceforth we need to Base64 encode our injections so that they are consumed correctly by the web application.
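To make the cookie flow of both lessons concrete, here is an added Python model of the post-login page. It is not the sqli-labs code: the users table, its columns and its rows are constructed, SQLite stands in for the lab's MySQL so it runs offline, and the cookie name uname comes from the text above. The `encoded` flag switches between the Less-20 clear text cookie and the Less-21 Base64 cookie; the `safe` flag switches between the concatenated query that produces the on-screen database error when the cookie carries a stray quote, and a parameterised query that simply finds no such user.

```python
import base64
import sqlite3

# Constructed in-memory stand-in for the lab's users table (assumed columns: username, password).
# SQLite is used here instead of the lab's MySQL so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("Angelina", "I-kill-you")])
    conn.commit()
    return conn

def encode_cookie(username, encoded):
    # What the application sets after a successful login: Less-20 sends the
    # username in clear text, Less-21 sends base64(username).
    if not encoded:
        return username
    return base64.b64encode(username.encode("utf-8")).decode("ascii")

def decode_cookie(raw, encoded):
    # Reverse of encode_cookie. Returns None for malformed base64 so the
    # caller can reject the cookie instead of passing garbage to the query.
    if not encoded:
        return raw
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_cookie_header(header):
    # Minimal Cookie header parser: "a=1; b=2" -> {"a": "1", "b": "2"}.
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def lookup_vulnerable(conn, uname):
    # The lab's pattern: the decoded cookie value is concatenated straight into SQL.
    sql = "SELECT username, password FROM users WHERE username='" + uname + "' LIMIT 1"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, uname):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT username, password FROM users WHERE username=? LIMIT 1"
    return conn.execute(sql, (uname,)).fetchone()

def handle_request(conn, cookie_header, encoded=True, safe=True):
    """Simulate the post-login page.

    Returns ("ok", row), ("bad_cookie", None) when the cookie does not decode,
    or ("error", message) when the query itself fails to parse, which is the
    database-error-on-screen symptom the lesson describes.
    """
    raw = parse_cookie_header(cookie_header).get("uname", "")
    uname = decode_cookie(raw, encoded)
    if uname is None:
        return ("bad_cookie", None)
    try:
        row = lookup_safe(conn, uname) if safe else lookup_vulnerable(conn, uname)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row)

if __name__ == "__main__":
    db = make_db()
    good = "uname=" + encode_cookie("Dumb", encoded=True)
    fuzz = "uname=" + encode_cookie("Dumb'", encoded=True)  # constructed fuzz value with a stray quote
    for header in (good, fuzz):
        print("vulnerable:", handle_request(db, header, safe=False))
        print("safe:      ", handle_request(db, header, safe=True))
```

Running it shows the asymmetry the lesson relies on: the same decoded value that breaks the concatenated query is handled as plain data by the bound parameter, so the page never emits a database error and the cookie stops being an injection point. Rejecting cookies that fail Base64 validation is a second, cheaper check that belongs in front of the query regardless.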

You can watch the video demonstration on YouTube.