SQL Injection - Lab #2 SQL injection vulnerability allowing login bypass

Captions
Hi everyone, welcome back to another video in the Web Security Academy series. In the previous video we covered the first lab in the SQL injection module, so we got some hands-on experience by exploiting a SQL injection in the search functionality of the application that eventually allowed us to view products that were not released to the public. I've added the link to the previous video in the description if you want to check it out. Now in today's video we'll be covering lab number two of the SQL injection module. This lab will show us how to exploit a SQL injection vulnerability in order to bypass authentication. All right, let's get started.

If you do not have an account on the Web Security Academy you can get one by visiting the URL portswigger.net/web-security and clicking on the sign up button. Now I'm already logged in, so in order to access the academy I'm going to click on Academy, scroll down, click on the learning path, select the first one, which is SQL injection, and then jump to the second lab, which is titled "SQL injection vulnerability allowing login bypass". Okay, so let's look at the description of the lab. It says this lab contains a SQL injection vulnerability in the login functionality. All right, so we've got a SQL injection vulnerability and it's in the login functionality. To solve the lab, perform a SQL injection attack that logs into the application as the administrator user. So the end goal is to perform a SQL injection attack and log in as the administrator user.

Okay, so let's access the lab. This might take a few seconds; in the meantime we'll create our analysis section. Okay, so it looks like it's a shopping application which allows you to log in, so let's click on login over here. Based on the exercise, this login functionality is vulnerable to a SQL injection attack, so let's try admin/admin, since that's maybe a default username and password or a common username and password, and click on login. We get the error "Invalid username or password". So this is what we call a non-verbose, generic error message, and it's always good to use a non-verbose one when it comes to functionality like this one. The reason is that if you said that the username was invalid, that means the attacker would be able to enumerate usernames on the system, and that's a vulnerability on its own. However, this application actually takes that into account, because if we put just a random username and again a random password, it doesn't actually tell us which one of the input vectors is invalid, although we know for sure that that was an invalid username because we just put random characters there. Okay, perfect.

All right, so let's try exploiting this SQL injection vulnerability. Let's put a SQL character into the username field and see how the application reacts; I'm just going to put anything in the password field and click login. All right, so this gives us an internal server error, which means something happened at the back end that broke the application, and so this is a good indication that this is vulnerable to a SQL injection. Unlike the previous exercise, we are not given the SQL query, so we're going to have to figure it out by fuzzing the application. However, before we do that, since this is a login functionality, chances are the SQL query is something similar to this: select a certain number of rows from a table, so let's say it outputs the first name from the table, say users, where username would be equal to the username that we give it. So remember, over here the first thing that we did was admin/admin, so username is equal to admin and password is equal to admin. It's likely that the query at the back end is something similar to this. Now it will probably be different, because passwords are not, or it's unusual that passwords are stored in clear text anymore, so there must be a hashing functionality over here. But what we're trying to do with the SQL injection is put SQL characters into the username field in order to get the application to ignore ever checking the password, so it doesn't matter if the password is hashed or not anyway. So this is likely to be what the query is at the back end, and so let's try and figure out how we could exploit it.

All right, so when we put a quote character over here we got an internal server error, and the reason behind that is because this quote character interfered with the query. What happens is it closed the single quote over here, and now you were left with a single quote on its own and the rest of the query string, and so it likely threw a syntax error which resulted in an internal server error at the application. So what we're going to try to do is log in as a user and have it ignore the password field. So let's go back here. Now if I want to log in as the admin user and I wanted to ignore the password, what I can do is add the comment characters in SQL, and what that means is ignore the rest of the query. So when this gets processed, the query that it actually processes is this one over here: select first name from users where the username is equal to admin. And if the username is equal to admin then it'll log myself in and it'll ignore the password completely. So let's try that out (and that won't work, and we'll see why in a bit). So the password could be anything random; it doesn't matter because it'll get ignored over here. We click login and we still get an invalid username and password error, and the reason behind that is because the admin user is not actually a user in the system. So what it's doing is it wants me to log in as the user where the username is equal to admin, but admin is not a user in the system, and so I don't get logged in. Now we know from the exercise description that the user that we want to log in as is the administrator user, so let's use that; that's the user on the system. We copy our payload, and then again the password could be anything because it gets ignored, and hit login. And here we go, we got redirected, and you can see you're logged in because you have a logout button to log out from the administrator user's account. You can see it says "Congratulations, you've solved the lab". Okay, perfect. So we successfully completed the exercise by manually exploiting a SQL flaw in the authentication component of the application.

Now the next thing to do, first let's save this, the next thing to do is to script our attack vector. If you're new to the channel and wondering why I'm scripting it, it's because in your pen testing career you're going to come across certain attack vectors that require you to script them, because it becomes unrealistic to do them by hand, and that's why I script all my attack vectors, so that I'm prepared when a situation like that happens. We'll see that in some of the SQL injection exercises where you have a blind SQL injection and you need to run a bunch of requests to the application in order to be able to extract information from the back-end database.

Okay, so the first thing that I do, since I'm using Python, is import the requests library, and that library will be your best friend when it comes to web applications, and the reason behind that is because it'll allow you to easily make GET and POST requests and so on to the application. The next thing I'm going to do is import the sys library and urllib3. Okay, I'm also going to set the proxy setting so that the script sends all my requests to Burp proxy, and we'll see that in a bit. Okay, so we've got our configuration set; now let's create the main method. I'm using Python 3, so if the syntax seems a little bit off to you, it's because Python 2 got deprecated, and so I try not to use it as much as possible. Okay, we have a try and except clause. So what I want is to be able to run my script, let's say script.py, and give it two parameters, the first one being the URL of the application and the second my SQL payload. So in my try and except clause, the first thing that I'm going to take from the command line is the first argument, which is going to be the URL, so it says sys.argv[1].strip(), which strips all the white space; you don't necessarily have to do that. Then the SQLi payload is the second argument. Okay, now if for some reason I give it an incorrect number of arguments, I don't want it to output the exception or the error; instead I want it to output a message. So I'm going to catch the exception and have it instead display this string over here, which is just the usage instructions, because most of the time I don't want to go back and look at my script to see what it does, so I just run it without any arguments and it'll throw this exception, which will instead output the usage instructions and an example of the usage. So: URL, SQL payload, and then the name of the program. That looks good, and then we also output an example just in case the usage instructions were not clear. An example URL is, let's say, www.example.com, and for the SQL payload let's say 1=1. Hey, that looks good. I think I have an error here; that should be a double equals sign. Let's say that and let's run it. Open a new terminal, and the name of the program is python3 sqli_lab_02.py, so I'm running it with no arguments right now and I hit enter. That's good, we're not getting any errors, so there aren't any errors in the program, but you'll see over here, oh, we're missing... there we go, you'll see over here that because I didn't enter the correct number of arguments in the command line it outputted the usage and the example instructions instead. Okay, perfect, so that's working well.

The next thing to do is actually write down the function that will make the requests for us. To do that, the first thing I'm going to do is use the Session object from the requests library, and that's because it allows me to persist certain parameters across the session, and we'll need that for this exercise; as opposed to just sending a new request every time, I actually need the cookie to be the same, I need certain parameters to be passed along, and that's why I'm using the Session object. Next I'm going to create a function called exploit_sqli, so I'm going to pass the session object there, the URL and the SQLi payload, and if it evaluates to true then our SQL injection was successful, so say "SQL injection successful, we have logged in as the administrator user". However, if it evaluates to false then I want to print "SQL injection unsuccessful". Okay, again, let's save that. Okay, so just to recap what's happening over here: it takes in the first command line argument and sets it to the parameter url, then takes in the second command line argument and sets it to the parameter sqli_payload. We create a Session object from the requests library, and then we pass the session object, the URL and the SQLi payload into a function called exploit_sqli, which we'll write in a bit, and if that function evaluates to true that means our SQL injection was successful; if it evaluates to false that means our SQL injection was unsuccessful. So let's start writing the function exploit_sqli; again, it takes the session object, the URL and the payload, and for now our function does nothing, because we don't actually know what type of requests are being made in the application.

To do that we need to use our favorite proxy tool, which is Burp Suite. Click OK, and if you've never used it before, what this is, it's pretty much a middleman in between your browser and the application, and so any requests that the script makes or that the browser makes first go through Burp and then get passed to the application, and any responses from the application itself go through Burp again before they're passed to your script or your browser. So let's see that over here. I'm going to click log out. If you look at the options over here, it's at localhost:8080, which is why I use that configuration in the proxy setting in my script. This is taking a while, it might have timed out, so what we're going to do is create a new instance of the lab. Here we go. All right, in order for the browser to send all the requests to Burp we need to configure it to do that, and what I use is an extension called FoxyProxy, and I have Burp as one of my options. Now what it will do is send all the requests to Burp before they actually get sent to the application itself, and you can see that by clicking on the login button: the request is intercepted over here and now it's just waiting for me to forward that request. So what I'm going to do is send this to Repeater and hit forward, and now it forwarded the request; forward again, and I'm just going to set intercept to off. So if you go to Repeater and hit send you can see that this is the response over here. Now let's go back to the Proxy HTTP history, which logs all your requests. If you hit the login button it makes a request to /login over here, so let's look at that. It makes a request to login and this is the response, and then when I enter admin/admin and click login it makes a POST request over here, and notice that it uses the parameters csrf, username and password. So this CSRF token is something that we should test out, so I'm going to send this to Repeater and let's look at it. I'm going to put this over here because this will be something that we need to analyze for our script. I want to make sure that the CSRF token is actually being used by the application, and this is useful if you're testing applications in general, to see if it's implemented correctly.

So the first thing that I'm going to test is I'm going to remove it and see if the application actually cares that there's a CSRF token. If it doesn't, we should get like a 200 response, but in this case you get a 400 response code and it says that the CSRF token is missing, so we do definitely need one. Now let's see if I can use a random one, so let's say this and hit send. It's telling me that this is an invalid CSRF token; again, this is good, that means it's implemented correctly. So what that means, let me just go back, what that means is that this token is being saved at the back end and it's associated to this session, and this is why, when we make multiple requests (because we're going to have to first make a GET request to the login page and then a POST request to the login page), it was necessary for us to use the Session object over here, because if we just made the requests themselves, the cookies and the parameters would not persist across the session. So over here, for me to make the login request I need three values: the first being the CSRF token, the second being the username, and then the password. To get the CSRF token I need to make a request to the login page, so to do that I'm going to create a new function called get_csrf_token, and it takes in the session object and the URL. I'm going to say incomplete, and the next thing I'm going to do is implement this function. Okay, s, url. Okay, so to make the first GET request to the login page, which is what we saw (if we go to Proxy over here, this request over here, it makes it to the login path), let's use the session object to do that: .get, and it takes in the URL, verify set to False (I don't want to verify any TLS certificates), and proxies equal to proxies. Again, what that means is that when it makes this GET request it'll pass through my proxy, and that would be very useful in case it doesn't work; this way I can see what requests the script was making and the response that I got from that request.

Okay, now when it makes that GET request I need to be able to parse this response in order to get the CSRF token from it. So if you search for csrf over here you'll see it's in an input element, and it's the value field that has the CSRF token in it, so I need to be able to parse that response in order to get the CSRF token from there. To do that I'm going to import one more library, and it's called Beautiful Soup, and then I'm going to pass it r.text, so the response text, and the html.parser. Okay, so now the CSRF token is in the first input element, and grab the value field. Okay, so this will search the response code over here, take the first input element and then take the string that the value field is equal to. So let's test this out. I'm going to click save and let's just say print(csrf) and see if it actually prints it out. Let's clear this, and the URL is this one over here, and again I don't care what the SQL injection is, let's just say admin, and hit enter. Okay, so we get an error and it's on line number 22, and we spelt that wrong, that's why. Okay, clear, run the same command, and we get a warning. I want to suppress this warning because I don't want to see it every time it makes a request, and the way you can do that is using this line of code over here, InsecureRequestWarning. Okay, let's clear. Okay, here we go, so it suppressed the warning and you can see over here that it printed out the CSRF token. So let's see if that is exactly the case: because I have my proxy settings up to send all my requests to Burp, we should be able to see it. So this is the login request that was made, and if you look for csrf you'll see that's the value that it pulled from over here. Okay, awesome. So now we have the CSRF token; instead of printing it I'm going to return it, this way when we call the function it'll return the CSRF token and it'll save it in the variable called csrf.

So the next thing to do is to make a POST request to the login functionality. If we look at the POST request over here, it takes in the CSRF token, it takes in the username and it takes in the password, and so we'll put url, data equal to data (so that parameter has to include all these variables over here; we'll set it in a second), verify equal to False (I don't want to verify TLS certificates) and proxies equal to proxies, because again I want to always pass the request to the proxy just in case I need to debug it. All right, for data let's instantiate that first. We use the CSRF token; we'll learn in the upcoming modules about the type of attack that the CSRF token, which is known as cross-site request forgery, defends against. Username over here, that would be our payload, because that's the field that we're exploiting the SQL injection in, and then password, that could be anything, so I'm just going to say random text. Okay, all right, perfect. Over here we're making the POST request, and then right now what I need to do is, if I'm logged in, I need a way to figure out that I am logged in. So I'm going to set the response of the request in the parameter res, and if the string "log out" is in the response then I know that I successfully logged in, so I'm going to return True, else return False. Okay, so let's explain this portion over here. Let's go back to the application. I don't actually know a valid credential, so username and password, so I'm just going to exploit the SQL injection again to log in. Once we're logged in we get displayed with a logout button, and that's why, in order to figure out if my SQL injection was successfully exploited, I check for the logout button in the response. If it's there, that means I've logged in as the administrator user and so it returns True; otherwise it returns False.

Okay, so let's look at the script one more time before we run it. If we go back over here, it first takes in the first parameter from the command line and sets it to url, and it takes in the second parameter, which is the SQL injection payload, and sets it to this parameter over here. It starts a Session object and then it calls the exploit_sqli function; if that function evaluates to true then it says SQL injection is successful, otherwise if it evaluates to false then it says it's unsuccessful. Now in the function itself, the first thing that the function does is get the CSRF token from the response, and then it uses that CSRF token to make a login request using the token itself and then the payload in the username field, so the SQL payload, and any password. It makes the POST request over here, it checks the response to see if the response has "log out" in it; if it does have the string "log out" in it then it returns True, otherwise it returns False. That's kind of a recap of what the script does. So let's clear this and run this again, just putting admin in here, right, so if we log out that should say that the SQL injection was unsuccessful because we don't actually log in. I'm not sure the URL is the same, so I'm just going to copy it one more time. Okay, hit enter and it says it's unsuccessful, which is the behavior that we expected; this is good. So let's clear one more time and try a true case, one that would be successful: administrator, and then comment out the rest, and hit enter. Here we go, and it says "SQL injection successful, we have logged in as the administrator user". If you go to Burp over here you'll see that it made a POST request; this is the CSRF token that we got, this is the SQL payload that we entered in the script, and this is the password, which is random text over here. The response was a 302, and since we are using the Session object it followed the redirect and made the GET request with the same session cookie, and the response was a valid logged-in response because we can see the "log out" string over here. Okay, awesome.

So we've completed the exercise. To recap, in the video we first manually exploited a SQL flaw in the authentication component of the application; this allowed us to log in as the administrator user without actually knowing the administrator's password. We then scripted the exploit so that it automatically does that for us. If you liked the video, hit the subscribe and share button so that it reaches a wider audience. Also comment below what you learned in the video and what you would like to see more of in the future. See you in the next video.
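As an added example that is not from the video or the lab: the login query the video sketches, built both by string formatting and with bound parameters against an in-memory SQLite table, showing why the administrator'-- payload skips the password check in the first form (and why a lone quote produces the "Internal Server Error" seen in the lab) while the parameterised form is unaffected. The users table, the hashing helper and the passwords are constructed here; the lab's real schema and hashing are not shown in the video.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Constructed stand-in for the server-side password hashing the video
    # assumes exists. Plain SHA-256 is NOT suitable for real password storage.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed users table: there is an 'administrator' but no 'admin'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, firstname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("administrator", _hash("secret-admin-pw"), "Admin"),
         ("wiener", _hash("peter"), "Peter")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Query assembled by string formatting, as the video guesses the lab does.

    With username = "administrator'--" the text becomes
      ... WHERE username = 'administrator'--' AND password = '<hash>'
    so everything after -- is a comment and the password is never compared.
    """
    sql = ("SELECT firstname FROM users WHERE username = '%s' AND password = '%s'"
           % (username, _hash(password)))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A stray quote leaves an unterminated string: the database throws a
        # syntax error, which the lab surfaces as a 500 Internal Server Error.
        return "error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bound parameters: input can never close the quote."""
    sql = "SELECT firstname FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, _hash(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for user in ("'", "admin'--", "administrator'--"):
        print(repr(user), "vulnerable:", vulnerable_login(db, user, "anything"),
              "safe:", safe_login(db, user, "anything"))
```

The "admin'--" case returns nothing from either function for the same reason the video gives: the comment removes the password check, but there is still no row whose username is admin.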
Info
Channel: Rana Khalil
Views: 25,457
Keywords: security, web security, owasp, open web application security project, sqli, sql injection, portswigger, web security academy, python, offensive security, bug bounty, scripting, burp, burp suite, oswe, offensive security web expert
Id: fMPvCyD2v4w
Length: 33min 39sec (2019 seconds)
Published: Sun Mar 14 2021