Task 16, Day 10, SQL injection Inject the Halls with EXEC Queries

Typical SQL queries include: SELECT options FROM table WHERE value = x INSERT INTO target_table (comma. separated, columns) VALUES (comma, separated, values)

PHP is a server-side scripting language that allows performing server-side tasks like connecting to and querying DBs, and dynamically generating web content.

Injection methods

One dodgy SQL query is ' OR 1=1 --. OR appeneds a second condition to a query. 1=1 is an equality check that will always evaluate as true. -- is a SQL comment that tells the DB server to ignore everything after it, nullifying the rest of the query and causing the server to ignore any additional conditions or syntax. So manipulating a query that would normally be
SELECT * FROM [table_name] WHERE color = ' [color] into
SELECT * FROM [table_name] WHERE color = '' OR 1=1 --' results in the WHERE condition being true for every row in the table, possibly revealing information that shouldn’t be revealed.

Word of warning

Risks to the OR 1=1 payload include not knowing how far the scope or context of the query might go. Some applications may build off of initial requests. Injecting it into a query that updates user information would update every user, causing unwanted significant data loss in a pentesting environment. Safer to use a query with a known good target like bob' AND 1=1 -- which would change only Bob’s info or bob' AND 1=2-- which would demonstrate the injection without causing any damage.

Can also stack queries as an injection attack. Stacked queries allow terminating the expected query and replacing it with other SQL statements. A semi-colon signifies one statements end and the start of another. Allows execution of multiple statements through a single interaction. Not all database management systems support stacked queries and may require different syntax. Enumeration is needed to know what is required.

SELECT * FROM [table_name] WHERE color = '' ; INSERT INTO [table_name] (comma, separated, columns) VALUES (comma, separated, values); --' allows insertion of malicious data into a table.

Stacked queries can also be used to call stored proceedures or functions, like MSSQL’s xp_cmdshell. This can allow running os calls and rce.

Xp_cmdshell allows for executing os commands and programs from within SQL Server. Disabled by default, but recommended to leave it disabled in production servers. Misconfigurations ans legacy application requirements might cause it to be enabled in the wild. Xp_cmdshell can be maually enabled through EXEC queries if a user has the sysadmin role or has ALTER SETTINGS server-level permissions. These situations shouldn’t occur, but are not uncommon misconfigurations. To enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

RECONFIGURE applies the change to the running configuration.

A good RCE POC is attempting to run certutil.exe on the target machine because it’s a native Windows cli program installed as part of Certificate Services.

The task

Test for SQL injection, force way to RCE and reverse shell, restore site and grab flags along the way.

The process involved really should be recorded so can step my way through it again later. Hopefully I’ll remember to come back and add the procedure later.

Lesson Learned? room and Software Security module.

Best practices

To protect from SQL injection attacks consider the following straight from the THM author:

  • Input validation: Sanitise and validate all user-supplied input to ensure it adheres to expected data types and formats. Reject any input that doesn’t meet validation criteria.
  • Parameterised statements: Use prepared statements and parameterised queries in your database interactions. Parameterised queries automatically escape user input, making it difficult for attackers to inject malicious SQL.
  • Stored procedures: Use stored procedures to encapsulate your SQL logic whenever possible. This reduces the risk of SQL injection by separating user input from SQL code.