SQL Injection in 1 min! – 10 minute mail

A lot could go wrong on the internet!

A skilled attacker can easily gather all the information needed to build a full-fledged exploit and dump every username (email) and password from your website.

  1. An attacker finds your website.
  2. The attacker pinpoints whether an SQL injection flaw is present.
  3. The attacker extracts the details about the vulnerability needed to exploit it.
  4. The attacker forges an exploit and steals your confidential information.

If an attacker found a hole like this when you started reading, chances are he or she already has your database by now. That is how easy it can be from an attacker's point of view. If you have any questions, please send us an email at [email protected]

By: Fredrik Nordberg Almroth

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

New vulnerability findings: Joomla, JBoss, Jenkins and others! – 10 minute mail

During the past month, a great deal has happened in the web security landscape, and we have added a ton of new findings to the service. Some of these findings come from other security companies’ public disclosures, whilst others are the results of internal audits of responsible disclosure programs.

Jenkins & JBoss remote code execution

We have added checks for the Jenkins and JBoss remote code execution vulnerabilities disclosed on November 6. Both involve the deserialization of arbitrary Java objects, which leads to remote code execution. With a vulnerable configuration, an attacker can gain remote access to your system. If you run either Jenkins or JBoss and have missed this news, we urge you to request another report as soon as possible.

Critical SQL injection vulnerability in Joomla!

A check for the Joomla! SQL injection vulnerability (discovered by Trustwave) has been added to the service. If you run an unpatched version of Joomla! (3.2 through 3.4.4), you are at risk of having your database leaked and disclosed online. If you know you are affected, upgrade immediately; otherwise grab another report to see whether you are vulnerable.

Multiple vulnerabilities in Ganglia

Added checks for several vulnerabilities in the Ganglia Monitoring System, which is used for clusters and grids. It is wise not to expose this service to the Internet at all.

Source code disclosure for Ruby applications

Added the ability to detect Ruby source code disclosures. If your web server is misconfigured so that it does not handle Ruby files properly, it may serve their contents verbatim instead of executing them. Your application's source code contains all of its business logic and is therefore highly critical.

Enhanced checks for Git-based projects

Git disclosures are bad. We have added further methods to find and analyze the content of publicly accessible Git repositories. Never commit database dumps, configuration files or PEM files to your Git repositories: a slip-up in your setup may then disclose very sensitive data. If that happens and we spot it, we mark the finding as Critical.

Findings regarding IDE metadata

New checks for common files generated by the editors Eclipse and IntelliJ IDEA (including PhpStorm). Depending on how you use these tools, they may generate files containing sensitive data. These files should never reach your production environment, as they may leak information such as database credentials, commit messages, code changes and file paths.

Settings disclosure through /.env

Added a check for /.env. If publicly accessible, it may contain system-critical information such as database credentials and API keys.

New check for the version control system Mercurial

Added a Mercurial information disclosure finding (for the few who still use it).

Further findings for PHP misconfigurations

(Notice) It is not uncommon for DevOps engineers to configure and tweak PHP, and sometimes mistakes slip through. We have added checks for publicly exposed php.ini and error_log files.
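The Git, /.env, Mercurial, php.ini and error_log checks described in the sections above all come down to the same idea: request a path that should never be served over HTTP and decide from the response body whether the real file came back, rather than trusting a 200 status alone. The script below is an added example of that logic, not the scanner's own code; the paths, signature patterns, the credential-key heuristic and the sample responses it classifies are all constructed here for illustration.

```python
import re

# Constructed sample responses (path, HTTP status, body) standing in for what a
# crawler would receive; nothing here is fetched from a real host.
SAMPLE_RESPONSES = [
    ("/.git/HEAD", 200, "ref: refs/heads/master\n"),
    ("/.env", 200, "APP_ENV=production\nDB_PASSWORD=hunter2\n"
                   "AWS_SECRET_ACCESS_KEY=AKIAEXAMPLEKEY\n"),
    ("/php.ini", 200, "[PHP]\ndisplay_errors = On\nmysqli.default_pw = s3cret\n"),
    ("/error_log", 200, "[01-Jan-2017 10:00:00 UTC] PHP Warning:  Undefined variable: x "
                        "in /var/www/html/index.php on line 5\n"),
    ("/.hg/requires", 200, "dotencode\nfncache\nrevlogv1\nstore\n"),
    ("/.env", 200, "<html><body><h1>Not found</h1></body></html>"),  # soft 404
    ("/.git/HEAD", 404, ""),
]

# path -> (regex a genuine copy of the file must match, description).
# The patterns are illustrative signatures chosen for this example.
SIGNATURES = {
    "/.git/HEAD": (re.compile(r"\A(ref: refs/heads/\S+|[0-9a-f]{40})\s*\Z"),
                   "Git repository metadata exposed"),
    "/.hg/requires": (re.compile(r"^(revlogv1|store|fncache|dotencode)\s*$", re.M),
                      "Mercurial repository metadata exposed"),
    "/.env": (re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
              "dotenv settings file exposed"),
    "/php.ini": (re.compile(r"^\s*(\[PHP\]|display_errors\s*=|error_reporting\s*=|mysqli?\.\w+\s*=)", re.M),
                 "PHP configuration exposed"),
    "/error_log": (re.compile(r"^\[\d{2}-[A-Za-z]{3}-\d{4} [^\]]*\] PHP (Warning|Notice|Fatal error|Parse error)", re.M),
                   "PHP error log exposed"),
}

# Heuristics for what inside the file makes the finding worse: credential-like
# keys in KEY=VALUE lines, and absolute file paths from PHP error messages.
SECRET_KEY = re.compile(r"^\s*([A-Za-z0-9_.]*(?:pass|pw|secret|token|key)[A-Za-z0-9_.]*)\s*=", re.I | re.M)
PATH_LEAK = re.compile(r"\bin (/[^\s:]+) on line \d+")


def classify(path, status, body):
    """Return a finding dict if the body looks like the genuine file, else None.

    Matching on content instead of on the status code is what keeps a
    'soft 404' HTML page from being reported as an exposed file.
    """
    if status != 200 or path not in SIGNATURES:
        return None
    signature, description = SIGNATURES[path]
    if not signature.search(body):
        return None
    return {
        "path": path,
        "description": description,
        "secrets": SECRET_KEY.findall(body),   # credential-like keys, values not copied
        "paths": PATH_LEAK.findall(body),      # server-side paths leaked by PHP errors
    }


def scan(responses):
    """Classify every captured response and keep only the confirmed exposures."""
    return [f for f in (classify(p, s, b) for p, s, b in responses) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(finding["path"], "-", finding["description"])
        if finding["secrets"]:
            print("   credential-like keys:", ", ".join(finding["secrets"]))
        if finding["paths"]:
            print("   leaked paths:", ", ".join(finding["paths"]))
```

The two /.env entries in the sample make the point: the first is a real dotenv file and is reported together with the names of its credential-like keys, the second is an HTML "not found" page returned with status 200 and is ignored because it does not look like a dotenv file. Only key names are collected, never the values, so the finding itself does not become a second copy of the secret.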

In addition to all of the above, new findings for Jetty, Travis CI and many other systems have been added. In short: a large number of new vulnerabilities to look out for.

What are you waiting for? Go hack yourself!

Fredrik Nordberg Almroth
Co-Founder Disposable mail
@almroot



What is an SQL Injection and how do you fix it? – 10 minute mail

SQL injection flaws are critical: a remote attacker gains access to the underlying database. In the worst case the attacker can read, write and delete its content.

Risk of SQL Injection

The attacker can gain access to all data stored in the database, with the ability to read, create and delete it. Popular attacks include stealing passwords and changing the website's content. Under some circumstances remote command execution is also possible.

In 2009 Heartland Payment Systems was compromised through an SQL injection attack, resulting in the leak of 134 million credit card numbers.

SQL Injection example

This is an input handling issue. The most common flaw is that user input is concatenated into an ad-hoc SQL query without being sanitized or parameterized. If the input is not handled properly, the attacker can inject valid SQL syntax into the original query and change what it does.

A sample of a vulnerable “login” for PHP/MySQL would look something like this:

// Vulnerable: the raw $_GET values are concatenated straight into the SQL string.
$db = new mysqli('localhost', 'root', 'passwd', 'base');
$result = $db->query('SELECT * FROM users WHERE user="'.$_GET['user'].'" AND pass="'.$_GET['password'].'"');

Suppose an attacker submits " OR 1 -- as username and whatever as password. The variables would then contain these values:

$_GET['user'] = " OR 1 --
$_GET['password'] = whatever

The resulting query would become:

SELECT * FROM users WHERE user="" OR 1 -- AND pass="whatever"

Everything after -- (which starts a comment in SQL) is discarded and ignored. The query actually executed then looks like this:

SELECT * FROM users WHERE user="" OR 1

The query now says: grab everything (SELECT *) from the user table (FROM users) where the username is empty (WHERE user="") or 1 (OR 1, which is interpreted as true). Since the right-hand side of the OR is always true, the whole condition is true for every row, and the result is the same as this query:

SELECT * FROM users

which returns every column of every user. In other words, the injection in the $_GET['user'] parameter alone is enough to make MySQL return the first user in the table, and the application then grants the attacker access as that user.

Remediation

Prepared statements protect against (almost) all SQL injection vulnerabilities. The query is sent to the database as a template with placeholders, and the values containing user input are passed separately as typed parameters when the statement is executed. The database never parses the parameters as SQL, so no user input can change the structure of the query, regardless of which quotes or comment markers it contains.

Escaping functions such as mysqli_real_escape_string() in PHP can also protect you, but read the documentation carefully before relying on them. For example, addslashes() may look like a good alternative but is weak against SQL injection because it knows nothing about the connection's character set, and multibyte charset tricks can defeat it.

How Disposable mail can help

Disposable mail is an automated web security scanner that checks your website for hundreds of security issues including SQL injection vulnerabilities. Sign up for a 14-day free trial and find out if your site is vulnerable »



OWASP TOP 10: Injection | Disposable mail Blog – 10 minute mail

Injection, the first item on OWASP's Top 10 list, is often found in database queries, but also in OS commands, XML parsers, or wherever user input is passed as program arguments. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series.

Description

Injection is the first item on OWASP’s list. This type of finding is more like a category, and includes all kinds of vulnerabilities where an application sends untrusted data to an interpreter. It is often found in database queries, but other examples are OS commands, XML parsers or when user input is sent as program arguments.

Prevalence

This is a very common vulnerability type, especially in legacy code, as it was far more common a few years ago when fewer developers were aware of the danger. SQL injection is the best-known injection type, and according to a survey conducted by Ponemon, 65 percent of the organizations represented had experienced an SQL injection attack in the prior 12 months. That research was published two years ago, but it should still serve as a reasonable estimate.

Potential impact

As this is a very broad category, the danger varies greatly from case to case. Since SQL injection is the best-known injection type, the impact is most often data stolen from a database, which can include usernames, passwords and other sensitive information.

The worst-case scenario would be a full takeover of the system, which certainly is possible depending on where the injection is and in what environment.

It is an attack that can be automated, which puts you at higher risk: an attacker does not need to be after you specifically, they can simply write a script that exploits as many sites as possible, and yours being one of them is a coincidence.

Well-known events

A few famous (or infamous) events involving SQL injection specifically are listed on Wikipedia.

One of the best-known SQL injection attacks was the one against Sony. Another, almost ironic, case was when MySQL themselves suffered an SQL injection. As these examples show, big players are also at risk, and the consequences of an attack can be severe.

How to discover

For more advanced users, this is a vulnerability that can often be found through code analysis, i.e. identifying all queries in the web application and following the flow of data into them. As it sometimes produces no visible feedback, it can be hard to detect during a black-box test, although that is often possible as well.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Exploitability

As injection is a very broad definition, exploitability varies from case to case, but a classic SQL injection is very easy to exploit. Troy Hunt once uploaded a video of himself teaching a three-year-old to exploit an SQL injection, to demonstrate that really anyone can learn to exploit this kind of vulnerability.

Code example of vulnerable application

A typical example of a SQL injection would be in a login form, with the code shown below:

$db = new mysqli('localhost', 'root', 'passwd', 'base');
$result = $db->query('SELECT * FROM users WHERE user="'.$_GET['user'].'" AND pass="'.$_GET['password'].'"');

Suppose the attacker submits " OR 1 -- as username and whatever as password; the whole query then ends up looking like this:

SELECT * FROM users WHERE user="" OR 1 -- AND pass="whatever"

Everything after -- (which starts a comment in SQL) is discarded and ignored. The query actually executed then looks like this:

SELECT * FROM users WHERE user="" OR 1

The query now says: grab everything (SELECT *) from the user table (FROM users) where the username is empty (WHERE user="") or 1 (OR 1, which is interpreted as true).

Since the right-hand side of the OR is always true, the whole condition is true for every row. The result of that query is the same as this one:

SELECT * FROM users

which returns every column of every user. In other words, the injection in the $_GET['user'] parameter alone is enough to make MySQL return the first user in the table, and the application then grants the attacker access as that user.

Remediation

1. As injection is more a category of vulnerabilities, the remediation varies from case to case depending on the vector and the interpreter involved. The optimal solution is to use an API that either avoids the interpreter entirely or provides a parameterized interface.

Parameterized queries are not hard to write, and if you use PHP we recommend PDO. It may seem unfamiliar at first, but it is not as hard as you might think. Examples in other languages can be found here.

2. If parameterized queries are not an option in your case, you should instead carefully escape special characters. How this is done depends on the interpreter used and is something you need to look up for each one.

3. Whitelist input validation is also an alternative, but often cannot be used as the application can require special characters as input. For example, a blog wants to allow its visitors to make comments using quotes, even though that is a character that could be used to break out from a query. In those cases it is necessary to go with solution one or two.
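The login example above (and the identical one in the earlier "What is an SQL Injection" article on this page) can be run end to end. The script below is an added example, not code from the original posts: it reproduces the vulnerable login against a constructed in-memory SQLite table, shows the exact query the payload produces, and puts the parameterized fix from remediation step 1 beside it. SQLite string literals use single quotes, so the payload is ' OR 1 -- rather than the page's " OR 1 -- (MySQL accepts both quote styles); the user table and its two rows are sample data.

```python
import sqlite3

# The page's payload, adapted to single-quoted literals. The trailing space is
# kept because MySQL requires whitespace after "--" for it to start a comment.
PAYLOAD = "' OR 1 -- "


def make_db():
    """Create a constructed sample user table with two accounts (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return db


def build_vulnerable_query(user, password):
    """Mirror the page's PHP: untrusted input concatenated straight into SQL."""
    return "SELECT user FROM users WHERE user='%s' AND pass='%s'" % (user, password)


def login_vulnerable(db, user, password):
    """Vulnerable login: whatever the attacker types becomes part of the query."""
    return [row[0] for row in db.execute(build_vulnerable_query(user, password))]


def login_parameterized(db, user, password):
    """Fixed login: the SQL is a fixed template, the input travels as bound parameters.

    The driver never parses the parameters as SQL, so quotes and comment
    markers inside them cannot change the WHERE clause.
    """
    query = "SELECT user FROM users WHERE user=? AND pass=?"
    return [row[0] for row in db.execute(query, (user, password))]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "whatever"))
    print("vulnerable    :", login_vulnerable(db, PAYLOAD, "whatever"))
    print("parameterized :", login_parameterized(db, PAYLOAD, "whatever"))
    print("legit login   :", login_parameterized(db, "alice", "s3cret"))
```

With the payload, the vulnerable version returns every user (the application would log the attacker in as the first one, alice), while the parameterized version returns no rows because it looks for a user literally named ' OR 1 -- . In PHP the fixed version has the same shape with mysqli: prepare the statement with ? placeholders, bind_param("ss", $user, $pass), then execute(); with PDO the template is the same and the values are passed to execute().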

Injection Proof of Concept video:

Read more
The Ultimate SQL Injection Payload
SQL Injection Support Entry
What is an SQL Injection and How Do You Fix It
SQL Injection In 1 Min!
New Findings: Joomla, JBoss, Jenkins and others

Other injection types we have mentioned:
How Patreon Got Hacked: Publicly Exposed Werkzeug Debugger
How We Got Read Access On Google’s Production Servers

OWASP:
Top 10: Injection



[Release] New modules | Disposable mail Blog – 10 minute mail

Security never stands still, which is why we update our service on a regular basis to help you keep up with the latest vulnerabilities. We are constantly working on updating and improving our modules, but you can find some highlights from this week’s update below.

WordPress vulnerabilities

*Added WordPress theme colorway XSS

Other updates

*Added highlight to VBS XSS findings
*Added more DBMS regex patterns (SQL Error & SQL Injection)
*Added CVE-2016-0957 Adobe CQ5 authentication bypass

If you have any questions about what vulnerabilities we test for and how we update our service, don’t hesitate to reach out by emailing support [at]detectify.com.

Happy scanning!
/The Disposable mail Team


Newly Added Security Tests, February 3, 2017: WordPress plugins and Elasticsearch – 10 minute mail

Security never stands still, which is why we update our service on a regular basis to help you keep up with the latest vulnerabilities. We are constantly working on updating and improving our modules, but you can find some highlights from this week’s update below:

  • WMPL SQL injection
  • XSS in Jetpack WordPress plugin
  • WordPress user enumeration via REST API
  • publicly exposed Predis example files
  • publicly exposed Webalizer interface
  • Elasticsearch remote code execution
  • /.bash_history finding
  • open memcache port finding
  • WordPress plupload.swf XSS
  • WordPress wpml-plugin XSS
  • information disclosure module for /unzip.php

Happy scanning!
The Disposable mail Team


Newly added security tests, June 21, 2017: XSS and SQL injection modules – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • WordPress adrotate XSS
  • WordPress hugeit SQL injection
  • WordPress wp-db disclosure
  • Unix core dump disclosure

Happy scanning!
The Disposable mail Team


Disposable mail security updates for 4 April – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and the Crowdsource ethical hacker community. Due to confidentiality agreements we cannot publicize every security update here, but they are added to the scanner immediately and are available to all users. This post highlights a few things we have improved in the last two weeks.

Magento Unauthenticated SQL Injection

The recent Magento vulnerability that made the news was submitted together with a working proof of concept. That means we can actually test for the vulnerability instead of only looking at the installed Magento version, which minimizes false positives and produces a much more accurate report.

WordPress wp-google-maps SQL Injection

This was reported to us as a 0-day at the same time as the reporter notified the plugin's developers. The vendor acted quickly and released a patch for the plugin two days ago, as can be seen in the changelog.

Google Maps Unrestricted API Key Exposure

Google Maps provides an API for site owners who want to embed a map on their website. The API key can be configured in several ways, and if it is not restricted to a specific domain when set up, other websites can embed maps using your key. This is a paid API, so abuse can drastically increase your Google bill or prevent the map from functioning on your own site.

Git Daemon Exposure

Not only do people accidentally expose configuration files belonging to Git; some also accidentally expose the Git daemon itself. When that happens, an attacker may be able to connect to it and download the source code of the project.


Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Log in to check your assets.

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!
