SQL Injection in 1 min! – 10 minute mail

A lot could go wrong on the internet!

A clever attacker can easily gather all the intelligence he/she needs to conduct a full-fledged exploit that reveals all the usernames (emails) and passwords of your website.

  1. An attacker finds your website.
  2. The attacker pinpoints whether an SQL injection flaw is present.
  3. The attacker resolves relevant data regarding the vulnerability.
  4. The attacker forges an exploit and steals your confidential information.

If an attacker found a hole like this when you started reading, chances are that he/she already has your database by now. That’s how easy it can be from an attacker's point of view. If you have any questions, please send us an email at [email protected]

By: Fredrik Nordberg Almroth

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

What is an SQL Injection and how do you fix it? – 10 minute mail

SQL injection flaws are very critical. A remote attacker will gain access to the underlying database. In the worst case scenario it allows the attacker to read, write and delete content in the database.

Risk of SQL Injection

The attacker can gain access to all data stored on the system, making it possible to read, create and delete data. Popular attacks include stealing passwords and changing the website's content. Under some circumstances remote command execution might also be possible.

In 2009 the Heartland Payment Systems got compromised by an SQL injection attack. It resulted in a leak of 134 million credit cards.

SQL Injection example

This is a sanitization issue. The most common flaw is the lack of sanitization of user input that is used to build an ad-hoc SQL query. If the input is not properly sanitized, the attacker can inject valid SQL syntax into the original query, thus changing its original purpose.

A sample of a vulnerable “login” for PHP/MySQL would look something like this:

// Vulnerable: both GET parameters are concatenated straight into the SQL text
$db = new mysqli('localhost', 'root', 'passwd', 'base');
$result = $db->query('SELECT * FROM users WHERE user="'.$_GET['user'].'" AND pass="'.$_GET['password'].'"');

Suppose an attacker submits " OR 1 -- as username and whatever as password. The variables would then contain these values:

$_GET['user'] = " OR 1 --
$_GET['password'] = whatever

The resulting query would become:

SELECT * FROM users WHERE user="" OR 1 -- AND pass="whatever"

Everything after -- (which indicates the start of a comment in SQL) will be discarded and ignored. The query to be executed would then look like this:

SELECT * FROM users WHERE user="" OR 1

The query now states "Grab everything (SELECT *) from the user list (FROM users) where the username matches nothing (WHERE user="") or 1 (which will be interpreted as True (OR 1))". Since the latter condition always evaluates to True, the right-hand side of the OR makes the left-hand side irrelevant and the whole WHERE condition is always true. The result of that query would be the same as this one:

SELECT * FROM users

This would return all data there is about all the users. I.e., the injection in the $_GET['user'] parameter is enough to make the MySQL server select the first user and grant the attacker access to that user.

Remediation

Prepared statements protect against (almost) all SQL injection vulnerabilities. They take the form of a template in which placeholders are substituted during execution with the variables containing user input. This way the type of each substituted value is enforced, and characters that would otherwise break an SQL statement are handled safely, leaving the SQL query properly sanitized because no user input can alter its structure.

Some functions like mysqli_real_escape_string() in PHP can also protect against them, but be careful to read the documentation when using that kind of function. For example, in PHP addslashes() may seem like a good alternative, but it is a poor choice for SQL injection protection because of malicious charset tricks.

How Disposable mail can help

Disposable mail is an automated web security scanner that checks your website for hundreds of security issues including SQL injection vulnerabilities. Sign up for a 14-day free trial and find out if your site is vulnerable »

Resources


OWASP TOP 10: Injection | Disposable mail Blog – 10 minute mail

Injection, the first on OWASP's Top 10 list, is often found in database queries, as well as OS commands, XML parsers or when user input is sent as program arguments. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series.

Description

Injection is the first item on OWASP’s list. This type of finding is more like a category, and includes all kinds of vulnerabilities where an application sends untrusted data to an interpreter. It is often found in database queries, but other examples are OS commands, XML parsers or when user input is sent as program arguments.

Prevalence

This is a very common vulnerability type, especially in legacy code, as it was far more common a few years ago when fewer people were aware of the danger. SQL injection is considered the best-known injection type, and according to a survey conducted by Ponemon, 65 percent of the organizations represented in the survey had experienced an SQL injection attack in the prior 12 months. That research was published two years ago, but should still serve as a reasonable estimate.

Potential impact

As it is a very broad category of vulnerability, the danger varies greatly from case to case. As SQL injection is the best-known injection type, the impact is often data stolen from a database. That can include usernames, passwords and other sensitive information.

The worst-case scenario would be a full takeover of the system, which certainly is possible depending on where the injection is and in what environment.

It is an attack that can be automated, which puts you at higher risk. An attacker does not need to be after you specifically; they can simply write a script that exploits as many sites as possible, and yours being one of them is a coincidence.

Well-known events

A few famous/infamous events involving SQL injections specifically can be found on Wikipedia.

One of the best-known attacks done by SQL injection was targeted against Sony. Another, almost ironic, one was when MySQL themselves suffered from an SQL injection. As can be understood from the examples, big players are also at risk and the result of an attack can be terrifying.

How to discover

For more advanced users it is a vulnerability that can often be found while doing code analysis, i.e., identifying all queries in the web application and following the data flow. As it sometimes generates no visible feedback it can be hard to detect during a black-box test, even though that is often possible as well.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Exploitability

As Injection is a very broad definition it varies from case to case, but a general classic SQL-injection is very easy to exploit. Troy Hunt once uploaded a video of him teaching a three year old to exploit an SQL-injection to demonstrate that really anyone can learn to exploit this kind of vulnerability.

Code example of vulnerable application

A typical example of an SQL injection would be in a login form, with the code shown below:

// Vulnerable: both GET parameters are concatenated straight into the SQL text
$db = new mysqli('localhost', 'root', 'passwd', 'base');
$result = $db->query('SELECT * FROM users WHERE user="'.$_GET['user'].'" AND pass="'.$_GET['password'].'"');

Suppose the attacker submits " OR 1 -- as username and whatever as password; the whole query will end up looking like this:

SELECT * FROM users WHERE user="" OR 1 -- AND pass="whatever"

Everything after -- (which indicates the start of a comment in SQL) will be discarded and ignored. The query to be executed would then look like this:

SELECT * FROM users WHERE user="" OR 1

The query now states "Grab everything (SELECT *) from the user list (FROM users) where the username matches nothing (WHERE user="") or 1 (which will be interpreted as True (OR 1))".

Since the latter condition always evaluates to True, the right-hand side of the OR makes the left-hand side irrelevant and the whole WHERE condition is always true. The result of that query would be the same as this one:

SELECT * FROM users

This would return all data there is about all the users. I.e., the injection in the $_GET['user'] parameter is enough to make the MySQL server select the first user and grant the attacker access to that user.

Remediation

1. As Injection is more of a category of vulnerabilities, the remediation varies from case to case depending on what kind of vector and interpreter we are talking about. The optimal solution is to use an API which either avoids the interpreter entirely or provides a parameterized interface.

Parameterized queries are not hard to do, and if you use PHP we would recommend PDO. It may sound strange at first, but it really is not as hard as you may think. Examples in other languages can be found here.

2. If parameterized queries are not an option in your case, you should instead carefully escape special characters. How this is done depends on the interpreter used, and is something you would need to look up.

3. Whitelist input validation is also an alternative, but it often cannot be used, as the application may require special characters as input. For example, a blog wants to allow its visitors to write comments containing quotes, even though a quote is a character that could be used to break out of a query. In those cases it is necessary to go with solution one or two.
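The login query above and remediations 1 and 3 (and the identical example in "What is an SQL Injection and how do you fix it?"), as an added Python/SQLite example that is not code from the original articles. The users table, the credentials and the username whitelist are constructed assumptions, and the query uses standard single-quoted string literals, so the article's payload becomes ' OR 1 -- rather than " OR 1 --.

```python
import re
import sqlite3

# Constructed sample data (assumption, not from the article): two users with
# plaintext passwords, purely so the effect of the injected query is visible.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The article's payload adapted to single-quoted literals: SQLite treats "..."
# as an identifier, so the vulnerable query below quotes strings with '...'.
PAYLOAD = "' OR 1 --"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users (user, pass) VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, user, password):
    """Same shape as the article's PHP: input concatenated into the SQL text.
    With PAYLOAD as user the text becomes
    SELECT user FROM users WHERE user='' OR 1 --' AND pass='whatever'
    and everything after -- is a comment, so every user row is returned."""
    sql = "SELECT user FROM users WHERE user='" + user + "' AND pass='" + password + "'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, user, password):
    """Remediation 1: a prepared statement. The values are bound separately
    from the SQL text, so the quote and the -- in PAYLOAD are just data."""
    sql = "SELECT user FROM users WHERE user=? AND pass=?"
    return [row[0] for row in db.execute(sql, (user, password))]


# Assumed whitelist for a username field: letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_allowed(user):
    """Remediation 3: whitelist validation, only usable where the field never
    legitimately needs quotes, spaces or comment markers."""
    return USERNAME_RE.fullmatch(user) is not None


def login_whitelisted(db, user, password):
    # Defence in depth: reject out-of-policy input, then still use parameters.
    if not username_allowed(user):
        return []
    return login_parameterized(db, user, password)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, "whatever"))     # ['alice', 'bob']
    print(login_parameterized(db, PAYLOAD, "whatever"))  # []
    print(login_parameterized(db, "alice", "s3cret"))    # ['alice']
    print(username_allowed(PAYLOAD))                     # False
```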

Injection Proof of Concept video:

Read more
The Ultimate SQL Injection Payload
SQL Injection Support Entry
What is an SQL Injection and How Do You Fix It
SQL Injection In 1 Min!
New Findings: Joomla, JBoss, Jenkins and others

Other injection types we have mentioned:
How Patreon Got Hacked: Publicly Exposed Werkzeug Debugger
How We Got Read Access On Google’s Production Servers

OWASP:
Top 10: Injection


Newly added security tests, June 21, 2017: XSS and SQL injection modules – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • WordPress adrotate XSS
  • WordPress hugeit SQL injection
  • WordPress wp-db disclosure
  • Unix core dump disclosure

Happy scanning!
The Disposable mail Team


Newly added security tests, July 6, 2017: OpenVPN CRLF injection – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • WordPress VIP open redirect
  • WordPress spiffy-calendar XSS
  • OpenVPN CRLF injection
  • CVE-2013-1636: open-flash-chart SWF XSS

Happy scanning!
The Disposable mail Team


OWASP Top 10 2017 is here – Injection still #1 – 10 minute mail

After four years, OWASP published the new list of the most common vulnerabilities – OWASP Top 10 2017. We have taken a look at the updated list to see what has changed, what remains the same, and what it tells us about the state of web security.  

OWASP Top 10 2017

The OWASP Top 10 project was initially created to raise security awareness among developers, but has since grown to become an international security standard. The list is the result of a cooperation between the security industry and the community, brought to life by OWASP volunteers. Let’s get right to it! Here is the OWASP Top 10 2017 list:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE) (NEW!)
  5. Broken Access Control (MERGED)
  6. Security Misconfiguration
  7. Cross-site Scripting (XSS)
  8. Insecure Deserialization (NEW!)
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring (NEW!)

What’s new?

OWASP Top 10 2017 brings three new vulnerabilities and retires two. Despite these changes, many vulnerabilities from 2013 remain on the list, making OWASP Top 10 2017 very similar to its predecessor. In other words, while a lot has happened since 2013, the most common security mistakes remain the same.  

The three newcomers to the list are XML External Entity (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring. Disposable mail’s co-founder and security researcher Fredrik Nordberg Almroth says that Insufficient Logging and Monitoring has received a lot of attention in the security community:

“There is some uncertainty as to whether this vulnerability belongs on the OWASP list and many say that the lack of logging doesn’t make a system vulnerable. Others claim that logging and monitoring needs to be in place, but can’t really explain why not having it is a vulnerability.”

Fredrik Nordberg Almroth, Disposable mail co-founder and security researcher

Another change is the Broken Access Control category, combining two previously separate vulnerabilities, Missing Function Level Access Control and Insecure Direct Object References.

What’s been removed?

CSRF and Unvalidated Redirects and Forwards did not make it to the new list as they are not as common as they used to be. CSRF is only found in 5% of applications thanks to frameworks that include CSRF defenses, while Unvalidated Redirects and Forwards are found in 8% of applications. Based on OWASP’s data cited in Release Candidate 2, the two vulnerabilities have now dropped to #13 and #25, respectively.

What it means

New technologies and new approaches to building web apps have changed web security and the new OWASP Top 10 is a timely update that reflects recent developments. Fredrik Nordberg Almroth explains:

“Many technologies are built on XML, making companies vulnerable to XXE even though they might not expect it. The same goes for Insecure Deserialization. There’s been a lot of research lately showing that deserialization of various objects can lead to RCE in different programming languages. Java, PHP, Ruby and Python are particularly affected by this.”

The 10 vulnerability categories on the list are, of course, just the tip of the security iceberg. Disposable mail’s security researcher Linus Särud points out that working with security stretches far beyond the OWASP list:

“There is a lot more to security than ten vulnerabilities, and this is something that is also emphasised by OWASP. However, the list is a good place to start if you want to improve your web security and write better code.”

Linus Särud, security researcher

Why some vulnerabilities remain on the list

Despite these changes, some widespread vulnerabilities have been on the OWASP Top 10 list since 2010. Fredrik says that the reason categories like Cross-site Scripting and Injection remain on the list is simple – they are everywhere:

“XSS is so common it simply doesn’t disappear and that’s why it’s still on the list. New JavaScript frameworks emerge every day and modern web applications are built using layers upon layers of frameworks that handle data in different ways, which results in XSS vulnerabilities.”

Similarly, Injection remains on the list as no. 1: “Injection is an umbrella term for the majority of server-side vulnerabilities (like SQL Injection, path traversals and RCE). These are ‘game over’ vulnerabilities and because they are so common and have such a serious impact, they remain at the top of the list,” Fredrik explains.

What does Disposable mail check for?

Disposable mail can discover all OWASP Top 10 vulnerabilities that can be validated by an outside attacker (or, in this case, a security scanner) and automated. Some vulnerabilities are difficult for a scanner to identify, Fredrik Nordberg Almroth says: “For example, Insufficient Logging and Monitoring is tricky because we don’t know whether our customers use some sort of logging.” 

When you run a Disposable mail scan, your site is checked for the following vulnerabilities on the OWASP Top 10 2017 list:

* A1: Injection
* A3: Sensitive Data Exposure
* A4: XML External Entities (XXE) – we have a range of tests covering XXE vulnerabilities in various platforms like Magento
* A6: Security Misconfiguration
* A7: Cross-Site Scripting (XSS)
* A9: Using Components with Known Vulnerabilities

Curious about how your code stacks up against OWASP vulnerabilities? Sign up for our free trial and run a Disposable mail scan on your site. 

To learn more about how OWASP Top 10 vulnerabilities work and what you can do to make your code more secure, take a look at our OWASP Top 10 attack demo playlist.


BSQLinjector – Blind SQL Injection Exploitation Tool

Options:

  --file	    Mandatory - File containing valid HTTP request and SQL injection 
                    point (SQLINJECT). (--file=/tmp/req.txt)
  --pattern	    Mandatory - Pattern to look for when query is true. 
                    (--pattern=truestatement)
  --prepend	    Mandatory - Main payload. 
                    (--prepend="abcd'and'a'='b'+union+select+'truestatement'
                    +from+table+where+col%3d'value'+and+substr(password,"
  --append	    How to end our payload. For example comment out rest of SQL 
                    statement. (--append='#)
  --schar	    Character placed around chars. This character is not used while 
                    in hex mode. (--schar="'")
  --2ndfile	    File containing valid HTTP request used in second order 
                    exploitation. (--2ndfile=/tmp/2ndreq.txt)

  --mode	    Blind mode to use - (between - b (generates less requests), 
                    moreless - a (generates less requests by using "<", 
                    ">", "=" characters), like - l (complete bruteforce), 
                    equals - e (complete bruteforce)). (--mode=l)
  --hex		    Use hex to compare instead of characters.
  --case	    Case sensitivity.

  --ssl		    Use SSL.
  --proxy	    Proxy to use. (--proxy=127.0.0.1:8080)

  --test	    Enable test mode. Do not send request, just show full payload.
  --special	    Include all special characters in enumeration.
  --start	    Start enumeration from specified character. (--start=10)
  --max		    Maximum characters to enumerate. (--max=10)
  --timeout	    Timeout in waiting for responses. (--timeout=20)
  --only-final	Stop showing each enumerated letter.
  --comma	    Encode comma.
  --bracket	    Add brackets to the end of substring function. --bracket="))"
  --hexspace	Use space instead of brackets to split hex values.
  --verbose	    Show verbose messages.

Example usage:

ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --schar="'" 
--prepend="abcd'and'a'='b'+union+select+'truestatement'
+from+table+where+col%3d'value'+and+substr(password," --append="'#" --ssl
