SQL injection with filter bypass via XML encoding
The following is my documentation on Portswigger’s Academy Labs.
Goal: Log into the Admin user’s account with password credentials retrieved from a hidden table by exploiting SQL injection.
I will be using Burp Suite (in this case the Community Edition) to view proxy history and automate our payloads.
To begin let us take a look at the website that we will be exploiting (with permission, of course).
The site is a shop with multiple products. After clicking “view details” on one of the products we come across our potential vulnerability. The product that we are viewing (in this case the “Cheshire Cat Grin”) allows you to “check the stock” of the product by hitting a button. When we do this the site returns a number at the bottom of the page.
By examining the request we get a closer idea of how the site is handling the check-stock feature. The POST request shows us that the page takes in the productId and the storeId, and then somewhere in the backend performs a SQL query that checks and returns the number of products at this store. If that query is not correctly parameterized, we have a vulnerability that we may be able to exploit, as we now have a direct way to feed input into SQL. We can quickly check this by appending the payload UNION SELECT NULL after the “1” under productId and seeing what our request returns.
Our request returns a 404 error code with the cheeky message “Attack detected”. This confirms that there is some sort of firewall preventing our UNION injection. So what can be done? We now need to obfuscate our attack. After looking for ways to do this, a Burp Suite extension named “Hackvertor” was suggested to me (big thanks to Rana Khalil). Once installed, this extension allows us to select our payload and apply the obfuscation.
Our payload should now look like this: <@hex_entities>1 UNION SELECT NULL<@/hex_entities>, and after sending it we get a 200 OK response (showing us that we did indeed bypass the firewall). It is now time to concatenate our tables to extract the information that we need. But why concatenate?
We do this because after trying the payload 1 UNION SELECT NULL, NULL (we add a second NULL to check for other columns in the table) we still get a 200 OK response; however, the number of products returned is 0, which suggests that we can only output one column at a time. Concatenating will allow us to return data from other columns in one column, so we can retrieve said information easily. How do we do this? With the following payload: 1 UNION SELECT USERNAME || '|' || password FROM users (we insert a literal ‘|’ between the two concatenated values so that we can visually separate the usernames from the passwords). After we add our hex entities we send our new payload and…
We’ve got a list of usernames and passwords output with the stock amount! Obviously we are going to jot down the information for the administrator. Let’s head over to the login section of the site and see if these credentials work.
We did it! The password got us into the administrator’s account and we solved the lab!
Potential Impact of a SQL injection like this
Though we were able to get into the administrator’s account, we stopped there. Had this been a real company’s website, and not a lab, there really would not be anything to stop us from abusing our new privileges. Anything could be open to us with a high-level administrator account, such as sensitive PI and PII. Beyond taking things like credit card details, a threat actor could decide to wait, leave a backdoor, and wreak further untold havoc. This could ruin a company’s reputation and put their customers’ information at serious risk, and once PII comes into play regulatory fines are not far behind.
Possible prevention methods
In this case the firewall was just not enough. Installing Hackvertor took only seconds and gave us a working XML-encoding workaround. We can help solve this by recommending that the code be parameterized with prepared statements and that permitted input values be whitelisted.[1]
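To make both the bypass and the fix concrete, here is an added example (not code from the lab or from PortSwigger) that models the whole chain: a keyword filter on the raw request bytes, the XML parser decoding the hex entities so the application sees the literal payload, and a string-built query beside its parameterized, allowlisted replacement. The XML element names, the table layout and the credentials are constructed assumptions for the demo.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request body; the lab's real element names are an assumption here.
def build_body(product_id: str, store_id: str = "1") -> bytes:
    return (f"<stockCheck><productId>{product_id}</productId>"
            f"<storeId>{store_id}</storeId></stockCheck>").encode()

def hex_entities(s: str) -> str:
    """Mimic Hackvertor's <@hex_entities> tag: every character becomes &#x..;."""
    return "".join(f"&#x{ord(c):x};" for c in s)

def naive_waf_blocks(body: bytes) -> bool:
    """Keyword filter on the raw bytes, like a firewall that answers 'Attack detected'."""
    return re.search(rb"\bUNION\b|\bSELECT\b", body, re.IGNORECASE) is not None

def parse_product_id(body: bytes) -> str:
    """The XML parser decodes the entities, so the application sees the literal payload."""
    return ET.fromstring(body).findtext("productId")

def setup_db() -> sqlite3.Connection:
    # Constructed in-memory schema standing in for the shop's database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stock(productId INTEGER, storeId INTEGER, qty INTEGER);
        INSERT INTO stock VALUES (1, 1, 7);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return db

def vulnerable_stock(db: sqlite3.Connection, product_id: str) -> list:
    # String-built query: whatever the parser decoded is executed as SQL.
    sql = f"SELECT qty FROM stock WHERE storeId = 1 AND productId = {product_id}"
    return [row[0] for row in db.execute(sql)]

def hardened_stock(db: sqlite3.Connection, product_id: str) -> list:
    # Allowlist the value (a plain integer), then bind it as a parameter
    # so the database never parses user input as SQL.
    if not re.fullmatch(r"\d{1,9}", product_id):
        raise ValueError("invalid productId")
    sql = "SELECT qty FROM stock WHERE storeId = 1 AND productId = ?"
    return [row[0] for row in db.execute(sql, (int(product_id),))]
```

The filter only ever sees `&#x55;&#x4e;...`, while `parse_product_id` hands the decoded `UNION SELECT` string to the query; `hardened_stock` rejects it before any SQL is built, and a validation failure like that is also a useful signal to log.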
Notes
This sort of UNION attack may not be one that I can use for larger clients in Bug Bounties or Pentesting, as it is a well-known one. Never make assumptions, however, as issues in cybersecurity are, at heart, issues with people, and people make mistakes. All vulnerabilities must be considered, and this one will be a good one to have in my toolkit. This sort of vulnerability was immediately useful in capturing a flag in Hacker101’s CTF.
I used the following resources in this exercise:
- Rana Khalil’s excellent video on the subject.
- PortSwigger’s SQLi Cheat Sheet.
[1] These are common recommendations, ones that I learned through my Google certification, but that are also recommended by PortSwigger.
Filed under: Cybersecurity, Pentesting, PortSwigger Academy, SQLi - December 12, 2023 6:54 am