Second-Order SQL Injection attacks are not widely discussed. It is important to know that they cannot be detected by tools or via scanning alone. One needs to understand the application logic and flow of the application to detect this vulnerability. These attacks are based on a logical flaw in the web application, so by conducting a secure/source code review anyone can gain a better understanding of the application flows, which helps to detect such injection attacks.

Generally, injection attacks happen when the developer trusts the input or fails to sanitize user input before using it to build the query used in the application. The primary cause of injection vulnerabilities is usually insufficient user input validation.

Exploitation Scenario – Second Order SQL Injection with Example:

To illustrate the vulnerability, let us consider a website that has user login, signup, and password change functionality. In Fig 1.2 there are two users in the database in the 'users' table. Let us consider a new user who registers, then logs in and changes the password. This is very common functionality among dynamic web applications. Firstly, users are required to either sign up or sign in.

Fig 1.3: New User Registered – Creating an account

Here in Fig 1.3 a new user signs up with username 'test' and password '123456'. In Fig 1.4 we observe that a 'test' user is created in the database.

To perform Second-Order SQL Injection, an attacker will register with the following username: test'-- (note the trailing space: MySQL treats -- as the start of a comment only when it is followed by whitespace). In Fig 1.7 we observe that the test'-- user is created in the database. The registration itself is harmless; the payload only becomes active later, when the stored username is reused in another query.

Now the attacker logs in with the test'-- account, goes to the change password functionality and changes the password. In Fig 1.9, as there is password change functionality, the attacker changes the password from "abc" to "hacked" and clicks the 'Reset' button. Note that the username is test'-- , so below is the query that the MySQL backend processes to update the password:

UPDATE users SET password='123' WHERE username='test'-- ' and password='abc'

As the username in the WHERE clause is test'-- , everything after -- is discarded: MySQL treats ' and password='abc' as a comment, because -- is used to start comments in MySQL. The query is therefore effectively:

UPDATE users SET password='123' WHERE username='test'

The query results in updating the password for the user 'test' instead of test'-- . Hence the attacker has performed Second-Order SQL Injection successfully. For demonstration we have considered the 'test' user, but it is common for most websites to have users such as admin, administrator, etc. Such usernames are very easy to guess, and an attacker can perform the attack against such guessable accounts.

Post-exploitation, we can log in to the database and check the 'users' table:

Fig 1.10: Successful Second Order SQL Injection

We can observe that the password of the 'test' user is changed instead of that of test'-- .

Identifying a first-order SQL injection is common compared with second-order SQL injection. First-order injections, often referred to as 'shooting fish in a barrel', can be observed directly by scanners (Burp Suite, Acunetix, etc.), whereas the relative probability of finding a second-order SQL injection is low. The second-order SQL injection attack must be performed "blindly" in most cases, because the attacker performs the attack on backend functionality without any prior knowledge of the system.

With successful exploitation of this vulnerability, a remote user or attacker can compromise user accounts. Any successful attack will impact the CIA (Confidentiality, Integrity, and Availability) of critical data.

The most effective way to prevent SQL injection attacks is to use stored procedures, parameterized queries, or prepared statements. Properly sanitize the user input.
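The password-change flow described above, reproduced as an added example (not code from the original article) so the second-order effect can be observed side by side with the fix. It assumes an in-memory SQLite table standing in for the MySQL 'users' table (SQLite also treats -- as a comment start), a victim account 'test' and the attacker username test'-- with a trailing space; the new password is 'hacked' as in Fig 1.9.

```python
import sqlite3

# Constructed sample data: a victim account plus the attacker's second-order
# payload stored verbatim as a username. The registration step itself is clean.
VICTIM = ("test", "123456")
ATTACKER_NAME = "test'-- "   # trailing space: MySQL only honours "--" before whitespace
ATTACKER_PASS = "abc"


def fresh_db():
    """In-memory SQLite stand-in for the article's MySQL 'users' table (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Registration binds the raw username safely; the payload lies dormant here.
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [VICTIM, (ATTACKER_NAME, ATTACKER_PASS)])
    return con


def change_password_vulnerable(con, username, old_pw, new_pw):
    """Second-order sink: the stored username is concatenated into the UPDATE."""
    sql = (f"UPDATE users SET password='{new_pw}' "
           f"WHERE username='{username}' AND password='{old_pw}'")
    con.execute(sql)   # "--" comments out the password check; 'test' is updated
    con.commit()


def change_password_safe(con, username, old_pw, new_pw):
    """Same operation with bound parameters: the username is data, never SQL."""
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new_pw, username, old_pw))
    con.commit()


def passwords(con):
    """Return {username: password} so the outcome of each variant can be compared."""
    return dict(con.execute("SELECT username, password FROM users"))


def run(change_fn):
    """Attacker logs in as test'-- and changes the password to 'hacked'."""
    con = fresh_db()
    change_fn(con, ATTACKER_NAME, ATTACKER_PASS, "hacked")
    return passwords(con)
```

With the vulnerable sink the victim row 'test' ends up with password 'hacked' while the attacker's own row is untouched; with bound parameters only the attacker's row changes.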