Thursday, August 4, 2016

Simple MySQL SQL Injection Example

I saw this SQL injection attempt and thought it was worth mentioning.
Source IP: 5.101.156.112
GET /?Cookie=language99999' union select unhex(hex(version())) -- 'x'='x HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; eMusic DLM/3; MSN Optimized;US; MSN Optimized;US)


The attacker evidently believes the Cookie query string parameter is vulnerable to SQL injection. They supply a plausible-looking value (language99999) followed by an apostrophe, intended to close the quoted string literal in the underlying query so that the rest of the value is parsed as SQL. The 99999 suffix is deliberate: it should match no real row, so only the attacker's injected row comes back.

Suppose, for example, the web developer builds the query by concatenating the parameter into a string literal, something like

select result from language_table where id='@Cookie'

The attempt is to break out of that literal and UNION a second SELECT onto the legitimate one (UNION appends the rows of a second query to the first; it is not a join), so the query the database actually sees is

select result from language_table where id='language99999' union select unhex(hex(version())) -- 'x'='x'

Everything after the "-- " (MySQL requires the space after the double dash) is a comment, which neutralises the closing apostrophe the developer's code appends. A UNION only succeeds if the injected SELECT returns the same number of columns as the original (one here), so the guess of a single-column query is part of the probe.

The attacker is using 3 MySQL functions in this attack
1.) version() which returns the MySQL server version string.
2.) hex() which converts a string to its hexadecimal representation.
3.) unhex() which converts that hexadecimal representation back to the original string.

unhex(hex(x)) therefore returns x unchanged. Automated injection tools commonly wrap values this way because unhex() yields a binary string, which avoids "illegal mix of collations" errors when the UNIONed column types differ, and because it sidesteps naive signatures that look for a bare version().


If this works, the page renders the MySQL version string in place of the language result: the original SELECT matches nothing for language99999, and the UNION contributes the attacker's row. A successful reply confirms that the parameter is injectable, that the column count is right, and which database engine and version is behind the site, which is why a probe like this is typically the first step before extracting real data.


As a sysadmin, keep the web server and any off-the-shelf web applications patched, and put an IPS or WAF in front of the site so that basic probes like this one are blocked even if the application is vulnerable. Patching alone does not fix injection bugs in custom code, so treat the WAF as defence in depth rather than the fix.

As a web developer, use strongly typed, parameterized SQL queries so that user input is bound as data and never parsed as SQL. In addition, validate parameters like language against the format you expect (an allow-list pattern) before they reach the query, and if you must fall back to escaping, use the database driver's own escaping routine rather than a home-grown one so that characters like apostrophes are encoded and rendered harmless. Escaping is the weaker control; parameterization is the fix.
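The following Python script is an added illustration, not code from the original post. It replays the logged payload against the vulnerable string-concatenation query described above, then shows the two developer-side fixes (parameterization and allow-list validation). It uses an in-memory SQLite database so it runs offline; SQLite has no version() or unhex(), so sqlite_version() stands in for unhex(hex(version())) (an assumption of this example, the UNION mechanics are identical). The table name language_table, its columns, the sample language rows and the allow-list regex are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's language lookup table.
ROWS = [("en", "English"), ("fr", "French"), ("de", "German")]

# The value from the logged request's Cookie parameter, with version()
# replaced by sqlite_version() because SQLite (used here so the example runs
# offline) has neither version() nor unhex(). This substitution is an
# assumption of the example; the break-out, UNION and comment are unchanged.
PAYLOAD = "language99999' union select sqlite_version() -- 'x'='x"

# Assumed format for a language code; adjust to the real code list.
LANGUAGE_RE = re.compile(r"^[a-z]{2,8}$")


def make_db():
    """Create the constructed language table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table language_table (id text primary key, result text)")
    conn.executemany("insert into language_table values (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, cookie):
    """Builds the query by string concatenation, as the post assumes the
    developer did. The attacker's apostrophe closes the literal, the UNION
    adds a row, and '-- ' comments out the closing quote we append."""
    sql = "select result from language_table where id='" + cookie + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, cookie):
    """Bound parameter: the whole value is compared as one string literal,
    apostrophes included, so nothing is parsed as SQL and no row matches."""
    sql = "select result from language_table where id=?"
    return [row[0] for row in conn.execute(sql, (cookie,))]


def lookup_validated(conn, cookie):
    """Allow-list check in front of the parameterized query. Rejecting
    anything that is not a plausible language code is defence in depth and
    a natural place to log the attempt."""
    if not LANGUAGE_RE.match(cookie):
        raise ValueError("rejected language parameter: %r" % cookie)
    return lookup_parameterized(conn, cookie)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "en"))          # legitimate lookup
    print(lookup_vulnerable(conn, PAYLOAD))       # database version leaks out
    print(lookup_parameterized(conn, PAYLOAD))    # empty: payload treated as data
    try:
        lookup_validated(conn, PAYLOAD)
    except ValueError as exc:
        print(exc)                                # rejected before reaching SQL
```

Running it, the vulnerable lookup returns the SQLite version string as the only row (language99999 matched nothing, so the attacker's UNIONed row is all the page would display), the parameterized lookup returns an empty result for the same input, and the validated lookup rejects the value before any query is built.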

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
