In my previous post I discussed how to setup a mysql server with AWS RDS services. In this post I’ll cover how to create a web application that vulnerable to SQL Injection.
I’m going do this tutorial a little differently than the previous tutorial. I’m going provide you my code:
git clone https://github.com/dailigf/cs467_Vulnerability_POCs.git
git checkout sqli_pocThe above command will clone my repository into your working directory and will checkout the “sqli_poc” branch.
You’ll need to create main working directory of the web app, you’ll need to create a folder named “database” and inside the “database” folder, a file named “db_connector.js”.
mkdir database
touch database/db_connector.js
Contents of “db_connector.js”:
You’ll need to enter the contents of your username and credentials.
Vulnerable Piece of Code
The vulnerable piece of code is located in the “sqli.js” file:
In this code we are creating an sql query by concatenating user input directly. This is always a bade idea.
Testing out the Vulnerability
We’re going to run the web application:
node app.js
Then open up a browser and browse to “http://127.0.0.1/sqli/test”:
The web application requires a name, in this case I’ll provide the name of “francis” because that name is currently in the user table in my capstone database. The website will return the following page:
The query return my full name.
Proof of Concept
If we enter the following into the text area:
'UNION ALL SELECT 1,2,3;#
Explanation of the POC:
- ‘ (single quote) :: the single quote in the beginning “closed off” the single quote in our sql query
- Essentially the query became:
SELECT users.userId, users.first_name, users.last_name FROM users WHERE users.first_name =”- it’s a valid query, but it’s an empty record
- UNION ALL SELECT 1,2,3
- This will join the previous query with the “SELECT 1,2,3” query.
- In the initial query there are three attributes it’s pulling from the DB – userId, first_name, and last_name
- SELECT 1,2,3 must match the number attributes pulled, otherwise the union/join will be an error. In SQL Unions between two tables have to have the same number of attributes/columns, hence why we perform SELECT 1,2,3
- If the previous query only pulled to records from db, our UNION Select statement would be “UNION ALL SELECT 1,2”
- ; (semi-colon) :: this signifies the end of an sql statement
- #(hashtag) :: everything after this is commented out, it’s not treated as query.
Pulling data from another table in the database
A “UNION” is interesting but not all that useful, however, what it does provide is an indication that the server is vulnerable. With this in mind, it’s possible pull information from other parts of the database.
Recall that our web application was only pulling information from the “users” table. With an sqli vulnerability, we can grab information that we were not meant to see. Example:
'UNION ALL SELECT 1,(SELECT password from credentials where userID=1), 3;#
Here we were able to pull the password attribute from a completely different table – “credentials”.
Anyway I hope this post proved enlightening. I’ll probably revisit this to provide some more detail. I’ve been pretty busy with work lately.
Until next time, cheers.
