Injection attacks (Part 1)

Going by the literal meaning, an injection attack is about injecting something into an application. That raises three questions:

  • What to inject?
  • Where to inject?
  • Why to inject?

We will take these one by one.

What to inject?

A SQL query, a PHP command, changed arguments in the URL, etc.

Where to inject?

Wherever user input is requested or a user can modify the input.
It can be a text box (username, password field, feedback fields etc.) or a URL modification. We can always play around with the URL.

Why to inject?

So that we can exploit!

TYPES

  • HTML injection (GET and POST)
  • PHP injection (GET)
  • iFrame injection
  • SQL injection
  • LDAP injection
  • XPATH injection

There are other types of injection attacks as well, such as OS command injection. I will be explaining the first two here and the others in subsequent parts.


HTML injection (GET)

Explaining GET and POST at a high level – these are the ways by which the data is sent.
If the application uses GET, the user input can be seen in the URL itself; if it uses POST, we will not be able to see it in the URL. Don't dig deeper on this right now.

1) The user has to enter firstname and lastname, and when we hit Go we can see them displayed on screen.

2) Let's take a look at the URL – you can see the parameters entered by the user in the URL (GET).

3) Now I modify the URL, placing HTML tags in the user name and password.

4) Here is the output for that.

5) Now let's do something else: I try to create a list in the URL itself.

6) Once we hit Go, we have the list displayed below along with firstname and lastname.

Now let's see POST.


HTML injection (POST)

1) When we enter the firstname and lastname, the URL remains the same (all the sending activity is invisible in the URL).

2) Now, instead of changing the URL, we place the HTML entities in the text fields themselves.

3) The URL remains the same, since it is a POST.

All this happens because the application is not checking the user input for what is valid and what is not. It simply takes the input from the user, processes it and displays the output.


PHP Injection

The fundamental difference is that instead of injecting HTML we will now be injecting PHP commands.

If you don't know PHP, no worries; the demo below is easy to follow.

1) As soon as we click the message, we expect the message to be displayed on the screen.

2) Let's click the message.

3) Now if we look at the URL, we can see that the message string is present there.
Let's play around with it.

4) Change the message string: test with the PHP command
phpinfo() and hit enter.

We get something that catches the eye.


Lesson learned – DON'T TRUST USER INPUT
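What that lesson looks like in code, as an added example that is not from the original post or from the demo application: the echo-the-input pattern behind the HTML injection demos next to an output-encoded version, plus a message handler that treats the parameter strictly as text. The parameter names (firstname, lastname, message) and all function names are assumptions, and the sample input is constructed.

```php
<?php
// Added example; the demo application's real server code is not shown in the post.

// Vulnerable pattern (for comparison): input is echoed verbatim, so any
// markup in firstname/lastname becomes part of the page.
function render_welcome_unsafe(array $in): string {
    return "Welcome " . ($in['firstname'] ?? '') . " " . ($in['lastname'] ?? '');
}

// Encode at output time so the browser renders the value as text, not markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only scalar strings; firstname[]=x style array input becomes ''.
function str_param(array $in, string $key): string {
    return is_string($in[$key] ?? null) ? $in[$key] : '';
}

// Hardened form: same behaviour for GET and POST, since both are user input.
function render_welcome(array $in): string {
    return "Welcome " . h(str_param($in, 'firstname')) . " "
                      . h(str_param($in, 'lastname'));
}

// Message page: the parameter is data only. It is never passed to eval(),
// include, or any other function that would interpret it as PHP.
function render_message(array $in): string {
    return "<p>" . h(str_param($in, 'message')) . "</p>";
}

// Constructed sample input, standing in for $_GET or $_POST.
$sample = [
    'firstname' => '<h1>Bob</h1>',
    'lastname'  => '<ul><li>one</li><li>two</li></ul>',
    'message'   => 'phpinfo()',
];

echo render_welcome_unsafe($sample), "\n"; // tags reach the page unchanged
echo render_welcome($sample), "\n";        // tags arrive as &lt;h1&gt;... text
echo render_message($sample), "\n";        // phpinfo() is shown as a string
```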

 
