Advanced Ethical Hacking - Web Architecture Injection Attacks Tutorial

Web Architecture

At this point we should spend a little bit of time talking about web architecture. Now, you really need to understand what the web architecture of a particular site is so you can understand first of all what there is to go after, and also what there may be within the site. So as an example, here I've got this page here, Welcome to the Guessnum Game.

And I'm guessing based on what I'm seeing here and what I have seen from playing around is there is really just a web server here.

Even though I have programmatic access to this, and there's some forms that I could play around with, and there's some logic in terms of application code behind it, really all there is is a web server. Now if I were to take a look at this site for example and I go to this site instead, what I can see here is I've gotta log in and it looks like there's some content here and I'm guessing that there's probably A database just from looking at it.

Of course, I happen to know that there is a database, I set this up. But based on what I'm seeing here I'm guessing there's probably a database of some sort.

First of all, there is username and password and the best place to store that sort of information is in a database. And it looks like there's some content here where I may need to save a lot of information, so there's a database behind this. So that's part of the architecture behind this. So that's part of the architecture of this particular site. There's the web server and then behind that, there is the database.

Sometimes you may run into an instance where there's A web application server. So in addition to the web server itself, you may run into a case where there's a web application server where there's more extensive logic behind it.

For example, if we were just to look up application server here, you would find things like, BEA has an application server, Oracle has a web application server, the .NET Framework is an application server, Java.

There are a lot of application servers. So, in addition to things like PHP that may be on the front end, there may also be Like a Java application server with code in behind that and then the application server would talk to the database. That's a more complex web architecture. Now there may also be load balancers stuck in the middle as well. We're not really going to worry so much about those. What we're more concerned about is where the code actually lives. And how we can actually access that.

And from that, we can do things like cross-site scripting, and cross-site request forgery, and SQL injection. And all of those sorts of attacks. But in order to understand where we should spend our time, it's useful to get a good idea of the type of web application architecture that's in place on the particular site that you're working on.

Basics of SQL Injection

Let's talk about the basics of SQL injection here. So understanding how SQL injection works and what you're actually doing is useful. You can't just plug in any old SQL statement here and expect it to work. So something like that's just not going to work more than likely.

What you need to do is you need to understand how the query is actually structured. And how you may be able to break out of the query that's there. So for example, in this case, I could do select* from users where username equals. And lets say we're using something like PHP and I would do something like this. And actually I put these into quotes. So this is sort of the What we're dealing with.

Now, what I input is, actually what's going to go in here. So, what I need to do in order to break out of this is, I need to close the quote. And depending on the server that's on the back end, I may actually need to terminate.

The query itself with something like a semicolon. So the first thing that you may want to try doing is just closing the quote and seeing if we can do something like that. Now, since you Doing a select statement and a select statement goes through the database and it chooses all of the rows that match the particular query. So what I want to do is structure a query so that I can get as much from the database as I can.

In the case of this, for example, that's what I really want to do is I want to get a lot of values back or at least one value back. That's going to indicate that probably I have passed the authentication. So what I could do is the classic where one equals one. So I could run this as a sequel injection, for example.

Actually let me get all of the spaces out of this so we're not dealing with any problems with spaces. So I could run that and just see whether I can log in doing that or not. And in that case, it didn't work. So maybe I need to terminate the query ahead of it before Doing something.

In this case I know it's not going to work because I'm doing an or here and I've actually put a semi colon in but this is something that you might do. So understanding the context of what you're doing is really helpful for being able to sequel injection attacks.

So what's your goal? In this case My goal is to actually return some rows in case the application is just seeing whether it got something back. So I may want to do just something where I'm going to get any sort of value back. So I could do something like or user equal Admin, hoping that there's an admin user as an example. So I could do something like that for a user name password where I'm attempting to login. Now other things I may be able to actually dump data from the database. So I could do Something like terminating the original query and then doing something like this.

So like the asterisk from users which hopefully will give me all of the user information or I could something like in the case of MySQL I could do Describe table and then give it a table name.

So there's a lot of different things I can do with SQL injection but the important thing is understanding the context of the forum that you're dealing with and the type of query that's probably there. Now, if you were to do something that could generate an error, you may actually be able to get the query back. So, sometimes if the developer's not paying attention. They're not parsing the error messages out there just printing them out to the screen.

You may be able to get to the error message back from the web server Indicating what the query was so you can do a better job of structuring your SQL injection to break out of that query and see what other data that you can get.

Manual Testing

So we've talked about the architecture of the website and we've talked about some of the basics of SQL injection. We've actually gone through a little bit of manual testing. Now, you may be running various tools against Your web architecture. So you've perhaps gotten some indication that sequel injection is possible based on the automated tests that you've been running.

Now, this is where manual testing comes into play, and you may have to do a lot of playing around with the query that you did with the automated testing that may have gotten you some results that led you to believe that there's some possibility there.

Now, you need to understand SQL a little bit and, You could do something like going to MySQL Documentation and understanding what queries actually look like and how you would interact with them. You may need something like a SQL injection cheat sheet just to give you some pointers on where to actually start your playing. So there are various cheat sheets that are out there that may help you with the Manual testing that you need to do.

So here's some examples of things that you could do and, of course, it tells you the database that is supported, as well, here. So here's some things that may be helpful. One thing that we didn't actually do was we didn't actually Do things like trying to break out of it with comments and sometimes you can do a comment like this. And you can break out of whats there or just comment of what's behind it.

So There are a number of things that you can do in order to further your exploration into a potential SQL injection attack. And as I said, here's some different types of things that you may be able to do.

But it really comes down to a lot of persistence and playing around with the site just to see if you can get through it or not. Now one of the nice things that this particular site has is. It's got some places where you can do the encoding. And of course we've talked about other plugins for Firefox that will do similar sorts of things, but you may need to, for example, ASCII encode your injection. So they may need to do something like this, for example. And let's just do The simple one. So I want a ASCII encode that. Now here's the ASCII encoding for it.

Now I could go back here and plug this in. And see whether that actually got me anywhere. And in this case it doesn't. But that how you would ask key N code a SQL injection. But sometimes it really just takes understanding the different types of attacks that you may be able to perform. And Just chugging through them and trying different variations, and being persistent and sometimes a little creative, to try some different things.

And that's really where you're going to find success with doing this type of testing is just chugging through until you actually hit on something that works.

SQLMap

Another tool that you could actually use to do some SQL injection testing is a tool called SQL map. Now SQL map is a tool that's actually written in In Python and as usual we've got a lot of capabilities that the tool has. So if I look at the help for example. I can see that there are a lot different things that It can test for in a lot of different ways. I'm going to show you a couple of quick things here that you can use. So there's a couple of things. You can specify a URL that you want to look at. [00:00:37] Or you could actually specify a Google query.

So let's take a look at the URL way of doing it first. So we're going to run SQL map. And I'm going to specify that the URL in this case is the system that's on my local network. And I'm going to use one of the directories underneath the main directory.

So, I've got this tool Sequel Map.

I'm actually running it against a website that's actually called Dan Vulnerable Web Application, and it's a web application that I've got installed on my System here and we're going to check to see whether it's vulnerable to SQL injections. And so it's running a lot of tests and you can see it's testing for various things.

And what it's discovered here is that the parameters may not be able to be Attacked in an injection fashion. So what I could actually do here is I could say level is 5 because I want to crank up the testing level that I'm doing. So it's going to do some, some more intensive testing that I had previously done And we're going to do some different types of testing. You can see there's a lot more tests here going on now than we had previously looked at. And the reason for this is because some of these tests may be more risky than the basic ones. So I've intensified the level.

We're going to see whether we can actually get into this particular web application in this way. So it running through a lot of tests for different databases and I could do some specifications for what I actually wanted to test it to. I'm just going to run through everything at this point and even though I know we're running like Microsoft SQL server tests or Oracle tests And it's really MySQL that's the database that's running behind the dam vulnerable application.

So you can see the level five actually does a lot of tests that we didn't before.

And you can see here that it's telling me that I could specify that the database system is my SQL. So that would limit the number of test that I'm doing if you do happen to know what the database is you can save yourself some time by specifying which database Management system you're actually using. So we're running through a bunch of generic tests right now and this actually could take some time. And I do want to show you the Google version, so I'm actually going to to end it at that point. It's telling me based on what it's found, that the parameter that it did find Couldn't be injected into.

So let's take a look at running sequel map using the Google hacking. And in order to protect myself here I'm actually going to use my site. And I can do a Google dork like this. So I'm saying that the site is this one right here.

I'm actually going to specify that. And I'm looking for php extensions. So it's going to run a Google query and it's going to see what it can Can find four results from that, and then based on that, it will run sequel map against those particular pages. And it turns out that I don't actually have PHP pages there.

Just for fun, let's try CGI instead. And we don't actually have anything there either. Even though I could actually do something like this. I do have a blog site that's running WordPress and I could do this instead. 

So for some reason, the blog isn't advertising any PHP pages, and so I could do The testing, directly against the blog. As I said, it's running WordPress, and behind WordPress is a database. And this also is showing that the parameter that it did find, might not be injectable. So, we may not be able to get much of anywhere with this. But SQLMap is a pretty useful tool, you can see it does a lot of different testing against different SQL databases and you can of course increase the level of intensity that you're testing against. You can increase the risk.

You can do all sorts of different parameters and see whether you can actually get any results back And see whether it's something that you could perform SQL injection against. And if you can it will actually do things like dump the database, get users, get a list of tables, get the databases that are involved.

You can do a lot of different things with SQL map.

Command Injection

I want to take a look at a command execution, or a command injection vulnerability. Now a command injection vulnerability is really an attack on the web application architecture. So I've got the DVWA vulnerable web application here. And you can see there's a ping for free. Now one of the important things about doing command injection. Is understanding what it is that's going on here. What's going to happen here is I'm going to put an IP address in and it's going to run a Ping for me.

So somehow, it's passing this IP address along with the ping command into either a system function or an eval function or something along those line So how would I go about exploiting that? Well one of the first things I know is that I can do a command termination with a semicolon.

So let's just see if we can do a semicolon and then LS, which would be a list command. So if I do the ;ls sure enough it runs the ping and then it runs the list and we get the results from the list. So let's see if we can do something a little bit more interesting. So I'm going to do my IP address because It needs an IP address in order for the Ping to function and then we can do, let's see if we can do a cat/etc/shadow. And we're going to do a password, instead.

So sure enough, we get the list of all of the entries in the password file. So what it's probably doing is it's appending this string onto the string ping And then passing it off to eval, getting the results and then just populating the page with all of those results. So this is a way of doing command injection. And again it's one of those things where you have to understand what's going on in order to be able to pass through What's really happening in the form and get to the system beyond it. So you're not just going to be able to do something like this for example.

Command injections are as simple as passing in a command. What it really needs is the ability of understanding what is really being asked for and then Doing an escape of beyond that which is exactly what's going on here.

So I know it needs an IP address than I can do this semi colon and then pass in a system level command at which point I will get both of those back. There are number of ways of doing command injection as well You need to understand what it is at actually going on. You maybe able to use something like a back tick for example that would do an execution in the shell or there maybe some other ways of doing the command ejection. But remember that a command injection is really an attack against the Web architecture and what you;re doing is you're exploiting The way the web code is written in order to get to the system behind it.

Cross Site Scripting

There's another type of attack that makes use of the web architecture but is actually looking to attack or target the client machine. So what I want to show you is a cross site scripting attack. So the first thing I want to do is I want to load Tamper Data and we're going to do some tampering with the request and I'll show why in just a second.

So I'm sending in some JavaScript here which is what cross-site scripting is, it's Using a scriptable language like JavaScript in order to interact with the client browser. So I'm going to tamper with this and here's the reason why. Because what happened is they did some URL encoding Or hex encoding with the characters here. So, I'm going to change these back to what they were before. Because with the hex encoding, it doesn't look quite the same, when we actually come back on the other side.

So, I'm going to replace all of these characters here. With their original non-URL non-hex encoded versions. And then finally this bracket here. So now I'm going to click OK. We're going to submit that. And what happened was it came back with That entire set of java script back in the page.

Because you see here it says welcome and there's my name. And then right here after that in the source is going to be this script. And when the browser sees that it actually executes it. So I can actually show you By looking at the page source we can see welcome, my name, script, and here's the Java script right there.

So what happened was the browser got to this and it actually executed that alert. Now Imagine what would happen, and I'm going to stop tampering here. Imagine what would happen if there were something like grabbing cookies or doing some other Bit of malicious code here that actually were to grab data from this user machine and send it off somewhere else. That could actually happen. Now in this case, this is just something that I plug in and it comes right back at me.

If this information were stored in a database In, for example, a forum post, and then every time a user went there that script was actually run. That would be stored cross-site scripting. And that's far more dangerous, because if I can store it, then I can hit everybody who goes to that particular site.

The way to do this that we just went through here Is if it's a URL parameter I could actually craft a URL and send it to somebody and hope they actually click on it.

The stored cross-site scripting is just far more dangerous because it's so much easier to get so many more people by storing in a database and then just waiting for people to come by the page.

So again cross site scripting is one of those things that makes usable web architecture but is really attacking the client browser, that's really the target Of the cross site scripting is the client browser or the user that's making use of the browser.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

We use cookies on this site for functional and analytical purposes. By using the site, you agree to be cookied and to our Terms of Use. Find out more

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)

By proceeding, you agree to our Terms of Use and Privacy Policy

We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*

By proceeding, you agree to our Terms of Use and Privacy Policy