21 hours 43 minutes
Learning objectives are to understand how to identify SQL injection vulnerabilities and demonstrate how to manually exploit SQL injections.
So SQL, Structured Query Language, in relational databases. Databases are everywhere in web applications. Have you ever been shopping for something on Amazon? You know, there's a price and there's an item; there's probably an underlying database for that.
If you've ever signed up for a forum, you know, if you've signed up for PWK, you have access to the Offensive Security forum and you have a username and password and you interact with other users in that forum; there's probably an underlying database there that's storing that information. And because there are so many databases and web applications out there, the SQL injection attack has been around for a very, very long time.
A SQL injection is basically being able to inject our own SQL statements, raw SQL statements, into forms or the URL itself. And that allows us to query the database, interact with the database, delete things, add things, and do very bad things, like figure out usernames and passwords or other sensitive information in these databases.
It's also important to know what the underlying database is. Is it MySQL? Is it MSSQL? Is it an Oracle DB? Why is that important? Because the way you structure your queries is going to depend upon the underlying database.
So how do we find it? Our most powerful tool is a single quote.
The single quote is going to close out a string, and you'll notice that we may get verbose errors. It may say there's an error in our SQL statement. It may give us the version or the name of the underlying technology, of MySQL. We saw that with Wappalyzer a few lessons ago, where it told us the underlying database was MySQL. That's great information, because now we know if there's a SQL injection we can write those queries using MySQL.
So you can also try this not only in forms and the URL but also in logins. And we're gonna have a whole other lesson on that as well.
I will say when I was doing bug bounty I did this with a single quote on one of the web applications I was testing, and it gave me a whole lot of verbose information. It told me the name of the database. It told me the columns and the tables, and it was a very verbose stack trace. So a single quote can be very powerful in finding SQL injections.
So you'll see here this image from DVWA where I added a single quote and it says you have an error in your SQL syntax, and check your MySQL server. So we already know it's MySQL based on that error message, which is very helpful.
That is an error-based SQL injection because we see an error. Blind-based, I bet you can guess, is where you don't see an error like that.
Our most powerful tool with SQL injections, finding them and enumerating databases, is sqlmap.
It's a great tool. Great tool if you're going to be doing any of the eLearn exams; sqlmap is a great tool for that. Can't use it in OSCP, sorry. But, you know, sqlmap is great for labs and things like that. But you cannot use it in OSCP, unfortunately.
So how do we manually enumerate, or manually use SQL statements to find out if there's a SQL injection and pull information?
So people say, you know, use the single quote or 1=1, which is a true statement. So you'll see here in DVWA, for the user ID, or 1=1. It's going to give you every single first name and surname of everyone in that database.
That's a true statement. If you make it a false statement, we're talking about boolean values, right? True and false. If it's a false statement you get nothing.
So obviously if you do 1=1 and you get everybody in the database, that's great. But if you don't, try using a false value and seeing if things change.
There's a great guide on Exploit DB. I will tell you I did a Hack The Box where it had a SQL injection and I manually enumerated it, and it was probably the greatest learning experience I had in manually enumerating SQL injections and pulling information.
So let's dive into the demo now.
All right. We are back with the awesome photoblog. So like I said, a single quote. Here you have an error in your SQL syntax, and we know it's MySQL. So what do we do? We google SQL injections for MySQL, right? That's our best friend.
I'm gonna try to get that boolean value. I'm gonna do and 1=1, and I see I still get an error, so I'm gonna try to remove the single quote and see what happens. Okay, that's a true statement. Let's try a false statement. I get nothing, like we saw in the slides. Okay, so we're getting somewhere.
What I'm gonna do now is I'm gonna order by to see how many columns I have. I want to order by 1, order by 2, order by 3, order by 4, and I'm trying to see where I get an error. Order by 5. Okay, unknown column 5. So we know we have four columns. Why is that important? Because when we do union select statements we can inject information into the union select statements to pull information from the database. What do I mean by that? So, union select. I like to use null values, and we know that we have four columns.
So if we have four columns, we see that we don't get any errors. If I do a fifth column, we'll get an error there, right? The used select statements have a different number of columns.
So what do I mean by inject? So if I want to pull the version, I put version() here, and let's take a look down here. So now we have the version 5.1.63 squeeze1.
So if we wanted to get more information, of course, like I said, Google is your best friend: MySQL, that version.
What if I wanted to get... I see I'm in photoblog. Okay, well, that's all fine and good. But let's further enumerate what's going on here. I want to see all the databases that I'm working with here.
So what I'm going to do is union select null, concat(schema_name), null, null from information_schema.schemata. What that tells me is we have information_schema, which we should have in all MySQL databases, and photoblog.
So I want to find out what the table names are in photoblog. So I'll go union select null, table_name, null, null from information_schema.tables where table_schema equals database(). And we'll see that we have categories, pictures and users. Well, users, very interesting, right? Because if we have users we may have a username and password, right?
So now we're doing a union select null, column_name, null, null from information_schema.columns where table_name equals users. And now we have these columns: id, login and password. So now we're really getting somewhere.
Of course we want to know what the login and password is, right? So now I have union select 1, concat, so concatenating id, leaving a space, login, leaving a space, and password. So that should give us the id, login and password of the users. And we see here we have the id, login and password. Now this obviously isn't a clear-text password. It's hashed with some kind of value.
I'm not going to use any fancy tools right now because we have a whole different module on cracking passwords. So what I'm gonna do is search for it in Google, and I can see that this is an MD5 hash for this very fancy password here.
All right. So you saw the hard way we had to do it, how to manually enumerate it. Now, let's look at, I'm sorry, sqlmap.
I'm gonna take off --dbs right now. And you can see, simply with the push of a button, it already has found that id is vulnerable to boolean-based, error-based, time-based and union query SQL injections. And if I want to enumerate the databases, I do --dbs, and like we saw before there's information_schema and photoblog.
I'm going to do photoblog and we want to dump the tables: categories, pictures, users. We've seen this before, right? But this is much faster. Now I can do --dump. We're going to try to crack the password, and we did; it's that fancy password there.
So MySQL, or, I'm sorry, sqlmap is a great tool to use, but we cannot use it in OSCP. So knowing how to manually enumerate SQL injection vulnerabilities is very important, so that we can learn how to pull valuable information from SQL injection vulnerabilities.
So in summary, we covered understanding how to identify SQL injection vulnerabilities and I demonstrated how to manually exploit a SQL injection.
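As an added illustration that is not code from the video or from the photoblog application, here is a small Python stand-in for the demo's vulnerable page, using sqlite3 in place of MySQL so it runs offline. It puts the vulnerable string-built query beside its parameterized fix and classifies the lesson's probes (true/false condition, order by column counting, union select of the version) as rows, empty, or error, which is the signal the lesson reads. The table layout, rows and handler names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the demo's "photoblog" MySQL database, using sqlite3 so
# the example runs offline. The rows are made up; they are not the video's data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pictures (id INTEGER, title TEXT, img TEXT, cat INTEGER);
        INSERT INTO pictures VALUES (1, 'Ruby', 'ruby.jpg', 1), (2, 'Python', 'python.jpg', 2);
        CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-md5-placeholder');
    """)
    return conn

def pictures_vulnerable(conn, cat):
    """The 'before': the cat parameter from the URL is pasted into the SQL string."""
    sql = f"SELECT id, title, img, cat FROM pictures WHERE cat={cat}"
    return conn.execute(sql).fetchall()

def pictures_safe(conn, cat):
    """The fix: reject anything that is not a whole number, then bind it as a parameter."""
    cat = int(cat)  # ValueError on "1 and 1=1", "1'", "1 order by 5", ...
    sql = "SELECT id, title, img, cat FROM pictures WHERE cat=?"
    return conn.execute(sql, (cat,)).fetchall()

def probe(handler, conn, payload):
    """Classify the response the way the lesson does: rows back, nothing back, or a DB error."""
    try:
        rows = handler(conn, payload)
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))
    return ("rows" if rows else "empty", rows)

# The lesson's probes: true/false condition, column counting, union with the DB version.
PROBES = ["1", "1 and 1=1", "1 and 1=2", "1 order by 4", "1 order by 5",
          "1 union select null, sqlite_version(), null, null"]

def run_probes(handler, conn):
    """Map each probe to its outcome ('rows', 'empty' or 'error') for one handler."""
    return {p: probe(handler, conn, p)[0] for p in PROBES}

if __name__ == "__main__":
    db = build_db()
    for name, handler in (("vulnerable", pictures_vulnerable), ("safe", pictures_safe)):
        print(name)
        for payload, outcome in run_probes(handler, db).items():
            print(f"  {payload!r:55} -> {outcome}")
```

Against the vulnerable handler the three outcomes differ per probe, which is exactly what lets the lesson count columns and read the version; against the fixed handler every non-numeric probe collapses to the same error before it reaches the database.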