SQL Injection whitebox approach (part 1)
Have you ever been in a situation where you have a bunch of code to review?
Let's take the example of ATutor, a fully working Learning Management System (LMS) available at https://github.com/atutor/ATutor, which contains more than 1,900 PHP files. If we wanted to detect SQL injection (SQLi) vulnerabilities in that application, what should the process be?
The first approach is to take all the PHP files and read them line by line. Of course, this is not viable given the high number of files and the complexity of the code.
The second approach is to define an algorithm that checks a single file for the vulnerability, then automate it over the remaining files. In this topic on SQL injection (with a whitebox approach), I will describe my algorithm, implement it in Python, and test it.
The algorithm consists of 3 steps:
- Detect all PHP files that take parameters from users via the common methods;
- For each file identified, send POST and GET requests carrying the expected parameters, with the payload in their values;
- Search the database log for any SQL injection attempt using a regular expression.
To accomplish the 3rd step, we have to enable query logging on the SQL database server. In this first part of the topic we will:
- identify the files we want to deal with;
- define the pattern we will be looking for in each file, which tells us where to inject our payload;
- enable database logging.
- Files identification
This is a very simple step and can be done with the find command of bash.
Assuming the base directory of the web project is /var/www/html and we want to look for SQLi vulnerabilities in all of its PHP files, we can type
find /var/www/html -regex ".*\.[pP][hH][pP][0-9]?" 2> /dev/null
The regular expression matches any file under /var/www/html whose name ends in php (in any letter case) optionally followed by a digit, so that legacy extensions such as php4 and php5 are picked up too. Note that -regex is matched against the whole path, which is why the pattern starts with .*; the 2> /dev/null discards the error messages (typically "Permission denied") that find writes to stderr for directories the current user cannot read.
Another simple way to do the search is
find /var/www/html -name "*.php"
assuming all PHP files use the conventional extension (filename + . + php).
- Identification of the pattern that will be used for payload injection
In PHP, user-supplied parameters are usually read from the $_GET or $_POST superglobals, but $_REQUEST (which merges GET and POST data and, depending on the request_order setting, cookies) and $_SESSION are also common sources. Values in $_SESSION are written by the application itself, usually from earlier request input, so a session key read in one file may carry data that was originally submitted to another. In the next part these four keywords will be used as the markers around which the payload is injected.
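The first two steps (listing the PHP files, then pulling out the parameter names each one reads from $_GET, $_POST, $_REQUEST and $_SESSION) can be combined into one scanner. The following Python is an added example, not code from the original post or from the ATutor project. It builds a small constructed tree of sample PHP files in a temporary directory so it runs offline; point scan_tree() at /var/www/html to run it against a real checkout. The extension filter mirrors the find regex above (php with an optional trailing digit, any letter case). Only string-literal keys are recovered: a key held in a variable, such as $_GET[$name], is deliberately left unreported, which is a limitation of regex-based scanning worth knowing about before trusting the file list.

```python
"""Added example: locate PHP files and list the request parameters each one reads."""
import os
import re
import tempfile
from collections import defaultdict

# Extension filter equivalent to the find regex in the post: ".php" plus an
# optional digit (php, php3, php4, php5), matched case-insensitively.
PHP_FILE_RE = re.compile(r"\.php[0-9]?$", re.IGNORECASE)

# The four superglobals the post treats as entry points for user-supplied data.
# Group 1: superglobal name, group 2: quote character, group 3: the key.
# Only string-literal keys match; $_GET[$k] or $_GET[CONST] is not captured.
PARAM_RE = re.compile(r"""\$(_GET|_POST|_REQUEST|_SESSION)\s*\[\s*(['"])([^'"\]]+)\2\s*\]""")


def find_php_files(root: str) -> list:
    """Return every file under root whose name matches PHP_FILE_RE, sorted by path."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if PHP_FILE_RE.search(name):
                matches.append(os.path.join(dirpath, name))
    return sorted(matches)


def extract_params(source: str) -> dict:
    """Map each superglobal used in source to the sorted list of keys read from it."""
    found = defaultdict(set)
    for match in PARAM_RE.finditer(source):
        found[match.group(1)].add(match.group(3))
    return {method: sorted(keys) for method, keys in sorted(found.items())}


def scan_tree(root: str) -> dict:
    """Scan a web root; return {relative path: {superglobal: [keys]}} for files that read input."""
    results = {}
    for path in find_php_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            params = extract_params(fh.read())
        if params:  # files that read no request data are not injection targets
            results[os.path.relpath(path, root).replace(os.sep, "/")] = params
    return results


# Constructed sample files (not taken from ATutor) covering the cases the scanner must handle.
DEMO_FILES = {
    "login.php": (
        "<?php\n$u = $_POST['username'];\n$p = $_POST[\"password\"];\n"
        "$_SESSION['user_id'] = authenticate($u, $p);\n"
    ),
    "courses/view.php5": (
        "<?php\n$course = $_GET['course_id'];\n$page = $_REQUEST[ 'page' ];\n"
        "$extra = $_GET[$dynamic_key];  // variable key: not recoverable by regex\n"
    ),
    "lib.PHP": "<?php\n$x = $_GET['x'];\n",  # upper-case extension, still a PHP file
    "include/header.php": "<?php\necho '<title>ATutor</title>';\n",  # reads no input
    "README.md": "Not PHP, so $_GET['ignored'] must be skipped.\n",
}


def build_demo_tree() -> str:
    """Write DEMO_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for rel, body in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Replace build_demo_tree() with "/var/www/html" to scan a real deployment.
    for rel, params in scan_tree(build_demo_tree()).items():
        for method, keys in params.items():
            print(f"{rel}: ${method} -> {', '.join(keys)}")
```

The output of scan_tree() is exactly the input the second step needs: for each file, which HTTP method to use and which parameter names to populate. README.md is skipped by the extension filter even though it mentions $_GET, and include/header.php is dropped because it reads nothing from the request.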
- Enabling Database logging
Assuming the application talks to MariaDB, the general query log records every statement the server receives, which is what the third step will parse. To enable it:
- open the MariaDB server configuration file /etc/mysql/my.cnf with any editor (vi, vim, nano, gedit, etc.); on Debian-based systems the server settings may instead live in a file under /etc/mysql/mariadb.conf.d/, which my.cnf includes;
- add the following lines under the [mysqld] section:
general_log_file = /var/log/mysql/mysql.log
general_log = 1
- restart the server so the new settings are read (on some distributions the unit is named mariadb rather than mysql):
sudo systemctl restart mysql
In this example the file /var/log/mysql/mysql.log will hold every statement sent to the database, so that directory must exist and be writable by the account the server runs as (usually mysql). The general log grows quickly and records credentials and other sensitive values in clear text, so keep it enabled only on a test instance and only for as long as the scan runs.
Now we are ready for the attack. The next step of the tutorial will be shared in the next part of the topic.