SQL Injection

SQL Injection whitebox approach (part1)

SQL Injection whitebox approach (part1)

Have you ever been in a situation where you have a bunch of code to review ?

Let’s take an example of Atutor, a fully working Learning Management System (LMS) available at  https://github.com/atutor/ATutor which contains more than 1900 thousand php files. If we were to detect any sqli vulnerability in that application, what should be the process ?

The first approach is to take all the php files and read them line by line. Of course, this is not a viable approach considering the high number of files and the complexity of the code written.

The second approach will be to set up an algorithm to check the vulnerability for one file and automate the process for the remaining files. In this topic covering sql injection (with whitebox approach), I will be describing my algorithm, implementing it in a python code, and testing it.

The algorithm consist in 3 steps :

  1. Detect all php files taking parameter from users via common methods;
  2. For each file in the list identified, send all POST and GET request with the expected parameter;
  3. Check in the database log, any sqli attempt using regex expression.

In order to accomplish the 3rd step, we would have to enable SQL Database logging. In this first part of the current topic we we have to :

  1. Identify the files we want to deal with;
  2. Define the pattern we will be looking for in the file, for us to inject our payload;
  3. Enable Database logging.
  • Files identification 

This is a very simple step and can be done with the find command of bash.

Assuming that the base directory of the web project is /var/www/html and we would like to search SQLi vulnerability in all the php files, we can type

 find /var/www/html -regex  “.*\.[pP][hH][pP][0-9]?”  2> /dev/null

Here we used regular expressions to output any file in /var/www/html whose name ends by php (whatever the case) with an eventual number at the end (php4 and php5) are examples of extensions that are used in php web coding.

Another simple way to do the search is

find /var/www/html -name “*.php” 

Assuming all php files are written in the conventional syntax (filename + . + php)

  • Identification of pattern that will be used for payload injection 

In php, parameters are generally received by a GET or a POST request, but there are other keywords like REQUEST and SESSION. In our next part these 4 keywords will be used.

  • Enabling Database logging

We assume here, we’re dealing with MariaDB, here are what we should do:

  • open the MariaDB server configuration file located at /etc/mysql/my.cnf with any tool (vi, vim, nano, gedit, etc …);
  • Add the following lines under [mysqld] directive:
    general_log_file = /var/log/mysql/mysql.log
    general_log = 1 
  • sudo systemctl restart mysql

In this example we chose the file /var/log/mysql/mysql.log to hold every request coming to the database.

Now we are ready for the attack. The next step of the tutorial will be shared in the next part of the topic.

Share this post

About the author


Offensive Security Experienced Penetration Tester (OSEP)
Offensive Security Web Expert (OSWE)
Offensive Security Certified Professional (OSCP)
Certified Soc Analyst (CSA)
Certified Ethical Hacker (CEH)
Web Developer

View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *