Web Exploitation

SQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. It targets web applications that have a database or other data repository as their backend: the attacker sends specially crafted SQL fragments that are designed to cause some malicious action. SQL injection occurs because user input is not validated before it is placed in a query.

Consider the SQL statement below. The application will fail with a database error because the statement is malformed (there is an extra single quote at the end).

SELECT * FROM users WHERE username='''

Knowing that a single quote causes an error in the application, the SQL statement can be modified further, as shown below.

SELECT * FROM users WHERE username='' OR 1=1

1 is indeed equal to 1. This evaluates to true in SQL, so the WHERE clause is true for every row and the query returns every row in the table.

It is also possible to inject comment and statement-termination characters such as --, /* or ;. These let you terminate the original SQL query right after your injected statement, so whatever the application appended afterwards is ignored.
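To make the two statements above concrete, the following is an added Python example (not part of the original page) that builds a small in-memory SQLite table with constructed sample rows, runs the same lookup once with string concatenation and once with a bound parameter, and shows why only the first form is injectable. The table, the rows and the function names are assumptions for this example.

```python
import sqlite3

# Constructed sample data for this example; not from any real application.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable: the client-supplied text is spliced into the SQL grammar itself."""
    query = "SELECT username, role FROM users WHERE username='" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised: the driver binds the value, so quotes and comments are just data."""
    query = "SELECT username, role FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


def query_raises_error(conn: sqlite3.Connection, username: str) -> bool:
    """The probe step from the text: does a lone quote make the concatenated query fail to parse?"""
    try:
        find_user_vulnerable(conn, username)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("lone quote breaks the query:", query_raises_error(db, "'"))
    # username='' OR 1=1 --'  -> the trailing quote is commented out, every row matches
    print("vulnerable, ' OR 1=1 --:", find_user_vulnerable(db, "' OR 1=1 --"))
    print("safe,       ' OR 1=1 --:", find_user_safe(db, "' OR 1=1 --"))
    print("safe, alice:", find_user_safe(db, "alice"))
```

With the concatenated query, the input ' OR 1=1 -- turns the WHERE clause into username='' OR 1=1 and comments out the application's closing quote, so all three rows come back; the parameterised query looks for a user literally named ' OR 1=1 -- and returns nothing. Parameterisation, not quote-stripping, is the fix: the input never reaches the SQL parser.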

Command Injection

Command injection is a web security vulnerability that allows an attacker to execute arbitrary, unauthorised commands on the host operating system. As with SQL injection, it occurs because user input that ends up in a system shell is not validated. It is very common when a developer uses the system() function, or its equivalent in the application's programming language, to run a command built from user input.

For example, see the code snippet below.

import os

def user_input():
    # Stand-in for the request parameter; the value comes straight from the client
    return input("Domain to ping: ")  # e.g. google.com

domain = user_input()

# Vulnerable: the client-controlled string is concatenated into a shell command
os.system('ping ' + domain)

Under normal conditions, the above code snippet pings the google.com domain. However, consider what happens when the user supplies ; ls, so that the string handed to the shell becomes: ping ; ls

Because of the additional semicolon, the os.system() function hands the shell two commands. In addition to the (now empty) ping command, the ls command is also executed!

Command injection is a very common means of privilege escalation within web applications that interface with system commands.
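As an added example (not the page's code), the following Python places the os.system() pattern beside a hardened version that validates the domain against a hostname allow-list and then passes an argument list to subprocess.run, so no shell ever parses the value. The hostname rule and the helper names are assumptions for this example.

```python
import re
import subprocess

# Allow-list for a DNS hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. This rule is an assumption for the example;
# it deliberately admits none of the characters a shell treats specially.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")


def is_valid_hostname(value: str) -> bool:
    """True only if the whole string is a plausible hostname; ';' and friends cannot pass."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def build_ping_command_vulnerable(domain: str) -> str:
    """The page's pattern: one string for the shell, so a ';' in the input starts a second command."""
    return "ping " + domain


def build_ping_command_safe(domain: str) -> list:
    """Validate, then build an argv list: each element is exactly one argument to ping."""
    if not is_valid_hostname(domain):
        raise ValueError(f"rejected domain: {domain!r}")
    return ["ping", "-c", "1", domain]


def ping(domain: str) -> int:
    """Run ping without a shell (shell=False is subprocess's default) and return its exit status."""
    completed = subprocess.run(build_ping_command_safe(domain), capture_output=True, text=True)
    return completed.returncode


if __name__ == "__main__":
    for candidate in ["google.com", "; ls", "google.com; ls"]:
        shell_string = build_ping_command_vulnerable(candidate)
        print(f"{shell_string!r:24} accepted by allow-list: {is_valid_hostname(candidate)}")
```

Two layers matter here. The allow-list rejects ; ls before anything runs, and even if validation were skipped, an argv list passed with shell=False means the string "; ls" would be delivered to ping as a single (invalid) hostname argument rather than to a shell as a command separator. Escaping with shlex.quote is a weaker third option because it still depends on the shell's quoting rules.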

Directory Traversal

Directory traversal (or file path traversal) is a vulnerability where an application takes in user input and uses it in a directory path. Any kind of path controlled by user input that isn’t properly sanitized or properly sandboxed could be vulnerable to directory traversal.

Consider the following example:

<img src="/loadImage?filename=123.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file. Image files are stored on disk under /var/www/images/. Using the filesystem API, the filename is appended to the base directory, giving /var/www/images/123.png.

If the web application lacks the necessary defenses, an attacker can request the following URL to retrieve an arbitrary file from the server’s filesystem:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

In the above example, the sequence ../ is valid within a file path and moves one level up the directory tree. Three consecutive ../ sequences therefore step up from /var/www/images/ to the filesystem root, so the application ends up reading /etc/passwd. On Unix-based systems, this is the standard file listing the user accounts registered on the system.
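The check below is an added Python example (not from the original page) that resolves the filename parameter against the image directory and rejects any result that falls outside it. The base directory /var/www/images comes from the text; the function names are assumptions for this example. The check works on path strings, so it runs even where that directory does not exist.

```python
import os

IMAGE_ROOT = "/var/www/images"  # base directory from the text


def resolve_image_path(filename: str, base_dir: str = IMAGE_ROOT) -> str:
    """Return the absolute on-disk path for filename, or raise ValueError if it escapes base_dir.

    Both paths go through realpath so that '..' segments and symlinks are resolved
    before the containment check. commonpath compares whole path components, so a
    sibling such as /var/www/images-old is not mistaken for a child of /var/www/images.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when filename is absolute, so "/etc/passwd" lands outside base too.
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {filename!r}")
    return candidate


def is_safe_image_request(filename: str, base_dir: str = IMAGE_ROOT) -> bool:
    """Boolean form of the check; ValueError also covers embedded NUL bytes, which os.path rejects."""
    try:
        resolve_image_path(filename, base_dir)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ["123.png", "sub/../123.png", "../../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r:24} safe={is_safe_image_request(name)}")
```

The check must run on the decoded parameter value (after the web framework has applied URL decoding), otherwise an encoded ../ would be compared in its encoded form and pass. Comparing resolved paths is more robust than stripping ../ from the string, because stripping can be bypassed by sequences that only become ../ after the strip.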

Tools and Resources

Web exploitation is a vast topic; for more information, visit PortSwigger’s Web Security Academy.