1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
127 128<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
where name is the .mdb filename and table is a valid database table. In<br />
case of password protected databases, multiple software utilities can<br />
be used to crack the password. Please refer to the references.<br />
Blind SQL Injection Testing<br />
Blind SQL Injection vulnerabilities are by no means the most easily exploitable<br />
SQL injections while testing real-life applications. In case of<br />
recent versions of MS Access, it is also not feasible to execute shell<br />
commands or read/write arbitrary files.<br />
In case of blind SQL injections, the attacker can only infer the result of<br />
the query by evaluating time differences or application responses. It is<br />
supposed that the reader already knows the theory behind blind SQL<br />
injection attacks, as the remaining part of this section will focus on MS<br />
Access specific details.<br />
The following example is used:<br />
http:/www.example.com/index.php?myId=[sql]<br />
where the id parameter is used within the following query:<br />
SELECT * FROM orders WHERE [id]=$myId<br />
our string, we can use the IFF, MID and LAST functions to infer the<br />
actual value of the username. In our example, we employ IFF to return<br />
a number or a string. Using this trick, we can distinguish whether we<br />
have a true response or not, by observing application error responses.<br />
As id is numeric, the comparison with a string results in a SQL error<br />
that can be potentially leaked by 500 Internal Server Error pages. Otherwise,<br />
a standard 200 OK page will be likely returned.<br />
For example, we can have the following query:<br />
http:/www.example.com/index.php?id=’%20AND%201=0%20<br />
OR%20’a’=IIF((select%20MID(LAST(username),1,1)%20<br />
from%20(select%20TOP%2010%20username%20from%20users))=’a’,’a’,’b’)%00<br />
that is TRUE if the first character is ‘a’ or false otherwise.<br />
As mentioned, this method allows to infer the value of arbitrary strings<br />
within the database:<br />
[1] By trying all printable values, until we find a match<br />
[2] By inferring the length of the string using the LEN function, or by<br />
simply stopping after we have found all characters<br />
for NoSQL injection attacks will need to familiarize themselves with<br />
the syntax, data model, and underlying programming language in order<br />
to craft specific tests.<br />
NoSQL injection attacks may execute in different areas of an application<br />
than traditional SQL injection. Where SQL injection would execute<br />
within the database engine, NoSQL variants may execute during<br />
within the application layer or the database layer, depending on the<br />
NoSQL API used and data model. Typically NoSQL injection attacks will<br />
execute where the attack string is parsed, evaluated, or concatenated<br />
into a NoSQL API call.<br />
Additional timing attacks may be relevant to the lack of concurrency<br />
checks within a NoSQL database. These are not covered under injection<br />
testing. At the time of writing MongoDB is the most widely used<br />
NoSQL database, and so all examples will feature MongoDB APIs.<br />
How to Test<br />
Testing for NoSQL injection vulnerabilities in MongoDB:<br />
The MongoDB API expects BSON (Binary JSON) calls, and includes a<br />
secure BSON query assembly tool. However, according to MongoDB<br />
documentation - unserialized JSON and JavaScript expressions are<br />
permitted in several alternative query parameters.[4] The most commonly<br />
used API call allowing arbitrary JavaScript input is the $where<br />
operator.<br />
With normal SQL injection, a similar vulnerability would allow an attacker<br />
to execute arbitrary SQL commands - exposing or manipulating<br />
data at will. However, because JavaScript is a fully featured language,<br />
not only does this allow an attacker to manipulate data, but also to<br />
run arbitrary code. For example, instead of just causing an error when<br />
testing, a full exploit would use the special characters to craft valid JavaScript.<br />
This input 0;var date=new Date(); do{curDate = new Date();}while(cur-<br />
Date-date