22 Feb, 2024

Visible error-based SQL injection

Visible error-based SQL injection is a database attack technique in which an attacker deliberately injects malformed data or SQL fragments into an application's database queries so that the database raises an error. The resulting error messages can contain valuable information, including details of the database structure, table names, column names, and even fragments of the data itself. This gives the attacker insight into the database and a foothold for further exploitation to retrieve, modify, or delete data.

In this type of attack, the attacker typically begins by sending queries to the web application that deliberately break the SQL queries generated by the application. In response to these “broken” queries, the web application may return error messages containing information about the internals of the SQL queries and the database. Using this information, the attacker can tailor their next steps for a more effective attack.

The visible error-based SQL injection method is one of the simplest and most effective ways to find vulnerabilities in web application and database security, as it does not require sophisticated tools or in-depth knowledge of the target system internals.

Examples of exploitation

To deepen your knowledge of Visible error-based SQL injection, here is a hands-on exercise from PortSwigger, an authority on web security. This exercise focuses on a SQL Injection vulnerability found in a cookie tracking mechanism used for analytics. The vulnerability allows the execution of SQL queries that depend on the value of the passed cookie.

To successfully complete the lab work, we need to manage the queries in such a way that we can figure out the admin user’s password using the differences in the application responses.

First, consider a request that carries the tracking cookie to the website.

Let's send this request to Burp Repeater, where the request and response are easier to inspect. We are interested in the TrackingId cookie; let's try a payload like ' and (SELECT '123','123') -- there to understand how many columns the database outputs.

Knowing that, let's try a payload that selects the password from the users table. It looks like this: ' and (SELECT password from users) --.

We got an error that says “ERROR: argument of AND must be type boolean, not type character varying”. This means that the SQL query expected a logical value (true or false), but instead a string (data type character varying) was provided. Let’s open the SQL cheat sheet from PortSwigger and see what we can do about this.

We can convert the output to an integer with CAST((…) AS int) and prepend 1= to the subquery so that the whole expression becomes a boolean. Let's rework our payload; its final form will be ' and 1=CAST((SELECT password from users) AS int) --.

Now we get an error that there are too many columns, so let's limit the result with LIMIT 1. The final payload is ' and 1=CAST((SELECT password from users LIMIT 1) AS int) --.

The error message now contains a password; let's change password to username to see which account this password belongs to.

We found out that it’s the password for the administrator user. Let’s log in to the account to make sure.

Scanners that detect vulnerabilities

  1. SQLmap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.

  2. Acunetix: A comprehensive web vulnerability scanner that automatically checks for SQL injection, XSS, and other vulnerabilities.

  3. OWASP ZAP (Zed Attack Proxy): An open-source security tool maintained by OWASP, designed to find security vulnerabilities in web applications.

  4. Nessus: A widely used vulnerability scanner that can detect various types of SQL injection vulnerabilities among other security issues.

  5. Burp Suite: An integrated platform for performing security testing of web applications, which includes functionality for testing SQL injections.

  6. IBM Security AppScan: A tool that provides automated vulnerability scanning for web services and applications, including SQL injection.

  7. Netsparker: An easy-to-use web application security scanner that automatically finds SQL Injection, XSS, and other vulnerabilities in your web applications and web services.

  8. WebInspect: A dynamic security application testing tool by Micro Focus that simulates attacks to identify potential vulnerabilities, including SQL injection.

  9. w3af: A web application attack and audit framework, which helps in scanning web applications for vulnerabilities including SQL injection.

  10. Sqlninja: A tool focused on exploiting SQL injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Average CVSS score for Visible error-based SQL injection

The Common Vulnerability Scoring System (CVSS) score for visible error-based SQL injection vulnerabilities can vary depending on the specific details and context of the vulnerability. However, to give you an idea of the severity these types of vulnerabilities can have, we can look at a couple of examples:

  1. An SQL injection vulnerability in the “evoadm.php” component of b2evolution v7.2.2-stable was assigned a CVSS score of 8.8 (High) according to the NVD entry CVE-2021-28242.

  2. Another example is CVE-2022-24124, which had a CVSS V3 score of 7.5 (High). This vulnerability was reported in Casdoor and affected versions before the 1.13.1 release.

  3. Probely lists SQL Injection with a CVSS score of 8.6, which is also considered high.

These scores suggest that visible error-based SQL injection is typically seen as a high-severity issue due to its potential impact on confidentiality, integrity, and availability. It’s important to note that each vulnerability must be assessed on its own merits, and the CVSS score should be determined based on the specifics of the individual case.

CVEs related to Visible error-based SQL injection

CVE-2021-43408: This vulnerability was identified in the “Duplicate Post” plugin for WordPress, versions up to 1.1.9. It allowed SQL Injection due to insecure handling of user-supplied data within SQL queries. Authenticated users with access to the plugin could exploit this to manipulate database operations, potentially leading to unauthorized data modifications or access.

CVE-2023-35036: In various versions of MOVEit Transfer before specific updates, SQL injection vulnerabilities were discovered. These vulnerabilities could permit unauthenticated attackers to manipulate SQL queries and potentially gain unauthorized access to or modify database contents, compromising the integrity and confidentiality of the data stored.

CVE-2023-34362: This vulnerability in MOVEit Transfer’s managed file transfer solution allowed unauthenticated attackers to inject SQL queries. This could enable attackers to access, modify, or delete data in the MOVEit database, posing significant risks to data confidentiality and integrity.

CVE-2020-25638: Found in hibernate-core versions up to 5.4.23.Final, this vulnerability stemmed from the use of unsanitized SQL literals in query comments. Attackers could exploit this to perform SQL injection attacks, potentially leading to unauthorized data access or manipulation within applications using affected Hibernate versions.

To study Visible error-based SQL injection

The Web Security Academy by PortSwigger offers a lab titled “Visible error-based SQL injection” that provides hands-on experience with SQL injection vulnerabilities using tracking cookies within SQL queries. This lab is designed for practitioners to understand the dynamics of SQL injection through real-world simulations and teaches how to exploit these vulnerabilities to leak sensitive information like passwords.

For a comprehensive overview of SQL injection, including its impact, detection methods, and various examples, PortSwigger's tutorial “What is SQL Injection?” is an excellent resource. It covers the consequences of successful SQL injection attacks, such as unauthorized access to sensitive data and potential long-term compromise of systems. The tutorial also explains how to detect SQL injection vulnerabilities manually and emphasizes the value of tools like Burp Scanner for more efficient vulnerability identification.

Cybrary provides insights into error-based SQL injection, discussing how error messages from the server can be used to determine the next steps in an attack. The article covers finding vulnerable websites, exploiting SQL syntax errors to retrieve data from the database, and ultimately leveraging this information to gain unauthorized access or manipulate the database. It's a good starting point for understanding the methodology behind exploiting error-based SQL injection vulnerabilities.

How to be protected from Visible error-based SQL injection

  1. Prepared statements (parameterized queries) are the primary defense against SQL injection. Instead of concatenating user input directly into SQL queries, use prepared statements in which the SQL code is defined first and each parameter is passed to the query separately. This ensures that the database distinguishes between code and data regardless of user input, preventing attackers from altering the query's intent.

  2. While stored procedures can themselves be vulnerable to SQL injection, when constructed correctly they can serve as an effective defense. Ensure that the SQL statements within stored procedures are parameterized and do not generate dynamic SQL from user input.

  3. Validate all user input against a set of strict rules, such as type, length, format, and range. This approach, known as allow-listing, ensures that only predetermined acceptable inputs are processed by your application.

  4. Regularly monitor, validate, and sanitize user input to eliminate malicious content. This includes escaping user-supplied input where necessary, so that specific characters or keywords cannot be used to form malicious requests.

  5. Implement the principle of least privilege by giving database users the minimum level of access required for their role. This limits the potential damage in the event of a breach, as attackers would have restricted capabilities within the database.

  6. Minimize the risk of unauthorized queries by restricting data inputs and the types of database procedures that can be executed. This includes enforcing prepared statements and using stored procedures to prevent direct code execution on the database.
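The following added example (written for this article; it is not PortSwigger's lab code and not the code of any product named above) contrasts a tracking-cookie lookup built by string concatenation, which echoes the database error to the client exactly as the lab does, with a hardened version that applies points 1 and 3 above: an allow-list on the cookie format, a parameterized query, and a generic error response with the detail kept in the server log. It uses an in-memory SQLite database; the tracking table, its columns, and the 12-character token format are assumptions chosen to mirror the lab's TrackingId cookie, and the probe string is the article's own first payload.

```python
"""Tracking-cookie lookup: concatenated SQL vs. a parameterized, allow-listed lookup.

Added example for this article. Table name, column names and the token
format are assumptions; the database is an in-memory SQLite instance
with constructed sample data.
"""
import logging
import re
import sqlite3

# Constructed sample data: one legitimate TrackingId with a visit counter.
CONN = sqlite3.connect(":memory:")
CONN.executescript(
    """
    CREATE TABLE tracking (id TEXT PRIMARY KEY, visits INTEGER);
    INSERT INTO tracking VALUES ('abc123def456', 3);
    """
)

# Allow-list (assumed format): the cookie is an opaque 12-character alphanumeric token.
TRACKING_ID_RE = re.compile(r"[A-Za-z0-9]{12}")

# The article's first probe payload, used here only to show the two behaviours differ.
PROBE = "' and (SELECT '123','123') --"


def vulnerable_endpoint(tracking_id: str) -> dict:
    """Visible error-based setup: the cookie value is pasted into the SQL text and
    the raw database error is returned to the client, leaking query internals."""
    sql = f"SELECT visits FROM tracking WHERE id = '{tracking_id}'"
    try:
        row = CONN.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # This is the defect: the error text reaches the attacker.
        return {"status": 500, "body": f"ERROR: {exc}"}
    return {"status": 200, "body": {"visits": row[0] if row else None}}


def lookup_parameterized(tracking_id: str):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    row = CONN.execute(
        "SELECT visits FROM tracking WHERE id = ?", (tracking_id,)
    ).fetchone()
    return row[0] if row else None


def hardened_endpoint(tracking_id: str) -> dict:
    """Defence in depth: allow-list the token, bind it as a parameter, and never
    expose database error text to the client (log it server-side instead)."""
    if not TRACKING_ID_RE.fullmatch(tracking_id):
        return {"status": 400, "body": "invalid tracking id"}
    try:
        visits = lookup_parameterized(tracking_id)
    except sqlite3.Error as exc:
        logging.error("tracking lookup failed: %s", exc)  # detail stays in the log
        return {"status": 500, "body": "internal error"}
    return {"status": 200, "body": {"visits": visits}}


if __name__ == "__main__":
    print(vulnerable_endpoint("abc123def456"))  # legitimate cookie works in both
    print(vulnerable_endpoint(PROBE))           # database error text leaks to the client
    print(hardened_endpoint("abc123def456"))
    print(hardened_endpoint(PROBE))             # rejected before it reaches the database
    print(lookup_parameterized(PROBE))          # even without the allow-list: just an unknown id
```

The allow-list check is a second layer, not a substitute for the parameterized query: `lookup_parameterized` already treats the probe as an ordinary (unknown) id and returns no row, so the quote and the `--` comment never influence the query. Keeping the `sqlite3.Error` text out of the response is what removes the "visible error" channel the article's walkthrough relies on; the same error still goes to the server log, which is where detection rules for repeated malformed TrackingId values should run.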

Conclusion

The exploration into visible error-based SQL injection highlights its potential as a severe security threat that leverages detailed error messages from databases to facilitate unauthorized access and manipulation. The examples and exploitation techniques detailed in the article underscore the simplicity yet effectiveness of such attacks, emphasizing the need for robust defensive strategies. Protection against these vulnerabilities is multi-faceted, involving secure coding practices such as the use of prepared statements, stored procedures, and strict input validation, as well as implementing the principle of least privilege for database access.

To effectively mitigate these risks, developers and security professionals must employ a proactive approach to web application security. Utilizing vulnerability scanners and security tools, as recommended, can provide an additional layer of defense by identifying and addressing potential injection points before attackers can exploit them. The insights offered by this article serve as a critical reminder that security is an ongoing process of vigilance and adaptation to emerging threats.

For further reading and practical exercises, resources such as the Web Security Academy by PortSwigger and platforms like Cybrary offer valuable hands-on experience and in-depth understanding of SQL injection and other security vulnerabilities. It’s through continuous education and application of best practices that organizations can fortify their defenses against the ever-evolving landscape of cyber threats.
