In the previous article of this series we looked at fuzzing and at the special
characters from SQL syntax that can be used to fuzz a web application. In this
article I focus on prefixes and suffixes: the characters you put before and
after your input so that the injected text fits into the SQL statement the
server builds around it.
Syntax
Suffix syntax – Alphabetics followed by special characters. The special
characters go at the end of the input, which is why they are called a suffix.
E.g.: jonnybravo' (where jonnybravo is the alphabetic part and ' is the
special character)
Prefix syntax – Special characters followed by alphabetics. The special
characters go at the start of the input, which is why they are called a prefix.
E.g.: 'jonnybravo (where jonnybravo is the alphabetic part and ' is the
special character)
Analysis
Let us take the suffix example, submit it to the user lookup page and watch
the result. The picture below shows what happens when I enter jonnybravo' in
the username field.
Figure 1: My input string jonnybravo'
GET /chintan/index.php?page=user-info.php&username=jonnybravo%27&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/chintan/index.php?page=user-info.php
Cookie: showhints=0; PHPSESSID=39hb01vtdib9sov8rmmfok7kn2
Connection: keep-alive
Encoding of Special Characters in the URL
After submitting that input I intercepted the request and saw that the browser
encodes the form values in URL (percent-encoded) format before sending them:
the ' became %27 and the spaces in the button label became +. Below is the list
of the special characters on your keyboard and their percent-encoded forms (the
hex digits are case-insensitive, so %5e and %5E mean the same byte). Two
caveats a practitioner should keep in mind: a browser does not actually encode
every character in the list, since unreserved characters such as - . _ and ~
are sent as they are, and which others are left alone varies by browser; and a
literal + in a query string is decoded by the server as a space, so a + that is
part of your payload must be sent as %2b, while a space in your payload must be
sent as + or %20.
!  -  %21
@  -  %40
#  -  %23
$  -  %24
^  -  %5e
&  -  %26
*  -  %2a
(  -  %28
)  -  %29
{  -  %7b
}  -  %7d
-  -  %2d
+  -  %2b
[  -  %5b
]  -  %5d
;  -  %3b
:  -  %3a
\  -  %5c
|  -  %7c
,  -  %2c
<  -  %3c
.  -  %2e
>  -  %3e
/  -  %2f
?  -  %3f
'  -  %27
"  -  %22
%  -  %25
=  -  %3d
(space)  -  %20 or +
Once I forwarded the request I got an error page, because the username is not
a legitimate one. Here is the page.
From the error page we can see in the message box that jonnybravo' is our
injection, together with the query the application tried to run:
Query: SELECT username FROM accounts WHERE username='jonnybravo'';
Looking at this query tells us straight away why prefixes and suffixes matter:
our input is placed between two quotes that the server supplies, so any quote
we add changes how the statement is parsed. Let me illustrate by looking at
the quotes in that query.
Query: SELECT username FROM accounts WHERE username='jonnybravo'';
The ' before jonnybravo and the last ' before the semicolon are written by the
server; the ' directly after jonnybravo is our suffix. The server's opening
quote and our suffix together form the complete string literal 'jonnybravo',
and the server's own closing quote is left over with nothing to pair with. The
statement now contains an odd number of quotes, so the last string literal is
never terminated; that is invalid SQL, the database rejects the statement and
the application shows an error.
"If we don't close the string, then no matter what we put in our injection, it
will never work and we will never see an error page."
That is the only query behind the username lookup page, so that is the one you
will see the back end run. Let us move on to the authentication page, where
both the username and the password appear in the query. I gave jonnybravo' as
the username and momma as the password, so the suffix ' sits in the username
while the password stays plain text. Sometimes we need to inject in both
fields to get our injection through. The query is as follows:
Query: SELECT * FROM accounts WHERE username='jonnybravo'' AND password='momma'
Suppose we want to get rid of the part AND password='momma'. How can we do
that? I am going to use ' as a prefix and (space)-- as a suffix. The reason
for (space)-- is that the back end is a MySQL server, and MySQL treats --
followed by whitespace as the start of a comment: everything after it up to
the end of the line is ignored by the server. Note that in MySQL the
whitespace after -- is mandatory, so the trailing space of the payload must
survive URL encoding as + or %20; # is an alternative MySQL comment marker
that needs no trailing space, while Microsoft SQL Server, PostgreSQL and
Oracle accept -- without it.
Injection - ' --
Then we can put our payload between the prefix and the suffix, for example
or 1=1'. The final injection looks like this:
Injection - ' or 1=1' --
When I give this injection in the username field, the generated error looks
like the picture below.
Let us analyse it. The prefix ' closes the username string. The server passes
username='' around our input, so with our injection in between the query
becomes
Username='' or 1=1' -- ' AND password=''
where the outermost quotes are supplied by the server and everything between
them is ours. Simplifying: the server's opening quote and our prefix quote
together form the empty string literal '' which completes the username
comparison. Because this is MySQL, whatever follows (space)-- is a comment, so
the rest of the statement, ' AND password='', is thrown away and the database
only sees
Username='' or 1=1'
The only thing left from our payload is or 1=1', and that trailing ' opens a
string literal that is never terminated, which is why the page shows an error.
I put that extra ' after 1=1 deliberately to bring up the error. If I remove
it, the injection works: 1=1 is true for every row, so the WHERE clause is true
for every row and the server cannot refuse the query. My final injection is
therefore
' or 1=1 --
(with the trailing space), and giving it in the username field produced the
result below.
As you can see, the server executed our injection and returned every row
stored in the table: the password check was commented out and the remaining
condition was true for all accounts.
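As an added example that is not part of the original article, the following rebuilds the login query above over an in-memory SQLite table so the three cases discussed can be run: the suffix-only input that breaks the quoting, the ' or 1=1' -- payload with the extra quote, and the working ' or 1=1 -- injection. The same function is then compared with a parameterised query, the fix a practitioner would apply. SQLite is used only because it needs no server; the table contents are constructed for the example, and SQLite, unlike MySQL, accepts -- as a comment even without a trailing space, so the trailing space is kept in the payloads to match the MySQL behaviour the article relies on.

```python
import sqlite3

# Added example (not from the article): the article's login query rebuilt
# over an in-memory SQLite table, vulnerable form beside the parameterised fix.


def make_db():
    """Constructed sample accounts table (data invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "s3cret"), ("jonnybravo", "momma"), ("alice", "wonderland")],
    )
    return conn


def build_login_query(username, password):
    """The vulnerable construction: user input concatenated into the SQL
    between quotes supplied by the server, exactly as in the article's query."""
    return (
        "SELECT * FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Run the concatenated query. Returns ('ok', usernames) when the statement
    parses and runs, or ('error', message) when the database rejects it, which
    is the signal the article reads off the error page."""
    sql = build_login_query(username, password)
    try:
        rows = conn.execute(sql).fetchall()
        return ("ok", [row[0] for row in rows])
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The driver sends the values
    separately from the SQL text, so quotes and -- in the input are data."""
    rows = conn.execute(
        "SELECT * FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return ("ok", [row[0] for row in rows])


if __name__ == "__main__":
    db = make_db()
    for user, pw in [
        ("jonnybravo", "momma"),   # legitimate login: one row
        ("jonnybravo'", ""),       # suffix only: unbalanced quote, error
        ("' or 1=1' -- ", ""),     # extra quote after 1=1: error
        ("' or 1=1 -- ", ""),      # working injection: every row
    ]:
        print(repr(user), "->", login_vulnerable(db, user, pw))
    print("parameterised:", login_safe(db, "' or 1=1 -- ", ""))
```

The first two payloads produce an error from the database, the third returns all three accounts, and the parameterised version returns nothing for the same payload because the whole string is compared as a username.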
Conclusion
In this article I introduced suffixes and prefixes and how to use them to
complete the SQL statement so that the server executes our injection. The
quoting technique is the same for MySQL and any other SQL server; only the
comment marker used to discard the rest of the statement differs between them.
In the next article of this series I will focus on getting our payload
executed while playing with HTML tags.