SQL injection through User-Agent

fr0stNuLL
May 8, 2019 · 4 min read

Hi everyone, in this short tutorial I will describe how I was able to exploit a SQL injection using the User-Agent header as the vector. First of all, the sensitive parts of the screenshots are blurred, as requested by the customer of the private program. After authenticating in the application I came across the following request:

[screenshot]

After trying several things, with the application always returning 200 OK in the response, I put a single quote (') in the User-Agent header. Instead of returning 200 OK, the application returned 401, as shown below:

[screenshot]

The next step was to try some SQL injection payloads. After a few attempts it became clear that the application was vulnerable to Boolean-based (blind) SQL injection: when the payload ' AND '1'='1 was inserted into the User-Agent the application returned 200 OK, and when the payload ' AND '1'='2 was entered it returned 401. The images below illustrate this:

[screenshot]
[screenshot]
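To make the mechanism concrete, here is an added Python example (not code from this write-up or from the affected application) that models the behaviour described above with an in-memory SQLite database: a session check that compares the stored User-Agent against the incoming header. The table and column names, the session token and the legitimate User-Agent string are assumptions constructed for the example, and the payloads are assumed to be appended to the legitimate User-Agent so that the string comparison itself still succeeds. The vulnerable version splices the header into the SQL text, so a lone quote breaks the statement (401) and a true/false tail flips the response; the parameterised version binds the same header as data and returns 401 for every injected variant without ever executing it.

```python
import sqlite3

# Constructed fixture: one session row holding the User-Agent seen at login.
# Table/column names, token and UA string are assumptions for this example.
LEGIT_UA = "Mozilla/5.0 (X11; Linux x86_64)"
TOKEN = "tok-971"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE session (token TEXT, user_agent TEXT)")
    conn.execute("INSERT INTO session VALUES (?, ?)", (TOKEN, LEGIT_UA))
    conn.commit()
    return conn


def check_session_vulnerable(conn, token, user_agent):
    """The User-Agent header is spliced into the SQL text (the bug).

    Returns the HTTP status the app would send: 200 when a row matches,
    401 when nothing matches or the database raises an error.
    """
    sql = "SELECT 1 FROM session WHERE token = ? AND user_agent = '%s'" % user_agent
    try:
        row = conn.execute(sql, (token,)).fetchone()
    except sqlite3.Error:
        # A syntax error or an unknown table name collapses to 401, which is
        # exactly the signal the write-up uses to tell true from false.
        return 401
    return 200 if row else 401


def check_session_fixed(conn, token, user_agent):
    """Same check with both values bound as parameters: the header is data."""
    sql = "SELECT 1 FROM session WHERE token = ? AND user_agent = ?"
    row = conn.execute(sql, (token, user_agent)).fetchone()
    return 200 if row else 401


def probe(check):
    """Run the write-up's probes (appended to the legitimate UA) through one checker."""
    conn = make_db()
    probes = {
        "clean": LEGIT_UA,
        "quote": LEGIT_UA + "'",
        "true": LEGIT_UA + "' AND '1'='1",
        "false": LEGIT_UA + "' AND '1'='2",
        "table_exists": LEGIT_UA + "' AND (select 1 from session limit 0,1)=1+'",
        "table_missing": LEGIT_UA + "' AND (select 1 from no_such_table limit 0,1)=1+'",
    }
    return {name: check(conn, TOKEN, ua) for name, ua in probes.items()}


if __name__ == "__main__":
    print("vulnerable:", probe(check_session_vulnerable))
    print("fixed:     ", probe(check_session_fixed))
```

Running the block prints the status map for both checkers; the vulnerable one answers 200/401 according to the truth of the injected condition (and 401 for a missing table name, which is what makes the wordlist step work), while the fixed one answers 401 for every modified header simply because the literal string no longer matches. The fix is the bound parameter; mapping database errors to a different status than "no match" is a secondary leak that parameterisation makes moot.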

After confirming that the application was vulnerable, the next step was to find out which database the application was using. For this, I tested functions specific to Oracle, MySQL, Microsoft SQL Server and other databases. Finally, through the payload ' and substring(@@version,1,1)=1='1, it was possible to identify that the database was MySQL or MariaDB (@@version is a server variable of those two databases). The images below show this:

Note: if you don't know what the substring function does, look it up first :)

[screenshot]

After iterating over the positions and values of the substring function I got the version: it was MariaDB 10.1.21.

A cool trick when you find a Boolean-based injection is to test whether a subselect can be used; in my case it was possible.

[screenshot]

To get the name of the table, it is necessary to build a wordlist of common table names, and it is also a good idea to add words derived from the company name. Through the payload ' AND (select 1 from WORDLIST limit 0,1)=1+', with WORDLIST replaced by each candidate name in turn, it was possible to find the table name app_user; note that in the image below the server returns 200 OK in its response.

[screenshot]

Now that we have the table name, we go after the column names so we can get the user and the password. In the same way the table name was obtained, trial and error is used here with common column names such as user, password, user_pass, passwd, etc. The following images show the column names that were retrieved.

[screenshot]
[screenshot]

Finally, the following payload checks the password column of the app_user table for the row whose user id equals 'X', and retrieves that user's password from the application.

[screenshot]
Return 200 OK for user id 971
[screenshot]
Return 401 for user id 972
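From the defender's side, the sequence above leaves a recognisable trace: one client, one endpoint, and a run of requests whose User-Agent carries quotes and SQL keywords while the status code flips between 200 and 401. The following Python snippet is an added example, not part of the write-up, that scores User-Agent values from combined-format access log lines and flags a client that shows this Boolean-probing pattern. The log lines, IP addresses and endpoint are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not from the real application).
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2019:10:00:01 +0000] "GET /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [08/May/2019:10:00:02 +0000] "GET /api/profile HTTP/1.1" 401 12 "-" "Mozilla/5.0 (X11; Linux x86_64)'"
203.0.113.5 - - [08/May/2019:10:00:03 +0000] "GET /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)' AND '1'='1"
203.0.113.5 - - [08/May/2019:10:00:04 +0000] "GET /api/profile HTTP/1.1" 401 12 "-" "Mozilla/5.0 (X11; Linux x86_64)' AND '1'='2"
203.0.113.5 - - [08/May/2019:10:00:05 +0000] "GET /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)' and substring(@@version,1,1)=1='1"
198.51.100.7 - - [08/May/2019:10:00:06 +0000] "GET /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

# Apache/nginx "combined" format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
# SQL tokens that have no business in a User-Agent; only counted when a quote is present,
# because the bare words ("or", "from") are too noisy on their own.
SQL_RE = re.compile(r"\b(and|or|select|union|from|substring|limit)\b|@@version|--|/\*", re.I)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_score(ua):
    """0 for a normal User-Agent; 1 for a stray quote; +1 per distinct SQL token alongside it."""
    if "'" not in ua:
        return 0
    tokens = {m.group(0).lower() for m in SQL_RE.finditer(ua)}
    return 1 + len(tokens)


def analyse(log_text):
    """Summarise per client IP and flag Boolean-probing behaviour."""
    per_ip = defaultdict(lambda: {
        "requests": 0, "suspicious": 0, "max_score": 0, "suspicious_statuses": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        score = ua_score(rec["ua"])
        if score:
            s["suspicious"] += 1
            s["max_score"] = max(s["max_score"], score)
            s["suspicious_statuses"].add(int(rec["status"]))
    for s in per_ip.values():
        # Several SQL-looking UAs whose responses split between success and failure is the
        # signature of true/false probing rather than one client with a malformed string.
        s["boolean_probe"] = s["suspicious"] >= 2 and {200, 401} <= s["suspicious_statuses"]
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary)
```

The 200/401 split is the discriminating feature: a single broken client string produces one error status, whereas a probing session produces a mix of successes and failures under changing User-Agent values. The scoring is deliberately conservative (a quote is required before keywords count), so it is suited to alerting on the pattern rather than to blocking individual requests, which belongs to a WAF and, more importantly, to fixing the query with bound parameters.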

That's all, folks. I cannot show the rest, with the passwords from the application, because it would violate some terms :) If you have any doubts, we are in this together. Sharing is caring :)
