Web2: SQL Injection - Other Exploits

Through cookies

Cookies are files that store user state information when accessing web applications. This information is determined by the programmer, generated on the server and stored at the client. When the user re-visits the web application, cookies are sent by the browser to the server to help restore the user's state in the previous visit.

Because it is stored in the client, the user can edit it at will, so if a web application uses the information stored in cookies to build queries to the database, hackers can completely insert cookies. sql scripts to perform a SQL Injection attack.

There are many tools that allow viewing, adding and editing cookies, in which the addon Cookies Manager of firefox is a quite convenient tool. You can download and install it in firefox easily.

Web2: SQL Injection - Other Exploits Picture 1

Through server variables

The server variable may be a relatively new concept, but it's not new. Some examples of server variables are Http header, Network header. Not very common but values ​​stored in server variables can be used by web applications such as in logging access or access statistics by user agent. These jobs all have interaction with the database, so hackers can completely use server variables in exploiting Sql Injection.

Firefox addons support these things very well, Tamper Data or Live HTTP headers (exampled above) can help us catch requests sent from the client to the web server, from which we can easily change change the server variables (http header…) before sending them to the server. Mining via server variables is similar to mining via cookies.

Tamper Data:

Web2: SQL Injection - Other Exploits Picture 2

Second-order Injection

This is a rarely used technique because it is difficult to tell if a web application has this error or not. The technique is described as follows: First, we will 'inject' into the database a piece of code. This code does not pose any danger to the system but it will be used as a springboard for the next injection. Let's see a concrete example to better understand this technique.

We will access a web application and try to register an account with the username "administrator' --". Then we will perform the password change operation. Changing the password is handled by the web application as follows:

Web2: SQL Injection - Other Exploits Picture 3

With the username registered above, the above query becomes:

Web2: SQL Injection - Other Exploits Picture 4

Thus, we can change the password of the administrator account and can completely log in as the administrator account.

Lesley Montoya

Update 29 June 2022