Skip to main content

Cross Site SQL Injection (XSSQLI)

While going through a nice paper written by Cesar Cerrudo on 'Hacking Intranet with IE', I found an interesting term XSSQLI. Though it's not a new vulnerability,it's a combination of two attacks. Details:
XSSQLI is a term to describe a Cross Site Request Forgery (XSRF) + SQL Injection attack. This
attack consists in forcing a user to request a web application URL that will exploit a SQL
Injection vulnerability, as XSRF attacks the user can be forced to request a URL by using a
img src="”http://intranetsite/pagevulnerable?id="';"

When a victim browses a web page with the above HTML code an automatic request will be
made to “intranetsite” web application without the user noticing it. The difference with a classic
XSRF attack is that instead of the URL requested triggering some action in the target web
application it will exploit SQL Injection.

Within Intranets, some web applications implementations use Windows integrated authentication, this means that the user authenticates to the web application with his Windows credentials, which is done automatically by IE because of “Automatic logon only in Intranet zone” security setting. MS SQL Server (other DBMS could be attacked in this way too) also authenticate users with Windows integrated authentication, some web applications are configured to access SQL Server backend database authenticating with the current Windows user that's accessing the web application. If an
attacker exploits a SQL Injection vulnerability in this kind of web application isn't as valuable as other attack paths since the attacker could directly connect to SQL Server and run SQL statements as far his permissions allows him but by using XSSQLI in order to attack, for instance a SQL Server DBA, the attacker will be able to elevate privileges running SQL Server statements with DBA permissions.



Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated.
Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string.
This can be used for the bypass. It works for many servers, specially php servers. Th…

SQL Injection in search field

Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only. Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request. So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…

Insecure protocols

Some basic insecure protocols and risk associated with them: