While going through a nice paper written by Cesar Cerrudo on 'Hacking Intranet with IE', I found an interesting term XSSQLI. Though it's not a new vulnerability,it's a combination of two attacks. Details:
XSSQLI is a term to describe a Cross Site Request Forgery (XSRF) + SQL Injection attack. This
attack consists in forcing a user to request a web application URL that will exploit a SQL
Injection vulnerability, as XSRF attacks the user can be forced to request a URL by using a
HTML IMG, FRAME, IFRAME, STYLE, etc. tag :
img src="”http://intranetsite/pagevulnerable?id="';"
When a victim browses a web page with the above HTML code an automatic request will be
made to “intranetsite” web application without the user noticing it. The difference with a classic
XSRF attack is that instead of the URL requested triggering some action in the target web
application it will exploit SQL Injection.
Within Intranets, some web applications implementations use Windows integrated authentication, this means that the user authenticates to the web application with his Windows credentials, which is done automatically by IE because of “Automatic logon only in Intranet zone” security setting. MS SQL Server (other DBMS could be attacked in this way too) also authenticate users with Windows integrated authentication, some web applications are configured to access SQL Server backend database authenticating with the current Windows user that's accessing the web application. If an
attacker exploits a SQL Injection vulnerability in this kind of web application isn't as valuable as other attack paths since the attacker could directly connect to SQL Server and run SQL statements as far his permissions allows him but by using XSSQLI in order to attack, for instance a SQL Server DBA, the attacker will be able to elevate privileges running SQL Server statements with DBA permissions.
Reference:http://www.argeniss.com/research/HackingIntranets.pdf
XSSQLI is a term to describe a Cross Site Request Forgery (XSRF) + SQL Injection attack. This
attack consists in forcing a user to request a web application URL that will exploit a SQL
Injection vulnerability, as XSRF attacks the user can be forced to request a URL by using a
HTML IMG, FRAME, IFRAME, STYLE, etc. tag :
img src="”http://intranetsite/pagevulnerable?id="';"
When a victim browses a web page with the above HTML code an automatic request will be
made to “intranetsite” web application without the user noticing it. The difference with a classic
XSRF attack is that instead of the URL requested triggering some action in the target web
application it will exploit SQL Injection.
Within Intranets, some web applications implementations use Windows integrated authentication, this means that the user authenticates to the web application with his Windows credentials, which is done automatically by IE because of “Automatic logon only in Intranet zone” security setting. MS SQL Server (other DBMS could be attacked in this way too) also authenticate users with Windows integrated authentication, some web applications are configured to access SQL Server backend database authenticating with the current Windows user that's accessing the web application. If an
attacker exploits a SQL Injection vulnerability in this kind of web application isn't as valuable as other attack paths since the attacker could directly connect to SQL Server and run SQL statements as far his permissions allows him but by using XSSQLI in order to attack, for instance a SQL Server DBA, the attacker will be able to elevate privileges running SQL Server statements with DBA permissions.
Reference:http://www.argeniss.com/research/HackingIntranets.pdf
Comments