Blind SQLi Differential Checks False Negatives


wspires

07 Dec, 2015 04:58 PM

I noticed that the sql_injection_differential check sends the following payloads that replace parameter values:

-1 or 1=1
-1' or 1='2
-1' or 1='1
-1" or 1="1
-1' or 1='2
-1 or 1=1
-1' or 1='1
-1" or 1="1
-1" or 1="2
-1" or 1="2
-1 or 1=2
-1 or 1=2

These seem to be missing several blind SQL injection vulns on an app I'm testing, and from manual testing it appears there may be a few issues with the above generated payloads that could cause them to miss vulnerable inputs:
  1. Is it possible to both append and replace parameter values? I could see cases where both approaches would be beneficial to improve coverage.
  2. Would leading the payloads with -1 also generate errors before the boolean gets tested in some cases?
  3. For quoted payloads like -1' or 1='1, should the 1 after the or be quoted as well like this -1' or '1'='1?
  1. Posted by Tasos Laskos (Support Staff) on 07 Dec, 2015 05:23 PM

    1. I'll need to look into it but it should be possible.
    2. I haven't come across that, can you think of a case?
    3. I guess that's a good idea, you can't always rely on type casting.

    Btw, I've identified a bug in the differential analysis technique that caused some issues, and I'll merge the fix soon; changing -1 to a larger random negative integer solved it.

    I'll let you know once the nightlies are up.

  2. Posted by Tasos Laskos (Support Staff) on 07 Dec, 2015 05:51 PM


    One thing I forgot to mention is that for cases where there are several variants for each issue (sql_injection, sql_injection_timing, sql_injection_differential) you shouldn't expect adequate coverage unless you're using all of the available checks.
    And the differential analysis one isn't the most reliable.

    Of course, this doesn't mean that improvements aren't welcomed.

  3. Posted by wspires on 07 Dec, 2015 06:03 PM


    That's cool. Thanks. I'll check it again in the nightlies once it's posted.

    I agree and intend to use the other variants; however, in cases where a target's DB is MySQL, I'm not going to be able to use the MySQL timing checks to detect blind SQLi, due to the previous issue I logged where the payloads are causing resource exhaustion. In cases like that, I would need to fall back to differential analysis to detect a blind SQLi against a MySQL target.

  4. Posted by Tasos Laskos (Support Staff) on 07 Dec, 2015 06:12 PM


    Yeah, I figured that was the case. Pushing nightlies now; it'll take a couple of hours until they're up, so I'll let you know.
    And I didn't run the full test suite because that takes even longer, but preliminary tests pass and I don't think my changes broke anything.

    If the situation isn't improved I'd like to check out those test cases (hackazon still?) myself and see if I can increase the differential analysis coverage.

    With that technique the situation gets tricky when there are multiple inputs without default values so those cases are usually skipped.

    And there's also a threshold of change: Arachni does noise reduction on the responses to make page comparisons reliable without using Levenshtein distance, but in this case a diff ratio is also used.

    So, there are a few things that can be tweaked.

  5. Posted by wspires on 07 Dec, 2015 06:33 PM


    Yeah. It's Hackazon that I'm currently seeing this on. I'm running it locally, but you can grab a VM with it loaded from here. Although you can reconfigure where the vuln inputs are located with Hackazon, with that image you can find a vuln test case here:

    /category/view?id=[input]

    It should return all rows for the true condition and a friendly 404 for the false condition.

    Thanks again!

  6. Posted by Tasos Laskos (Support Staff) on 07 Dec, 2015 06:57 PM


    Ah, that probably explains it; that check will bail out on anything other than a status 200.
    I guess I can allow a 404 for these types of cases.
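
The two points made above (post 4: noise reduction plus a diff ratio with a change threshold; post 6: the check bailing out on any non-200 status) can be seen together in a small toy differential-analysis check. This is an added example written for this thread, not Arachni's own code. The endpoint is a constructed stand-in for the Hackazon `/category/view?id=` case described earlier: an unquoted integer id, the full listing for a true condition, a friendly 404 for a false one, and a 500 when a quote breaks the query. The function and parameter names (`build_simulated_target`, `differential_check`, `allowed_statuses`, `threshold`) are hypothetical.

```ruby
# Added example (not Arachni's code): a toy differential-analysis blind SQLi
# check run against a simulated endpoint, showing why a check that accepts
# only status 200 misses a target whose false condition answers with a 404.

# --- Simulated target (constructed for this example) -----------------------
# Backend query is WHERE id = <input> in an unquoted integer context with
# rows 1..3. Returns [status, body]. A dangling quote in the input yields a
# 500, a false condition a friendly 404, a true condition lists the rows.
ROWS = (1..3).map { |i| "Category #{i}" }
TOY_WHERE = /\A(-?\d+)(?: or (\d+)=(\d+))?\z/

def build_simulated_target
  counter = 0
  lambda do |id_param|
    counter += 1
    # Per-request noise, standing in for timestamps/tokens on real pages.
    noise = "<!-- request #{counter} -->"
    m = TOY_WHERE.match(id_param)
    return [500, "#{noise}Database error near #{id_param.inspect}"] unless m
    id = Integer(m[1])
    condition = id >= 1 && id <= ROWS.size
    condition ||= (m[2] == m[3]) if m[2] # "or a=b" tautology
    if condition
      rows = m[2] ? ROWS : [ROWS[id - 1]]
      [200, "#{noise}<h1>Categories</h1><ul>#{rows.map { |r| "<li>#{r}</li>" }.join}</ul>"]
    else
      [404, "#{noise}<h1>Sorry, we couldn't find that category</h1>"]
    end
  end
end

# --- Toy differential check -------------------------------------------------
# True/false pairs taken from the thread's payload list; the leading -1 (a
# non-existent id) means any rows come from the injected boolean alone.
PAYLOAD_PAIRS = [
  ['-1 or 1=1',  '-1 or 1=2'],
  ["-1' or 1='1", "-1' or 1='2"],
  ['-1" or 1="1', '-1" or 1="2'],
].freeze

# Crude noise reduction: drop HTML comments and digits so per-request tokens
# do not make two otherwise identical pages look different.
def normalize(body)
  body.gsub(/<!--.*?-->/m, '').gsub(/\d+/, '#')
end

# Diff-ratio style similarity: 2 * shared tokens / total tokens (0.0..1.0).
def similarity(a, b)
  ta = normalize(a).scan(/<[^>]+>|[^<\s]+/)
  tb = normalize(b).scan(/<[^>]+>|[^<\s]+/)
  return 1.0 if ta.empty? && tb.empty?
  cb = tb.tally
  common = ta.tally.sum { |tok, n| [n, cb.fetch(tok, 0)].min }
  2.0 * common / (ta.size + tb.size)
end

# Returns the true payload that produced a detection, or nil.
# allowed_statuses: [200] reproduces the bail-out described in the thread.
def differential_check(target, allowed_statuses: [200], threshold: 0.9)
  PAYLOAD_PAIRS.each do |true_payload, false_payload|
    status_t, body_t = target.call(true_payload)
    status_f, body_f = target.call(false_payload)
    # Any response outside the accepted statuses is treated as a failed
    # request, so a 404 "false" page ends the comparison for this pair.
    next unless allowed_statuses.include?(status_t) && allowed_statuses.include?(status_f)
    # Control: resending the true payload must reproduce the same page,
    # otherwise the difference is page volatility, not the boolean.
    _, body_t_again = target.call(true_payload)
    next if similarity(body_t, body_t_again) < threshold
    return true_payload if similarity(body_t, body_f) < threshold
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  target = build_simulated_target
  puts "200 only:     #{differential_check(target).inspect}"
  puts "200 and 404:  #{differential_check(target, allowed_statuses: [200, 404]).inspect}"
end
```

With only 200 accepted, the unquoted pair is skipped because its false half is a 404 and the quoted pairs are skipped because both halves are 500s, so nothing is reported; allowing 404 lets the unquoted pair through and the listing-versus-404 ratio falls well under the threshold. The control request is what keeps the noise reduction honest: if the same payload twice does not clear the threshold, the page is too volatile to trust a difference.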

  7. Posted by wspires on 07 Dec, 2015 08:28 PM


    I pulled down the changes from the experimental branch and ran another scan with those. That seems to fix the issue:

     [~] Relevant issues:
     [~] --------------------
     [+] Blind SQL Injection (differential analysis) in link input 'id' using GET at the following pages:
     [~]   * http://172.x.y.z:8000/product/view
     [~]   * http://172.x.y.z:8000/category/view

    Thanks for the quick turnaround!

  8. Posted by Tasos Laskos (Support Staff) on 07 Dec, 2015 08:30 PM


    Sounds great, thanks for the feedback. :)

  9. Tasos Laskos closed this discussion on 07 Dec, 2015 08:30 PM.
