understanding more about blind SQL injection
Hi. I'm a web app developer and new user of Arachni. Thank you for such a powerful tool. I'm writing for pointers on how to start understanding the report better (report is included below).
The report stated that "This injection was detected as Arachni was able to inject specific SQL queries, that if vulnerable, result in the responses for each injection being different. This is known as a blind SQL injection vulnerability."
I'm wondering if there is a way to manually replicate this so I can watch and learn from each step. I don't know what steps to take to fix this vulnerability.
thank you,
--Chris
[+] [1] Blind SQL Injection (differential analysis)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 561729369
[~] Severity: High
[~] URL: http://xxxx.xxx/wp-includes/js/jquery/jquery.js?ver=1.11.3
[~] Element: cookie
[~] Method: GET
[~] Input name: wordpress_test_cookie
[~] All inputs: wordpress_test_cookie
[~] Tags: sql, blind, differential, injection, database
[~] Description:
[~]
.........
This injection was detected as Arachni was able to inject specific SQL queries,
that if vulnerable, result in the responses for each injection being different.
This is known as a blind SQL injection vulnerability.
........
[~] http://cwe.mitre.org/data/definitions/89.html
[~] References:
[~] OWASP - https://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html
[~] WASC - http://projects.webappsec.org/w/page/13246963/SQL%20Injection
[~] W3 Schools - http://www.w3schools.com/sql/sql_injection.asp
[*] Variations
[~] ----------
[~] Variation 1 (Trusted):
[~] Seed: "-1 or 1=1"
[~] Injected: "-1 or 1=1"
[~] Referring page: http://xxxx.xxx/wp-includes/js/jquery/jquery.js?ver=1.11.3
[~] Affected page: http://xxxx.xxx/wp-includes/js/jquery/jquery.js?ver=1.11.3
[~] HTTP request
GET /wp-includes/js/jquery/jquery.js?ver=1.11.3 HTTP/1.1
Host: xxxx.xxx
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.2.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: _gat=1;_ga=GA1.2.873544389.1444600132;wordpress_test_cookie=-1%20or%201%3D1
[~] Remarks
[~] -------
[~] By differential_analysis:
[~] * True expression: -1 or 1=1
[~] * False expression: -1 or 1=2
[~] * Control false expression: -1
Support Staff 1 Posted by Tasos Laskos on 13 Oct, 2015 12:43 AM
Hello,
This particular issue looks like a false-positive, which is good for you but bad for me.
Is there any way you can send me the real address privately in order to have a closer look?
The general idea behind this type of check is that if SQL code is actually executed, then the "false expression" will be identical to the "control false expression", while the "true expression" will return a different response than both of the previous ones.
In this case, though, there must have been some network interference resulting in the responses being different, which shouldn't happen because there are checks against this.
Is there a web application firewall or IDS/IPS or something between you and the webapp?
Also, which Arachni version are you using?
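The decision rule Tasos describes above, written out as a small added example (this is not Arachni's code and not part of the original thread). It uses the three probe strings from the pasted report, but every "response" comes from constructed in-memory stand-ins for the web application rather than from any network request, so it runs offline. It also models the exact failure mode cdowney hits later in the thread: a backend whose database connection drops and recovers makes two identical requests return different bodies, which the naive three-probe comparison misreads as a finding; the `analyze` variant adds a stability re-check of the control request, the kind of safeguard Tasos mentions (one re-check, as here, is a simplification and is not foolproof).

```ruby
# Added example, not Arachni's implementation: models the differential-analysis
# verdict from the thread and how an unstable backend yields a false positive.

# Probe values taken from the report's "Remarks" section.
TRUE_EXPR    = "-1 or 1=1"
FALSE_EXPR   = "-1 or 1=2"
CONTROL_EXPR = "-1"

# Decision rule from the thread: injected SQL is executing only if the
# "false" and "control false" responses are identical while the "true"
# response differs from them.
def differential_verdict(responses)
  t, f, c = responses.values_at(TRUE_EXPR, FALSE_EXPR, CONTROL_EXPR)
  f == c && t != f ? :vulnerable : :not_vulnerable
end

# Naive run: three probes in true/false/control order, no stability check.
# `responder` is anything with #call(value) returning a response body.
def naive_analyze(responder)
  differential_verdict({
    TRUE_EXPR    => responder.call(TRUE_EXPR),
    FALSE_EXPR   => responder.call(FALSE_EXPR),
    CONTROL_EXPR => responder.call(CONTROL_EXPR),
  })
end

# Guarded run: fetch the control twice first. If the backend answers the same
# request differently, the comparison is meaningless, so report :inconclusive
# instead of a verdict (a simplified version of the safeguard the thread mentions).
def analyze(responder)
  c1 = responder.call(CONTROL_EXPR)
  c2 = responder.call(CONTROL_EXPR)
  return :inconclusive if c1 != c2

  differential_verdict({
    TRUE_EXPR    => responder.call(TRUE_EXPR),
    FALSE_EXPR   => responder.call(FALSE_EXPR),
    CONTROL_EXPR => c1,
  })
end

# --- constructed responders standing in for the web application ---

# A static file that ignores the cookie entirely (like jquery.js in the report).
STATIC_PAGE = ->(_value) { "/* jQuery v1.11.3 */" }

# A simulated page whose content depends on whether the tautology "holds";
# no real SQL is involved, it only mimics the observable behaviour.
def simulated_vulnerable(value)
  value.include?("1=1") ? "<p>Welcome back!</p>" : "<p>Please log in.</p>"
end
VULNERABLE_PAGE = method(:simulated_vulnerable)

# A static page whose database was down for the first request and then came
# back, as cdowney described: the input plays no role in the response at all.
def recovering_responder
  calls = 0
  lambda do |_value|
    calls += 1
    calls == 1 ? "Error establishing a database connection" : "/* jQuery v1.11.3 */"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "static page, naive:       #{naive_analyze(STATIC_PAGE)}"
  puts "simulated vuln, naive:    #{naive_analyze(VULNERABLE_PAGE)}"
  puts "recovering DB, naive:     #{naive_analyze(recovering_responder)}"   # false positive
  puts "recovering DB, guarded:   #{analyze(recovering_responder)}"         # inconclusive
end
```

The interesting case is `recovering_responder`: the "true" probe happens to be the request that hits the dead database, so its body differs from the other two while those two match, which is exactly the pattern the rule treats as evidence of executed SQL. The re-check in `analyze` catches it because two identical control requests disagree; when reproducing a report by hand, the practical takeaway is the same: repeat the unmodified request several times and confirm the page is stable before comparing the probe responses.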
2 Posted by cdowney on 13 Oct, 2015 01:12 AM
Hello! Thanks for such a quick response.
You know, I'll run the scan again because my server is in EC2 and MySQL kept getting shut down... so I upgraded the instance size until it could withstand the scanning. So for awhile the response went back and forth between normal and an ugly error message about no database connection.
After re-running, I will respond with the results.
Support Staff 3 Posted by Tasos Laskos on 13 Oct, 2015 01:15 AM
Yeah, I can see that causing the issue; there's a safeguard against that too, but it's not foolproof.
4 Posted by cdowney on 15 Oct, 2015 09:57 PM
Hi Tasos, I ran the tests again and the blind SQL injection with jquery.js as the affected page didn't happen. However, I did get another blind SQL injection with a different URL with the same input: wordpress_test_cookie.
I have the web app in AWS, so there is a firewall. I'd really like to figure out how to go deeper into this so I can understand if the risk is real or not. Could you point me in the best direction?
Arachni 1.2.1 (ruby 2.2.2p95) [x86_64-darwin13]
thank you!
Support Staff 5 Posted by Tasos Laskos on 15 Oct, 2015 10:41 PM
I don't think AWS's firewall matters in this case and I really can't know for sure what's going on without inspecting the website myself.
The technique used for this issue is explained at: https://www.owasp.org/index.php/Blind_SQL_Injection
It's the "Content-based" one under the "Examples" section so you could try to verify this manually.
6 Posted by cdowney on 15 Oct, 2015 11:40 PM
What's the best way to send you the URL privately? Thanks much for the specific pointer...
Support Staff 7 Posted by Tasos Laskos on 15 Oct, 2015 11:41 PM
tasos.laskos[at]arachni-scanner.com
Support Staff 8 Posted by Tasos Laskos on 19 Oct, 2015 02:25 AM
Discussion moved to e-mail due to the sensitive nature of the exchanged info.
Tasos Laskos closed this discussion on 19 Oct, 2015 02:25 AM.