Lab Scenario: Our mission is to explore and exploit a web application's SQL injection vulnerability while overcoming a Web Application Firewall (WAF) by leveraging XML encoding. By manipulating the XML-formatted requests, we intend to bypass security filters and retrieve sensitive data from the database. Let's embark on this educational journey using Burp Suite:
Identifying the Vulnerability:
Observe that the stock check feature sends the
productIdandstoreIdto the application in XML format.Send the
POST /product/stockrequest to Burp Repeater.In Burp Repeater, probe the
storeIdto check if input is evaluated, using expressions like<storeId>1+1</storeId>.
Probing for Columns and WAF Bypass:
Attempt to determine the number of columns returned by the original query using a UNION SELECT statement.
xmlCopy code<storeId>1 UNION SELECT NULL</storeId>Note that the request has been blocked due to WAF detection.
Bypass the WAF by obfuscating your payload using XML entities with tools like the Hackvertor extension.
Crafting the Exploit:
Deduce that the query returns a single column.
Concatenate returned usernames and passwords using SQL injection:
<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>Observe that you've successfully fetched usernames and passwords from the database, separated by a ~ character.
Solving the Lab:
- Use the administrator's credentials obtained from the exploit to log in and solve the lab.
Conclusion: This hands-on lab exercise provides practical insights into exploiting SQL injection vulnerabilities with filter bypass using XML encoding. By following this step-by-step guide, users can enhance their understanding of advanced SQL injection techniques and the importance of secure coding practices. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to contribute to a more secure online environment.
Reference: