#readwise

# Appointment Write-up

![rw-book-cover](https://readwise-assets.s3.amazonaws.com/media/reader/parsed_document_assets/282413195/r6EZFc3kUVZx6l6GYLHaUHJ72wFO96fmH_Y-COrArcs-cove_ycUCHEj.png)

## Metadata

- Author: [[Hack The Box]]
- Full Title: Appointment Write-up
- URL: https://readwise.io/reader/document_raw_content/282413195

## Highlights

SQL Injection is a common way of exploiting web pages that use SQL statements to retrieve and store user-supplied data. If the application builds those statements by concatenating user input into the query text, an attacker can change the structure of the query itself, which is what makes this well-known vulnerability so dangerous. There are several ways to protect against SQL injection: input validation, parameterized queries (prepared statements), stored procedures, and a WAF (Web Application Firewall) at the perimeter of the server's network. However, instances can still be found where none of these defenses are in place, which is why this type of attack remains prevalent and injection features in the [OWASP Top 10](https://owasp.org/www-project-top-ten/) list of web vulnerabilities. ([View Highlight](https://read.readwise.io/read/01jrmmy951mnxjdnbyqe1r16h5)) ^r4zupz

---

Here is an example of how authentication works using PHP & SQL:

```php
<?php
mysql_connect("localhost", "db_username", "db_password"); # Connection to the SQL database.
mysql_select_db("users"); # Selects the database where user information is stored.
$username=$_POST['username']; # User-specified username.
$password=$_POST['password']; # User-specified password.
$sql="SELECT * FROM users WHERE username='$username' AND password='$password'"; # Query for user/pass retrieval from the DB, built by interpolating the raw input.
$result=mysql_query($sql); # Performs the query stored in $sql and stores the result in $result.
$count=mysql_num_rows($result); # Sets the $count variable to the number of rows stored in $result.
if ($count==1){ # Checks whether exactly one row matched, and if so:
  $_SESSION['username'] = $username; # Stores the specified $username in the session.
  $_SESSION['password'] = $password; # Stores the specified $password in the session.
  header("location:home.php"); # Redirect to the homepage.
} else { # If there is not exactly one matching user/pass combination:
  header("location:login.php"); # Redirect back to the login page, as the login failed.
}
?>
```
([View Highlight](https://read.readwise.io/read/01jrmnjsvdeb235wbtzv621qqy))

Notice how everything after a `#` symbol turns into a comment? That is PHP's comment syntax, and MySQL treats `#` the same way inside a query. Keep that in mind for later.

The code above is vulnerable to SQL Injection, where you can modify the query (the `$sql` variable) through the login form on the web page to make the query do something it is not supposed to do: bypass the login altogether! Note that we can specify the username and password through the login form on the web page. However, they are embedded directly into the `$sql` string that performs the SQL query, without any input validation. Notice that no regular expressions or functions forbid us from inserting special characters such as a single quote or a hash sign. This is a dangerous practice, because those special characters can be used to modify the query. A pair of single quotes delimits the exact data that needs to be matched in the SQL database, while the hash sign starts a comment that runs to the end of the line. Therefore, we could manipulate the query by inputting the following:

```
Username: admin'#
```

The single quote closes the string literal, so the script searches for the `admin` username. By adding the hash sign, we comment out the rest of the query, which removes the check for a matching password for the specified username. If we look further down in the PHP code above, we will see that the code only approves the login once there is precisely one row matching our username and password combination. However, since we have skipped the password part of our query, the script now only checks whether any entry exists with the username `admin`. In this case, we got lucky: there is indeed an account called `admin`, so our SQL Injection succeeds, `$count` is set to 1, the `if` statement passes, and we are logged in without knowing the password. If there were no `admin` account, we could try other usernames until we found one that exists (`administrator`, `root`, `john_doe`, etc.). Any valid, existing username would make our SQL Injection work, provided it matches a single row, since the `$count==1` check rejects an injected query that returns more than one user. Two further points about the snippet worth noting: the `mysql_*` extension it relies on was removed in PHP 7, and it compares plaintext passwords and copies the password into the session, neither of which affects the injection but both of which a reviewer would flag. ([View Highlight](https://read.readwise.io/read/01jrmnp00r066bghgaak7q8nhm))

---
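The login bypass described above, reproduced as an added example that is not part of the Hack The Box write-up or its PHP code. It re-implements the same logic in Python against an in-memory SQLite table with constructed sample users, puts the vulnerable string-built query next to a parameterized version, and runs the page's `admin'#` payload alongside two others. One caveat it makes visible: SQLite does not recognise `#` as a comment marker (MySQL does, as well as `-- ` with a trailing space), so the exact payload from the page errors out here, while the `--` variant works; the comment syntax you use has to match the target's SQL dialect. The tautology case also shows why the snippet's `$count==1` check stops `' OR '1'='1` but not the comment trick.

```python
import sqlite3

# Constructed sample data standing in for the page's "users" table.
# The usernames and passwords here are made up for this example.
SAMPLE_USERS = [
    ("admin", "S3cr3t!"),
    ("john_doe", "hunter2"),
    ("alice", "correct-horse"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same logic as the PHP snippet: the query is built by string interpolation
    and the login succeeds only when exactly one row matches ($count==1).

    Returns (logged_in, rows_matched); rows_matched is None when the injected
    input produced SQL the database refused to parse.
    """
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        # e.g. SQLite rejecting the page's "admin'#" payload: '#' is not a comment here.
        return False, None
    return len(rows) == 1, len(rows)


def login_safe(conn, username, password):
    """Parameterized version: the driver passes the values separately from the
    SQL text, so a quote or comment marker in the input is only ever data."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return len(rows) == 1, len(rows)


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("admin", "S3cr3t!"),      # legitimate credentials
        ("admin", "wrong"),        # wrong password
        ("admin'--", "wrong"),     # comment out the password check ('--' works in SQLite and MySQL)
        ("admin'#", "wrong"),      # the page's payload: a MySQL comment, but a syntax error in SQLite
        ("admin", "' OR '1'='1"),  # tautology: matches every user, so the count is not 1
    ]
    for user, pw in cases:
        print(f"{user!r:16} {pw!r:14} vulnerable={login_vulnerable(db, user, pw)} "
              f"safe={login_safe(db, user, pw)}")
```

Run it as a script to see each payload's outcome against both login functions; the parameterized version treats every payload as a literal username or password and finds no such row.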