In continuing our VERT Vuln School series on SQL injection vulnerabilities, we're going to take a look at how attackers can leverage this vulnerability to steal and exfiltrate data.
Once we view bob's account balance page, we notice another input field that might be of interest: the GET variable "cc". A common way to test for SQL injection is to insert a single quote into the field and observe the response from the web server:
Because the Bank of VERT website is configured to display errors, we see an explicit MySQL error message. Injecting a single quote broke the syntax of the query: the quote closed the string literal early, and the database could not parse what followed. A database syntax error triggered by a single character of user input is a strong indicator that the input is being concatenated directly into the query text rather than bound as a parameter, which is the root cause of SQL injection (the verbose error also tells us which database engine is in use). Let's inject some syntactically correct pieces of SQL and observe the behavior of the application:
By injecting 8507692614026575' and '1'='1 we no longer see the error message: the injected fragment closes the string literal, appends a condition that is always true, and leaves the application's own closing quote to terminate a now-valid query. Let's see what happens if we inject 8507692614026575' and '1'='2:
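The following is an added example, not code from the Bank of VERT application or the original post. It reproduces the three probes above against a constructed in-memory SQLite table (the post's target is MySQL, whose error text differs, but the parsing behaviour of a stray single quote and of the '1'='1 / '1'='2 tails is the same). The table layout, the owner names and balances, and the query shape SELECT ... WHERE cc = '<input>' are assumptions; the vulnerable lookup is shown beside a parameterized one so the contrast in behaviour is visible, and a small helper applies the true/false comparison as a boolean-based injection check.

```python
import sqlite3

# Constructed sample data; the card number is the one used in the post.
CARD = "8507692614026575"


def make_db():
    """Build a throwaway accounts table (assumed schema, not the real app's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, cc TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("bob", CARD, 1250), ("alice", "4111111111111111", 980)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, cc):
    """Concatenates the 'cc' GET parameter into the SQL text (assumed app behaviour)."""
    sql = "SELECT owner, balance FROM accounts WHERE cc = '" + cc + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as e:
        # With error display enabled this is what the user sees, engine name included.
        return ("error", str(e))


def safe_lookup(conn, cc):
    """Binds the input as a value; the database never parses it as SQL."""
    rows = conn.execute(
        "SELECT owner, balance FROM accounts WHERE cc = ?", (cc,)
    ).fetchall()
    return ("ok", rows)


# The three probes from the post, in the order they were tried.
PROBES = {
    "single_quote": CARD + "'",
    "true_tail": CARD + "' and '1'='1",
    "false_tail": CARD + "' and '1'='2",
}


def run_probes(lookup):
    """Run every probe through the given lookup and collect the responses."""
    conn = make_db()
    return {name: lookup(conn, payload) for name, payload in PROBES.items()}


def looks_injectable(lookup):
    """Boolean-based check: the always-true tail must reproduce the baseline
    response and the always-false tail must change it."""
    conn = make_db()
    baseline = lookup(conn, CARD)
    true_tail = lookup(conn, CARD + "' and '1'='1")
    false_tail = lookup(conn, CARD + "' and '1'='2")
    return true_tail == baseline and false_tail != baseline


if __name__ == "__main__":
    for name, result in run_probes(vulnerable_lookup).items():
        print("vulnerable", name, result)
    for name, result in run_probes(safe_lookup).items():
        print("safe      ", name, result)
    print("vulnerable injectable:", looks_injectable(vulnerable_lookup))
    print("safe injectable:      ", looks_injectable(safe_lookup))
```

Against the concatenating lookup the single quote produces a parse error, the '1'='1 tail returns bob's row exactly as the unmodified card number does, and the '1'='2 tail returns nothing; against the parameterized lookup all three payloads are simply card numbers that match no row, so the true/false comparison fails and the check reports no injection.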