Pivot SQL Injection Into RCE

Pivot SQL Injection Into RCE

In this article, we will discuss how a CVE in PTMS was pivoted into RCE. Park Ticketing Management System is one of the most popular and productive systems to manage, supervise, and record activities of the ticketing system. It is widely used to increase the efficiency of the ticketing system as it covers all aspects of this workflow. 

 

This system is self-explanatory, it’s used to manage a ticketing system with loads of customization for personalization of the work.

 

Park Ticketing Management System

 

The technology stack of PTMS uses PHP programming language and takes advantage of the MySQL database. The user interface design is based upon HTML, CSS, and JQUERY.

 

PTMS SQL Injection

We will discuss the vulnerable code where the vulnerability lies and how to prevent such attacks with code examples. As this system uses MySQL, SQL injection is a particular code injection technique that is used to target data-driven applications in which malicious SQL statements and codes are inserted into the execution input field.

 

 

If we open the new-normal-ticker.php file and scroll down to line 65, we can see that there is a $vid parameter which is being fetched from the GET request parameter viewid and there is $ret variable which executes the SQL commands with the $vid variable value as the integer ID.

 

The problem which makes this code terrible is viewid parameter from the GET request, which has not been parameterized properly, thus executes the direct GET parameter without sanitizing it properly which causes SQL injection attack.

 

PTMS System

This System is based on PHP and MySQL. SQL’s full abbreviation is structured query language and it is used for database communications as the standard language for relation-based database systems. SQL can be used for updating data, proof data, and extracting data from databases.

 

Most database systems use SQL. They do have their proprietary extensions and interpreter which are typically used only on their framework.

 

SQL injection into RCE

Here I will explain how security researchers pivot SQL injection into RCE. If you find SQL Injection in any program or product always check for the current database user role. If the user is a root and has the file write permission, we can upload a malicious file via SQL statement with the help of INTO_OUTFILE.

 

 

Executing the above on a vulnerable version will write the file with the name shell.php in PTMS root directory and we can upload a reverse shell or web-shell and take over the server. There are some other functions like LOAD_FILE which can be used to read a specific system file or any file on the web-server.

 

There are numerous functions and commands of SQL which can be used while testing for SQL Injection vulnerabilities, and there’s always research into this. 

 

Defensive Approach of SQL Injection

As we know how crucial and important it is to prevent and save our database from black hat hackers, as it can be leveraged to provide all the confidential data of our users or customers.

 

The question arises on how we can prevent our database from any type of SQL injection. To prevent SQL injections, we should limit the use of string concatenation in our queries and use parameterized queries instead. 

 

 

String concatenation is harmful because it can lead to queries returning the data information which it should not, so it is better to use parameterized and escaped strings instructions like below.

 

 

Types Of SQL Injections

There are many types of SQL Injections but, the most popular are authentication bypass SQL Injection and UNION SQL Injection below with code examples, we can use this approach to understand the logic of the SQL statements which are very dangerous to use.

 

Authentication Bypass with SQL Injection

Let us assume a web-application with login functionality and runs the following query on the SQL server to detect if the user exists for authentication otherwise the login is failed.

 

 

We can log in as any user without a password with SQL comment sequence , this will ignore the password check in the query and our query will look like this.

 

The query above means to select everything from the user’s table where the username is Admin. The rest of the query has been commented with SQL comment sequence, which means the query will return the user whose username is Admin and we will be logged in as that user.

 

UNION SQL Injection

This type of SQL Injection is easy to exploit and it can retrieve data from other tables within the database, UNION lets us execute an additional SELECT query which will append the original query with it.

 

Let us say there is a web-application that executes the following query with the user input TaskId

 

 

An attacker can submit the following query to return all the data in the user’s table

 

 

Impact of SQL Injections

The attacker can read and write the source code files in the database server and the attacker can also add, edit, read, and delete the data contained in the database. 

 

If the attacker accesses confidential files and data then it can lead to many vulnerabilities. However, the risk is not limited only to damage that can be done through SQL injection and can be worse depending on the attacker’s skills.

 

Summary

SQL injections were first documented in 1998 and are still considered the most severe security vulnerability and rated at top 10 by OWASP. 

 

We should understand the importance of parameterizing the SQL statements in any web-application, desktop-application, or any other type of application. SQL injections can be pivoted into RCE, which has caused multiple data breaches in big corporations like Facebook and Yahoo. 

 

In 2019, for example, an incident took place at Facebook where millions of records were breached. These types of security breaches can have widespread consequences, which is why it’s important to stay on top of the latest data. 

 

 

 

 

Michael Hollander

Michael Hollander / About Author

Michael is a Senior Product Manager and the Data Protection Officer at WhiteSource. Before joining WhiteSource, Michael was a Product Manager at GE Digital, and he previously held a number of software development positions spanning over 10 years. Michael is currently leading WhiteSource for Developers, a suite of native developer integrations empowering developers to secure products faster without slowing down development. LinkedIn | Twitter