Monday, 6 February 2012

SQL Injection Via XSS


One of the G4H members, mandi from www.garage4hackers.com (my second home), asked a few days ago about an XSS-to-SQLi attack. He had a scenario where the main site has a cross-site scripting vulnerability and the admin panel has a SQL injection. The page with the SQL injection in the admin panel is only accessible to the admin. The question was whether it is possible to use the XSS on the main site to exploit the SQL injection in the admin panel and get the admin account pwned.

Here is my answer, using the following scenario:

There is a main site which is vulnerable to an XSS flaw (reflected or stored). The same site has an admin panel which is only accessible to admin users, and one of its authenticated pages is vulnerable to SQL injection. The admin panel can be a separate package like cPanel, in which case the SQL injection vulnerability may already be published (exploit-db FTW!!!).

This is how the admin account can be pwned using SQL injection via XSS:
1. The attacker crafts an XSS payload that uses AJAX to make a request carrying the SQL injection payload.
2. He sends the payload to the admin user.
3. When the admin user is logged in to the admin panel and clicks the payload link from the attacker, the SQL injection in the admin page is exploited and returns the usernames and password hashes from the admin table.
4. The attacker then submits the returned data to his own site using AJAX and cracks the password hashes offline.
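The chain above needs two defects: unescaped output on the main site (the XSS) and string-built SQL in the admin page (the injection). Fixing either one breaks it. The following is an added Python example, not code from the original post; the `admin` table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3
import html


def make_db():
    # Constructed sample admin table with two placeholder hash values.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?)",
        [("root", "hash-of-root-pw"), ("ops", "hash-of-ops-pw")],
    )
    return conn


def find_admin_unsafe(conn, name):
    # The 'before': input concatenated into the query, so a quote in `name`
    # changes the query structure and the WHERE clause can be widened to
    # return every row of the admin table, as the post describes.
    sql = "SELECT username, password_hash FROM admin WHERE username = '%s'" % name
    return conn.execute(sql).fetchall()


def find_admin_safe(conn, name):
    # Hardened: a bound parameter is always a literal value, never SQL,
    # so whatever the hooked browser sends can only match a username.
    sql = "SELECT username, password_hash FROM admin WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_result_heading(name):
    # The XSS side of the chain: encode attacker-controlled text before it
    # is placed in HTML, so script markup is shown as text, not executed.
    return "<p>Results for %s</p>" % html.escape(name, quote=True)
```

With the safe query in place the admin page returns nothing for a quoted input, and with the encoded output the injected script never runs in the admin's browser in the first place.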

Video Demonstration:



Any suggestions, comments are welcome.

Update:
As rightly pointed out by @antisnatchor on Twitter, the combination of XSS on the main site and SQL injection in the admin panel can be exploited with the BeEF tunneling proxy technique as well. In the tunneling proxy, BeEF uses the hooked browser (in this case the browser used by the admin) as a proxy to access the authenticated sessions (in this case the admin panel).
Check BeEF Tunneling Proxy in action

4 comments:

  1. Hi, great video!!
    I was wondering... is it possible to have the source code? I'd like to try it by myself :)
    Thank you!

  2. This comment has been removed by the author.

  3. Thanks again for this link. Great work done here (Y)