Security Breach: Detecting and Exploiting SQL Injection in Contact Groups

Slide Note
Embed
Share

Suspect a potential SQL injection in the macros used in Contact groups? Learn how to identify and exploit it through blind SQL injection techniques. Follow step-by-step instructions to execute a payload that alters user data and gain unauthorized access. Stay vigilant and proactively safeguard your data integrity.

ciara
ciara Follow

Uploaded on Apr 02, 2024 | 3 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  3. 1. Broken Access Control 3. Injection 4. Insecure Design

  4. { userId: 1, newPass: **** }

  10. We suspect that one of the macros used in Contact groups contains SQL injection, try to find and exploit it! This is a blind SQL injection - you won t see the result in response, but injected query will execute on background. If the query fails, it will be logged to Event log

  11. 1. Go to Contact Groups, create new group and go to Conditions. 2. Select 'Contact has value in field' macro. It allows us to insert arbitrary input before operator in where clause (e.g. WHERE <field> contains <value>). You can identify it by inserting `, recalculating group and then checking event log. 3. Final payload (change FirstName of the administrator account) 1=1; UPDATE CMS_User SET FirstName='Joe' WHERE UserID = 53-- Finish the WHERE clause of the original query with any True statement, e.g. 1=1 Add ; to finish first query Arbitrary query to drop table, dump data or anything Comment out everything else with --

  12. Event log user@localhost.local Pass.word1 Digital Channel Manager Users

  13. Users Roles Event log

  14. administrator Users

  15. Users email email queue

  16. Send us a message

  17. <img src=0 onerror=alert(1) /> Contact management

  18. http(s):// Forms application

  19. javascript:alert(document.cookie)

  21. file upload xml file Cafe

  22. /api/cmd allowedExtensions 3. Resend / edit change png to xml (/getmedia/.../payload.xml

  23. ../..

  24. ..\..\.

Related


Understanding PL/SQL Benefits and Objectives

Understanding PL/SQL Benefits and Objectives

omar_c
Turkish Statistical Institute SQL Fundamentals Overview

Turkish Statistical Institute SQL Fundamentals Overview

alm_sin
Understanding Alabama Data Breach Notification Act for County Governments

Understanding Alabama Data Breach Notification Act for County Governments

cromartie_l
Data Breach Occurrence at Illinois Department of Transportation

Data Breach Occurrence at Illinois Department of Transportation

dayn_766
Understanding Common Injection Attacks in Windows and Linux Systems

Understanding Common Injection Attacks in Windows and Linux Systems

kael_157
Longitudinal Top-Up Injection for Small Aperture Storage Rings

Longitudinal Top-Up Injection for Small Aperture Storage Rings

wesl_62
Python-Based Model for SQL Injection and Web Application Security

Python-Based Model for SQL Injection and Web Application Security

rebel
Effective Method to Protect Web Servers Against Breach Attacks

Effective Method to Protect Web Servers Against Breach Attacks

birr_tt
Introduction to PL/SQL: Oracle's Procedural Language Extension

Introduction to PL/SQL: Oracle's Procedural Language Extension

eli_hav
SQL Database Security Best Practices

SQL Database Security Best Practices

lamb_tif
Understanding Beam Lifetime and Injection Considerations at CEPC

Understanding Beam Lifetime and Injection Considerations at CEPC

mplat
Insights into Beam Injection Dynamics for Ultra Low Emittance Rings

Insights into Beam Injection Dynamics for Ultra Low Emittance Rings

williard_t
Understanding SQL: Major Aspects and Functionality in Database Applications

Understanding SQL: Major Aspects and Functionality in Database Applications

nojus
Comprehensive Overview of SQL: Commands and Categories

Comprehensive Overview of SQL: Commands and Categories

tika_3
Introduction to SQL: Learn the Basics and Beyond

Introduction to SQL: Learn the Basics and Beyond

ford
Comprehensive Overview of SQL Commands and Language Categories

Comprehensive Overview of SQL Commands and Language Categories

orin
Understanding Modern Performance in SQL Server

Understanding Modern Performance in SQL Server

les_la
Utilizing UK Spatial Data in SQL Server 2008 R2 Reporting Services

Utilizing UK Spatial Data in SQL Server 2008 R2 Reporting Services

kaer212
Understanding Active/Active SQL Clusters for High Availability

Understanding Active/Active SQL Clusters for High Availability

naim_n
Understanding SQL JOIN: A Comprehensive Guide

Understanding SQL JOIN: A Comprehensive Guide

anaell
Unorthodox SQL Techniques Unleashed: REVENGE: The SQL

Unorthodox SQL Techniques Unleashed: REVENGE: The SQL

ryng791
Building a Secure Access & SQL Server Solution with Anders Ebro

Building a Secure Access & SQL Server Solution with Anders Ebro

lyl_boy
Understanding Breach of Confidence and Privacy Rights in Legal Context

Understanding Breach of Confidence and Privacy Rights in Legal Context

harmo
Postsecondary Data Breach Exercise: Prepare for the Unexpected!

Postsecondary Data Breach Exercise: Prepare for the Unexpected!

althea

More Related Content