Authored by RJ Stallkamp
In this post, we will look at a SQL injection vulnerability within the eTRAKiT web application without authenticating to the web application and resulting in obtaining a remote connection to the backend database.
What is eTRAKiT?
eTRAKiT is used by thousands of city, county and state governments and allows citizens to apply and search for permits, schedule and view home inspections, and search license information.
SQL injection
What is SQL injection? SQL injection happens when a web application builds a SQL statement by concatenating user-supplied input into it instead of passing that input as data, so whatever the user types is parsed as part of the query. An attacker can then change what the database executes, from returning information the application was never supposed to give up to, as in this case, running operating-system commands on the database server.
The Art of the Exploit
The scope of the external penetration test was straightforward: identify anything on the given external endpoints that might expose sensitive information.
As testing began, I zeroed in on a web page hosting the eTRAKiT application. I pulled up Burp Suite and noticed that the login requests for the eTRAKiT system were URL-encoded and that one of the fields, “ucLogin_txtLogin_ClientState=”, consisted of a JSON string. As a penetration tester, I’ve always been told to “challenge your assumptions.” With respect to that advice, SQLMap confirmed my assumption that the JSON string was vulnerable to SQL injection.
By modifying the JSON string within the web request (image below), we enabled xp_cmdshell on the backend SQL Server host and executed “nslookup” against a name we controlled to check whether the host had any strict egress filtering in place. We set up a DNS listener on our server and quickly received the lookup, confirming that outbound traffic from the database host was not blocked.
We then attempted to establish a remote session. Using Metasploit’s meterpreter handler, we generated a payload, URL-encoded it, and placed it within the “ucLogin_txtLogin_ClientState=” field of the web request. A remote session staged a few seconds later and we were running as the “NT Service\MSSQLSERVER” account, a service account that normally holds SeImpersonatePrivilege (JuicyPotato to privilege escalate, anyone?).
Remediation
We contacted the developer, who recommended that anyone running eTRAKiT version 3.2.1.30 or earlier pay to upgrade to the newest version, as no security patch will be made available outside of the paid upgrade. Our own recommendations are listed below.
Vendor Recommendation:
- Use of Prepared Statements (with Parameterized Queries)
- Use of Stored Procedures
- Allow-list Input Validation
- Escaping All User Supplied Input
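The following is an added example, not code from the original post or from eTRAKiT, illustrating the SQL injection definition above and the first three vendor recommendations in one runnable script. It stands in for the application code the post does not show: a login handler that receives a URL-encoded form field carrying a JSON string (the field name on the page is real; the {"text": ...} JSON layout, the users table, and the sample rows are assumptions for this example), extracts the login name, and queries the database. The vulnerable version concatenates the name into the statement; the hardened version passes it as a parameter and adds allow-list validation. SQLite is used in place of SQL Server so the script runs offline; the concatenation flaw and the parameterized fix are the same on both.

```python
import json
import re
import sqlite3
from urllib.parse import quote_plus, unquote_plus

# Constructed sample rows; not eTRAKiT's schema.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def encode_client_state(text: str) -> str:
    """Build the form value the way a browser would send it: a JSON string,
    then URL-encoded. The {"text": ...} shape is an assumption for this
    example, not the real ucLogin_txtLogin_ClientState layout."""
    return quote_plus(json.dumps({"text": text}))


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def client_state_text(form_value: str) -> str:
    """Undo the two encoding layers (URL encoding, then JSON) to recover the
    typed login name. Decoding is not sanitising: the result is still
    attacker-controlled, which is why the JSON wrapper offered no protection."""
    return json.loads(unquote_plus(form_value))["text"]


def vulnerable_login(conn: sqlite3.Connection, form_value: str, password: str) -> bool:
    username = client_state_text(form_value)
    # Concatenation: quotes, comment markers and keywords inside the value
    # become part of the statement the database parses.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, form_value: str, password: str) -> bool:
    username = client_state_text(form_value)
    # Parameterised query: the statement text is fixed and the values travel
    # separately, so they are never parsed as SQL. The same payload simply
    # fails to match any row.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{1,64}")


def valid_username(username: str) -> bool:
    """Allow-list validation as a second layer: reject anything that is not a
    plausible login name before it reaches the query at all."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed payloads. The comment marker (--) discards the password check
# that follows the injected text in the concatenated statement.
INJECTION = encode_client_state("' OR 1=1 --")
LEGIT = encode_client_state("alice")


def demo() -> dict:
    conn = build_db()
    return {
        "vulnerable_bypassed": vulnerable_login(conn, INJECTION, "wrong"),
        "safe_bypassed": safe_login(conn, INJECTION, "wrong"),
        "safe_valid_creds": safe_login(conn, LEGIT, "s3cret"),
        "payload_passes_allowlist": valid_username(client_state_text(INJECTION)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable handler accepting the injected login with a wrong password while the parameterized handler rejects it and still accepts real credentials. Note that the allow-list check is a defence in depth, not a substitute for parameterization: a field that legitimately needs quotes or semicolons cannot be protected by validation alone.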
Internal IT Recommendation:
- Enforcing Least Privilege
- Implementing Application Whitelisting
- Create Strict Firewall Rules to Restrict Inbound Connections to the Internal Environment and Outbound (Egress) Connections from It