
Unauthenticated SQL Injection Leading to Remote Command Execution in a Web Application


Overview

During a black-box web application penetration test, I identified an unauthenticated SQL injection vulnerability that could be escalated to remote command execution. Although SQL injection vulnerabilities are less common today, this finding demonstrated how severe the impact can still be. The issue allowed unauthenticated attackers to execute operating system commands on the underlying server.

Objective

The objective of the engagement was to assess the security of a web application from an external perspective. Testing was conducted in a black-box context, without credentials or prior knowledge of the application’s internal functionality.

Discovery

While testing the web application from an unauthenticated perspective, I focused on input handling within the login functionality. I first tested for SQL injection using basic payloads intended to alter query logic or trigger database errors. These attempts did not return useful feedback, so I shifted to testing for blind SQL injection using time-based techniques.

I injected a time delay payload into the request and observed the server response consistently matching the specified delay, confirming blind SQL injection.

Example payload used:

WAITFOR DELAY '0:0:10'

To rule out normal latency, I repeated the test multiple times using different delay values. In each case, the response time consistently matched the injected delay, confirming the presence of a time-based SQL injection vulnerability on the login endpoint.
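The timing check described above can be turned around for the defender: requests carrying a WAITFOR DELAY payload whose response time tracks the requested delay are evidence that the injected SQL actually executed, not just that someone tried. The following is an added example, not code from the original post; the log line format (method, path, response time in milliseconds, URL-decoded body) and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). Assumed format:
# "<method> <path> <response_ms> <body>", one request per line.
SAMPLE_LOG = """\
POST /login 120 txtUserID=alice&txtPassword=hunter2
POST /login 10043 txtUserID=alice'; WAITFOR DELAY '0:0:10'--&txtPassword=x
POST /login 5031 txtUserID=alice'; WAITFOR DELAY '0:0:5'--&txtPassword=x
POST /login 98 txtUserID=bob&txtPassword=x'; WAITFOR DELAY '0:0:10'--
POST /login 7010 txtUserID=carol&txtPassword=x
"""

# T-SQL time-delay primitive, in the form used in the payload quoted above.
WAITFOR_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)

# Slack (ms) allowed on top of the requested delay for query and network
# overhead. Kept small so ordinary slow responses are not counted as hits.
TOLERANCE_MS = 2000

def requested_delay_ms(body):
    """Return the delay (ms) requested by a WAITFOR DELAY payload, or None."""
    m = WAITFOR_RE.search(unquote_plus(body))
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return (h * 3600 + mi * 60 + s) * 1000

def analyze(log_text):
    """Return (line_no, requested_ms, observed_ms, executed) for each request
    carrying a delay payload. 'executed' is True when the response time
    tracked the requested delay, i.e. the database ran the injected SQL."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        observed = int(parts[2])
        requested = requested_delay_ms(parts[3])
        if requested is None:
            continue  # no delay payload: a slow response alone is not evidence
        executed = requested <= observed <= requested + TOLERANCE_MS
        findings.append((n, requested, observed, executed))
    return findings

if __name__ == "__main__":
    for n, req, obs, ok in analyze(SAMPLE_LOG):
        print(f"line {n}: requested {req} ms, observed {obs} ms, "
              f"{'EXECUTED' if ok else 'payload seen, not executed'}")
```

Line 4 of the sample shows why the timing correlation matters: the payload is present but the response came back in 98 ms, so the query did not run it, while lines 2 and 3 match their requested delays and are the ones worth escalating.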

Once the SQL injection was confirmed, I used SQLMap to further validate and demonstrate the impact of the vulnerability. SQLMap was configured to proxy traffic through Burp Suite so that the generated SQL queries could be reviewed.

SQLMap successfully identified the injection point and confirmed database interaction. I briefly enumerated database metadata to demonstrate impact but intentionally avoided dumping sensitive data.

To further assess severity, I used SQLMap’s operating system shell functionality. This allowed the execution of operating system commands through the database using xp_cmdshell. While command execution was slow due to the time-based nature of the injection, it was reliable and confirmed remote command execution on the host.

Example command:

sqlmap -u "https://example.com/" --data "txtUserID=*" --dbms "<database_type>" --os-shell

At this stage, the vulnerability had escalated from an unauthenticated SQL injection to full command execution. I stopped further exploitation after collecting sufficient evidence and notified the customer immediately.

Takeaway

SQL injection vulnerabilities can have a catastrophic impact when they exist, and a single injection point can quickly lead to full server compromise.