Injection Attacks Using DAMN Vulnerable Thick Client App
Background:
In the previous article, we have seen some of the common data storage issues in Thick Client Applications specifically in DVTA. In this article, we will discuss some common injection attacks that exist in DVTA. We begin with CSV Injection followed by SQL Injection.
CSV Injection:
Comma Separated Vulnerabilities became popular lately. CSV injection is a formula injection technique, which can be used to exploit the export to spreadsheet functionality. The idea is to demonstrate the fact that DVTA application does not validate the data exported into the CSV file.
FREE role-guided training plans
It is a common functionality in web applications as well as thick clients. This enables users to export data into an Excel sheet in CSV/XLS format, which can later be used with applications such as Microsoft Excel.
Let's see how this works in DVTA.
Login as Rebecca and click View Expenses button to view the data associated with Rebecca's account.
Note: If it does not contain any data, you can add it through Add Expenses button and then view.
The following figure shows the expenses of Rebecca.
Please note the Backup Data to Excel button, which can be used to export these expenses to a CSV file.
This is where CSV injection comes into the picture.
Can we tamper the expenses and add malicious data here? If yes, is the data being validated, before exporting it to the CSV file?
Let's try to do it. Modify the value in price column and add a simple formula as shown in the figure below. Then, click Backup Data to Excel.
We should see the following confirmation window if everything went fine.
Perfect, now open up the CSV file using Microsoft Excel and notice the value in the price column. Excel has processed the formula placed while exporting the data.
To keep the example simple, we have placed a simple formula. However, you may try other exploitation techniques available online if you are interested in practicing it further.
SQL Injection
SQL Injection is one of the most common and dangerous vulnerabilities that we have been seeing for ages. Even today, developers are still making the same mistakes that cause SQL Injection vulnerabilities. DVTA also comes with an insecure code that causes SQL Injection vulnerabilities in it. Let us discuss how someone can exploit them in DVTA.
Let us see if we can use the most common SQL Injection string to bypass the authentication on the login page.
Please enter x' or 'x'='x in both the username and password fields as shown in the following figure and then click Login.
Bam! We are logged in as Raymond. Traditionally, this is how SQL Injection looks like.
Let us see why this application is vulnerable to SQL injection. Opening up DVTA's Github page and observing Login.cs will reveal the following.
It is clear that DVTA is receiving user input and passing it to a database handler using the function name checkLogin().
Next, open up DBAccess.cs as shown in the figure below.
As you can see, this is where the function definition for checkLogin is written. Again, it is taking the input supplied by the user and directly passing it to the SQL Query. So, we can confirm that Inline SQL Queries are written, and no input sanitization is performed during the login process.
Our next goal is to use this vulnerability to login to other users' accounts assuming that we know their usernames.
Enter the following string into the username field.
Username: rebecca' or 'x'='y'--
Enter any random value into the password field (This will not be executed as we are commenting it out in the username field).
Clicking Login button will show us the following window.
Excellent! We are logged in as Rebecca.
Can we use the same technique to login to Admin's account? Oh yes! Let's try it out.
Enter the following string into the username field.
Username: admin' or 'x'='y'--
Once again, enter any random value into the password field.
Click Login, and we should see the following window.
Similarly, we can get into any account and perform operations on behalf of them.
What should you learn next?
Conclusion:
In this article, we have discussed some commonly seen injection vulnerabilities in Thick Client Applications. We have seen how DVTA application can be exploited using CSV injection and then followed by SQL injection vulnerabilities. In the next article, we will discuss Reverse Engineering .NET applications and decrypting the database credentials hardcoded in the application.
In this Series
- Injection Attacks Using DAMN Vulnerable Thick Client App
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness