Penetration testing

Manual Web Application Penetration Testing – Suffix & Prefix in Fuzzing

Chintan Gurjar
February 10, 2014 by
Chintan Gurjar

Introduction

In this series of articles, last time we talked about fuzzing and various SQL statement special characters which can be used in fuzzing a web application. In this article, I am going to focus on various prefixes and suffixes of fuzzing in order to fuzz the target web application.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Syntax

Suffix Syntax – AlphabeticsSpecialcharacters means alphabetic followed by special characters. We put special characters at the end, and that is why it is called a suffix.

E.g: jonnybravo' (Where jonnybravo is a character and ' is a special character.)

Prefix Syntax – SpecialcharactersAlphabetics means special characters followed by alphabetics. We put special characters at the start, and that is why it is called a prefix.

E.g: 'jonnybravo (Where jonnybravo is a character and ' is a special character.)

Analysis

Pick the suffix in the example, give it to the authentication, and watch the result. The picture below shows the result when I gave jonnybravo' in the username.

Figure 1 My input string jonnybravo'

GET /chintan/index.php?page=user-info.php&username=jonnybravo%27&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://localhost/chintan/index.php?page=user-info.php

Cookie: showhints=0; PHPSESSID=39hb01vtdib9sov8rmmfok7kn2

Connection: keep-alive

Encoding of Special Characters in URL

After giving that input string, I intercepted the request and came to know that the browser encoded my input as in the specific format of the URL. So ' changed to %27 and then it was sent to a server via browser. Likewise, here is the list of all those special characters from your keyboards and their relevant conversation in specific browser URL format.

! - %21

@ - %40

# - %23

$ - %24

^ - %5e

& - %26

* - %2a

( - %28

) - %29

{ - %7b

} - %7d

- - %2d

+ - 2b

[ - %5b

] - %5d

; - %3b

: - %3a

- %5c

| - %7c

, - %2c

< - %3c

. - %2e

> - %3e

/ - %2f

? - %3f

Once I forwarded the request, I got an error page, as the username is not legitimate. Here is the page:

So from the above error page, we can identify in message boxes that jonnybravo' is our injection. Let us analyze the Query which is shown in the message box. The query is as follows:

Query: SELECT username FROM accounts WHERE username='jonnybravo'';

By looking at this query, we may straightaway come to know that we need a suffix and prefix in order to finish the query itself. Let me illustrate this by writing this query in the below format:

Query: SELECT username FROM accounts WHERE username='jonnybravo'';

We are giving ' in order to complete the SQL statement. So once I give jonnybravo' then the suffix ' and the ' which comes before jonnybravo completes the syntax format. You can clearly see that starting and ending ' are provided by the server query, but we want to add one more so that our ' finishes the statement query and then the remaining additional one lies as it is, which may cause an error while executing this query because it is not being used and it is not correct as per the SQL query syntax. So the one we put after jonnybravo finishes the query syntax by working with the initial one ' provided by the server before jonnybravo and the remaining one provided by the server is useless because the syntax is already finished with our one and that additional one causes an error.

"If we don't close, then no matter whatever you give in your injection, it will never work out and you will get an error page."

This is the only username lookup page, so you may get this query in the backend to run. Let us move on to the authentication page so we may see the username and password field in a query. The query is as follows. I gave jonnybravo' as a username and momma as a password. So we add the suffix ' in this username and the password remained simple plain text. Sometimes we need both in order to pass our injection. Let us follow the below query.

Query: SELECT * FROM accounts WHERE username='jonnybravo'' AND password='momma'

Let us suppose that we want to get rid of the highlighted sentence which is AND password='momma'. So how can we do that? I am going to use ' as a prefix and (space)-- as a suffix. The main reason of using (space)-- is because this is a MYSQL server, so when we give (space)-- it is considered as a comment notation. So whatever we write after this will be considered as a comment and the server will ignore that part of the query.

Injection - ' --

Then we can add our payload in between, this such as or 1=1'. So our final injection will look like below.

Injection - ' or 1=1' --

Once I give this injection to the username field. The generated error looks like the below pic.

Analyzing our injection, we gave the first prefix ' which completes the username field. The username is passing ' ' from the server, but in between that we are giving our injection so it becomes ' ' or 1=1' -- ' where yellow marked quotes are passed by the server only and the red one is our injection. Now simplifying it, if we consider the first two ' ' then it completes the username field. ' ' or 1=1' -- '. So the predefined ' from the server and one of our ' makes the complete '' for the username field. Now analyzing further, the query is as follows.

Username=' ' or 1=1' -- ' AND password=' '. As I mentioned earlier, this is the MYSQL server so whatever comes after (space)--is considered a comment. So commenting a further query would look like below.

Username=' ' or 1=1' -- ' AND password=' '. Now simplifying this query: The only thing remaining in our query is 1=1' because after that everything is in the comment which is highlighted in cyan color and before that ' ' completes the sentence. So this is how you can use a suffix and prefix in SQL injection. Now I have put one more ' after 1=1 in order to bring error on the page. If I remove that extra ' then this injection will work and we will be able to inject the application successfully as everyone knows 1=1 so that logic cannot be refused by a server and the server will execute that query. So my final injection becomes ' or 1=1 -- and giving this query into the username field gave me the below result.

As you can see, the server executed our injection and it gave all the results stored in the database. It brings all the results from the entire table.

Conclusion

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

So, in this article I introduced you to suffix and prefix and how to use them in order to complete the SQL statement in order to get our injection executed by the server. It does not matter whether it is a MYSQL server or any other server. In my next article of this series, I will focus on getting our payload executed while playing with HTML tags.

Chintan Gurjar
Chintan Gurjar

Chintan Gurjar is a System Security Analyst and researcher from London working in Lucideus Tech Pvt Ltd. He has written articles for Europe based magazine namely “Hakin9”, "PentestMag" and India based magazine “Hacker5”. He has done a valuable research in cryptography overhead mechanism. Chintan Gurjar has completed B.Tech in computer science from India and currently pursuing his post graduate degree in computer security & forensics from London (UK). During his academics, he has submitted a small scale research paper on Cryptography Overhead Mechanism in IPsec Protocol. He has also submitted Network Security Auditing and Network services administration and management report. He is very keen to spread cyber awareness world wide. In future he would like to work for his Country’s government in a forensics investigation field.