SQL Wildcard DoS - Hang Till Death

Summary

SQL Wildcard DoS is about forcing the database to carry out CPU-intensive queries by using several wildcards. This vulnerability generally exists in search functionalities of web applications or in the functionalities where the data gets stored for e.g. searches, comments, image names, messages etc. Successful exploitation of this attack will cause Denial of Service.

Description

I have found a SQL Wildcard denial of service vulnerability in one of the program where I injected a specially crafted SQL wildcard payload that caused the application to crash. There was a file upload functionality where I uploaded a file with the name %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!%.txt where the name contains the SQL Wildcard payload. The filename got stored in the database and it crashed the application and the path where the files were getting reflected after being uploaded. The report is still in the Triage state and they are working on a fix.

What are Wildcards ?

SQL wildcards are special characters used in SQL queries to represent one or more characters in a string. The most commonly used SQL wildcard characters are:

1. % (percent sign): represents any number of characters, including zero characters
2. _ (underscore): represents a single character

For example, the SQL query SELECT * FROM customers WHERE customer_name LIKE ‘J%’ will return all customers whose name starts with the letter “J”.

Explaining and Breaking the Payload

When an attacker injects the %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!% payload into an input field, the database parses the query and tries to match the pattern specified by the wildcard characters.

In this case, the query tries to match any string that starts with “n”, followed by any character except “n”, followed by “y”, followed by any character except “j”, and so on.

If the database has a large number of records, the query can take a long time to execute, leading to a slow response time or a complete DoS. The attacker can also modify the payload to target specific database tables, making the attack more effective.

Suppose there’s a vulnerable web application that allows users to search for products by name. The application uses an SQL query to retrieve the products from the database, as shown below:

SQL Query

An attacker can inject the %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!% payload into the search field and submit the form. The SQL query generated by the application will be:

Wildcard DoS Payload

If the database has a large number of records, the query can take a long time to execute, leading to a slow response time or a complete DoS.

The SQL wildcard DoS attack can be represented as follows:

CRASHED

How I found this vulnerability ?

1. I went to the file upload feature

File Upload Feature

2. I uploaded a normal text file with the name Test2.txt

Text file

3. I intercepted the request and sent it to repeater for checking a normal response time

Repeater

Response Time - 2479 milliseconds

4. Then I changed the file name to SQL Wildcard DoS payload: %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!%.txt and checked the response time

Response Time - 99680 milliseconds

5. I visited the page where the files were being uploaded and the page was not available

Application Crash

Timeout

Why it happened ?

In my opinion,

It happened because when I injected the SQL wildcard payload as a filename it got stored in the database which made database to execute a time-consuming search operation that utilizes the system’s resources and causes it to become unresponsive.

Sample Payloads

1. ‘%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R”_)][%](%[x])%a][$*”£$-9]_%’
2. ‘%64_[^!_%65/%aa?F%64_D)_(F%64)_%36([)({}%33){()}£$&N%55_)$*£()$*R”_)][%55](%66[x])%ba][$*”£$-9]_%54’ (bypasses mod-security)
3. _[r/a)_ _(r/b)_ _(r-d)_
4. %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!%
5. %_[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[! -z]@$!_%

Impact

An attacker can easily make the page unresponsive to other users by simply injecting the payload. It might happen sometimes that the whole application becomes unresponsive if a single database is being used because the payload is stored.

NOTE: If the attack is self then there will be no impact. (for eg. the error only affects you not other users.)

Insights

Calculated CVSS

Vector String - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Score - 7.5 (High)

Mitigation

To prevent SQL wildcard denial of service, an application should use prepared statements or parameterized queries to ensure that user input is properly sanitized and validated before being used in an SQL query.