API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Sep 17th, 2012
24
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.54 KB | None | 0 0
raw download clone embed print report
  1. 00:03:50 <hatter> ok guys
  2. 00:03:54 <hatter> we'll go ahead and start now
  3. 00:04:04 <hatter> I'm going to assume everyone in here knows what an HTTP input is
  4. 00:04:19 <hatter> For those who do not, they are GET, COOKIE, POST, and other request header parameters
  5. 00:04:26 <hatter> We are not going to touch on those very much
  6. 00:04:39 <hatter> If you don't understand this, the http rfc will describe it much better than I can
  7. 00:05:34 <hatter> so -
  8. 00:06:05 <hatter> sql injection is classified as a format or escape sequence based vulnerability, due to formatting or type handling
  9. 00:06:26 <hatter> However, it does actually remotely interpret SQL code
  10. 00:07:01 <hatter> Therefore I move we refer to this as a remote code "interpretation" vulnerability triggered by a format string or escape sequence due to improper format or type handling
  11. 00:07:07 <hatter> At any rate
  12. 00:07:15 <hatter> Lets move onto some of the things we can do for testing
  13. 00:08:01 <hatter> (This class also supposes that you know the basics of database navigation. For those who don't, please see http://blackhatlibrary.net/SQL_orientation
  14. 00:08:04 <hatter> )
  15. 00:08:25 <hatter> THe classic type of injection is known as "where clause" injection
  16. 00:08:33 <hatter> this is similar to
  17. 00:08:42 <hatter> select * from table where id=?
  18. 00:08:53 <hatter> where id is the input passed by the parameter
  19. 00:09:07 <hatter> So, because this is an advanced session and I'd like to get the basics out of the way
  20. 00:09:20 <hatter> suppose our url is /article.php?id=1
  21. 00:09:39 <hatter> Yall are about to learn a hell of a lot about a sql where clause
  22. 00:10:53 * fxm gives hatter a $_COOKIE
  23. 00:11:06 <foo> RFC 2109 - HTTP State Management Mechanism https://www.ietf.org/rfc/rfc2109.txt
  24. 00:11:22 <hatter> So
  25. 00:11:45 <hatter> I'm going to throw out some tests that could be used to determine whether or not injection is possible
  26. 00:11:58 <hatter> /article.php?id=-1
  27. 00:12:02 <hatter> /article.php?id=1'
  28. 00:12:11 <hatter> /article.php?id=(3-2)
  29. 00:12:24 <hatter> /article.php?id=(select%0a1)
  30. 00:12:33 <hatter> Are there any questions so far?
  31. 00:12:50 <Atlas> Yes, what would =(3-2) and (select%0a1) return?
  32. 00:12:54 <hatter> well
  33. 00:12:56 <Apollo> what would the result be if it is not vulnerable?
  34. 00:12:58 <hatter> 3-2 = 1
  35. 00:12:59 <hatter> therefore
  36. 00:13:07 <hatter> 3-2 would return the page as id=1
  37. 00:13:16 <hatter> select%0a1
  38. 00:13:17 <hatter> is actually
  39. 00:13:21 <hatter> select\n1
  40. 00:13:33 <hatter> \n is a valid "space" character
  41. 00:13:40 <hatter> Any other questions?
  42. 00:14:02 <Apollo> if injection is not possible what is returned?
  43. 00:14:29 <Apollo> ah
  44. 00:15:21 <hatter> If an injection is not possible
  45. 00:15:28 <hatter> the correct page is *NOT* what get returns
  46. 00:16:01 <hatter> If an injection is not possible
  47. 00:16:02 <hatter> CHeck this
  48. 00:16:11 <hatter> /article.php?id=asidufhiawuehfiweuh
  49. 00:16:15 <hatter> will be the same as
  50. 00:16:25 <hatter> /article.php?id=(3-2)
  51. 00:16:27 <hatter> now
  52. 00:16:43 <hatter> Here's a trick - you can determine whether or not certain characters are sanitized
  53. 00:16:48 <hatter> here we go -
  54. 00:16:57 <hatter> /article.php?id=1
  55. 00:17:01 <hatter> /article.php?id=-1
  56. 00:17:07 <hatter> the -1 may throw an error
  57. 00:17:12 <hatter> but not be vulnerable
  58. 00:17:15 <hatter> does anyone know why?
  59. 00:17:35 <hatter> -1 throws and error
  60. 00:17:38 <hatter> so its not sanitized
  61. 00:17:43 <d4rch0n> nothing at that index?
  62. 00:17:52 <hatter> Well, the kicker here
  63. 00:18:01 <hatter> is that php usually uses (int) to cast to an integer
  64. 00:18:07 <hatter> the reason it could throw an error but not be vulnerable
  65. 00:18:13 <hatter> is because -1 is in fact an integer
  66. 00:18:24 <hatter> if you want to avoid this behavior doing development
  67. 00:18:29 <hatter> just abs((int)$var)
  68. 00:18:38 <hatter> so you get its absolute value
  69. 00:18:46 <hatter> rather than strictly an integer, this will force a positive one
  70. 00:19:14 <Atlas> I don't understand why it would error out
  71. 00:19:23 <hatter> select * from table where id = -1
  72. 00:19:26 <hatter> there is no id -1
  73. 00:19:32 <hatter> thats why it would error out
  74. 00:20:52 <hatter> So
  75. 00:20:54 <hatter> moving forwards
  76. 00:21:29 <hatter> you could do (3-2) to generate a 1 and (3-1) would give you an id of 2
  77. 00:21:53 <hatter> so you'd be able to determine vulnerability based on
  78. 00:22:47 <hatter> an arithmetic test
  79. 00:22:48 <hatter> now -
  80. 00:22:54 <hatter> This will work on 9/10 of your
  81. 00:22:56 <hatter> sql backends
  82. 00:23:02 <hatter> but there are some cases where that just won't work
  83. 00:23:08 <hatter> for one reason or another
  84. 00:23:09 <hatter> however
  85. 00:23:15 <hatter> one test that is guaranteed to work
  86. 00:23:23 <hatter> with the fewest possible syntax characters
  87. 00:23:28 <hatter> is the between ... and ... test
  88. 00:23:59 <hatter> many web application firewalls do not have a signature for this type of testing
  89. 00:24:11 <hatter> /article.php?id=1 and 2 between 1 and 5
  90. 00:24:14 <hatter> would be true
  91. 00:24:14 <hatter> while
  92. 00:24:20 <hatter> /article.php?id=1 and -2 between 1 and 5
  93. 00:24:22 <hatter> would be false
  94. 00:24:32 <hatter> the between ... and ... test is version independant
  95. 00:24:44 <hatter> that is to say, it is 100% compatible with all versions of sql I've run into (that'd be a lot of them)
  96. 00:24:51 <Atlas> Is it possible to filter out "and"?
  97. 00:24:58 <hatter> sure
  98. 00:25:06 <hatter> but anyone filtering out
  99. 00:25:09 <hatter> the word "and"
  100. 00:25:33 <hatter> is also filtering out a bunch of other potentially legitimate traffic.
  101. 00:25:38 <d4rch0n> would false return a 500 page? and true return the id 1?
  102. 00:26:49 <hatter> d4rch0n: false would return likely either 500, 404, 30[12] redirect to 404
  103. 00:27:05 <hatter> Or in some cases
  104. 00:27:09 <hatter> it'd just be a blank page
  105. 00:27:15 <hatter> or a page with all the layout and missing body text
  106. 00:27:54 <hatter> essentially, missing data
  107. 00:27:57 <hatter> now you have
  108. 00:28:06 <hatter> 4 or 5 constants we should talk about
  109. 00:28:08 <hatter> we have "true"
  110. 00:28:14 <hatter> we have "error"
  111. 00:28:18 <hatter> we have "false"
  112. 00:28:22 <hatter> we have "filtered"
  113. 00:28:25 <hatter> and we have "404"
  114. 00:28:35 <hatter> e.g. no data found
  115. 00:28:59 <hatter> a lot of times its easy to confuse 404 with filtered false and error
  116. 00:29:00 <hatter> one of those
  117. 00:29:03 <hatter> will be constant
  118. 00:29:05 <hatter> no matter what
  119. 00:29:14 <hatter> e.g. false will always return the same data in some cases
  120. 00:29:16 <hatter> or true will.
  121. 00:29:30 <hatter> its very rare, but it can happen, that dynamic content messes up automated stuff
  122. 00:29:35 <hatter> but any by hand inspection
  123. 00:30:33 <hatter> should pretty much always identify the issues
  124. 00:30:45 <hatter> now we've talked a little bit about true and false testing -
  125. 00:31:21 <hatter> lets talk about some more advanced stuff - moving on
  126. 00:31:27 <hatter> suppose we've tghe following url
  127. 00:31:43 <hatter> /search.php?q=isearched&page=3&perpage=25
  128. 00:32:31 <hatter> can anyone identify the clauses involved in the inputs in this url?
  129. 00:33:20 <Atlas> Do you mean "and" and "filter"?
  130. 00:33:25 <hatter> no
  131. 00:33:32 <Apollo> input was isearched, formatted 25 per page, display page 3
  132. 00:33:34 <pseudo> q,page,perpage?
  133. 00:33:38 <hatter> i mean things lke "where" clause
  134. 00:33:55 <hatter> which inputs get plugged into which SQL clauses?
  135. 00:34:50 <pseudo> q: select, page: where, perpage: ?
  136. 00:35:10 <hatter> q goes into LIKE clause
  137. 00:35:17 <hatter> page doesn't go into any clause.
  138. 00:35:22 <hatter> perpage goes into the limit clause
  139. 00:35:25 <hatter> I'll explain.
  140. 00:35:31 <hatter> In SQL we have a LIMIT and an offset
  141. 00:35:42 <hatter> e.g. page 3 25 per page
  142. 00:35:47 <hatter> would be results 75 - 100
  143. 00:35:49 <hatter> so
  144. 00:36:10 <hatter> limit 25 offset 75
  145. 00:36:10 <hatter> or
  146. 00:36:19 <hatter> limit 25 offset $page*$limit
  147. 00:36:38 <hatter> so, because that must be precalculated
  148. 00:36:47 <hatter> the page parameter will likely never be passed directly to sql
  149. 00:36:59 <hatter> unless sql is being used to do the math involved
  150. 00:37:11 <hatter> e.g. select ($page * $limit)
  151. 00:37:13 <hatter> quite bad form imo
  152. 00:37:29 <hatter> in any case this would be something like
  153. 00:38:14 <hatter> select * from page where thing like '%$q%' limit $perpage offset $offset
  154. 00:38:27 <hatter> so perpage is going to be in your limit clause
  155. 00:39:13 <hatter> because that's easily deduced, and we know limits aren't wrapped in quotes
  156. 00:39:22 <hatter> we can test this with a simple character test
  157. 00:39:33 <hatter> /search.php?q=isearched&page=3&perpage=25o
  158. 00:39:46 <hatter> this would generate an error ^ in the sql backend
  159. 00:39:52 <hatter> however,
  160. 00:40:22 <hatter> you can tell easily that its casted to an integer when it still displays 25 results
  161. 00:42:25 <hatter> you can determine the number of % in a like statement
  162. 00:42:43 <hatter> by looking at the shortest result when searching for a % character. You may need to urlencode this to %25
  163. 00:42:47 <hatter> additionally, you may find that
  164. 00:42:49 <hatter> when searching for records
  165. 00:42:56 <hatter> %25 is a nice way to make it spill everything
  166. 00:43:13 <hatter> if you look at the number of letters in the search results
  167. 00:43:45 <hatter> the shortest number of characters may be 1 if there are no % characters in the like statement, 3 if you are surrounded on either side.
  168. 00:43:57 <hatter> Usually "Begins with" searches go like 'starts with%' in sql
  169. 00:44:02 <hatter> while ends with may look like
  170. 00:44:04 <hatter> '%ends with'
  171. 00:44:16 <hatter> in some cases you may get 'starts with%%ends with'
  172. 00:44:34 <hatter> in some cases, these wildcard characters can be used for enumeration
  173. 00:44:46 <hatter> this is pretty advanced/extreme exploitation, and usually limited in scope
  174. 00:44:48 <hatter> but its possible.
  175. 00:45:07 <hatter> so, last one..
  176. 00:45:19 <hatter> say we have the following url:
  177. 00:45:53 <hatter> /usersview.php?category=players&sort=rank
  178. 00:46:10 <hatter> in this particular case, it may look something like :
  179. 00:46:48 <hatter> select * from users where category='players' order by rank desc limit 10 offset 0
  180. 00:47:20 <hatter> This is where it gets interesting.
  181. 00:47:30 <hatter> You've got an ORDER BY clause injection along with a where clause injection
  182. 00:47:49 <Atlas> Sorry, "desc"?
  183. 00:47:54 <hatter> to test for vulnerability, you can add comment notation to the end of the url to throw an error
  184. 00:48:01 <hatter> Atlas: descending, as opposed to 'asc'
  185. 00:48:15 <hatter> /usersview.php?category=players&sort=rank--
  186. 00:48:18 <hatter> would throw an error in some cases
  187. 00:48:31 <hatter> because there is no direction defined in the order statement
  188. 00:48:32 <hatter> additionally
  189. 00:48:38 <hatter> you could also just add another random character there
  190. 00:48:44 <hatter> /usersview.php?category=players&sort=rank2387
  191. 00:48:58 <hatter> the odds of an arbitrary sql table having a columned named such is doubtful
  192. 00:49:05 <hatter> now, lets focus on that category input
  193. 00:49:25 <hatter> there are 6 tests you should administer to a string
  194. 00:49:34 <hatter> /usersview.php?category=play'ers&sort=rank
  195. 00:49:39 <hatter> /usersview.php?category=play`ers&sort=rank
  196. 00:49:46 <hatter> /usersview.php?category=play"ers&sort=rank
  197. 00:49:53 <hatter> /usersview.php?category=play$$ers&sort=rank
  198. 00:50:12 <hatter> /usersview.php?category=play%bf'ers&sort=rank
  199. 00:50:21 <hatter> /usersview.php?category=play%bf"ers&sort=rank
  200. 00:50:38 <hatter> Are there any questions at the moment?
  201. 00:50:44 <Atlas> " ' ` $$ %bf' %bf"
  202. 00:51:13 <Atlas> Is the injection arbitrary?
  203. 00:51:32 <d4rch0n> would you want to sort with other guess column names to determine columns in the table?
  204. 00:51:34 <Atlas> i.e. play ers = pla yers
  205. 00:51:46 <hatter> d4rch0n: no
  206. 00:52:07 <hatter> d4rch0n: only if you're on a legacy database where mysql.user etc is not possible to access
  207. 00:52:18 <hatter> like
  208. 00:52:25 <hatter> there are cases when that may be necessary
  209. 00:52:41 <hatter> but most modern systems have an internal index of tables and column names
  210. 00:52:47 <hatter> within their storage engines
  211. 00:53:49 <hatter> if you're interested in that, check out http://blackhatlibrary.net/SQL_injection/Target_Environments/Mapping
  212. 00:54:31 <hatter> Next up?
  213. 00:54:52 <hatter> Atlas: yes the injection is arbitrary
  214. 00:54:58 <hatter> you are just trying to cause an error with those
  215. 00:55:03 <hatter> they may not be verbose
  216. 00:55:06 <hatter> but you'll be able to tell
  217. 00:55:07 <hatter> :3
  218. 00:56:44 <hatter> at any rate
  219. 00:56:55 <hatter> THere is one last type of injection testin for us to go over
  220. 00:57:03 <Apollo> why would you need to test if ',`," etc produce an error, just to see if they're sanitized?
  221. 00:57:07 <hatter> and that's full blind injection testing
  222. 00:57:12 <hatter> Apollo: you wouldnt
  223. 00:57:20 <hatter> Apollo: this is for if one fails, try the next.
  224. 00:58:11 <hatter> Full blind (not partially blind) injection is usually only in logging mechanisms but can be found in other types of injection vulnerabilities
  225. 00:58:31 <hatter> lets take our first example :
  226. 00:58:36 <hatter> /article.php?id=1
  227. 00:59:13 <hatter> in mysql, sleep() always returns null
  228. 00:59:21 <hatter> so
  229. 00:59:22 <hatter> you can do
  230. 00:59:34 <hatter> /article.php?id=1 and sleep(30) is null
  231. 00:59:52 <hatter> you'll get a nice
  232. 00:59:54 <hatter> 30 second page load
  233. 01:00:05 <hatter> if the site is vulnerable
  234. 01:00:06 <hatter> additionally
  235. 01:00:09 <hatter> you can also do
  236. 01:00:18 <hatter> /article.php?id=sleep(30)
  237. 01:00:31 <hatter> /article.php?id=pg_sleep(30)
  238. 01:00:35 <hatter> (that was postgres)
  239. 01:01:00 <hatter> /article.php?id=1 wait for delay 00:00:30
  240. 01:01:06 <hatter> (mssql)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!