Injection flaw teaser
Uploaded by notsosecure
Transcript of Injection flaw teaser
The Art Of Exploiting Injection Flaws
Sumit [email protected]
About the course
Hands-on 2-day training
Requires out-of-the-box thinking (strong coffee recommended!)
20 exercises, 100 slides, 8 CTFs!
Previous feedback:
“This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid”
“I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid”
About Me
Sumit “sid” Siddharth, Speaker/Trainer at Black Hat, DEF CON, OWASP AppSec, HITB, Ruxcon etc.
My blog: www.notsosecure.com
Specialist in Application & Database Security!
More than 8 years of Pentesting!
Co-author: SQL Injection Attacks and Defense
Head of Penetration Testing @ 7Safe
Day 1: SQL Injection
Exploiting SQL Injections
Authentication Bypass
Extracting Data
Error Message Enabled
Error Message Disabled
Union Injection
Blind Injection
Time Delays
Out Of Band Channels
Privilege Escalation
OS code execution
Exercise 9.8 – SQL Injection: OS command execution
http://hacklab.net/hackme_7.5/
Objective: Exploit SQL injection to run OS commands on the database server
CTF: What are the contents of C:\secret.txt on the server?
Time: 10 mins
Advanced SQL Injection
Insanely Blind SQL Injection
Application returns the same response
Injection point in INSERT/UPDATE statement
Encoding/Decoding User Input
Base64 decoding user input
Hex decoding user input
Real world examples
WordPress Admin-Ajax.php unauthenticated SQL injection
PHP-Nuke auth.php
$cookie = explode(';', urldecode(empty($_POST['cookie'])));
$admin = base64_decode($admin);
SQL Injection in SQL Names
Consider the following:
Dim cat, orderBy, query
' Doubling single quotes only protects values that sit inside a quoted string literal
cat = Replace(Request.Form("cat"), "'", "''")
orderBy = Replace(Request.Form("orderBy"), "'", "''")
' orderBy is an SQL name, not a string literal, so the quote escaping above does nothing for it
query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
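The point of the slide above is that quote-doubling only protects a value inside a quoted literal; the ORDER BY column name is an SQL identifier, so the same escaping leaves whatever was submitted in place. The following is an added example (not from the course material): a Python rewrite of the ASP snippet beside a hardened builder that binds `cat` as a parameter and only accepts `orderBy` from an allow-list, run against a constructed in-memory SQLite `prod` table (the table and column names are assumed for the example).

```python
import sqlite3

# Hypothetical schema for this example: the only columns a caller may sort by.
ALLOWED_ORDER_BY = {"id", "name", "price"}


def build_query_quote_escaping(cat: str, order_by: str) -> str:
    """Mirror of the ASP snippet: double single quotes, then concatenate.
    Effective for the quoted literal, a no-op for the ORDER BY name."""
    cat = cat.replace("'", "''")
    order_by = order_by.replace("'", "''")
    return "SELECT * FROM prod WHERE cat = '" + cat + "' ORDER BY " + order_by


def build_query_safe(order_by: str) -> str:
    """Hardened builder: cat becomes a bind parameter (?), and the sort
    column must be one of the known identifiers, otherwise it is rejected."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return f"SELECT id, name, price FROM prod WHERE cat = ? ORDER BY {order_by}"


def query_products(cat: str, order_by: str) -> list:
    """Run the safe query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prod (id INTEGER, name TEXT, cat TEXT, price REAL)")
    conn.executemany("INSERT INTO prod VALUES (?, ?, ?, ?)", [
        (1, "mug", "kitchen", 4.0),
        (2, "kettle", "kitchen", 25.0),
        (3, "lamp", "lighting", 12.0),
    ])
    try:
        return conn.execute(build_query_safe(order_by), (cat,)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # The escaped literal is fine; the non-identifier sort value passes through untouched.
    print(build_query_quote_escaping("a'b", "name, (SELECT 1)"))
    # Bound parameter: a stray quote in cat is just data, and the sort column is checked.
    print(query_products("kitchen", "price"))
    print(query_products("kitchen'", "price"))
```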
Hacking Oracle from Web
Exploiting SQL Injection against an Oracle database
How to extract data
One query to get them all!
How to execute OS code
What if we are not DBA?
Become DBA, execute OS code, drop DBA
Capture The Flag: SQL Injection
http://hacklab.net/ctf.asp?data=foobar
Objective: What’s in C:\secret.txt?
Time: 20 mins!
No instructions or hints this time!
Day 2: The Art of Exploiting Lesser Known Injection Flaws
ORM Injection
LDAP Injection
Advanced LDAP Injection
XPath Injection
XPath v2
XML Entity Injection
Combining XPath and XXE
CTF
Q&A
Hibernate Query Language Injection
The user’s input is concatenated into the HQL string and so passed directly to the underlying SQL engine:
List<Event> result = session.createQuery("from Event e where e.title='" + param + "'").list();
HACKING LDAP
LDAP overview
LDAP injection
Blind LDAP injection
Hacking LDAP in practice
Securing Applications Against LDAP Injections
LDAP Injection: Authentication Bypass
(&(user=username)(password=pwd))
Usually the password is hashed and then matched with the stored value, so injection is most likely to work only in the username field:
(&(user=username)(password=*))
(&(user=username)(&))(password=pwd))
Anything after the first filter will be ignored by OpenLDAP.
Exercise 6
http://hacklab2.net:81/ldap/selfservice/PHP/LDAP
Find the telephone number of employee Eric Philip
Time: 10 mins
XPATH Injection
Agenda
What is XPATH
Exploiting XPATH
Impact of XPATH exploitation
Blind XPATH Injection
Automating XPATH Injection
XPATH v2 injection
Insane XPATH Injection
Defending against XPATH Injection
XPATH’s XML Nomenclature
[Diagram: an annotated XML document labelling the root node, comment, node name, node value, attribute name and attribute value]
Automating Xpath
XPATH Explorer
Demo time!
XPath 2.0 Features
Hugely increased feature set:
Regular expressions
Unicode normalization
String to code point conversion
Remote document references
All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
XPATH 2.0
Allows reading not just the current XML file but any arbitrary XML file on the file system.
Hacking Web Services with XML External Entity
Not validating the XML before processing it
Attacker can inject an external entity: <!ENTITY pwned SYSTEM "file:///c:/boot.ini">
The web service parses the entity and the parser accesses the local resource
Unauthorized access to information
Port scanning
Denial of service attack
Breaking the XML syntax
Providing files like /dev/urandom
Combining XXE and Xpath
Did I say that with XPath 2.0 you can read arbitrary XML files on the file system?
I actually mean: with XPath 2.0 you can read arbitrary XML files on the file system.
Introducing Xcat