Slideshows by User: chemai64

Slideshows by User: chemai64 http://www.slideshare.net/ http://www.slideshare.net/images/logo.gif Slideshows by User: chemai64 http://www.slideshare.net/ Sat, 12 Dec 2009 08:28:16 GMT SlideShare feed for Slideshows by User: chemai64 Wifi Segura con D-Link Windows Server 2008 R2 http://www.slideshare.net/chemai64/wifi-segura-con-dlink-windows-server-2008-r2
Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:28:16 GMT http://www.slideshare.net/chemai64/wifi-segura-con-dlink-windows-server-2008-r2 chemai64@slideshare.net(chemai64) Wifi Segura con D-Link Windows Server 2008 R2 chemai64 Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo12-dl-04wifiseguracond-linkwindowsnogal-091212023036-phpapp01-thumbnail-2?1260606733" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009. Wifi Segura con D-Link Windows Server 2008 R2

View more presentations from chemai64.

]]> 41 0 http://cdn.slidesharecdn.com/simo12-dl-04wifiseguracond-linkwindowsnogal-091212023036-phpapp01-thumbnail-2?1260606733 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Switching D Link & NAP Windows Server 2008 R2 http://www.slideshare.net/chemai64/switching-d-link-nap-windows-server-2008-r2
Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:27:35 GMT http://www.slideshare.net/chemai64/switching-d-link-nap-windows-server-2008-r2 chemai64@slideshare.net(chemai64) Switching D Link & NAP Windows Server 2008 R2 chemai64 Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo11-dl-02switchingd-linknapwindowsnogal-091212022954-phpapp01-thumbnail-2?1260606629" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Francisco Nogal, de Informática 64, durante el SIMO Network 2009. Switching D Link & NAP Windows Server 2008 R2

View more presentations from chemai64.

]]> 54 0 http://cdn.slidesharecdn.com/simo11-dl-02switchingd-linknapwindowsnogal-091212022954-phpapp01-thumbnail-2?1260606629 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

System Center Operation Manager 2007 R2 SCOM http://www.slideshare.net/chemai64/system-center-operation-manager-2007-r2-scom
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:26:47 GMT http://www.slideshare.net/chemai64/system-center-operation-manager-2007-r2-scom chemai64@slideshare.net(chemai64) System Center Operation Manager 2007 R2 SCOM chemai64 Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo10scom2007r2joshua-091212022757-phpapp01-thumbnail-2?1260606543" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. System Center Operation Manager 2007 R2 SCOM

View more presentations from chemai64.

]]> 79 0 http://cdn.slidesharecdn.com/simo10scom2007r2joshua-091212022757-phpapp01-thumbnail-2?1260606543 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

System Center Configuration Manager 2007 R2 SCCM http://www.slideshare.net/chemai64/system-center-configuration-manager-2007-r2-sccm
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:26:43 GMT http://www.slideshare.net/chemai64/system-center-configuration-manager-2007-r2-sccm chemai64@slideshare.net(chemai64) System Center Configuration Manager 2007 R2 SCCM chemai64 Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo09sccm2007r2joshua-091212022816-phpapp01-thumbnail-2?1260606537" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. System Center Configuration Manager 2007 R2 SCCM

View more presentations from chemai64.

]]> 97 0 http://cdn.slidesharecdn.com/simo09sccm2007r2joshua-091212022816-phpapp01-thumbnail-2?1260606537 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Exchange Server 2010 http://www.slideshare.net/chemai64/exchange-server-2010
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:25:31 GMT http://www.slideshare.net/chemai64/exchange-server-2010 chemai64@slideshare.net(chemai64) Exchange Server 2010 chemai64 Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo08exc2010joshua-091212022648-phpapp02-thumbnail-2?1260606454" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Joshua Sáenz, de Informática 64, durante el SIMO Network 2009. Exchange Server 2010

View more presentations from chemai64.

]]> 78 0 http://cdn.slidesharecdn.com/simo08exc2010joshua-091212022648-phpapp02-thumbnail-2?1260606454 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Aplicación LOPD http://www.slideshare.net/chemai64/aplicacin-lopd
Sesión impartida por Juan Luís Rambla, de Informática 64, durante el SIMO Network 2009.]]>
Sesión impartida por Juan Luís Rambla, de Informática 64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:25:00 GMT http://www.slideshare.net/chemai64/aplicacin-lopd chemai64@slideshare.net(chemai64) Aplicación LOPD chemai64 Sesión impartida por Juan Luís Rambla, de Informática 64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo07lopdjuanluis-091212022521-phpapp02-thumbnail-2?1260606372" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Juan Luís Rambla, de Informática 64, durante el SIMO Network 2009. Aplicación LOPD

View more presentations from chemai64.

]]> 116 0 http://cdn.slidesharecdn.com/simo07lopdjuanluis-091212022521-phpapp02-thumbnail-2?1260606372 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Forefront Threat Management Gateway TMG http://www.slideshare.net/chemai64/forefront-threat-management-gateway-tmg
Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009.]]>
Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:24:14 GMT http://www.slideshare.net/chemai64/forefront-threat-management-gateway-tmg chemai64@slideshare.net(chemai64) Forefront Threat Management Gateway TMG chemai64 Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo06tmgjuanluis-091212022520-phpapp01-thumbnail-2?1260606370" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009. Forefront Threat Management Gateway TMG

View more presentations from chemai64.

]]> 83 0 http://cdn.slidesharecdn.com/simo06tmgjuanluis-091212022520-phpapp01-thumbnail-2?1260606370 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Análisis Forense http://www.slideshare.net/chemai64/anlisis-forense
Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009.]]>
Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:23:42 GMT http://www.slideshare.net/chemai64/anlisis-forense chemai64@slideshare.net(chemai64) Análisis Forense chemai64 Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo05forensejuanluis-091212022439-phpapp02-thumbnail-2?1260606326" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Juan Luís Rambla, de Informática64, durante el SIMO Network 2009. Análisis Forense

View more presentations from chemai64.

]]> 195 0 http://cdn.slidesharecdn.com/simo05forensejuanluis-091212022439-phpapp02-thumbnail-2?1260606326 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Metadata Security: MetaShield Protector http://www.slideshare.net/chemai64/metadata-security-metashield-protector
Sesión impartida por Chema Alonso, de Informática64, durante el SIMO Network 2009.]]>
Sesión impartida por Chema Alonso, de Informática64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:23:11 GMT http://www.slideshare.net/chemai64/metadata-security-metashield-protector chemai64@slideshare.net(chemai64) Metadata Security: MetaShield Protector chemai64 Sesión impartida por Chema Alonso, de Informática64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo04metashieldchema-091212022335-phpapp01-thumbnail-2?1260607929" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Chema Alonso, de Informática64, durante el SIMO Network 2009. Metadata Security: MetaShield Protector

View more presentations from chemai64.

]]> 61 0 http://cdn.slidesharecdn.com/simo04metashieldchema-091212022335-phpapp01-thumbnail-2?1260607929 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Windows Server 2008 & Windows 7 http://www.slideshare.net/chemai64/windows-server-2008-windows-7
Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009.]]>
Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:22:23 GMT http://www.slideshare.net/chemai64/windows-server-2008-windows-7 chemai64@slideshare.net(chemai64) Windows Server 2008 & Windows 7 chemai64 Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo03escritorioremotojulin-091212022611-phpapp02-thumbnail-2?1260606439" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009. Windows Server 2008 & Windows 7

View more presentations from chemai64.

]]> 112 0 http://cdn.slidesharecdn.com/simo03escritorioremotojulin-091212022611-phpapp02-thumbnail-2?1260606439 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Windows Server 2008 R2 Brand Cache http://www.slideshare.net/chemai64/windows-server-2008-r2-brand-cache
Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009.]]>
Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009.]]> Sat, 12 Dec 2009 08:21:26 GMT http://www.slideshare.net/chemai64/windows-server-2008-r2-brand-cache chemai64@slideshare.net(chemai64) Windows Server 2008 R2 Brand Cache chemai64 Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009. <img src="http://cdn.slidesharecdn.com/simo02branchcachejulin-091212022241-phpapp01-thumbnail-2?1260607135" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Julián Blázquez, de Informática64, durante el SIMO Network 2009. Windows Server 2008 R2 Brand Cache

View more presentations from chemai64.

]]> 89 0 http://cdn.slidesharecdn.com/simo02branchcachejulin-091212022241-phpapp01-thumbnail-2?1260607135 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

No Lusers Volumen II http://www.slideshare.net/chemai64/no-lusers-volumen-ii-2580371
Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo.]]>
Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo.]]> Wed, 25 Nov 2009 09:28:16 GMT http://www.slideshare.net/chemai64/no-lusers-volumen-ii-2580371 chemai64@slideshare.net(chemai64) No Lusers Volumen II chemai64 Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo. <img src="http://cdn.slidesharecdn.com/nolusers2-091125032818-phpapp02-thumbnail-2?1259141328" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo. No Lusers Volumen II

View more documents from chemai64.

]]> 288 0 http://cdn.slidesharecdn.com/nolusers2-091125032818-phpapp02-thumbnail-2?1259141328 document http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

No Lusers Volumen I http://www.slideshare.net/chemai64/no-lusers-volumen-i
Volumen I de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cunado intentas explicarlo.]]>
Volumen I de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cunado intentas explicarlo.]]> Sun, 22 Nov 2009 10:29:38 GMT http://www.slideshare.net/chemai64/no-lusers-volumen-i chemai64@slideshare.net(chemai64) No Lusers Volumen I chemai64 Volumen I de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cunado intentas explicarlo. <img src="http://cdn.slidesharecdn.com/nolusers1-091122042943-phpapp02-thumbnail-2?1259138700" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Volumen I de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cunado intentas explicarlo. No Lusers Volumen I

View more documents from chemai64.

]]> 539 0 http://cdn.slidesharecdn.com/nolusers1-091122042943-phpapp02-thumbnail-2?1259138700 document http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

No Lusers Volumen II http://www.slideshare.net/chemai64/no-lusers-volumen-ii
Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo.]]>
Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo.]]> Sun, 22 Nov 2009 10:29:28 GMT http://www.slideshare.net/chemai64/no-lusers-volumen-ii chemai64@slideshare.net(chemai64) No Lusers Volumen II chemai64 Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo. <img src="http://cdn.slidesharecdn.com/nolusers2-091122042934-phpapp02-thumbnail-2?1259139902" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Volumen II de las tiras de No Lusers explicadas por el autor para que puedas entender todos los chistes malos. Sí, ya lo sé, si un chiste es malo, no veas tú encima cuando intentas explicarlo. No Lusers Volumen II

View more documents from chemai64.

]]> 43 0 http://cdn.slidesharecdn.com/nolusers2-091122042934-phpapp02-thumbnail-2?1259139902 document http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

How "·$% developers defeat the web vulnerability scanners http://www.slideshare.net/chemai64/how-developers-defeat-the-web-vulnerability-scanners-2546881
Share Favorite Favorited X Download More... Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel Edit your favorites Cancel Send to your Group / Event Select Group / Event Add your message Cancel Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com Without related presentations 0 commentsPost a comment Post a comment .. Embed Video Subscribe to follow-up comments Unsubscribe from followup comments . Edit your comment Cancel .Notes on slide 1 no notes for slide #1 no notes for slide #1 ..Favorites, Groups & Events more How "·$% developers defeat the web vulnerability scanners - Presentation Transcript 1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica 2.Agenda 1.- Introduction 2.- Inverted Queries 3.- Arithmetic Blind SQL Injection 4.- Time-Based Blind SQL Injection using Heavey Queries 5.- Conclusions 3.1.-Introduction 4.SQL Injection is still here among us 5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs 6.Need to Improve Automatic Scanning Not always a manual scanning is possible Time Confidentiality Money, money, money… Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools. 7.2.-Inverted Queries 8. 9.Homers, how are they? Lazy Bad trainined Poor Experience in security stuff Don´t like working Don´t like computing Don´t like coding Don´t like you! 10.Flanders are Left-handed 11.Right SELECT UID FROM USERS WHERE NAME=‘V_NAME’ AND PASSWORD=‘V_PASSW’; 12.Wrong? SELECT UID FROM USERS WHERE ‘V_NAME’=NAME AND ‘ V_PASSW’=PASSWORD 13.Login Inverted Query Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1 Select uid From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password  FAIL 14.Login Inverted SQL Injection an example Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica Select uid From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password  Success 15.Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection 16.Blind SQL Injection Attacks Attacker injects: “ True where clauses” “ False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database. 17.Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “ Different behavior” By example: Response Time 18.Blind SQL Injection Attacks If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “ True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1) 19.Blind Inverted Query Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 2 and 1=1 Select product From products Where 2 and 1=1=id; -> FAIL 20.The MySQL Case 1 is True 1=1=1 ->True 1=1=(1+1-1)=abs(1)=1 -> True 2=2=2 ->False -> 2=2 becomes True -> True=2 -> True is equals to 1 then 1=2 is False Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 1 and 1=1 Select product From products Where 1 and 1=1=id; -> SUCCES (if there is a Id=1) 21.Web Scanner behaviors Acunetix Paros AppScan W3af Wapiti Proxy Strike 22.Acunetix & Homer 23.Acunetix & Flanders 24.AppScan & Homer 25.AppScan & Flanders 26.Paros & Homer 27.Paros & Flanders 28.W3af & Homer 29.W3af & Flanders 30.Wapiti & Homer 31.Wapiti & Flanders 32.Demo W3af Wapiti Proxy Strike 33.Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike 34.In the end… OUCH!!! Thank God for keep me safe 35.Solutions? Concat string injection Arithmetic Blind SQL Injection Time-Based Blind SQL injection Delay Functions Heavy queries 36.3.- Arithmetic 37.What about this queries? How to detect/exploit this Blind SQLinjection vulnerability? The query forces the parameter to be numeric SELECT field FROM table WHERE id=abs( param ) Ex: Get Param( ID ) Select ….. Where att1=abs( ID ) Select ….. Where att2=k1- ID Print response Not AND or OR operators can be used. Boolean logic needs to be created with math operations 38.Arithmetic Blind SQL Injection Divide by zero (David Litchfield) Id=A+(1/(ASCII(B)-C)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception. 39.Arithmetic Blind SQL Injection Sums and subtractions Id=A+ASCII(B)-C A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A 40.Arithmetic Blind SQL Injection Value type overflow Id=A+((C/ASCII(B))*(K)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] K-> Value that overflows the type defined for A (e.g. if A is integer, then K=2^ 32 ) When C/ASCII(B)==1, K*1 overflows the data type 41.Demo: Divide by zero Sums and subtractions Integer overflow 42.Conclusions Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”. detects bugs in this kind of queries… And also in Inverted queries in which a numeric value is used Almost none of the vulnerability scanners are using this method 43.4.-Time-based Blind SQL Injection using heavy queries 44.Time-Based Blind SQL Injection In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. Injection forces a delay in the response page when the condition injected is True. - Delay functions: SQL Server: waitfor Oracle: dbms_lock.sleep MySQL: sleep or Benchmark Function Postgres: pg_sleep Ex: ; if (exists(select * from users)) waitfor delay '0:0:5’ 45.Time-Based Blind SQL Injection What about DBs without delay functions, i.e.: Oracle connections MS Access DB2 without PL/SQL injection Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks? 46. 47.“ Where-Clause” execution order Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first? 48.The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec 49.The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec 50.Time-Based Blind SQL Injection using Heavy Queries Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: Databases without optimization process Databases with optimization process 51.Time-Based Blind SQL Injection using Heavy Queries Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition. Attacker only have to know or to guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) 52.“ Default” tables to construct a heavy query Microsoft SQL Server sysusers Oracle all_users MySQL (versión 5) information_schema.columns Microsoft Access MSysAccessObjects (97 & 2000 versions) MSysAccessStorage (2003 & 2007) 53.“ Default” tables to construct a heavy query … or whatever you can guess Clients Customers News Logins Users Providers … .Use your imagination… 54.Ex 1: MS SQL Server Query takes 14 seconds -> True-Answer 55.Ex 1: MS SQL Server Query takes 1 second -> False-Answer 56.Ex 2: Oracle Query Takes 22 seconds –> True-Answer 57.Ex 2: Oracle Query Takes 1 second –> False-Answer 58.Ex 3: Access 2007 Query Takes 39 seconds –> True-Answer 59.Ex 3: Access 2007 Query Takes 1 second –> False-Answer 60.Marathon Tool Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. Schema Extraction from known databases Extract data using heavy queries not matter in which database engine (without schema) Developed in .NET Source code available http://www.codeplex.com/marathontool 61.Demo: Marathon Tool 62.5.- Conclusions 63.The real world has plenty kinds of developers… 64.References Inverted SQL queries (Spanish) http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html Arithemtic Blind SQL Injection (spanish) http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html Time-Based Blind SQL Injection Using heavy queries & Marathon Tool http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf Marathon Tool http://www.codeplex.com/marathontool Connection String Attacks (spanish) http://www.slideshare.net/chemai64/connection-string-parameter-pollution 65.Don´t complain about your job!! 66.Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] ) + chemai64, 20 hours ago Embed custom .Without related presentations For WordPress.com 173 views, 0 favs, 3 embeds more stats Session deliverd by José Parada & Chema Alonso in more Session deliverd by José Parada & Chema Alonso in CONFidence VI Edition - Warszawa 2009 about How How "·$% developers defeat the web vulnerability scanners. SQL injection Tips & Tricks. That´s all folks!]]>
Share Favorite Favorited X Download More... Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel Edit your favorites Cancel Send to your Group / Event Select Group / Event Add your message Cancel Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com Without related presentations 0 commentsPost a comment Post a comment .. Embed Video Subscribe to follow-up comments Unsubscribe from followup comments . Edit your comment Cancel .Notes on slide 1 no notes for slide #1 no notes for slide #1 ..Favorites, Groups & Events more How "·$% developers defeat the web vulnerability scanners - Presentation Transcript 1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica 2.Agenda 1.- Introduction 2.- Inverted Queries 3.- Arithmetic Blind SQL Injection 4.- Time-Based Blind SQL Injection using Heavey Queries 5.- Conclusions 3.1.-Introduction 4.SQL Injection is still here among us 5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs 6.Need to Improve Automatic Scanning Not always a manual scanning is possible Time Confidentiality Money, money, money… Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools. 7.2.-Inverted Queries 8. 9.Homers, how are they? Lazy Bad trainined Poor Experience in security stuff Don´t like working Don´t like computing Don´t like coding Don´t like you! 10.Flanders are Left-handed 11.Right SELECT UID FROM USERS WHERE NAME=‘V_NAME’ AND PASSWORD=‘V_PASSW’; 12.Wrong? SELECT UID FROM USERS WHERE ‘V_NAME’=NAME AND ‘ V_PASSW’=PASSWORD 13.Login Inverted Query Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1 Select uid From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password  FAIL 14.Login Inverted SQL Injection an example Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica Select uid From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password  Success 15.Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection 16.Blind SQL Injection Attacks Attacker injects: “ True where clauses” “ False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database. 17.Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “ Different behavior” By example: Response Time 18.Blind SQL Injection Attacks If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “ True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1) 19.Blind Inverted Query Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 2 and 1=1 Select product From products Where 2 and 1=1=id; -> FAIL 20.The MySQL Case 1 is True 1=1=1 ->True 1=1=(1+1-1)=abs(1)=1 -> True 2=2=2 ->False -> 2=2 becomes True -> True=2 -> True is equals to 1 then 1=2 is False Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 1 and 1=1 Select product From products Where 1 and 1=1=id; -> SUCCES (if there is a Id=1) 21.Web Scanner behaviors Acunetix Paros AppScan W3af Wapiti Proxy Strike 22.Acunetix & Homer 23.Acunetix & Flanders 24.AppScan & Homer 25.AppScan & Flanders 26.Paros & Homer 27.Paros & Flanders 28.W3af & Homer 29.W3af & Flanders 30.Wapiti & Homer 31.Wapiti & Flanders 32.Demo W3af Wapiti Proxy Strike 33.Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike 34.In the end… OUCH!!! Thank God for keep me safe 35.Solutions? Concat string injection Arithmetic Blind SQL Injection Time-Based Blind SQL injection Delay Functions Heavy queries 36.3.- Arithmetic 37.What about this queries? How to detect/exploit this Blind SQLinjection vulnerability? The query forces the parameter to be numeric SELECT field FROM table WHERE id=abs( param ) Ex: Get Param( ID ) Select ….. Where att1=abs( ID ) Select ….. Where att2=k1- ID Print response Not AND or OR operators can be used. Boolean logic needs to be created with math operations 38.Arithmetic Blind SQL Injection Divide by zero (David Litchfield) Id=A+(1/(ASCII(B)-C)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception. 39.Arithmetic Blind SQL Injection Sums and subtractions Id=A+ASCII(B)-C A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A 40.Arithmetic Blind SQL Injection Value type overflow Id=A+((C/ASCII(B))*(K)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] K-> Value that overflows the type defined for A (e.g. if A is integer, then K=2^ 32 ) When C/ASCII(B)==1, K*1 overflows the data type 41.Demo: Divide by zero Sums and subtractions Integer overflow 42.Conclusions Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”. detects bugs in this kind of queries… And also in Inverted queries in which a numeric value is used Almost none of the vulnerability scanners are using this method 43.4.-Time-based Blind SQL Injection using heavy queries 44.Time-Based Blind SQL Injection In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. Injection forces a delay in the response page when the condition injected is True. - Delay functions: SQL Server: waitfor Oracle: dbms_lock.sleep MySQL: sleep or Benchmark Function Postgres: pg_sleep Ex: ; if (exists(select * from users)) waitfor delay '0:0:5’ 45.Time-Based Blind SQL Injection What about DBs without delay functions, i.e.: Oracle connections MS Access DB2 without PL/SQL injection Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks? 46. 47.“ Where-Clause” execution order Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first? 48.The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec 49.The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec 50.Time-Based Blind SQL Injection using Heavy Queries Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: Databases without optimization process Databases with optimization process 51.Time-Based Blind SQL Injection using Heavy Queries Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition. Attacker only have to know or to guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) 52.“ Default” tables to construct a heavy query Microsoft SQL Server sysusers Oracle all_users MySQL (versión 5) information_schema.columns Microsoft Access MSysAccessObjects (97 & 2000 versions) MSysAccessStorage (2003 & 2007) 53.“ Default” tables to construct a heavy query … or whatever you can guess Clients Customers News Logins Users Providers … .Use your imagination… 54.Ex 1: MS SQL Server Query takes 14 seconds -> True-Answer 55.Ex 1: MS SQL Server Query takes 1 second -> False-Answer 56.Ex 2: Oracle Query Takes 22 seconds –> True-Answer 57.Ex 2: Oracle Query Takes 1 second –> False-Answer 58.Ex 3: Access 2007 Query Takes 39 seconds –> True-Answer 59.Ex 3: Access 2007 Query Takes 1 second –> False-Answer 60.Marathon Tool Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. Schema Extraction from known databases Extract data using heavy queries not matter in which database engine (without schema) Developed in .NET Source code available http://www.codeplex.com/marathontool 61.Demo: Marathon Tool 62.5.- Conclusions 63.The real world has plenty kinds of developers… 64.References Inverted SQL queries (Spanish) http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html Arithemtic Blind SQL Injection (spanish) http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html Time-Based Blind SQL Injection Using heavy queries & Marathon Tool http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf Marathon Tool http://www.codeplex.com/marathontool Connection String Attacks (spanish) http://www.slideshare.net/chemai64/connection-string-parameter-pollution 65.Don´t complain about your job!! 66.Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] ) + chemai64, 20 hours ago Embed custom .Without related presentations For WordPress.com 173 views, 0 favs, 3 embeds more stats Session deliverd by José Parada & Chema Alonso in more Session deliverd by José Parada & Chema Alonso in CONFidence VI Edition - Warszawa 2009 about How How "·$% developers defeat the web vulnerability scanners. SQL injection Tips & Tricks. That´s all folks!]]> Fri, 20 Nov 2009 16:42:42 GMT http://www.slideshare.net/chemai64/how-developers-defeat-the-web-vulnerability-scanners-2546881 chemai64@slideshare.net(chemai64) How "·$% developers defeat the web vulnerability scanners chemai64 Share Favorite Favorited X Download More... Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel Edit your favorites Cancel Send to your Group / Event Select Group / Event Add your message Cancel Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com Without related presentations 0 commentsPost a comment Post a comment .. Embed Video Subscribe to follow-up comments Unsubscribe from followup comments . Edit your comment Cancel .Notes on slide 1 no notes for slide #1 no notes for slide #1 ..Favorites, Groups & Events more How "·$% developers defeat the web vulnerability scanners - Presentation Transcript 1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica 2.Agenda 1.- Introduction 2.- Inverted Queries 3.- Arithmetic Blind SQL Injection 4.- Time-Based Blind SQL Injection using Heavey Queries 5.- Conclusions 3.1.-Introduction 4.SQL Injection is still here among us 5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs 6.Need to Improve Automatic Scanning Not always a manual scanning is possible Time Confidentiality Money, money, money… Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools. 7.2.-Inverted Queries 8. 9.Homers, how are they? Lazy Bad trainined Poor Experience in security stuff Don´t like working Don´t like computing Don´t like coding Don´t like you! 10.Flanders are Left-handed 11.Right SELECT UID FROM USERS WHERE NAME=‘V_NAME’ AND PASSWORD=‘V_PASSW’; 12.Wrong? SELECT UID FROM USERS WHERE ‘V_NAME’=NAME AND ‘ V_PASSW’=PASSWORD 13.Login Inverted Query Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or &apos;1&apos;=&apos;1 Select uid From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password  FAIL 14.Login Inverted SQL Injection an example Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica Select uid From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password  Success 15.Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection 16.Blind SQL Injection Attacks Attacker injects: “ True where clauses” “ False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database. 17.Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “ Different behavior” By example: Response Time 18.Blind SQL Injection Attacks If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “ True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum&lt;=1) 19.Blind Inverted Query Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 2 and 1=1 Select product From products Where 2 and 1=1=id; -> FAIL 20.The MySQL Case 1 is True 1=1=1 ->True 1=1=(1+1-1)=abs(1)=1 -> True 2=2=2 ->False -> 2=2 becomes True -> True=2 -> True is equals to 1 then 1=2 is False Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 1 and 1=1 Select product From products Where 1 and 1=1=id; -> SUCCES (if there is a Id=1) 21.Web Scanner behaviors Acunetix Paros AppScan W3af Wapiti Proxy Strike 22.Acunetix & Homer 23.Acunetix & Flanders 24.AppScan & Homer 25.AppScan & Flanders 26.Paros & Homer 27.Paros & Flanders 28.W3af & Homer 29.W3af & Flanders 30.Wapiti & Homer 31.Wapiti & Flanders 32.Demo W3af Wapiti Proxy Strike 33.Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike 34.In the end… OUCH!!! Thank God for keep me safe 35.Solutions? Concat string injection Arithmetic Blind SQL Injection Time-Based Blind SQL injection Delay Functions Heavy queries 36.3.- Arithmetic 37.What about this queries? How to detect/exploit this Blind SQLinjection vulnerability? The query forces the parameter to be numeric SELECT field FROM table WHERE id=abs( param ) Ex: Get Param( ID ) Select ….. Where att1=abs( ID ) Select ….. Where att2=k1- ID Print response Not AND or OR operators can be used. Boolean logic needs to be created with math operations 38.Arithmetic Blind SQL Injection Divide by zero (David Litchfield) Id=A+(1/(ASCII(B)-C)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception. 39.Arithmetic Blind SQL Injection Sums and subtractions Id=A+ASCII(B)-C A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A 40.Arithmetic Blind SQL Injection Value type overflow Id=A+((C/ASCII(B))*(K)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] K-> Value that overflows the type defined for A (e.g. if A is integer, then K=2^ 32 ) When C/ASCII(B)==1, K*1 overflows the data type 41.Demo: Divide by zero Sums and subtractions Integer overflow 42.Conclusions Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”. detects bugs in this kind of queries… And also in Inverted queries in which a numeric value is used Almost none of the vulnerability scanners are using this method 43.4.-Time-based Blind SQL Injection using heavy queries 44.Time-Based Blind SQL Injection In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. Injection forces a delay in the response page when the condition injected is True. - Delay functions: SQL Server: waitfor Oracle: dbms_lock.sleep MySQL: sleep or Benchmark Function Postgres: pg_sleep Ex: ; if (exists(select * from users)) waitfor delay &apos;0:0:5’ 45.Time-Based Blind SQL Injection What about DBs without delay functions, i.e.: Oracle connections MS Access DB2 without PL/SQL injection Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks? 46. 47.“ Where-Clause” execution order Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first? 48.The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec 49.The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec 50.Time-Based Blind SQL Injection using Heavy Queries Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: Databases without optimization process Databases with optimization process 51.Time-Based Blind SQL Injection using Heavy Queries Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition. Attacker only have to know or to guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) 52.“ Default” tables to construct a heavy query Microsoft SQL Server sysusers Oracle all_users MySQL (versión 5) information_schema.columns Microsoft Access MSysAccessObjects (97 & 2000 versions) MSysAccessStorage (2003 & 2007) 53.“ Default” tables to construct a heavy query … or whatever you can guess Clients Customers News Logins Users Providers … .Use your imagination… 54.Ex 1: MS SQL Server Query takes 14 seconds -> True-Answer 55.Ex 1: MS SQL Server Query takes 1 second -> False-Answer 56.Ex 2: Oracle Query Takes 22 seconds –> True-Answer 57.Ex 2: Oracle Query Takes 1 second –> False-Answer 58.Ex 3: Access 2007 Query Takes 39 seconds –> True-Answer 59.Ex 3: Access 2007 Query Takes 1 second –> False-Answer 60.Marathon Tool Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. Schema Extraction from known databases Extract data using heavy queries not matter in which database engine (without schema) Developed in .NET Source code available http://www.codeplex.com/marathontool 61.Demo: Marathon Tool 62.5.- Conclusions 63.The real world has plenty kinds of developers… 64.References Inverted SQL queries (Spanish) http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html Arithemtic Blind SQL Injection (spanish) http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html Time-Based Blind SQL Injection Using heavy queries & Marathon Tool http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf Marathon Tool http://www.codeplex.com/marathontool Connection String Attacks (spanish) http://www.slideshare.net/chemai64/connection-string-parameter-pollution 65.Don´t complain about your job!! 66.Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] ) + chemai64, 20 hours ago Embed custom .Without related presentations For WordPress.com 173 views, 0 favs, 3 embeds more stats Session deliverd by José Parada & Chema Alonso in more Session deliverd by José Parada & Chema Alonso in CONFidence VI Edition - Warszawa 2009 about How How "·$% developers defeat the web vulnerability scanners. SQL injection Tips & Tricks. That´s all folks! <img src="http://cdn.slidesharecdn.com/confidence2009public-091120104250-phpapp01-thumbnail-2?1258735439" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Share Favorite Favorited X Download More... Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel Edit your favorites Cancel Send to your Group / Event Select Group / Event Add your message Cancel Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com Without related presentations 0 commentsPost a comment Post a comment .. Embed Video Subscribe to follow-up comments Unsubscribe from followup comments . Edit your comment Cancel .Notes on slide 1 no notes for slide #1 no notes for slide #1 ..Favorites, Groups & Events more How "·$% developers defeat the web vulnerability scanners - Presentation Transcript 1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica 2.Agenda 1.- Introduction 2.- Inverted Queries 3.- Arithmetic Blind SQL Injection 4.- Time-Based Blind SQL Injection using Heavey Queries 5.- Conclusions 3.1.-Introduction 4.SQL Injection is still here among us 5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs 6.Need to Improve Automatic Scanning Not always a manual scanning is possible Time Confidentiality Money, money, money… Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools. 7.2.-Inverted Queries 8. 9.Homers, how are they? Lazy Bad trainined Poor Experience in security stuff Don´t like working Don´t like computing Don´t like coding Don´t like you! 10.Flanders are Left-handed 11.Right SELECT UID FROM USERS WHERE NAME=‘V_NAME’ AND PASSWORD=‘V_PASSW’; 12.Wrong? SELECT UID FROM USERS WHERE ‘V_NAME’=NAME AND ‘ V_PASSW’=PASSWORD 13.Login Inverted Query Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or &apos;1&apos;=&apos;1 Select uid From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password  FAIL 14.Login Inverted SQL Injection an example Select uid From users where ‘v_name’=name and ‘v_pass’=password http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica Select uid From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password  Success 15.Blind Attacks Attacker injects code but can´t access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection Biind Xpath Injection Blind LDAP Injection 16.Blind SQL Injection Attacks Attacker injects: “ True where clauses” “ False where clauses“ Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program doesn’t return any visible data from database or data in error messages. The attacker can´t see any data extracted from the database. 17.Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums “ Different behavior” By example: Response Time 18.Blind SQL Injection Attacks If any difference exists, then: Attacker can extract all information from database How? Using “booleanization” MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) “ True-Answer Page” or “False-Answer Page”? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum&lt;=1) 19.Blind Inverted Query Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 2 and 1=1 Select product From products Where 2 and 1=1=id; -> FAIL 20.The MySQL Case 1 is True 1=1=1 ->True 1=1=(1+1-1)=abs(1)=1 -> True 2=2=2 ->False -> 2=2 becomes True -> True=2 -> True is equals to 1 then 1=2 is False Select product From products Where v_value=id; http://www.web.com/products.php?v_value= 1 and 1=1 Select product From products Where 1 and 1=1=id; -> SUCCES (if there is a Id=1) 21.Web Scanner behaviors Acunetix Paros AppScan W3af Wapiti Proxy Strike 22.Acunetix & Homer 23.Acunetix & Flanders 24.AppScan & Homer 25.AppScan & Flanders 26.Paros & Homer 27.Paros & Flanders 28.W3af & Homer 29.W3af & Flanders 30.Wapiti & Homer 31.Wapiti & Flanders 32.Demo W3af Wapiti Proxy Strike 33.Results Normal Inverted MySQL MS SQL Server MySQL MS SQL Server Numeric String Numeric String Numeric String Numeric String Paros AppScan Acunetix w3af wapiti Proxy Strike 34.In the end… OUCH!!! Thank God for keep me safe 35.Solutions? Concat string injection Arithmetic Blind SQL Injection Time-Based Blind SQL injection Delay Functions Heavy queries 36.3.- Arithmetic 37.What about this queries? How to detect/exploit this Blind SQLinjection vulnerability? The query forces the parameter to be numeric SELECT field FROM table WHERE id=abs( param ) Ex: Get Param( ID ) Select ….. Where att1=abs( ID ) Select ….. Where att2=k1- ID Print response Not AND or OR operators can be used. Boolean logic needs to be created with math operations 38.Arithmetic Blind SQL Injection Divide by zero (David Litchfield) Id=A+(1/(ASCII(B)-C)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] TRUE: When ASCII(B)=C, the DB will generate a divide by zero exception. 39.Arithmetic Blind SQL Injection Sums and subtractions Id=A+ASCII(B)-C A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A 40.Arithmetic Blind SQL Injection Value type overflow Id=A+((C/ASCII(B))*(K)) A-> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C-> Counter [0..255] K-> Value that overflows the type defined for A (e.g. if A is integer, then K=2^ 32 ) When C/ASCII(B)==1, K*1 overflows the data type 41.Demo: Divide by zero Sums and subtractions Integer overflow 42.Conclusions Arithmetic Blind SQL Injection allows to construct binary logic without “AND” and “OR”. detects bugs in this kind of queries… And also in Inverted queries in which a numeric value is used Almost none of the vulnerability scanners are using this method 43.4.-Time-based Blind SQL Injection using heavy queries 44.Time-Based Blind SQL Injection In scenarios with no differences between “True-Answer Page” and “False-Answer Page”, time delays can be used. Injection forces a delay in the response page when the condition injected is True. - Delay functions: SQL Server: waitfor Oracle: dbms_lock.sleep MySQL: sleep or Benchmark Function Postgres: pg_sleep Ex: ; if (exists(select * from users)) waitfor delay &apos;0:0:5’ 45.Time-Based Blind SQL Injection What about DBs without delay functions, i.e.: Oracle connections MS Access DB2 without PL/SQL injection Can we still perform an exploitation of Time-Based Blind SQL Injection Attacks? 46. 47.“ Where-Clause” execution order Select “whatever “ From whatever Where condition1 and condition2 - Condition1 lasts 10 seconds - Condition2 lasts 100 seconds Which condition should be executed first? 48.The heavy condition first Condition2 (100 sec) Condition1 (10 sec) Condition2 & condition1 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 100 sec 49.The light condition first Condition1 (10 sec) Condition2 (100 sec) Condition1 & condition2 Response Time TRUE FALSE FALSE 110 sec TRUE TRUE TRUE 110 sec FALSE Not evaluated FALSE 10 sec 50.Time-Based Blind SQL Injection using Heavy Queries Attacker can perform an exploitation delaying the “True-answer page” using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: Databases without optimization process Databases with optimization process 51.Time-Based Blind SQL Injection using Heavy Queries Attacker could inject a heavy Cross-Join condition for delaying the response page in True-Injections. The Cross-join injection must be heavier than the other condition. Attacker only have to know or to guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers) 52.“ Default” tables to construct a heavy query Microsoft SQL Server sysusers Oracle all_users MySQL (versión 5) information_schema.columns Microsoft Access MSysAccessObjects (97 & 2000 versions) MSysAccessStorage (2003 & 2007) 53.“ Default” tables to construct a heavy query … or whatever you can guess Clients Customers News Logins Users Providers … .Use your imagination… 54.Ex 1: MS SQL Server Query takes 14 seconds -> True-Answer 55.Ex 1: MS SQL Server Query takes 1 second -> False-Answer 56.Ex 2: Oracle Query Takes 22 seconds –> True-Answer 57.Ex 2: Oracle Query Takes 1 second –> False-Answer 58.Ex 3: Access 2007 Query Takes 39 seconds –> True-Answer 59.Ex 3: Access 2007 Query Takes 1 second –> False-Answer 60.Marathon Tool Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle Databases. Schema Extraction from known databases Extract data using heavy queries not matter in which database engine (without schema) Developed in .NET Source code available http://www.codeplex.com/marathontool 61.Demo: Marathon Tool 62.5.- Conclusions 63.The real world has plenty kinds of developers… 64.References Inverted SQL queries (Spanish) http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html Arithemtic Blind SQL Injection (spanish) http://elladodelmal.blogspot.com/2009/07/arithmetic-blind-sql-injection-i-de-ii.html Time-Based Blind SQL Injection Using heavy queries & Marathon Tool http://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf Marathon Tool http://www.codeplex.com/marathontool Connection String Attacks (spanish) http://www.slideshare.net/chemai64/connection-string-parameter-pollution 65.Don´t complain about your job!! 66.Thanks! Chema Alonso ( [email_address] ) José Parada ( [email_address] ) + chemai64, 20 hours ago Embed custom .Without related presentations For WordPress.com 173 views, 0 favs, 3 embeds more stats Session deliverd by José Parada & Chema Alonso in more Session deliverd by José Parada & Chema Alonso in CONFidence VI Edition - Warszawa 2009 about How How "·$% developers defeat the web vulnerability scanners. SQL injection Tips & Tricks. That´s all folks! How "·$% developers defeat the web vulnerability scanners

View more presentations from chemai64.

]]> 354 0 http://cdn.slidesharecdn.com/confidence2009public-091120104250-phpapp01-thumbnail-2?1258735439 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Forefront Threat Management Gateway http://www.slideshare.net/chemai64/forefront-threat-management-gateway
Sesión impartida por Juan Luís García Rambla sobre Forefront Threat Management Gateway en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]>
Sesión impartida por Juan Luís García Rambla sobre Forefront Threat Management Gateway en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]> Thu, 05 Nov 2009 22:27:10 GMT http://www.slideshare.net/chemai64/forefront-threat-management-gateway chemai64@slideshare.net(chemai64) Forefront Threat Management Gateway chemai64 Sesión impartida por Juan Luís García Rambla sobre Forefront Threat Management Gateway en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. <img src="http://cdn.slidesharecdn.com/00ppts1eventotmgjuanluis-091105163006-phpapp02-thumbnail-2?1257460279" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Juan Luís García Rambla sobre Forefront Threat Management Gateway en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. Forefront Threat Management Gateway

View more presentations from chemai64.

]]> 387 0 http://cdn.slidesharecdn.com/00ppts1eventotmgjuanluis-091105163006-phpapp02-thumbnail-2?1257460279 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

MetaShield Protector http://www.slideshare.net/chemai64/metashield-protector
Sesión impartida por Alejandro Martín Bailón sobre Metadata Security, La Foca y MetaShield Protector en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]>
Sesión impartida por Alejandro Martín Bailón sobre Metadata Security, La Foca y MetaShield Protector en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]> Thu, 05 Nov 2009 22:18:08 GMT http://www.slideshare.net/chemai64/metashield-protector chemai64@slideshare.net(chemai64) MetaShield Protector chemai64 Sesión impartida por Alejandro Martín Bailón sobre Metadata Security, La Foca y MetaShield Protector en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. <img src="http://cdn.slidesharecdn.com/presentacionalex-091105161813-phpapp02-thumbnail-2?1257459587" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Alejandro Martín Bailón sobre Metadata Security, La Foca y MetaShield Protector en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. MetaShield Protector

View more presentations from chemai64.

]]> 194 0 http://cdn.slidesharecdn.com/presentacionalex-091105161813-phpapp02-thumbnail-2?1257459587 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Exchange Server 2010 & Message Stats http://www.slideshare.net/chemai64/exchange-server-2010-message-stats
Sesión impartida por Joshua Sáenz Guijarro sobre Exhange Server 2010 y Quest Message Stats en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]>
Sesión impartida por Joshua Sáenz Guijarro sobre Exhange Server 2010 y Quest Message Stats en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009.]]> Thu, 05 Nov 2009 22:17:42 GMT http://www.slideshare.net/chemai64/exchange-server-2010-message-stats chemai64@slideshare.net(chemai64) Exchange Server 2010 & Message Stats chemai64 Sesión impartida por Joshua Sáenz Guijarro sobre Exhange Server 2010 y Quest Message Stats en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. <img src="http://cdn.slidesharecdn.com/exchange2010messagestats-091105161748-phpapp02-thumbnail-2?1257459544" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Sesión impartida por Joshua Sáenz Guijarro sobre Exhange Server 2010 y Quest Message Stats en el evento del décimo aniversario de Informática64. El pasado 1 de Octubre de 2009. Exchange Server 2010 & Message Stats

View more presentations from chemai64.

]]> 225 0 http://cdn.slidesharecdn.com/exchange2010messagestats-091105161748-phpapp02-thumbnail-2?1257459544 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

LDAP Injection & Blind LDAP Injection http://www.slideshare.net/chemai64/ldap-injection-blind-ldap-injection
This talk was delivered in BlackHat Europe 2009 by Chema Alonso & José Parada.]]>
This talk was delivered in BlackHat Europe 2009 by Chema Alonso & José Parada.]]> Fri, 09 Oct 2009 16:02:19 GMT http://www.slideshare.net/chemai64/ldap-injection-blind-ldap-injection chemai64@slideshare.net(chemai64) LDAP Injection & Blind LDAP Injection chemai64 This talk was delivered in BlackHat Europe 2009 by Chema Alonso & José Parada. <img src="http://cdn.slidesharecdn.com/diapositivasldapinjectionblindldapinjection-091009110224-phpapp01-thumbnail-2?1255104287" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> This talk was delivered in BlackHat Europe 2009 by Chema Alonso & José Parada. LDAP Injection & Blind LDAP Injection

View more presentations from chemai64.

]]> 307 0 http://cdn.slidesharecdn.com/diapositivasldapinjectionblindldapinjection-091009110224-phpapp01-thumbnail-2?1255104287 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

Connection String Parameter Pollution http://www.slideshare.net/chemai64/connection-string-parameter-pollution
Charla impartida por Chema Alonso en la Ekoparty 2009 sobre Connection String Parameter Pollution.]]>
Charla impartida por Chema Alonso en la Ekoparty 2009 sobre Connection String Parameter Pollution.]]> Thu, 17 Sep 2009 23:14:01 GMT http://www.slideshare.net/chemai64/connection-string-parameter-pollution chemai64@slideshare.net(chemai64) Connection String Parameter Pollution chemai64 Charla impartida por Chema Alonso en la Ekoparty 2009 sobre Connection String Parameter Pollution. <img src="http://cdn.slidesharecdn.com/cspp-090917181402-phpapp02-thumbnail-2?1253229285" alt ="" style="border:1px solid #C3E6D8;float:right;" /><br> Charla impartida por Chema Alonso en la Ekoparty 2009 sobre Connection String Parameter Pollution. Connection String Parameter Pollution

View more presentations from chemai64.

]]> 2226 0 http://cdn.slidesharecdn.com/cspp-090917181402-phpapp02-thumbnail-2?1253229285 presentation http://activitystrea.ms/schema/1.0/post

http://activitystrea.ms/schema/1.0/posted

SlideShare

| Get your SlideShare Playlist

]]>

SlideShare

| Get your SlideShare Playlist

]]>

SlideShare

| Get your Presentation Pack

]]>

SlideShare

| Get your Presentation Pack

]]>

Get your own Widget

]]> http://public.slidesharecdn.com/images/userImage_SMALL.gif http://cdn.slidesharecdn.com/simo12-dl-04wifiseguracond-linkwindowsnogal-091212023036-phpapp01-thumbnail?1260606733 chemai64/wifi-segura-con-dlink-windows-server-2008-r2 Wifi Segura con D-Link... http://cdn.slidesharecdn.com/simo11-dl-02switchingd-linknapwindowsnogal-091212022954-phpapp01-thumbnail?1260606629 chemai64/switching-d-link-nap-windows-server-2008-r2 Switching D Link & NAP... http://cdn.slidesharecdn.com/simo10scom2007r2joshua-091212022757-phpapp01-thumbnail?1260606543 chemai64/system-center-operation-manager-2007-r2-scom System Center Operatio...