
Injection flaw teaser


Published in: Technology
Reader comment: How can you say that injection is mostly possible only in the username field? Is there any reason why it can't be done in the password field?


  1. The Art of Exploiting Injection Flaws (Sumit)
  2. About the course
     • Hands-on 2-day training
     • Requires out-of-the-box thinking (strong coffee recommended!)
     • 20 exercises, 100 slides, 8 CTFs!
     • Previous feedback: "This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid" and "I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid"
  3. About Me
     • Sumit "sid" Siddharth
     • Speaker/Trainer at Black Hat, Def Con, OWASP AppSec, HITB, Ruxcon etc.
     • My blog:
     • Specialist in Application & Database Security!
     • More than 8 years of pentesting!
     • Co-author: SQL Injection, Attacks and Defense
     • Head of Penetration Testing @ 7Safe
  4. Day 1: SQL Injection
  5. Exploiting SQL Injections
     • Authentication Bypass
     • Extracting Data: error message enabled, error message disabled, Union injection, Blind injection, time delays, out-of-band channels
     • Privilege Escalation
     • OS code execution
  6. Exercise 9.8 – SQL Injection: OS command execution
     • Objective: exploit SQL injection to run OS commands on the database server
     • CTF: what are the contents of C:\secret.txt on the server
     • Time: 10 mins
  7. Advanced SQL Injection
     • Insanely Blind SQL Injection: the application returns the same response
     • Injection point in an INSERT/UPDATE statement
  8. Encoding/Decoding User Input
     • Base64 decoding of user input
     • Hex decoding of user input
     • Real world examples: WordPress admin-ajax.php unauthenticated SQL injection; PHP-Nuke auth.php:
       $cookie=explode(';', urldecode(empty($_POST['cookie'])))
       $admin=base64_decode($admin)
  9. SQL Injection in SQL Names
     Consider the following:
       Dim cat, orderBy, query
       cat = Replace(Request.Form("cat"), "'", "''")
       orderBy = Replace(Request.Form("orderBy"), "'", "''")
       query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
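Slide 9's point is that doubling quotes only protects a value that sits inside quotes; `orderBy` is spliced in as a bare identifier, so the same replacement leaves it untouched. The following is an added example (not the course's code) that contrasts the slide's construction with an allowlist of sort keys and a bound parameter; the `prod` table and its rows are constructed for the demonstration.

```python
import sqlite3

# Allowlist of sort keys: request value -> exact SQL fragment that may be emitted.
# Identifiers cannot be bound as parameters, so this lookup is the control.
SORT_KEYS = {"name": "name", "price": "price", "price_desc": "price DESC"}


def build_query_unsafe(cat: str, order_by: str) -> str:
    """Mirror of the slide's ASP code. Quote doubling protects the quoted `cat`
    literal, but `order_by` lands outside any quotes, so the filter is a no-op."""
    cat = cat.replace("'", "''")
    order_by = order_by.replace("'", "''")
    return f"SELECT * FROM prod WHERE cat = '{cat}' ORDER BY {order_by}"


def build_query_safe(cat: str, order_by: str):
    """Value is bound as a parameter; the identifier comes only from the allowlist."""
    if order_by not in SORT_KEYS:
        raise ValueError(f"unsupported sort key: {order_by!r}")
    return f"SELECT name FROM prod WHERE cat = ? ORDER BY {SORT_KEYS[order_by]}", (cat,)


def product_names(cat: str, order_by: str) -> list:
    """Run the hardened query against a constructed in-memory catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prod (name TEXT, cat TEXT, price REAL);
        INSERT INTO prod VALUES ('mug', 'kitchen', 4.5), ('pan', 'kitchen', 19.0),
                                ('cup', 'kitchen', 2.0), ('lamp', 'living', 30.0);
    """)
    sql, params = build_query_safe(cat, order_by)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    # The trailing comment marker survives the quote replacement unchanged
    print(build_query_unsafe("kitchen", "price -- "))
    print(product_names("kitchen", "price_desc"))
```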
  10. Hacking Oracle from Web
     • Exploiting SQL injection against an Oracle database
     • How to extract data: one query to get them all!
     • How to execute OS code
     • What if we are not DBA: become DBA, execute OS code, drop DBA
  11. Capture The Flag: SQL Injection
     • Objective: what's in C:\secret.txt
     • Time: 20 mins! No instructions or hints this time!
  12. Day 2: The Art of Exploiting Lesser Known Injection Flaws
     • ORM Injection
     • LDAP Injection
     • Advanced LDAP Injection
     • XPath Injection
     • XPath v2
     • XML Entity Injection
     • Combining XPath and XXE
     • CTF
     • Q&A
  13. Hibernate Query Language Injection
     • User's input is passed directly to the underlying SQL engine:
       List<Event> result = session.createQuery("from Event e where e.title=" + param + "").list();
  14. Hacking LDAP
     • LDAP overview
     • LDAP injection
     • Blind LDAP injection
     • Hacking LDAP in practice
     • Securing applications against LDAP injections
  15. LDAP Injection: Authentication Bypass
     • (&(user=username)(password=pwd))
     • Usually the password is hashed and then matched with the stored value
     • Injection is most likely to work only in the username field
     • (&(user=username)(password=*))
     • (&(user=username)(&))(password=pwd)) – anything after the first filter will be ignored by OpenLDAP
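The bypass on slide 15 works because the username is spliced into the filter with its parentheses intact. The following added example (not the course's code) builds the slide's filter both ways: raw, and with the five filter metacharacters escaped per RFC 4515, plus a structural check that rejects a filter which closes its outermost expression early. The `user`/`password` attribute names and the sample username are taken from the slide; the stronger fix in practice is to verify the password with an LDAP bind as that user rather than comparing it inside a search filter.

```python
# RFC 4515 escapes for characters that have meaning inside an LDAP search filter
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode filter metacharacters as \\XX hex escapes so input stays a literal."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str, password: str) -> str:
    """The slide's construction: raw input concatenated into the filter."""
    return f"(&(user={username})(password={password}))"


def login_filter_safe(username: str, password: str) -> str:
    """Same filter shape, but every user-supplied value is escaped first."""
    return (f"(&(user={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")


def filter_is_single_expression(flt: str) -> bool:
    """Defensive check: a well-formed filter is exactly one balanced
    parenthesised expression. The slide's '(&))' payload closes the outer
    expression early, leaving a trailing '(password=pwd))' that fails here."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False          # more closes than opens
            if depth == 0 and i != len(flt) - 1:
                return False          # outermost ')' is not the last character
    return depth == 0


if __name__ == "__main__":
    # Constructed input reproducing the slide: username "admin)(&)", password "pwd"
    print(login_filter_unsafe("admin)(&)", "pwd"))   # (&(user=admin)(&))(password=pwd))
    print(login_filter_safe("admin)(&)", "pwd"))     # (&(user=admin\29\28&\29)(password=pwd))
```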
  16. Exercise 6: PHP/LDAP
     • Find the telephone number of employee Eric Philip
     • Time: 10 mins
  17. XPath Injection Agenda
     • What is XPath
     • Exploiting XPath
     • Impact of XPath exploitation
     • Blind XPath injection
     • Automating XPath injection
     • XPath v2 injection
     • Insane XPath injection
     • Defending against XPath injection
  18. XPath's XML Nomenclature (diagram labelling: root node, comment, node name, node value, attribute name, attribute value)
  19. Automating XPath: XPath Explorer, demo time!
  20. XPath 2.0 Features
     • Hugely increased feature set: regular expressions, Unicode normalization, string to code point conversion, remote document references
     • All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
  21. XPath 2.0 allows reading not just the current XML file but any arbitrary XML file on the file system.
  22. Hacking Web Services with XML External Entity
     • Not validating the XML before processing it
     • Attacker can inject an external entity: <!ENTITY pwned SYSTEM "file:///c:/boot.ini">
     • The web service parses the entity and the parser accesses the local resource
     • Unauthorized access to information
     • Port scanning
     • Denial of service attack: breaking the XML syntax, providing files like /dev/urandom
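Slide 22's root cause is a parser that accepts a DTD from the caller. A web service that never needs DOCTYPEs can refuse them outright before any body content is processed; the following added example (not the course's code) does that with expat's declaration callbacks in Python's standard library. The request documents are constructed; the entity declaration is the one from the slide.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DtdForbidden(ValueError):
    """Raised when an untrusted document carries a DOCTYPE or entity declaration."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at '<!DOCTYPE ...', before any entity inside it is even declared
    raise DtdForbidden(f"DOCTYPE {name!r} is not accepted from untrusted input")


def _forbid_entity(name, is_param, value, base, sysid, pubid, notation):
    # Belt and braces: any ENTITY declaration, internal or SYSTEM, is rejected
    raise DtdForbidden(f"entity {name!r} declared (SYSTEM={sysid!r})")


def has_dtd(xml_bytes: bytes) -> bool:
    """Pre-scan with a bare expat parser. Returns True as soon as a DOCTYPE or
    ENTITY declaration is seen; malformed XML still raises ExpatError."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity
    try:
        parser.Parse(xml_bytes, True)
    except DtdForbidden:
        return True
    return False


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse a web-service request only if it declares no DTD at all."""
    if has_dtd(xml_bytes):
        raise DtdForbidden("DTD/entity declarations are not accepted")
    return ET.fromstring(xml_bytes)


# Constructed samples: the slide's external entity, and a benign request
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY pwned SYSTEM "file:///c:/boot.ini"> ]>
<order><note>&pwned;</note></order>"""
CLEAN_REQUEST = b"<order><id>42</id></order>"

if __name__ == "__main__":
    print(has_dtd(XXE_REQUEST), has_dtd(CLEAN_REQUEST))   # True False
    print(parse_untrusted(CLEAN_REQUEST).find("id").text)  # 42
```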
  23. Combining XXE and XPath
     • Did I say, with XPath 2.0 you can read arbitrary XML files on the file system? I actually mean: with XPath 2.0 you can read arbitrary XML files on the file system.
     • Introducing Xcat
  24. Thank You! Questions please... Twitter: notsosecure