Injection flaw teaser

Published in: Technology
1 Comment
  • How can you say that injection is mostly possible only in the username field? Is there any reason why it can't be done in the password field?
Notes:
  • Is the following exercise ready? Not sure what it has to do with this slide. Exercise: SQL Injection in cookies
  • MS-SQL escapes quotes by doubling them. What's the problem? The ORDER BY part does not require a string to be vulnerable.
  • Run through Instructor Introduction first, having: changed name on slide 2; ensured correct instructor slide unhidden.

Injection flaw teaser

    1. The Art Of Exploiting Injection Flaws
       Sumit Siddharth, sid@notsosecure.com
    2. About the course
       • Hands-on 2 days training
       • Requires out-of-the-box thinking (strong coffee recommended!)
       • 20 exercises, 100 slides, 8 CTFs!
       • Previous feedback:
         “This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid”
         “I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid”
    3. About Me
       • Sumit “sid” Siddharth
       • Speaker/Trainer at Black Hat, Def Con, OWASP AppSec, HITB, Ruxcon etc.
       • My blog: www.notsosecure.com
       • Specialist in Application & Database Security!
       • More than 8 years of Pentesting!
       • Co-author: SQL Injection Attacks and Defense
       • Head of Penetration Testing @ 7Safe
    4. Day 1: SQL Injection
    5. Exploiting SQL Injections
       • Authentication Bypass
       • Extracting Data
         - Error Message Enabled
         - Error Message Disabled
         - Union Injection
         - Blind Injection
         - Time Delays
         - Out Of Band Channels
       • Privilege Escalation
       • OS code execution
    6. Exercise 9.8 – SQL Injection: OS command execution
       http://hacklab.net/hackme_7.5/
       • Objective: Exploit SQL injection to run OS commands on the database server
       • CTF: What are the contents of C:\secret.txt on the server?
       • Time: 10 mins
    7. Advanced SQL Injection
       • Insanely Blind SQL Injection: the application returns the same response whatever is injected
       • Injection point in an INSERT/UPDATE statement
    8. Encoding/Decoding User Input
       • Base64 decoding user input
       • Hex decoding user input
       • Real world examples:
         - WordPress admin-ajax.php unauthenticated SQL injection
         - PHP-Nuke auth.php (decodes the cookie before using it):
             $cookie = explode(';', urldecode(empty($_POST['cookie'])));
             $admin = base64_decode($admin);
    9. SQL Injection in SQL Names
       Consider the following (classic ASP; only the quoted cat value is protected by quote-doubling, orderBy is an identifier and never sits inside quotes):
           Dim cat, orderBy, query
           cat = Replace(Request.Form("cat"), "'", "''")
           orderBy = Replace(Request.Form("orderBy"), "'", "''")
           query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
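Added example, not from the slides or the course material, rendering slide 9's construction in Python: the unsafe builder keeps the slide's quote-doubling so you can see it does nothing for ORDER BY, the hardened builder binds cat as a parameter and maps orderBy onto an allowlist of column names, and a small log-side check flags sort parameters that are not a bare identifier. Table rows and the allowed column names are constructed for the demo.

```python
import re
import sqlite3

# Constructed column names for the demo; the slide only shows the table "prod" and column "cat".
ALLOWED_ORDER_BY = {"name", "cat", "price"}

def escape_quotes(value: str) -> str:
    """The slide's Replace(x, "'", "''"): doubles single quotes (MS-SQL string-literal escaping)."""
    return value.replace("'", "''")

def build_query_unsafe(cat: str, order_by: str) -> str:
    """Same construction as the ASP snippet: quote-doubling protects the quoted cat
    literal, but ORDER BY takes an identifier, so order_by passes through unchanged."""
    return ("SELECT * FROM prod WHERE cat = '" + escape_quotes(cat)
            + "' ORDER BY " + escape_quotes(order_by))

def build_query_safe(cat: str, order_by: str, descending: bool = False):
    """Hardened form: cat becomes a bind parameter; order_by must match an allowlisted
    column name, because identifiers cannot be passed as bind parameters."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"unexpected ORDER BY column: {order_by!r}")
    direction = "DESC" if descending else "ASC"
    return f"SELECT * FROM prod WHERE cat = ? ORDER BY {order_by} {direction}", (cat,)

def order_by_looks_injected(order_by: str) -> bool:
    """Detection-side check for request logs: flag anything that is not a single
    identifier with an optional ASC/DESC, which is all a sort parameter should carry."""
    return re.fullmatch(r"[a-z_][a-z0-9_]*(\s+(asc|desc))?", order_by, re.IGNORECASE) is None

def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the safe query can actually run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prod (name TEXT, cat TEXT, price REAL)")
    conn.executemany("INSERT INTO prod VALUES (?, ?, ?)",
                     [("pen", "office", 1.5), ("desk", "office", 120.0), ("apple", "food", 0.5)])
    return conn

def product_names(conn: sqlite3.Connection, cat: str, order_by: str) -> list:
    """Run the hardened query and return product names in the requested order."""
    sql, params = build_query_safe(cat, order_by)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    print(build_query_unsafe("office", "price, name"))  # extra column passes straight through
    print(product_names(demo_db(), "office", "price"))
```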
    10. Hacking Oracle from Web
        • Exploiting SQL Injection against an Oracle database
        • How to extract data: one query to get them all!
        • How to execute OS code
        • What if we are not DBA?
          - Become DBA
          - Execute OS code
          - Drop DBA
    11. Capture The Flag: SQL Injection
        http://hacklab.net/ctf.asp?data=foobar
        • Objective: What's in C:\secret.txt?
        • Time: 20 mins! No instructions or hints this time!
    12. Day 2: The Art of Exploiting Lesser Known Injection Flaws
        • ORM Injection
        • LDAP Injection
        • Advanced LDAP Injection
        • XPath Injection
        • XPath v2
        • XML Entity Injection
        • Combining XPath and XXE
        • CTF
        • Q&A
    13. Hibernate Query Language Injection
        • The user's input is passed directly to the underlying SQL engine:
            List<Event> result = session.createQuery("from Event e where e.title=" + param + "").list();
    14. Hacking LDAP
        • LDAP overview
        • LDAP injection
        • Blind LDAP injection
        • Hacking LDAP in practice
        • Securing Applications Against LDAP Injections
    15. LDAP Injection: Authentication Bypass
            (&(user=username)(password=pwd))
        • Usually the password is hashed and then matched with the stored value, so injection is most likely to work only in the username field:
            (&(user=username)(password=*))
            (&(user=username)(&))(password=pwd))
        • Anything after the first filter will be ignored by OpenLDAP
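Added example, not from the slides or the course material, in Python: slide 15's bind filter built once with the values concatenated verbatim and once with RFC 4515 value escaping, plus a check that a filter string is a single parenthesised filter, which is how the early-terminating filter shown on the slide can be recognised in application or directory logs. Function names and the sample username are assumptions for this demo.

```python
# RFC 4515 section 3 escapes for characters that are special inside a filter value.
LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_ldap_filter_value(value: str) -> str:
    """Escape one attribute value so it can only ever be a value, never filter syntax."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str, password_hash: str) -> str:
    """Slide 15's filter with the user-controlled values concatenated verbatim."""
    return f"(&(user={username})(password={password_hash}))"

def build_login_filter_safe(username: str, password_hash: str) -> str:
    """The same filter with both values escaped before they are spliced in."""
    return (f"(&(user={escape_ldap_filter_value(username)})"
            f"(password={escape_ldap_filter_value(password_hash)}))")

def is_single_filter(filt: str) -> bool:
    """True when the string is exactly one parenthesised filter. If the parentheses
    balance before the end, a complete filter has terminated early and the remainder
    (here, the password clause) is the part the slide says OpenLDAP ignores.
    Escaped parentheses (\\28, \\29) are ordinary characters and are not counted."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0

if __name__ == "__main__":
    # Constructed username mirroring the slide's second filter, where the username
    # closes its own clause and the password clause is left outside the filter.
    sample_user = "username)(&)"
    print(build_login_filter_unsafe(sample_user, "pwd"))
    print(is_single_filter(build_login_filter_unsafe(sample_user, "pwd")))  # False
    print(build_login_filter_safe(sample_user, "pwd"))
```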
    16. Exercise 6
        http://hacklab2.net:81/ldap/selfservice/ (PHP/LDAP)
        • Find the telephone number of employee Eric Philip
        • Time: 10 mins
    17. XPath Injection Agenda
        • What is XPath
        • Exploiting XPath
        • Impact of XPath exploitation
        • Blind XPath Injection
        • Automating XPath Injection
        • XPath v2 injection
        • Insane XPath Injection
        • Defending against XPath Injection
    18. XPath's XML Nomenclature (diagram; labels: root node, comment, node, node name, node value, attribute name, attribute value)
    19. Automating XPath
        • XPath Explorer
        • Demo time!
    20. XPath 2.0 Features
        • Hugely increased feature set
        • Regular expressions
        • Unicode normalization
        • String to code point conversion
        • Remote document references
        • All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
    21. XPath 2.0
        • Allows reading not just the current XML file but any arbitrary XML file on the file system.
    22. Hacking Web Services with XML External Entity
        • Not validating the XML files before processing them
        • Attacker can inject an external entity:
            <!ENTITY pwned SYSTEM "file:///c:/boot.ini">
        • The web service parses the entity and the parser accesses the local resource
        • Unauthorized access to information
        • Port scanning
        • Denial of service attack
          - Breaking the XML syntax
          - Providing files like /dev/urandom
    23. Combining XXE and XPath
        • Did I say, with XPath 2.0 you can read arbitrary XML files on the file system? I actually mean: with XPath 2.0 you can read arbitrary XML files on the file system.
        • Introducing Xcat
    24. Thank You! Questions please...
        Sid@notsosecure.com
        Twitter: notsosecure
