1. The Art Of Exploiting
Injection Flaws
Sumit Siddharth
sid@notsosecure.com

2. About the course
 Hands on 2 days training
 Require out of box thinking (strong coffee
recommended!)
 20 exercises, 100 slides, 8 CTFs!
 Previous feedback:
 “ This was the best course I have ever been on. Since attending
the course, I have identified so many issues which automated
tools have missed. Thanks a ton, Sid”
 “I have been pentesting for 4 years now, and thought I knew all
about SQLI. I guess I was wrong. If anyone knows this subject
well, it is Sid”

3. About Me
Sumit “sid” Siddharth
 Speaker/Trainer at Black Hat, Def con,
OWASP Appsec, HITB, Ruxcon etc
 My blog: www.notsosecure.com
 Specialist in Application & Database Security!
 More than 8 years of Pentesting!
 Co-author: SQL Injection, attacks and defense
 Head of Penetration testing@7Safe

4. Day 1: SQL Injection

5. Exploiting SQL Injections
 Authentication Bypass
 Extracting Data
 Error Message Enabled
 Error Message Disabled
 Union Injection
 Blind Injection
 Time Delays
 Out Of Band Channels
 Privilege Escalation
 OS code execution

6. Exercise 9.8 – SQL Injection: OS command
execution
 http://hacklab.net/hackme_7.5/
 Objective
 Exploit SQL injection to run OS commands on the database
server
 CTF : What are the contents of C:secret.txt on the server
 Time
 10 mins

7. Advanced SQL Injection
 Insanely Blind SQL Injection
 Application returns same response
 Injection point in INSERT/UPDATE statement

8. Encoding/Decoding User Input
 Base64 decoding user input
 Hex decoding user input
 Real world examples
 WordPress Admin-Ajax.php unauthenticated SQL injection
 PHP-Nuke auth.php
$cookie=explode(„;‟, urldecode(empty($_POST[„cookie‟])))
$admin=base64_decode($admin)

9. SQL Injection in SQL Names
 Consider the following:
Dim cat, orderBy, query
cat = Replace(Request.Form(“cat”), “‟”, “‟‟”)
orderBy = Replace(Request.Form(“orderBy”), “‟”, “‟‟”)
query = “SELECT * FROM prod WHERE cat = „” & cat &
“‟ ORDER BY “ & orderBy

10. Hacking Oracle from Web
 Exploiting SQL Injection against oracle database
 How to extract data
 One Query to get them all!
 How to execute OS code
 What if we are not DBA
 Become DBA
 Execute OS code
 Drop DBA

11. Capture The Flag: SQL Injection
 http://hacklab.net/ctf.asp?data=foobar
 Objective
• What’s in C:secret.txt
 Time
 20 Mins!
 No instructions or hints this time!

12. Day 2: The Art of Exploiting
Lesser Known Injection Flaws
ORM Injection
LDAP Injection
Advanced LDAP Injection
XPath Injection
Xpath v2
XML Entity Injection
Combining Xpath and XXE
CTF
Q&A

13. Hibernate Query Language Injection
 User’s input to be passed directly to the
underlying SQL engine
List<Event> result = session.createQuery(
"from Event e where e.title='" + param +
"'").list();

14. HACKING LDAP
LDAP overview
LDAP injection
Blind LDAP injection
Hacking LDAP in practice
Securing Applications Against LDAP
Injections

15. LDAP Injection: Authentication Bypass
 (&(user=username)(password=pwd))
 Usually password is hashed and then matched with the
stored value
 Injection is most likely to work only in username field
 (&(user=username)(password=*))
 (&(user=username)(&))(password=pwd))
Anything after first filter will be
ignored by OpenLDAP

16. Exercise 6
 http://hacklab2.net:81/ldap/selfservice/
 PHP/LDAP
 Find the telephone number of employee Eric
Philip
 Time: 10 mins

17. XPATH Injection
 Agenda
 What is XPATH
 Exploiting XPATH
 Impact of XPATH exploitation
 Blind XPATH Injection
 Automating XPATH Injection
 XPATH v2 injection
 Insane XPATH Injection
 Defending against XPATH Injection

18. XPATH’s XML Nomenclature
Root node
Comment
Node name
Attribute value
Node
Node value
Attribute name
Node

19. Automating Xpath
 XPATH Explorer
 Demo time!

20.  Hugely increased feature set
 Regular expressions
 Unicode normalization
 String to code point conversion
 Remote document references
 All of these can be utilised to speed up document
retrieval and reduce the key space we have to search.
XPath 2.0 Features..

21. XPATH 2.0
 Allows to not just read the current XML file but any
arbitrary xml file on the file system.

22. Hacking Web Services with XML External Entity
 Not validating the xml files before processing it
 Attacker can inject an external entity
 <!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
 Web service parse the entity and the parser
access the local resource
 Unauthorized access to information
 Post scanning
 Denial of service attack
 Breaking the xml syntax
 Providing files like /dev/urandom

23. Combining XXE and Xpath
 Did I say, with Xpath 2.0 you can read arbitrary xml
files on the file system.
 I actually mean:
 with Xpath 2.0 you can read arbitrary xml files on the file
system.
 Introducing Xcat

24. Thank You!
 Questions please...
 Sid@notsosecure.com
 Twitter: notsosecure