
Monday, April 2, 2018

XML Injection


XML INJECTION

- Layout for this exercise:





1 - Introduction

- An XML (Extensible Markup Language) database is a data persistence software system that allows data to be specified, stored and retrieved in XML format. 

https://en.wikipedia.org/wiki/XML_database

- This data can be queried, transformed, exported and returned to a calling system. 

- XML databases are a flavor of document-oriented databases which are in turn a category of NoSQL database.

- When the data of a website is stored in an XML database, that data is accessed by a method known as XPath query generation.

- In this method, an XPath query is built from the input the user provides to the system, and the required data is retrieved with it.

- The problem arises when the input provided by the user is not properly filtered or validated by the system.

- The prevention of XML injection can be done by properly managing and sanitizing any user input before it is allowed to reach the main program code. 

https://blog.udemy.com/xml-injection/

- The best method is to consider all the user input as unsafe and to properly monitor this input. 


- Most types of XML injection attacks can be prevented by simply removing all single and double quotes from the user input.


2 - XML injection scenario

- In this exercise OWASP WebGoat v5.4 is used, running on the Windows 10 machine:

- Going to AJAX Security -> XML Injection:






- The scenario of this exercise consists of a web application that offers rewards based on the number of points accumulated by the user.

- In particular, the user whose account has the ID 836239 holds a balance of 100 points, enough to get the first three products from the following list (note that the last two products require a number of points much higher than the 100 available):





- By entering the user ID, the three products will be sent to the user's address:







- The XML file that stores such information about the user is the following:




- Regarding the rewards:




- The first XPATH query to fetch the user corresponding to the entered ID would be:




- The second XPATH query, to select the records of gifts with less than 100 points, would be:





3 - Launching the XML injection

- In the Firefox browser on Kali Linux, enabling the proxy server:





- Enabling Burp interception at Kali Linux, for requests and responses between the attacker and the victim:





- The user tries to use his points:




- Forwarding with Burp:




- Intercepting the answer:


- Now the response is altered by injecting two extra lines, i.e. two extra XML nodes, for the top rewards of 2000 and 3000 points respectively:



- Forwarding with Burp:




- The user is offered the option to acquire all the items, even though he does not have enough points for them:




- Ticking the rewards and submitting a new request:




- The XML injection is successful (all five items are shipped to the user's address) because the server has not validated the request against the user's real balance:


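As an added example (not part of the original exercise or of WebGoat), the following Python server-side check rebuilds the list of affordable rewards from the stored balance and the server's own catalog, instead of trusting the reward list the client sends back. The XML layouts and reward names are constructed; only account 836239, its 100-point balance and the 2000- and 3000-point rewards come from the exercise.

```python
import xml.etree.ElementTree as ET

# Constructed sample data mirroring the exercise: account 836239 with a
# 100-point balance is from the page; reward names and the first three point
# values are made up, the last two cost the 2000 and 3000 points the page mentions.
USERS_XML = """<users>
  <user><id>836239</id><balance>100</balance></user>
</users>"""

REWARDS_XML = """<rewards>
  <reward><name>Hat</name><points>20</points></reward>
  <reward><name>Mug</name><points>50</points></reward>
  <reward><name>T-shirt</name><points>100</points></reward>
  <reward><name>Bike</name><points>2000</points></reward>
  <reward><name>Laptop</name><points>3000</points></reward>
</rewards>"""


def balance_for(users_xml, account_id):
    """Look the account up by comparing values in Python. The untrusted ID is
    never spliced into an XPath string, so quotes or predicates inside it
    cannot alter the query (the XPath injection risk from the introduction)."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.findtext("id") == account_id:
            return int(user.findtext("balance"))
    return None


def affordable_rewards(rewards_xml, balance):
    """Recompute from the server's own catalog which rewards the balance covers."""
    return {
        r.findtext("name")
        for r in ET.fromstring(rewards_xml).iter("reward")
        if int(r.findtext("points")) <= balance
    }


def validate_claim(users_xml, rewards_xml, account_id, claimed):
    """Server-side check of a reward claim. The list rendered in the browser
    (which an intercepting proxy can extend with extra <reward> nodes) is not
    trusted; the decision is rebuilt from the stored balance.
    Returns (accepted, rejected_items)."""
    balance = balance_for(users_xml, account_id)
    if balance is None:
        return False, list(claimed)
    allowed = affordable_rewards(rewards_xml, balance)
    rejected = [item for item in claimed if item not in allowed]
    return not rejected, rejected
```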
SQL Injection (V): Automation with SQLMAP


SQL INJECTION (V): AUTOMATION WITH SQLMAP

- Layout for this exercise:





1 - SQLMAP

- SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers:

http://sqlmap.org/

- It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

- Let's explore some SQLMAP options with -h (help):





- Option -u provides the URL target:





- Option --cookie specifies a cookie for connecting to the target:








- The default value of 1 is used for both the level and the risk of the tests:




- Enumeration is a step-by-step process that can be run over databases, tables, columns, users, schemas, passwords, etc.:





2 - Preparing the attack environment

- For this exercise let's use the vulnerable DVWA web application on the XAMPP web server, running on a Windows 10 machine.

- Selecting SQL Injection as the vulnerability:




- Configuring the proxy:





- Using Burp to intercept the submission of the User ID=1:




- These two lines will be useful later, when launching the attack:







3 - Launching the attack

- Enumerating the databases with parameter --dbs:






- Enumerating tables (--tables) at database dvwa (-D):






- Enumerating columns (--columns):






- Enumerating users, user identifiers and passwords, accepting the default answers to SQLMAP's prompts:


- The INFO notification indicates the file where the output is dumped:


SQL Injection - Blind (IV): Time delay based attacks


SQL INJECTION - BLIND (II): TIME DELAY BASED ATTACKS

- Layout for this exercise:





1 - Introduction 


- Time delay blind SQL injection relies on the database pausing for a specified amount of time before returning the results, the delay indicating that the injected SQL query was executed.

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Time_delay_Exploitation_technique

- This type of attack uses database commands like sleep() or benchmark() to delay answers in conditional queries. 

- sleep(time) suspends the execution of a command for time seconds.

- benchmark(count, expression) executes an expression count times.

- This attack is useful when the attacker gets no answer of any kind (result, output or error) from the application because its output has been sanitized.


- Using this method an attacker could enumerate many elements of the database. 

- For instance, using sleep(10) inside a condition on the 1st letter of the database name being 'A': if the answer comes back after 10 seconds, we can conclude that the condition is true; otherwise the answer comes back without the delay.


2 - Examples of  Time Delay Blind SQL injection

- These time delay based SQL injection exercises will be performed from a Kali Linux device against a DVWA version 1.0.8 MySQL database, set to the "medium" security level, hosted on an Ubuntu Linux device running the XAMPP web server.


- Going to the SQL Injection (Blind) tab, the following SQL entries (written in green) will be entered in the User ID form.




2.1) Finding whether the application is responsive to time based attacks


1 UNION SELECT IF (1=1, SLEEP(10), NULL), NULL






- Note the Connecting notification lasting for 10 seconds, so we can conclude that the application is responsive to this type of attack:


- The real SQL query would be:

SELECT first_name,last_name FROM users WHERE ID=1
UNION
SELECT IF (1=1,SLEEP(10),NULL),NULL



2.2) Finding whether the database version is 5

1 UNION SELECT IF (SUBSTRING(VERSION(), 1, 1) = 5, SLEEP(10), NULL), NULL





- Again, the result is obtained after waiting for 10 seconds:






- We can conclude that the version is actually 5 because the condition held: the 10-second delay occurred, there is no error message in the answer, and the query injection is successful.

- The real SQL query would be:

SELECT first_name,last_name FROM users WHERE ID=1
UNION
SELECT IF (SUBSTRING(version(),1,1)=5, SLEEP(10),NULL),NULL

- The second part of the command consists of IF(condition, true statement, false statement), where:

  • condition= SUBSTRING(version(),1,1)=5
  • true statement=SLEEP(10)
  • false statement=NULL


- SUBSTRING (text, start, length) returns a substring starting from the position "start" of text and of length "length".

- In this case the condition SUBSTRING(version(),1,1)=5 is TRUE because the database version starts with 5 (it is actually 5.5.27), and as a consequence the SLEEP(10) true statement is executed.
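Added detection example covering both the SQLMAP exercise and the time delay exercise above (not code from the original post or from SQLMAP): it scans web server access logs for the default SQLMAP User-Agent and for UNION/SLEEP/BENCHMARK tokens in request parameters, and flags a time-based payload that coincides with a slow response. The log lines and the trailing response-time field are constructed, and the 5-second threshold is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the exercise): Apache combined format
# plus one extra trailing field, the request time in seconds, which assumes the
# server was configured to log it (the default format has no timing field).
# Line 2 mimics SQLMAP's default User-Agent; line 3 carries the SLEEP(10)
# payload from 2.1 above and took 10 seconds to answer.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2018:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0" 0.031
10.0.0.9 - - [02/Apr/2018:10:02:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4821 "-" "sqlmap/1.2#stable (http://sqlmap.org)" 0.028
10.0.0.9 - - [02/Apr/2018:10:02:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20SELECT%20IF(1%3D1,SLEEP(10),NULL),NULL&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0" 10.044
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" ([\d.]+)$'
)
# Tokens of the UNION-based and time-based payloads used in the exercises.
SQLI_RE = re.compile(r"\b(UNION\s+SELECT|SLEEP\s*\(|BENCHMARK\s*\()", re.IGNORECASE)
TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
SLOW_SECONDS = 5.0  # assumed threshold; tune to the site's normal response time


def analyse(log_text):
    """Return [(client_ip, decoded_query, reasons)] for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ip, _method, target, _status, user_agent, seconds = m.groups()
        # Decode percent-encoding and '+' so encoded keywords become visible.
        query = unquote_plus(urlsplit(target).query)
        reasons = []
        # SQLMAP announces itself unless --random-agent or --user-agent is used,
        # so this signal is cheap but weak on its own.
        if user_agent.lower().startswith("sqlmap/"):
            reasons.append("sqlmap user-agent")
        if SQLI_RE.search(query):
            reasons.append("sql keyword in parameter")
        # A SLEEP/BENCHMARK payload together with a slow response is the
        # server-side footprint of the time delay technique.
        if TIME_RE.search(query) and float(seconds) >= SLOW_SECONDS:
            reasons.append("time-based payload with slow response")
        if reasons:
            findings.append((ip, query, reasons))
    return findings
```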