KNOX D3: March 2014

A Tale Of A DOM Based XSS In Paypal

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkufYujP-e1K53Zy3Wa2Lkc-anLsMLtKV9xMh2kh25HzjIhtU4WiDMnVUHNusEZjhBSnwkbJQzPHdri_RI3vuO2-ahl85a9SklT9z1ServaWeiEKpJrjdhP_8X77-wwsSYyPt89MaJSis/s1600/DOMInatrixss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkufYujP-e1K53Zy3Wa2Lkc-anLsMLtKV9xMh2kh25HzjIhtU4WiDMnVUHNusEZjhBSnwkbJQzPHdri_RI3vuO2-ahl85a9SklT9z1ServaWeiEKpJrjdhP_8X77-wwsSYyPt89MaJSis/s1600/DOMInatrixss.png" width="370" /></a></div><div class="separator" style="clear: both; text-align: left;"></div><h4>Introduction </h4><div class="separator" style="clear: both; text-align: left;">We have already disclosed lots of findings related to DOM Based XSS and this article talks about a pretty interesting DOM Based XSS vulnerability i found long time back inside paypal. A DOM Based xss vulnerability also known as the third type of XSS vulnerability or type 0. This vulnerability occurs due to the fact that developers don't sanitize the input before it reaches a sink. A Sink is defined as anything that generates HTML, not every sink is considered as dangerous, however there are some common sinks that should be avoided and are mentioned at DOM Based XSS wiki .</div><div class="separator" style="clear: both; text-align: left;"></div><a name='more'></a><br /><h4>Current Situation </h4><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">The situation with DOM Based xss is getting worse now a days, not only because of dynamic JS libraries such as YUI, Jquery, Jquery mobile etc, but also with programming languages such as PHP that are more natively supporting HTML 5 features. One of the aspects of a DOM Based XSS vulnerability that i discovered was with tracking scripts such as Eloqua, Sitestat, Omniture, etc as they often introduce dangerous sinks. Examples are<a href="http://www.rafayhackingarticles.net/2013/03/dom-based-xss-in-microsoft.html"> here</a> and <a href="http://www.rafayhackingarticles.net/2013/02/dom-based-xss-in-avg.html">here</a>. The same is the case with sharing buttons such as google plus, addthis etc. </div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"></div><h4>A Vulnerable Example from W3schools </h4><div class="separator" style="clear: both; text-align: left;">The worsed part about DOM Based xss apart from it's complexity is the fact that lots of learning references and guides teach developers to code things in an insecure way i.e. in a way that would introduce vulnerabilities automatically. The following screenshot is taken from the jquery learning section of w3schools. The website needs no introduction, it is the most commonly referred websites for beginners to learn various programming language.</div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSDomBsY4k_erO9hqUnfAwD1A9dbODmK04vaQcxtf0GU20v7YdFw6IkivVOhE681N0kkG5LVzevNJaxuTK4V-othALL4BH-AV7XaNA2Bx-ckn5GPwmxEHSQRTbv8TpqUoS1OU45b7Ixtc/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSDomBsY4k_erO9hqUnfAwD1A9dbODmK04vaQcxtf0GU20v7YdFw6IkivVOhE681N0kkG5LVzevNJaxuTK4V-othALL4BH-AV7XaNA2Bx-ckn5GPwmxEHSQRTbv8TpqUoS1OU45b7Ixtc/s1600/4.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">The code uses the html() function inside of jquery to output html, however the problem is that html() is not a safe jquery function and is represented as a dangerous sink as per <a href="https://code.google.com/p/domxsswiki/wiki/jQuery" rel="nofollow" target="_blank">DOM Based XSS Wiki</a>. In case, where a user controlled input outputted through html() sink without sanitization would lead to a DOM Based xss. The html() function inside of jquery is the equivalent to the innerHTML function inside of javascript. The fundamental problem is that the developers are not advised to use a safe function. Therefore, in my opinion w3schools shall be renamed to w3fools. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"></div><h4>The Tale Of Paypal DOM Based XSS</h4><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">The <b>financing.paypal.com</b> subdomain was a subject of DOM Based xss vulnerability. The subdomain had a feature which triggered my interest, which allowed the users to create ad units of different sizes. The size of the ad was being handled on the client side with the help of jquery.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>Example</b></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>https://financing.paypal.com/ppfinportal/adGenerator/webCopy?460 * 80</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">The above input would display "<b>460 * 80</b>" in front of the Selected Size Option, Changing the text with our own input would result in the same text being outputted on to the screen. This means that our input that is taken from a source is being passed through a sink to be displayed upon the screen. So, what happens if we change the input with our XSS payload, for example - <b><svg/onload=prompt(1)>.</b></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-weight: bold;">https://financing.paypal.com/ppfinportal/adGenerator/webCopy?</span><b><svg/onload=prompt(1)></b></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dCeLGKGE2Mc3dx5s9B1iRZBuroaC8eb7tZaANs1PwenyEdpq88cHKiwjL6vRXtDl9uydtQZOtpGzfAnqIsEkgLQOjfQEx1eN8X2yLigLXWwfT-RNtmP3MjR49i9cSJo8N8JTKlqNAqU/s1600/rafay2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dCeLGKGE2Mc3dx5s9B1iRZBuroaC8eb7tZaANs1PwenyEdpq88cHKiwjL6vRXtDl9uydtQZOtpGzfAnqIsEkgLQOjfQEx1eN8X2yLigLXWwfT-RNtmP3MjR49i9cSJo8N8JTKlqNAqU/s1600/rafay2.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Unfortunately, the results were returned URL encoded. Now there could be two possibilities, whether the javascript is encoding our input before rendering it on the screen or it's a general browser behaviour. Turns out that Google Chrome and Firefox browsers encode everything sent after ?, but what about Internet explorer?, Internet explorer returns the characters as URL unencoded and therefore, we inside of internet explorer we are able to render our javascript. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWDuuAi4zeZT_vQgC8jd63rMsKtBjmjhJXqejdp995n7TA2Tc2Atg9nOYfVO-pw2WOY9IBCQN7RuJTovf8cydycx7E7tKZ_igIUS5-FT4v2dcKZm7WUoR8tXQJOsmTKb1870W2L78rvCA/s1600/5.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWDuuAi4zeZT_vQgC8jd63rMsKtBjmjhJXqejdp995n7TA2Tc2Atg9nOYfVO-pw2WOY9IBCQN7RuJTovf8cydycx7E7tKZ_igIUS5-FT4v2dcKZm7WUoR8tXQJOsmTKb1870W2L78rvCA/s1600/5.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">With that being said, as per DOM Based XSS wiki google chrome does not encode certain characters when passed after a hash. Therefore, we could add an additional hash after the ? mark to get our payload executed. </div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"><b>Example</b></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-weight: bold;">https://financing.paypal.com/ppfinportal/adGenerator/webCopy<span style="color: red;">?#</span></span><b><span style="color: red;"><svg/onload=prompt(1)></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="color: red;"><br /></span></b></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpHTRGUrz1FTkpnSitVC5SKpVwMmj-2R78ApE2nJnFJay9FLRS0b5_IXhkaDN0G1BLeU9cSyHeyuNSPI23CUxBdFGQbe2SXc_qpsTio486Hdp58ZwwSNQEppojijRJQ5Ntsn90iQ917pY/s1600/domxss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpHTRGUrz1FTkpnSitVC5SKpVwMmj-2R78ApE2nJnFJay9FLRS0b5_IXhkaDN0G1BLeU9cSyHeyuNSPI23CUxBdFGQbe2SXc_qpsTio486Hdp58ZwwSNQEppojijRJQ5Ntsn90iQ917pY/s1600/domxss.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"></div><h4>Vulnerable Code</h4><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">With some debugging i was able to determine the exact cause of the vulnerability. The following screenshot highlights the line of code that was responsible for the cause of this vulnerability. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWHrIsMI-_48Zbw1uCTzvyec99VE3MTEdaTPhnpUGM4KXXqGQK41n17vpvvC_sOsCITVRlOUAQj0UxVuLF8h7nKXJEvfV1LsQ28BUNUo-mu8yvHSrrQmSXuDTKxiz9zdng2mz91y4ESpM/s1600/rafay3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="375" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWHrIsMI-_48Zbw1uCTzvyec99VE3MTEdaTPhnpUGM4KXXqGQK41n17vpvvC_sOsCITVRlOUAQj0UxVuLF8h7nKXJEvfV1LsQ28BUNUo-mu8yvHSrrQmSXuDTKxiz9zdng2mz91y4ESpM/s1600/rafay3.png" width="577" /></a></div><br />The line 517 represents the source being <b>document.url,</b> a split function is called which splits everything being sent after the ? mark and saves it inside a variable called <b>url</b>.<br /><br /><div class="separator" style="clear: both; text-align: left;"><b>Example</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><span style="font-weight: bold;">https://financing.paypal.com/ppfinportal/adGenerator/webCopy<span style="color: red;">?#</span></span><b><span style="color: red;"><svg/onload=prompt(1)></span></b><br /><div class="separator" style="clear: both; text-align: left;">The split function would return <b><svg/onload=prompt(1)> </b>from the url and then is saved inside a variable called <b>url.</b> Next inside the <b>521 line </b>we can see that html() function is used to output url variable, which in this case contains our xss paylaod. The payload would be outputted to the screen and hence would execute the javascript for us. </div><div class="separator" style="clear: both; text-align: left;"><h4>Conclusion</h4></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">DOM Based XSS are growing and would continue to grow as more and more people would start using dynamic javascript libraries and as more people more towards server side javascript i.e. node js, the impact would be much more high. This article demonstrates the importance of sanitizing the user supplied input not only on the server side but also on the client side. </div><div class="separator" style="clear: both; text-align: left;"><br /></div>Pass the comments!. </div>

A Tale Of A DOM Based XSS In Paypal

Introduction We have already disclosed lots of findings related to DOM Based XSS and this article talks about a pretty interesting DOM Base...

+ Read more »

Introduction To SQLmap And Firewall Bypassing

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXp0hBjFIlNQhVoAcjABuX8_x_g3Ru3XMIrzBswLEx4K4IxmwXhfKgKADz1hwV4Jr5Kv2L9Xuw970DRrzbIy8Kt6c3zDhmngR71DRJ9T3eldRkBddd14XnvUYpmD2lCqXZ0qqAguSridY/s1600/sqlinjection+%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXp0hBjFIlNQhVoAcjABuX8_x_g3Ru3XMIrzBswLEx4K4IxmwXhfKgKADz1hwV4Jr5Kv2L9Xuw970DRrzbIy8Kt6c3zDhmngR71DRJ9T3eldRkBddd14XnvUYpmD2lCqXZ0qqAguSridY/s1600/sqlinjection+%25281%2529.jpg" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b><br /></b><br /><h4>ABSTRACT</h4>Most cyber-attacks in the world that involve websites occurs due to lack of updates and the failure to validate the user input. Starting from buffer overflow vulnerability, which is a system level vulnerability up to the vulnerabilities that exist today, the fundamental problem has always been the input validation. One of the main threats is SQL Injection that left many worried about their application and databases. The problem is more then a decade old, but still is present inside lots of websites. SQL injection like all other major web application security problems fall in the category of input validation attacks.<br /><br /><a name='more'></a><br /><br /><h4 style="text-align: left;">CONTEXT</h4>Many web developers do not know how SQL queries can be handled and assume that an SQL query is a trusted command. This allows for SQL queries to circumvent access controls, thereby bypassing standard authentication and authorization checks. And sometimes SQL queries even may allow access to the command shell on the server operating system level.<br /><br />Direct injection of SQL commands is a technique where an attacker creates or alters existing SQL commands to expose hidden data or to override valuable data, and even to execute dangerous system level commands on the server.<br /><br /><h4 style="text-align: left;">INTRODUCTION</h4><br />Structured Query Language is the standard declarative language for relational databases. This allows for its simplicity and ease of use. SQL was originally developed in the early 70s at IBM labs. SQL Is used by applications communicate or speak with the database.<br /><br />SQL use the following four statements to communicate with the database.<br /><br /><b>SELECT – </b>Retrieve a record from the database.<br /><b>INSERT -</b>  Inserting a record inside the database.<br /><b>DELETE </b>– Deleting a record from database.<br /><b>UPDATE  </b>- Update or change a current record<br /><br />The  SQL Injection simply occurs when the user query is treated as the database query. Take an example of how a user is authenticated on a website. The user sends a "Username" and "Password", the username/password is checked against what is present inside the database. If that matches, the user is logged in, else the user is not logged. Here is an example of the basic SQL query that is constructed at the back end.<br /><b><br /></b><b>The Code:</b><br /><b><br /></b><b>SELECT * FROM user WHERE username = ‘<span style="color: red;">$username</span>’ AND password = ‘<span style="color: red;">$password</span>' </b><br /><br />The query simply says select all from the user table where the username is equal to what the user entered and the password being that the user entered. So, in case where the user supplies the username to be "admin" and password to be "12345". Here is how the SQL query is contructed.<br /><br /><b>SELECT * FROM user WHERE username = ‘<span style="color: red;">admin</span>’ AND password = ‘<span style="color: red;">12345</span>' </b><br /><b><br /></b><b>The Injection</b><br /><b><br /></b>So, what if a user enters something like ' or '1'='1, since the first quote would terminate the input string, the rest of the query would be executed as a SQL query and in a SQL query 1=1 is always a true statement. Which would enable us to bypass the login mechanism<br /><b><br /></b><b>SELECT * FROM user WHERE username = ‘<span style="color: red;">admin</span>’ AND password = ‘<span style="color: red;">’ or ‘1’=‘1</span>' – TRUE </b><br /><br /><br />The above demonstrates a simple example of SQL injection, however SQL injection in real world is really complicated sometimes and in our penetration tests, most of the times we have a very tight schedule. So therefore, we need an automated/context aware tool to perform the injection for us.<br />SQLMAP is a tool that can be used to exploit this type of vulnerability. It is Open source, and often is used for Penetration Testing that enable intrusions on fragile DBMS written in Python. It provides functions to detect and exploit vulnerabilities of SQLI. Let's use the example sqlmap.py, widely used in operating systems and databases.<br /><br /><h4 style="text-align: left;">STEP BY STEP</h4>Readers I will try to explain this in the simplest possible way.<br /><br />The most common way of testing a SQL injection vulnerability is by inputting a single quote (') inside the input and expect it to display an error. Some of the applications do not return an error. This is where we can utilize true/false statements to check if an application is vulnerable to a SQL injection attack or not.<br /><br />To find a random website vulnerable to SQL injection, you can utilize the following google dork Example: inurl: news.php id = 1?<br />There is a bank of google dorks data and several other possibilities that can be used to filter your search. So let's start with SQL map.<br /><br />Navigate to the following directory inside of backtrack:<br /><br /><b>cd /pentest/database/sqlmap</b><br /><br />We will now begin the game, to view the menu for sqlmap.py use the command ./sqlmap.py -h<br /><br />Let's run sqlmap.py, the parameter [--dbs], to search the all databases in DBMS.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirmPMfKwLLMuUSji2fA5p9CQmeUrSaO8B8davN_NC_VEdpD3nt7RazOvz6ZYdjRUDRdpncOq00k5KjZtD614VLwsqQrQZIxpQ04_hKzKI49o5Ccc8-XMs3wDOSLRmRZoWzwso7gyz0jno/s1600/untitled2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirmPMfKwLLMuUSji2fA5p9CQmeUrSaO8B8davN_NC_VEdpD3nt7RazOvz6ZYdjRUDRdpncOq00k5KjZtD614VLwsqQrQZIxpQ04_hKzKI49o5Ccc8-XMs3wDOSLRmRZoWzwso7gyz0jno/s1600/untitled2.JPG" width="577" /></span></a></div><br /><br />Or use the parameter --current-db to show the databases that are being used.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtctOLxgstzW2OaBCq8nmb_2yi2H7vstEaPGDw8Nvk5DzW2-T0wXqHbqkB58RX4cR5gWDaTCN7fpgyMu47tHBk-ITbPIY73QwUPCwkpL3IqxnXnV0O-x2CdRfHq_SjXiyVnvYJKKFffWQ/s1600/untitled3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtctOLxgstzW2OaBCq8nmb_2yi2H7vstEaPGDw8Nvk5DzW2-T0wXqHbqkB58RX4cR5gWDaTCN7fpgyMu47tHBk-ITbPIY73QwUPCwkpL3IqxnXnV0O-x2CdRfHq_SjXiyVnvYJKKFffWQ/s1600/untitled3.JPG" width="577" /></span></a></div><br /><br />The parameter -D is for the target of database and --tables is tables list.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdTHTrejztVFQWE4P6ldt6-PMPEBhBR23k7dg2ZV__XQtC0k0rHPizIjr79utN-lxFGICdaEh4R-OGBrAQigFxo1VDO6Chyphenhyphen5RY6KzrOGTH54li6GvCSUw4f9jHYQRS0n__KuBnrnxnCo4/s1600/untitled4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdTHTrejztVFQWE4P6ldt6-PMPEBhBR23k7dg2ZV__XQtC0k0rHPizIjr79utN-lxFGICdaEh4R-OGBrAQigFxo1VDO6Chyphenhyphen5RY6KzrOGTH54li6GvCSUw4f9jHYQRS0n__KuBnrnxnCo4/s1600/untitled4.JPG" width="577" /></span></a></div><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMBDy30LuZOMbE79E8M-U0f2qVt7CVIRUdoAWSwexIAYPEjPYpJ5tONIUST9E0yNs34dCkd8KuEy6ublMNZWKVksaa8fx2PdZT9QbYgsDXzjw7fqqm2fy-0KXbdNtyt7HErlnD6FW1VHw/s1600/untitled5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMBDy30LuZOMbE79E8M-U0f2qVt7CVIRUdoAWSwexIAYPEjPYpJ5tONIUST9E0yNs34dCkd8KuEy6ublMNZWKVksaa8fx2PdZT9QbYgsDXzjw7fqqm2fy-0KXbdNtyt7HErlnD6FW1VHw/s1600/untitled5.JPG" width="577" /></span></a></div><br /><br />We will verify the existence of interesting information in the table (admin_users), time to list the columns. The parameter is –columns.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig8ZRQecDHGFtUG7xgTrWcRmH6bfNjEzF1BfvDyOQA1kHJRsXZ4bVm16YLYLjXmpSAshvxvLxe9CC4uUvd1ahOWGM2pzx5LB1w7XwrWA2oJINnxrwYUFxA-sABf9mSo9KPzKQhwc_Kt0g/s1600/untitled6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig8ZRQecDHGFtUG7xgTrWcRmH6bfNjEzF1BfvDyOQA1kHJRsXZ4bVm16YLYLjXmpSAshvxvLxe9CC4uUvd1ahOWGM2pzx5LB1w7XwrWA2oJINnxrwYUFxA-sABf9mSo9KPzKQhwc_Kt0g/s1600/untitled6.JPG" width="577" /></span></a></div><br /><br />It is important to always indicate the target database (-D) data before listing the tables because if you do not do this (without the -D) it will list all tables in all databases.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb6N4iDmyJkw9hMWHAsbidS1CloSqvKg7ZqiPu1d1SBSpVuBVXVg06ZNpZ5MxZHEp0DwcBqR7Q9qxto_1oqqTwXjfFNhv69PN6q-pMRVAKLoBT85JJKSc9eEktQqsd-J2U0SmuI1u1v8o/s1600/untitled7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb6N4iDmyJkw9hMWHAsbidS1CloSqvKg7ZqiPu1d1SBSpVuBVXVg06ZNpZ5MxZHEp0DwcBqR7Q9qxto_1oqqTwXjfFNhv69PN6q-pMRVAKLoBT85JJKSc9eEktQqsd-J2U0SmuI1u1v8o/s1600/untitled7.JPG" width="577" /></span></a></div><br /><br />-T = target table<br />-C = target columns, can be more than one column to be chosen. Example: username, password.<br />--dump = obtain, extract data.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEmmUMLGSt3YrF6vI5iyb3SgYhjZq1KnhugAt3j9Q6B5DfzgkqCX57e8SfoQHrCtdwCcBHUgrOnjznksn_O5WnX24S2bRkfccvhKindnYEy0sBlRqyxbhJUlLRk_AV9pU8cs_8gIoKTA/s1600/untitled8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEmmUMLGSt3YrF6vI5iyb3SgYhjZq1KnhugAt3j9Q6B5DfzgkqCX57e8SfoQHrCtdwCcBHUgrOnjznksn_O5WnX24S2bRkfccvhKindnYEy0sBlRqyxbhJUlLRk_AV9pU8cs_8gIoKTA/s1600/untitled8.JPG" width="577" /></span></a></div><br /><br />Important to remember the parameter --proxy: enables use of proxy. <br />Example:     /sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --proxy=http://183.223.10.108:80<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4dUZhKSbjzjnwAjTIP4dAz1U3J_bIV3mjwnko28Igqh9-ebhal8yUzfKKBUXQm_DaGPmseiMc-JXkS-ywxSqZ90AK_j29ImuLphlf29-h8ALeWekbGtYt7fEcbchQZzz17i87CvAWwBc/s1600/untitled9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4dUZhKSbjzjnwAjTIP4dAz1U3J_bIV3mjwnko28Igqh9-ebhal8yUzfKKBUXQm_DaGPmseiMc-JXkS-ywxSqZ90AK_j29ImuLphlf29-h8ALeWekbGtYt7fEcbchQZzz17i87CvAWwBc/s1600/untitled9.JPG" width="577" /></span></a></div><br /><br />Readers, I think that's the basics for beginners. sqlmap.py also has many interesting functions, I suggest researching about --prefix=PREFIX, --postfix=POSTFIX and takeover options.<br />More information about the program and videos of them in action on the official site.<br /><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEGgVQysZHx-k9cPArx93VazNi6abEXiLjUsKE4FnL-B82fxSBVWqpcrxrOGiWB9kC771Qd6u7gjddEnzv8x4-chGtLjrrSouBOhH9IoqZdmAeorRf6D_O37ur4nvzYBbMmprdef7F7Qc/s1600/untitled10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEGgVQysZHx-k9cPArx93VazNi6abEXiLjUsKE4FnL-B82fxSBVWqpcrxrOGiWB9kC771Qd6u7gjddEnzv8x4-chGtLjrrSouBOhH9IoqZdmAeorRf6D_O37ur4nvzYBbMmprdef7F7Qc/s1600/untitled10.JPG" width="577" /></span></a></div><br /><br />--dump is to extract the data from the site but is not given any, this must be within the selected column, and you have to choosen what to extract from the column, where I extracted the logins and passwords are saved within the column.<br /><br />Generally, the field of "passwords" DBMS are encrypted. Most common encryptions used are SHA-1, MD5 hashes and most of the time the hashes are not salted, making it easier to crack. We then need to decrypt the passwords in order to access the target system. We can utilize online hash databases such as  http://www.md5decrypt.org, https://crackstation.net/,http://www.onlinehashcrack.com/ to name a few. The second option is to manually try bruteforcing the password or utilize a commonly known technique rainbow tables for cracking the password hashes. Furthur more you can also try utilizing your GPU power to fasten the process, but unfortunately that's not the scope of this article. <br /><br /><h4 style="text-align: left;">BEYOND THE BASICS</h4><br />Readers, lucky for us, there are some awesome tamper scripts for sqlmap, which can be found in the latest development version from the Subversion repository.<br /><br />svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev<br /><br />In fact the function of the tamper scripts is to modify the request in a way that will escape detection rules WAF (Web Application Firewall). In some cases it may be necessary to combine some tamper scripts together in order to fool the WAF. For a complete list of scripts for tampering, you may find https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/<br /><br />Many enterprises often overlook the current vulnerabilities and rely only on the firewall for protection. Unfortunately, most, if not all firewalls can be bypassed by simply utilizing some of the encoding techniques that a sql server understands. So gentlemen, I want to demonstrate how to use some of the new features of sqlmap to bypass WAF’s/IDS.<br /><br />Well, I'll demonstrate some important scripts that are c<b>harencode.py</b> and c<b>harcodeencode.py</b> to work with MySQL. The scripts can be found inside of /<b>pentest/web/scanners/sqlmap</b> directory inside of backtrack 5. <br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhREfGruVYv1VqK0OMQohT8VyUkEBZ6BjaVqAGypCbA0NvOvxDhxmVkdxJG-60tS8PMktQTt3u3PX1ll9Fzsy1XlzeuMM12t1SKMsQsZiDjM8tf0FGQoJA1HX4BclT84DTVmiZHy4fa-v0/s1600/untitled11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhREfGruVYv1VqK0OMQohT8VyUkEBZ6BjaVqAGypCbA0NvOvxDhxmVkdxJG-60tS8PMktQTt3u3PX1ll9Fzsy1XlzeuMM12t1SKMsQsZiDjM8tf0FGQoJA1HX4BclT84DTVmiZHy4fa-v0/s1600/untitled11.JPG" width="577" /></span></a></div><br /><br />Hands-on: To begin using tamper scripts, you use the --tamper followed by the script name. Inside the screenshot, we have used the charencode command.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiilQx8DOaaoNBB1aX4Eto1gPHPEfX8PpjE3ExIOOgvqx70nGdM6AwNt2aNdywtpUccg2X2kkbn0rY4ccyv3iPwGdzpBJDxoKR1-6TEjn8W4Aj7ulAR0VQ5kF2uJLz3KWDnC57lV2_Zyf8/s1600/untitled12.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiilQx8DOaaoNBB1aX4Eto1gPHPEfX8PpjE3ExIOOgvqx70nGdM6AwNt2aNdywtpUccg2X2kkbn0rY4ccyv3iPwGdzpBJDxoKR1-6TEjn8W4Aj7ulAR0VQ5kF2uJLz3KWDnC57lV2_Zyf8/s1600/untitled12.JPG" width="577" /></span></a></div><br /><br /><b>Summary of charencode.py</b><br /><b><br /></b>Quite simply, this script is useful for ignoring very weak web application firewalls (WAF) …<br />Another interesting function url-decode the request before processing it through their set of rules (:<br />The web server will anyway go to url-decoded back version, concluding, it should work against any DBMS.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMBn8Idp8ftqzXuliAPgs62b9VbfDwroymkrGlvSHdSDuNPbLAWxXmo5C_vaaR5cVSWzPR5vqRep80tYTYsANb5eiLBfHCeFbKYjN0pu3M4By_3rJ3QfuJGEM9nZuviYe7L67HWMl5d9k/s1600/untitled13.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMBn8Idp8ftqzXuliAPgs62b9VbfDwroymkrGlvSHdSDuNPbLAWxXmo5C_vaaR5cVSWzPR5vqRep80tYTYsANb5eiLBfHCeFbKYjN0pu3M4By_3rJ3QfuJGEM9nZuviYe7L67HWMl5d9k/s1600/untitled13.JPG" width="577" /></span></a></div><br /><br />Example to use:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFYlZNWAm3MzszqdThd5Et-fO9n7lx4EAf7USO_I5RJtLtDEn4oPkef_R94xLB_rFUIUd20rTxkHFOqyTckysvWopauWGJQ9W1Z6DqZ-62AjDwIyh_SgXWSdaizRuK8qzOAY6HFr0YYik/s1600/untitled14.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFYlZNWAm3MzszqdThd5Et-fO9n7lx4EAf7USO_I5RJtLtDEn4oPkef_R94xLB_rFUIUd20rTxkHFOqyTckysvWopauWGJQ9W1Z6DqZ-62AjDwIyh_SgXWSdaizRuK8qzOAY6HFr0YYik/s1600/untitled14.JPG" width="577" /></span></a></div><br /><br />Another great script is the <b>charunicodeencode.py, </b>during my penetration tests this particular script has really helped me in bypassing lots of firewall restrictions.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifZligeOewjEtwsG5uz3NYOxEr1mMGpDKm6HEqNBgkoj2fNG-RNke54DQ1ItS22zhbvuvwIQaD6s1OVltUEPMnm_NCnYevJJ14vaFYpIBi4TSrokkZkzRNGksqMOU0-AR6jciP-aVzHbY/s1600/untitled15.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifZligeOewjEtwsG5uz3NYOxEr1mMGpDKm6HEqNBgkoj2fNG-RNke54DQ1ItS22zhbvuvwIQaD6s1OVltUEPMnm_NCnYevJJ14vaFYpIBi4TSrokkZkzRNGksqMOU0-AR6jciP-aVzHbY/s1600/untitled15.JPG" width="577" /></span></a></div><br /><br />Guys, I have demonstrated just a few of the many tamper scripts. We highly recommend testing them out as each one can be used in different situations.<br /><br /><b>Notes: That's not a tool for "script kiddies" it is of utmost importance to make use of such a powerful tool responsibly and maturely.</b><br /><br />Caution if used in the wrong way, sqlmap generates many queries and can affect the performance of the database target, moreover strange entries and changes to the database schema are possible if the tool is not controlled and used extensively.<br /><br /><h4 style="text-align: left;">PARTLY ANONYMOUS</h4><br />Gentlemen I will demonstrate to you how to use sqlmap with The Onion Router for the protection of IP, DNS, etc... In your Linux, in the terminal type:<br />$ sudo apt-get install tor tor-geoip<br /><br />After enter the sqlmap folder and type:<br /><b>./sqlmap.py -u "http://www.targetvuln.com/index.php?cata_id=1" -b -a –tor --check-tor--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"</b><br /><br />The argument --tor invokes the Tor to be used and the --check-tor checks if Tor is being used properly, if not, you will receive an error message in red at the terminal. The User Agent is the googlebot, all your requests on the site will look like the Google bot doing a little visit.<br /><br />TOR at SQLMap, we can set your TOR proxy for hiding the source from where the traffic or request is generated.<br /><br /><b>–tor-port, –tor-type</b> :  the parameter can help you out to set the TOR proxy manually.<br />–check-tor : the parameter will check if the tor setup is appropriate and functional.<br /><br /><h4>CONCLUSION</h4><br />It is known that many targets have been explored through SQL Injection a few years ago when this threat was discovered, the injection form was "the nail". The pentester had to construct the SQL queries manually.<br /><br />Then came the development of programs that automated attack. Nowadays perhaps the best known of these programs is sqlmap.py. SQLMAP is a program of open source testing framework written in Python. It has full support for database systems: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and also supports 6 types of SQL Injection techniques.<br /><br /><h4 style="text-align: left;">SOLUTION</h4><br /><b>1.</b><span class="Apple-tab-span" style="white-space: pre;"> </span>Correct the SQL server regularly.<br /><b>2.</b><span class="Apple-tab-span" style="white-space: pre;"> </span>Limit the use of dynamic queries.<br /><b>3.</b><span class="Apple-tab-span" style="white-space: pre;"> </span>Escape input data from users.<br /><b>4.</b><span class="Apple-tab-span" style="white-space: pre;"> </span>Stores the credentials of the database in a separate file.<br /><b>5.<span class="Apple-tab-span" style="white-space: pre;"> </span></b>Use the principle of least privilege.<br /><b>6. </b>Use prepared statements<br /><br />A Big hug for my dear brother Rafay Baloch and all followers of the RHA.<br /><br /></div><h4 style="text-align: left;">ABOUT THE AUTHOR:</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW20uw8T8ysccUKPby8pUltzOvGP9SFROKU-o2mqHEuxLw9FUwB3OsaAAr535b818hL9f3KxihgWtIlfaPNaruznzRxx3X9NVNlCf8tFj19pIEDs2NMnIO2nT2U4oBsNSY23ZIVvbJfVZo/s200/desouze.jpg" /></a></div><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">This is a guest post written by , </span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">RAFAEL FONTES SOUZA</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">. He is the maintainer of the “</span><b style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">Project Backtrack Team Brazilian</b><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">”, He works at </span><a href="http://services.rafayhackingarticles.net/" style="background-color: white; color: #666666; font-family: Verdana; font-size: 12px; line-height: 19.1875px; text-decoration: none;" target="_blank">RHAinfosec </a><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 12px; line-height: 19.1875px;">as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. </span></div>

Introduction To SQLmap And Firewall Bypassing

ABSTRACT Most cyber-attacks in the world that involve websites occurs due to lack of updates and the failure to validate the user input. Sta...

+ Read more »