So we're going to start the topic, Lance from 801. With that, he's going to be talking about his SQL injection. Nemus: Thank you, my name is Lance, I also go by the handle Nemus. I'm from the local DEF CON group from Salt Lake City, Utah, DC801. If you want to chat with us during the day, I help with the hackerspace in downtown Salt Lake, I plan events, things like that. My hobbies: during the day I write software for payment solutions, I code in PHP and Python mostly, I also do C, and basically just the whole gamut of programming languages. Also, if you are interested in listening to me more, I'm part of the Web Security Podcast, it's a new podcast we're putting together for people who are interested in security.
It's mostly focused toward web developers and focuses on introductory security-related topics. All right. Quick disclaimer: I'm not responsible for anything you do with what I teach you. [laughter] That's on you. I am not a lawyer, I cannot tell you what is legal and what is not legal. That's what lawyers are for. All right. Prereqs: this is a 101 talk, so it's geared towards beginners, but you do need to understand basic Linux operating systems and basic PHP coding techniques. Basically, you need to understand how to set up a LAMP server, get PHP working on it, and write PHP code, not a lot, just a little bit. I wrote this talk geared towards beginning PHP developers, so they can learn the basics of PHP SQL injection security. If you are looking to get into coding or just want to learn more about SQL injection, you can study up a little bit and come back to this talk.
So if you don't have the prereqs, well, you will have a lot of fun coming back to it later. So why do we study attacks, right? You hear the best defense is a good offense, right? But we can't attack other systems, we can't go out and defend against the world; it's basically the world against us. We want to have our code visible and available to our users, and our clients, and basically the world. That's the way the apps work: you set up an application and want as many customers as you can find, but the only way to secure it is to understand how it's attacked. You will be able to understand your weaknesses and find good solutions to mitigate those issues. So, basics of SQL injection: what causes SQL injection? Any time you have one programming language, or you have one language writing code, or writing executable instructions for another language, you are going to have an injection flaw. It's inherent, it's the nature of the beast. In this case, we're going to focus on PHP writing SQL injection queries. If you have two, PHP writing PHP, which I will talk about when going over web shells, you are going to have an injection problem. With that, you have to validate user input and you have to make sure that you are programming queries correctly; otherwise, the user will be able to manipulate the string generated by the middleware and execute the code on the second layer.
In this scenario, I'm going to walk you through some PHP code. I posted it on the slide, very simple, broke it down, I tried to make it very concise so you can see here's where the vulnerability is, and use it to debug why your PHP is not working. Then once we're finished with that, we're going to explore ways of uploading code and taking advantage of the server. So this is a basic lab setup; we'll go over this real quick, you can come back to this later. I design my talks as a lab, so later if you want to come through and learn something, you can work through it.
So we're going to use curl. Curl is going to do our PHP requests, it's going to format them. I like the command line; there is also ZAP and Burp Suite, I don't have time to go over these tools, but they do basically the same thing. We need something to help us craft the PHP request so we're not hand coding it each time. So this is my simple curl test script: we're taking parameters from the command line and feeding them to the variable id, to the GET script. The command there is a GET curl, one PHP request URL, and we will have it do data URL encoding, which is how we want the input formatted, so all of your attacks will be formatted correctly and won't have issues with spacing and special characters.
So when we're attacking LAMP, we have to think about the architecture. Most basic LAMP applications are going to start off on a single system; then the application is running on a single server and the data is running on another. In most cases it will be running on the same server, which makes it easier for attacking: once we know we have found a vulnerability, we can leverage the database on one server, working with one system. It's more complicated when you get to an enterprise solution. So here we see we have a load balancer, database clusters; if I run a database injection attack, I might run against the first, second, or third server, and I won't know where my code is executed. Keep this in mind: you might have a vulnerability, or be doing something with the operating system; if you are attacking the PHP code, you have to figure out which server is in the loop. So if you have a SQL injection query and are writing and uploading shells, you could be pushing the shells to each one of the databases, and you have to figure out how to execute that code or the web shells on the different web servers. Here's a test database, it's a simple orders database with columns. We will create another database with users and put some users in there.
Using MD5 hashes. Here's our vulnerable simple code. At the top I show the request as the server sees it. I have designed this to be what I would interpret would be out there when people first start writing PHP code, the easiest thing: they connect to the MySQL database, just to get it running. We have code to check to see if the connection fails, then we run the query, then we have the vulnerability, which is that we're concatenating the string. Because we're taking two strings and concatenating them, and not filtering the user input, we have created a SQL injection problem that will allow a user to take advantage of our database, which we did not intend. So how does the attacker test for the SQL injection? Before we do anything, we want to verify that the injection exists. In this presentation I will focus on blind SQL injection; I think for the most part people have been turning off error reporting, which is a good thing, but makes SQL injection more difficult. Non-blind errors are printed to the screen; you can use those for what you need to do to build your query.
So there are three different types of SQL injection attacks. What you are going to be doing is manipulating the strings, the numeric values, or doing evaluation. The classic example is where you take advantage of the login: we know that the user is a valid user on the web application. So like I said, we will be doing numeric injection. Here's the first test to the GET curl script that will pass the id forward: then we're going to do select orders for order number 1 AND 1, and we get the first result; we do it again with 1 AND 0, and we get no results. What the AND is doing is a binary evaluation: if it's 1 AND 1, it's true, so one, so return the first result; if it's 1 AND 0, that's 0, so it looks for the 0 result, and there is no data there. So with this we can say it seems like there could be a possible SQL injection vulnerability. To do further testing, we do 1 AND true.
True will be evaluated as one, and 1 AND 1 comes back as one, we get the first record; 1 AND false, false is 0, and it comes back with the record. Do the same with minus: if it's minus one, minus true, we see the results; we don't, 0 records. Then the dead giveaway is if we can use multiplication against the SQL database, we know we have an injection flaw. We do one times three, and on the third record, we know it exists. I don't have the third record displayed there, you don't see it. If we got the first result back, we know, okay, this probably is not a SQL injection within this code. Now that we verified the injection exists, we need to verify it's running a LAMP stack. We need to figure out what the web application is running so we can attack it, so we're going to fingerprint the server by looking at web requests and figure out our architecture, so we can craft our queries.
The easiest thing you can do is curl -v and look at the headers; that will tell you a lot about the application and the middleware, and the Apache... or web application, sorry, the web server. It will tell you the web server and the possible middleware code that is running. These are the ones you can turn off, so it makes it harder to guess what is going on in the architecture. Here we're blindly telling people I'm running Apache on CentOS, and the operating system, and the server. nmap identifies it as Apache, and CentOS; we do the OS fingerprinting: Apache, CentOS. Another thing we can do is use signatures to identify web servers. Here we run the command against the server on port 80; it tells us a probability score, 76 confidence, that this is an Apache web server, so we can say with confidence that the web server is running Apache, and we know what we're going up against. Next, we need to identify the database. So we have identified we're running the Linux operating system and we're running Apache as the web server; next we're going to identify what the database version is, or, you know, determine if it's MySQL, PostgreSQL, or other stuff out there.
You can guess with a probability that they're running MySQL on the back end. To do this, we're going to use a UNION SELECT poisoning query: we will take the original query that the developer wrote, mirror it with our own code, and match those up so the result set is returned together. So what you do is write a SELECT id, do UNION SELECT, then you've got to figure out how many columns are in that query so that the UNION will match the original query.
So you start with one, and you enumerate 2, 3, 4, 5; once you get a valid result back, you then know how many parameters need to be in that UNION SELECT so it matches the original query's column count. So here we have our UNION SELECT. I used NULLs; you can use 1's. You basically want to avoid things that use special characters, so it can get past filters and other things. That's a more complicated subject, bypassing web filters; just keep in mind, don't use ticks, use pretty safe SQL queries. Here we're using the UNION SELECT with the original query and matching it up, so in the last column we're going to have the database version, which is 5.540.
So next, what we're going to do is use the CONCAT function in SQL, which is different between all of the different databases. MySQL and Oracle are similar, so we need to identify that it is a MySQL database, not an Oracle database. Here we do dot one dot one dot one with ticks, and when we get back here the line where the merge merges the query, the a.b., we know it worked. We don't get results, it returned 0, so we're fairly certain we have a MySQL database on the back end. At this point we have the version number, and all of that version seems to correlate to MySQL.
We have a good understanding of what we're up against. Now we can start pulling data from the architecture. So at this point you have the SELECT statement; we're going to try and get as much data as we possibly can out of the database. Your attacker may select items, usernames and passwords, at this point; I will show you how your data will be stolen out of your database just from this one flaw. So the first thing we're going to do is enumerate the users of the MySQL database, not the application or the program. This is the database that maintains access to the connections to the database. So we're going to use a UNION SELECT: we're going to select host, user, password, then NULL out the rest, from mysql.user. So if the credentials set up on the PHP are root, we will have access to this database.
If they secured their credentials, we don't have access to the table. You can see here I was able to determine the localhost has a connection, user, then a password hash from the database; here we get the hostname from the user select. If you need to have more data in your UNION SELECT than the column count has, you can use CONCAT to get more columns from different tables into one column, and get that returned with the UNION. Another interesting thing: you can use the UUID function to get the MAC address. I did verify this; I didn't know if it works on all architectures. The first or last part is the UUID, that is useful for attacking the... the database is connected to. Then with this command here, you can see it gets complicated; this dumps all of the tables and columns from the MySQL database that it has access to, there is more information there. Then we see we have our output, we have the order details, order number; it tells us the column names, so we can go through this and see where the interesting points of data might be. Next what we will do is pull all of the users from the web application. This is usually a table called logins or users, something like that, in the web application itself; it's going to contain a clear text password or a salted hash password. We will pull that data and get users to log into the web application. So we do that by just doing UNION SELECT and pulling that information from this login table we had earlier. Now that we have hashes and usernames, one thing we can do to attack this web application is crack these hashes. Before you can do that, you need to identify what these hashes are.
And one cool tool you can use to do that is hashid. hashid is running in Python 3, so you will need to set up a Python 3 environment to identify the hashes. Just a quick thing on password hashing: don't use MD5, right? Easy, reversible, it's been around forever, the guy who wrote it said stop using it. To this day, I still find MD5 hashes. If you can, use password_hash; it's a PHP function, and in the newer versions of PHP it will be included by default. If you are running an older version, you can use phpass, with crypt, and it will salt the password for you, and takes the difficulty out of it. We used the same password twice and generated a new hash each time. If you are interested in password hashing or cracking, you can reference this information: hashcat is pretty good, John the Ripper is great.
SQLmap, which I will talk about a little bit later, has a password cracker in itself. Just a touch on rainbow tables: they're like password crackers, but they're stored in the database so you are not generating a new hash each time to compare it against. You want to use a combination of both password cracking and rainbow tables when testing the security of your hashes. Quick example: I ran MD5s through hashcat with GPUs; reminder, with four GPUs, I was able to get the passwords from the rockyou list within 2 or 3 minutes. All right, now for more interesting stuff: we attacked the database, now what we're going to do is attack the operating system of the database. We are going to do that by looking at files on that system.
So going back to our architecture, if the database and server are sitting on the same system, you might be able to look at the code files on the system using your SQL injection technique. By doing this, I load the file, then use UNION SELECT to push that file out, and I can view, hey, here's the username and password for the database, and I've just gotten credentials that way. So this goes back to your web server setup. Nothing is working, right? You add 777, right? [laughter] Get it to work. This is why you don't want to do that: if that's 777, the MySQL user can touch that, and if there is a SQL injection vulnerability, I can overwrite that, which I will show later. This comes down to: if you have a MySQL database and web application running on the same server, you want to make sure that the web application is not running with the same privileges as the database; you want them in completely separated, isolated environments. The default setup does appear to have that separation, but a lot of times administrators will push everything as root users, then everything can touch and cross-contaminate, and you can modify files.
So here, this is my attack against the operating system, and by default I was able to pull /etc/passwd as the MySQL database user. I got a list of users from the /etc/passwd file; luckily, I was not able to read the /etc/shadow file, with the passwords, from the database. That is at least secure and blind from me on a default configuration. Now I have usernames I can use for brute force or attacks against other servers. Here's interesting readable files: you can get resolv.conf, message of the day, sshd config, other places, or Apache; you can figure out how the server is configured. At this point, you will be thinking, I've got this SELECT vulnerability, so I want to modify the database; it would be much easier to rewrite the hash on the login table and then log in with a password that I already know. If you have a SQL injection and you are using UNION SELECT, I was not able to find a way to do an INSERT or UPDATE for a sub- or nested query.
That's when you have a query inside of a query, with the WHERE statement; the selected item is the query result returned from the future query. So just a little bit more about subqueries. Like I said, I wasn't able to figure it out; if someone can do that, I would be really interested in seeing your results. So Bobby Drop Tables, right? We cannot have a talk about SQL injection without Bobby Drop Tables, it's just not possible. So you are like, oh, I can modify the database just using a semicolon and then [inaudible] the query, and running another query. With the up-to-date version of the MySQL query, of PHP, I was not able to use query stacking, excuse me. So no Bobby Drop Tables; unfortunately, there is a MySQL multi_query that gives you this functionality. Why would you use it? I don't know.
The problem with PHP is it lets you do all kinds of things you probably shouldn't. Okay, some fun stuff: we're going to go on to remote code execution. At this point we've got usernames and passwords, and we'll look at how we can attack this architecture. Web shells are great. What we're going to do with web shells is demonstrate how you can use PHP code to put in a simple backdoor that will be executed by the web server, and possibly by the web server's operating system user, using web shell functions that PHP has. It is a good idea to disable these if you don't need them, and I can guarantee that you don't need them.
So we don't need exec, shell_exec. If you are running shell_exec, the only real example is if you are writing code for Netgear or something like that, or one of those small home office networking appliances with operating system code. To do that, you need to make sure you are properly escaping, or you have injection problems; as an attacker, we can take advantage of this function to run code on this operating system. eval. I hate eval. Don't use it, PHP coders, please don't use eval.
I can't think of a reason to do it. What eval does is take a string of code and execute it, so you can write PHP code that executes PHP code. I have seen weird stuff; I have seen developers put PHP code from strings in the database and execute it. Don't use eval. I can't stress this enough: disable it, get rid of it. One of the more hidden ones is assert; it does the same thing, but it's used by developers to test code, to make sure operations are running correctly and their conditions are what they expect them to be. So you've got to make sure, if you are using assert, that you are doing it directly, and you are not providing user input into the assert that isn't sanitized or clean. We have create_function.
It's great: it takes a string of code and turns it into a function you can call later. Then using dynamic variables in PHP, we can call any function in the code. Another couple of dangerous functions is include. By default, you can start PHP code on a remote server if you have access to the function by dynamic variable code, remotely, so it's a good idea to disable that function.
We're going to call system, pass in a GET parameter called command, call the URL by curl or the web browser, pass the command ls, and get the output, and see these files; shell.php is on the server. We can use a PHP eval to run PHP commands, and make a little bit more discreet backdoor by running preg_replace. It looks pretty benign. You are looking for the code; preg_replace, you can sneak that in there, past your review, to get past your code review. I don't have time to go into super detail about shells, but Irongeek has web shells for pretty much any architecture you can think of.
So remote code execution: there exist multiple avenues of attack we can attempt. First, we will upload the PHP script by the MySQL write function; if it has chmod... files, I can overwrite the file on the web server on the system. Second, I can upload code using a feature: if the web application has a file or picture upload, I can take a picture and see if I can get it to pass through the file upload, and later execute it through the URL. Third is a last-ditch effort, a social engineering attack.
I will talk about wildcard poisoning. This is a vulnerability feature; it's been in Linux for a very long time, it's been on the Full Disclosure list, which is where I found it. Basically, it takes advantage of the Linux star commands to run commands; it's kind of an injection attack itself. So, writing files. Here we're going to use INTO OUTFILE, which is going to take our PHP code and push it to /tmp. I know by default most applications can write to /tmp, so I look at the query, run it, see it. There it is. If I'm looking for write points, I can look at temp, cache, images, files, and basically enumerate the web application for weak permissions, files writable by MySQL. This is the default. These are the only ones of interest I could find. So default install. It's kind of secure in the fact that the MySQL user is a different user that doesn't have permissions on the web server. Like I said again, if the web server and database are running on the same system and they have the same permissions, at this point I can change those files.
Like I said, this is what I talked about earlier; here's more detail. A Black Hat presentation done a couple of years ago has more detail on remote code... excuse me, remote file uploading, an application feature. What we're going to do: if filtered, we will upload a PHP file. If not, we will try to manipulate a PHP file so it can be uploaded.
Here's an example of vulnerable code. All it does is take files, turn them over to the user, and upload them. So that's one way. There are other examples you can look at there and dig deeper, getting past filters, stuff like that, that is a little bit more advanced. If you can't write files on the web server, and you can't upload files, one thing you could try is doing a wildcard poisoning attack on the system. So if the MySQL user can write files, it can write to /var/log/mysql, so one thing you can do to attack the system is fill up the disk with the MySQL general log. (no audio) ...off the system. So using wildcard poisoning, we have the ls command, the ls -l and ls *. If I have a file on the operating system that is -l, and I do an ls *, that -l is interpreted as being passed to the ls command. We can take advantage of that. The proof of concept here is from DefenseCode; I have provided the link. What this does in this example is it takes advantage of scp, no, this takes advantage of tar; the other one is scp.
They might tar up the file; tar has a parameter that will pass it so you can execute code. You can upload file names, set them up correctly; this is something you want to test because the order is important, you want to make sure the file is in the correct order. Then the administrator comes in to scp or tar up this file, they're going to run this vulnerable code and possibly get a shell or access to the system. Here's the scp example, that uses the -o option to run a script. So a little bit about reverse shells: last year I did a DEF CON talk about intro to backdoors; we talked about shells, and netcat, stuff like that, if you are interested. This is a basic PHP reverse shell taken from pentestmonkey.net; you can do a php -r and get remote code on the system, you can set up netcat on the listener, bam, you've got commands you can run. All right, so what we have seen from this is that through just a simple vulnerability, somebody barely learning PHP code has completely left their system unsecured; we were able to steal a lot of data, we were able to take advantage of the system, and possibly gain control of the system. Just a little bit of recap: the /etc/passwd... you have a good understanding of injection. A lot of this is built into the SQLmap tool; with this you can run the queries and run the tool better. I encourage you to get in there, run SQLmap and learn how it works. Here's injection resources too, if you are interested.
Another thing you might want to research too is privilege escalation. By default on these systems, the Apache service and the MySQL service are not running with root privileges; if you want to get full access to the system, you will need to do privilege escalation. Here's examples of PHP secure code. If you want to write secure PHP code: filter input; PHP has a great filter_input library. Just set your variable length when you are taking it in; one thing you can do to limit the damage, if you have a string that is not supposed to be more than a certain number of characters, cut it off.
MySQL has user-defined functions; this is pretty cool if you want to get into advanced stuff to take advantage of the MySQL system. Here's some security guides on how to harden your LAMP stack. Then for some code review and analysis, here's free tools: the RIPS scanner is kind of old, but gives you an insight into where you might have vulnerabilities in your PHP code. Here's my credits: icons from Icon Archive, and the background is from PPT Backgrounds. Thank you. [applause]
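The following is an added example and is not code from the talk or its slides. It puts the concatenation flaw the speaker describes next to the hardened form he recommends at the end (filter_input-style validation, a length cut-off, password_hash instead of MD5), using mysqli prepared statements. The schema (an orders table with id and details, a users table with username and password), the database credentials and the parameter name are all assumed for illustration.

```php
<?php
// Added example, not from the talk. Assumed schema: orders(id, details),
// users(username, password). Credentials below are placeholders for a lab.

// --- The vulnerable pattern from the talk: input concatenated into the SQL. ---
// ?id=1 AND 1 returns the first order, ?id=1 AND 0 returns nothing; that
// difference in behaviour is exactly the blind probe the talk walks through.
function vulnerable_lookup(mysqli $db, string $raw_id): ?array
{
    $sql = "SELECT id, details FROM orders WHERE id = " . $raw_id;
    $result = $db->query($sql);            // attacker controls the WHERE clause
    $row = $result ? $result->fetch_assoc() : null;
    return is_array($row) ? $row : null;
}

// --- Hardened pattern: validate the type first, then bind the value. ---
// Probes such as "1 AND 1", "1*3", "-1" or "1 UNION SELECT ..." are rejected
// by the validator, so no SQL is ever built from them.
function validate_order_id(?string $raw_id): ?int
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function safe_lookup(mysqli $db, ?string $raw_id): ?array
{
    $id = validate_order_id($raw_id);
    if ($id === null) {
        http_response_code(400);            // reject, don't try to "clean" it
        return null;
    }
    // The value travels separately from the query text, so the SQL parser never
    // sees it as SQL: no UNION column-count game, no CONCAT fingerprinting.
    $stmt = $db->prepare("SELECT id, details FROM orders WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return is_array($row) ? $row : null;
}

// --- Login: cut over-long input, bind it, and store password_hash, not md5. ---
function register_user(mysqli $db, string $username, string $password): bool
{
    $username = substr($username, 0, 64);        // length limit, as the talk suggests
    $hash = password_hash($password, PASSWORD_DEFAULT);   // salted, slow, self-describing
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->bind_param('ss', $username, $hash);  // bind_param needs variables, not expressions
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function login_user(mysqli $db, string $username, string $password): bool
{
    $username = substr($username, 0, 64);
    $stmt = $db->prepare("SELECT password FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!is_array($row)) {
        return false;
    }
    // password_verify reads the algorithm, cost and salt out of the stored hash.
    return password_verify($password, $row['password']);
}

// --- Usage (constructed; point it at your own lab database). ---
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw instead of silently failing
$db = new mysqli('127.0.0.1', 'webapp', 'PLACEHOLDER-PASSWORD', 'shop');
$db->set_charset('utf8mb4');

header('Content-Type: application/json');
echo json_encode(safe_lookup($db, $_GET['id'] ?? null));
```

Two points from the talk carry over into how this is deployed. First, the account the PHP code connects with should be a dedicated one with only the privileges the application needs on its own schema, never root, and never with the FILE privilege, so that even a missed injection cannot read mysql.user, /etc/passwd or write INTO OUTFILE. Second, mysqli_multi_query is deliberately absent: the single-statement API is what keeps the semicolon-stacked "Bobby Tables" query from running.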
It's mostly focused toward web developers and focuses on introduction security-related topics. All right. Quick disclaimer: I'm not responsible for anything you do with what I teach you. [laughter] That's you. I am not a lawyer, I can not tell you what is legal and what is not legal. That's what lawyers are for. All right. Prereqs, this is a 101 talk, so it's geared towards beginners, but you do need to understand basic Linux operating systems, basic php coding techniques, basically, you need to understand how to set up a lamp server, and get php working on it, and write php code, not a lot, just a little bit. I wrote this talk, it's geared towards, beginning php developers, so they can learn the basics, of php SQL injection security. If you are looking to get into coding or just want to learn more about SQL injection you can study up a little bit and come back to this talk.
So you don't have the prereqs, well, you will have a lot of fun coming back to it later. So why do we study atax, right? You hear the best defense is a good offense, right? But we can't attack other systems, we can't go out and defend against the world, it's basic lie, the world against us, we want to have our code visible and available to our users, and our clients, and basically the world, that's the way, the apps work, you set up an app application, and want as many customers as you can find, but the only way to secure it is understand how it's attacked, you will be able to understand your weaknesses, and find good solutions to mitigate those issues. So, basics of SQL injection what causes SQL injection? Any time you have one programming language, or you have one language writing code, or writing executable instructions for another language, are you going to have an injection flaw, it's inherit, it's the nature of the beast, in this case, we're going to focus on writing php writing SQL injection queries, if you have two, php writing php, which I will talk about going over web shells, are you going to have an injection problem, with that, you have to validate user input and you have to make sure that you are programming queries correctly, otherwise, the user will be able to manipulate the string generated by the metal wear and execute the code on the second layer.
In this scenario, I'm going to walk you through some php code, I posted it on the slide, very simple, broke it down, I tried to make it very concise so you can see, here's where the vulnerability and use it to debug why your php is not working -- then once we're finished with that, we're going to explore ways of uploading code and taking advantage of the server. So this is a basic lab set up, will you go over this real quick, you can back to this later, design my talks as a lab, so later if you want to come through and learn something and work through it.
So we're going to use curl. Curl is going to do our php requests, it's going to format -- I like command line, there is also zed, and burp suite, I don't have time to go over these steps, but they do basically the same thing, we need something to help us craft the php request so we're not hand coding it each time. So this is my simple curl test script, we're taking parameters, from the command line and feeding it to the variable, id, to the get script. The command there is git curl, one php request url, we will have it do data url encoding, which is how we wanted input formatted, so all of your tax, will be formatted correctly, and won't have issues of spacing, and special characters.
So when we're attacking lamp, we have to think about the architecture, most basic lamp applications, are going to start off on a single system, then the application is running on a single server, then the data running on another, in most cases, it will be running on the same server, this makes it easier for attacking, once we know we have found a vulnerability we can leverage the database or one server, and working with one system. It's more complicated when you get to an enterprise solution, so this, we see we have low bouncer, database clusters, if I run a data base, injection attack, I might run against the first, second, or third server, and I won't know where my code is executed, keep this in mind, you might have a vulnerability, or doing something with the operating system, if you are attacking the php code, you have to figure out which server is in the loop -- so if you have a SQL injection query and writing uploading shells, kit be pushing the shells to each one of the databases, and you have to figure out how to execute that code or the web shells on the different web servers, here's a test database, it's a simple orders database, with columns, we will create another database, with users, and put some users in there.
Using md5 hashes, here's our vulnerable simple code, at the top, I show the request as the server sees it, I have designed this to be what I would interpret would be out there when people first start writing php code, the easiest thing, they connect to my SQL injection database loop, just to get it running, we have code to check to see if the connection fails, then we run the query then we have the vulnerability, is that we're concatenating, the string, because we're taking two strings, and concatenating them, and not filtering the user input we have created a SQL injection problem, that will allow a user to take advantage of our database, which we did not attend. So how does the attacker, attest for the SQL injection? First we do anything, we want to verify that the injection exists, in this presentation, I will focus on blind SQL, I think for the most part, they have been turning off error reporting, which is a good thing, but makes SQL for difficult. Non blind are printed to the screen, you can use those for what you need to do to build your query.
So there are three different types of SQL injection attacks: what you are going to be doing is manipulating the strings, the numeric values, or doing evaluation. The classic example is where you take advantage of the login -- we know that the user is a valid user on the web application. So like I said, we will be doing numeric injection. Here's the first test: the GET curl script that will pass the id forward, then we're going to do select orders for order number 1 and 1, and we get the first result; we do it again with 1 and 0, and we get no results. What the AND is doing is a binary operation: if it's 1 and 1, it's true, so one, so return the first result; if it's 1 and 0, that's 0, so look for the 0 result, and there is no data there. So with this we can say it seems like there could be a possible SQL injection vulnerability. To do further testing, we do one and true.
True will be evaluated as one, and one AND one comes back as one, so we get the first record; one and false, false is 0, and it comes back with no record. Do the same with minus: if it's minus one, minus true, we see the results; minus false, we don't, 0 records. Then the dead giveaway is if we can use multiplication against the SQL database; then we know we have an injection flaw. We do one times three, and if we get the third record, we know it exists. I don't have the third record displayed there; you don't see it. If we got the first result back, we know, okay, this probably is not a SQL injection within this code. Now that we verified the injection exists, we need to verify it's running a LAMP stack; we need to figure out what the web application is running so we can attack it. So we're going to fingerprint the server by looking at web requests and figure out our architecture, so we can craft our queries.
The easiest thing you can do is curl -v and look at the headers. That will tell you a lot about the application and the middleware, and the Apache -- or web application, sorry, the web server. It will tell you the web server and the possible middleware code that is running. These are the ones you can turn off, so it makes it harder to guess what is going on in the architecture. Here we're blindly telling people: I'm running Apache, CentOS, and the operating system and the server. nmap identifies it as Apache and CentOS; we do the OS fingerprinting: Apache, CentOS. Another thing we can do is use signatures to identify web servers. Here we run the command against the server on port 80, and it tells us a probability score, 76 confidence this is an Apache web server. We can say with confidence that the web server is running Apache, and we know what we're going up against. Next, we need to identify the database. So we have identified we're running the Linux operating system and we're running Apache as the web server. Next we're going to identify what the database version is, or, you know, determine if it's MySQL, PostgreSQL or other stuff out there.
You can guess with a probability that they're running MySQL on the back end. To do this, we're going to use a union select poisoning query: we will take the original query that the developer wrote, mirror it with our own code, and match those up so the result set is returned together. So what you do is write a select id, do union select, then you've got to figure out how many columns are in that query so that the union will match the original query.
So you start with one, and you enumerate 2, 3, 4, 5; once you get a valid result back, you then know how many parameters need to be in that union select so it matches the original query's column count. So here we have our union select. I used nulls; you can use 1's. You basically want to avoid things that use special characters, so it can get past filters and other things. That's a more complicated subject, bypassing web filters; just keep in mind, don't use ticks, use pretty safe SQL queries. Here we're using the union select with the original query and matching it up, so in the last column we're going to have the database version, which is 5.5.40.
So next, what we're going to do is use the concat function in SQL, which is different between all of the different databases; MySQL and Oracle are similar, so we need to identify that it is a MySQL database, not an Oracle database. Here we do dot one dot one dot one ticks, and when we get back here the line where the merge merges the query, the a.b., we know it worked. We don't get results, it returned 0, so we're fairly certain we have a MySQL database on the back end. At this point, we have the version number, and all of that version seems to correlate to MySQL.
We have a good understanding of what we're up against. Now we can start pulling data from the architecture. So at this point, you have the select statement; we're going to try and get as much data as we possibly can out of the database. Your attacker may select items, user names and passwords at this point; I will show you how your data will be stolen out of your database just from this one flaw. So the first thing we're going to do is enumerate the users of the MySQL database, not the application or the program. This is the database that maintains access to the connections to the database. So we're going to use a union select: we're going to select host, user, password, then null out the rest, from mysql.user. So if the credentials set up on the PHP side are root, we will have access to this database.
If they secured their credentials, we don't have access to the table. You can see here I was able to determine the localhost has a connection, a user, then a password hash from the database; here we get the host name from the user select. If you need to have more data in your union select than the column count has, you can use concat to get more columns from different tables into one column and get that returned with the union. Another interesting thing: you can use the UUID function to get the MAC address. I did verify this; I didn't know if it works on all architectures. The first or last part of the
UUID, that is useful for attacking -- the database is connected to. Then with this command here, you can see it gets complicated: this dumps all of the tables and columns from the MySQL database that it has access to; there is more information there. Then we see we have our output, we have the order details, order number; it tells us the column names, so we can go through this and see where the interesting points of data might be. Next what we will do is pull all of the users from the web application. This is usually a table called logins or users, something like that, in the web application itself, and it is going to contain a clear text password or a salted hash password. We will pull that data and get users to log into the web application. So we do that by just doing union select and pulling that information from this login table we had earlier. Now that we have hashes and user names, one thing we can do to attack this web application is crack these hashes. Before you can do that, you need to identify what these hashes are.
And one tool you can use to do that is hashid. hashid is running in Python 3, so you will need to set up a Python 3 environment to identify the hashes. Just a quick thing on password hashing: don't use MD5, right? Easy, reversible, it's been around forever, the guy who wrote it said stop using it. To this day, I still find MD5 hashes. If you can, use password_hash; it's a PHP function, and in the newer versions of PHP it will be included by default. If you are running an older version, you can use phpass with crypt, and it will salt the password for you and takes the difficulty out of it. We used the same password twice and it generated a new password each time. If you are interested in password hashing or cracking, you can reference this information; hashcat is pretty good, John the Ripper is great.
sqlmap, which I will talk about a little bit later, has a password cracker in itself. Just a touch on rainbow tables: they're like password crackers, but they're stored in the database, so you are not generating a new hash each time to compare it against. You want to use a combination of both password cracking and rainbow tables when testing the security of your hashes. Quick example: I ran MD5s through hashcat with GPUs; as a reminder, with the four GPUs I was able to get the passwords from the rockyou list within 2 or 3 minutes. All right, now for more interesting stuff. We attacked the database; now what we're going to do is attack the operating system of the database. We are going to do that by looking at files on that system.
So going back to our architecture, if the database and server are sitting on the same system, you might be able to look at the code files on the system using your SQL injection technique. By doing this, I load the file, then use union select to push that file out, and I can view: hey, here's the user name and password for the database, and I've just gotten credentials that way. So this goes back to your web server setup -- your web server setup. Nothing is working, right? You add 777, right? [laughter] Get it to work. This is why you don't want to do that: if that's 777, my MySQL user can touch that, and if there is a SQL injection vulnerability, I can overwrite that, which I will show later. This comes down to: if you have a MySQL database and web application running on the same server, you want to make sure that the web application is not running with the same privileges as the database; you want them in completely separated, isolated environments. The defaults appear to have that separation, but a lot of times administrators will push everything as root users, then everything can touch and cross-contaminate, and you can modify files.
So here, by default, this is my attack against the operating system, and by default I was able to pull /etc/passwd as the MySQL database. I got a list of users from the /etc/passwd file; luckily, I was not able to read the /etc/shadow file from the database, so the passwords are at least secure and blind from me on a default configuration. Now I have user names I can use for brute force or attacks against other servers. Here's interesting readable files: you can get resolv.conf, message of the day, sshd config, other places, or the patch; you can figure out how the server is configured. At this point, you will be thinking, I got this select vulnerability, so I want to modify the database; it would be much easier to rewrite the hash on the login table and then log in with a password that I already know. If you have a SQL injection and you are using union select, I was not able to find a way to do insert, update, for a sub and nesting query.
That's when you have a query inside of a query, with the "where" statement; the selecting item is the query result returned from the future query. So just a little bit more about subqueries. Like I said, I wasn't able to figure it out; if someone can do that, I would be really interested in seeing your results. So Bobby drop tables, right? We cannot have a talk about SQL injection without Bobby drop tables; it's just not possible. So you are like, oh, I can modify the database just using a semicolon and then [inaudible] the query and running another query. With an up-to-date version of MySQL query, of PHP, I was not able to use query stacking, excuse me. So no Bobby drop tables, unfortunately. There is a MySQL multi_query that gives you this functionality. Why would you use it? I don't know.
The problem with PHP is it lets you do all kinds of things you probably shouldn't. Okay, some fun stuff: we're going to go onto remote code execution. At this point, we've got user names and passwords, and we look at how we can attack this architecture. Web shells are great. What we're going to do with web shells is demonstrate how you can use PHP code to put in a simple backdoor that will be executed by the web server, and possibly by the web server's operating system user, using the web shell functions that PHP has. It is a good idea to disable these if you don't need them; I can guarantee that you don't need them.
So we don't need exec, shell_exec. If you are running shell_exec, the only real example is if you are writing code for NetGear or something like that, or one of those small home office networking appliances, with operating system code. To do that, you need to make sure you are properly escaping, or you have injection problems; as an attacker, we can take advantage of this function to run code on this operating system. eval. I hate eval. Don't use it, PHP coder; please don't use eval.
I can't think of a reason to do it. What eval does is take a string of code and execute it, so you can write PHP code that executes PHP code. I have seen weird stuff; I have seen developers put PHP code from strings in the database and execute it. Don't use eval. I can't stress this enough: disable it, get rid of it. One of the more hidden ones is assert; it does the same thing, but it's used by developers to test code, to make sure operations are running correctly and their conditions are what they expect them to be. So you've got to make sure, if you are using assert, that you are doing it directly and you are not providing user input into the assert that isn't sanitized or clean. Then we have create_function.
It's great: it takes a string of code and turns it into a function you can call later. Then using dynamic variables in PHP, we can call any function in the code. Another couple of dangerous functions: allow_url_include. By default, you can start PHP code on a remote server if you have access to the function by dynamic variable code remotely, so it's a good idea to disable that function.
We're going to call system, pass in a GET parameter called command; we call the URL by curl or the web browser, pass the command ls, and get the output and see these files: shell.php is on the server. We can use PHP eval to run PHP commands and do a little bit more discreet backdoor by running preg_replace. It looks pretty benign. If you are looking for the code, preg_replace, you can sneak that in there past your review, to get past your code review. I don't have time to go into super detail about shells, but Irongeek has web shells for pretty much any architecture you can think of.
So for remote code execution, there exist multiple avenues of attack we can attempt. First we will upload the PHP script by the MySQL write function; if it has chmod 777 files, I can overwrite the file on the web server on the system. Second, I can upload code using a feature: if the web application has a file or a picture upload, I can take a picture of that and see if I can get it to pass to the file and later execute it through the URL. Third is a last-ditch effort, a social engineering attack.
I will talk about wildcard poisoning. This is a vulnerability feature; it's been in Linux for a very long time, it's been on the Full Disclosure list, which is where I found it. Basically, it takes advantage of the Linux star commands to run commands; it's kind of an injection attack itself. So, writing files. Here we're going to use INTO OUTFILE, which is going to take our PHP code and push it to /tmp. I know by default most applications can write to /tmp, so I look at the query as it runs and see it. There it is. If I'm looking for write points, I can look at tmp, cap, images, files, and basically enumerate the web application for weak permissions, writable files, by MySQL. This is the default. These are the only ones of interest I could find. So, default install. It's kind of secure, in the fact that the MySQL user is a different user that doesn't have permissions on the web server. Like I said again, if the web server and database are running on the same system and they have the same permissions, at this point I can change those files.
Like I said, this is what I talked about earlier; here's more detail, about a Black Hat presentation done a couple of years ago. It's got more detail on remote code -- excuse me, remote file upload, so application feature. What we're going to do, if filtered, we will upload a PHP file. If not, we will try to manipulate a PHP file so it can be uploaded.
Here's an example of vulnerable code. All it does is take files from the user and upload them. So that's one way. There are other examples you can look at there and dig deeper, getting past filters, stuff like that; that is a little bit more advanced. If you can't write files on the web server, and you can't upload files, one thing you could try is doing a wildcard poisoning attack on the system. So if the MySQL user can write files, it can write to /var/log/mysql, so one thing you can do to attack the system is fill up the disk with the MySQL general log. (no audio) Off the system, so using wildcard poisoning, we have the ls command, ls -l and ls *. If I have a file on the operating system that is -l, and I do an ls *, that dash l is interpreted as being passed to the ls command. We can take advantage of that; the proof of concept here is from DefenseCode, I have provided the link. What this does in this example is it takes advantage of scp, no, this takes advantage of tar; the other one is scp.
They might tar up the file; tar has a parameter that will pass it, so you can execute code. You can upload file names, set them up correctly; this is something you want to test because the order is important, you want to make sure the file is in the correct order. Then the administrator comes in to scp or tar up this file, they're going to run this vulnerable code and possibly get a shell or get access to the system. Here's the scp example that uses the -o command to run a script. So a little bit about reverse shells: last year I did a Def Con talk about intro to backdoors; we talked about shells and netcat, stuff like that, if you are interested. This is a basic PHP reverse shell taken from pentestmonkey.net; you can do a php -r and get remote code on the system, you can set up netcat on the listener, bam, you've got commands you can run. All right, so what we have seen from this is that through just a simple vulnerability, somebody barely learning PHP code has completely left their system unsecured; we're able to steal a lot of data, we're able to take advantage of the system, and possibly gain control of the system. Just a little bit of a recap: the /etc/passwd -- you have a good understanding of injection. A lot of this is built into the sqlmap tool; with this you can run the queries and run the tool better. I encourage you to get in there, run sqlmap and learn how it works. Here's injection resources too, if you are interested.
Another thing you might want to research too is privilege escalation; by default on these systems, the Apache service and the MySQL service are not running with root privileges, so if you want to get full access to the system, you will need to do privilege escalation. Here's examples of PHP secure code. If you want to write secure PHP code, filter input; PHP has a great filter_input library. Just set your variable length when you are taking it in; one thing you can do to limit the damage, if you have a string that is not supposed to be more than so many characters, cut it off.
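As an added example that is not part of the talk's slides or code: the concatenated query pattern from the vulnerable code described earlier, beside a hardened version using filter_input, a length cap, mysqli prepared statements, and password_hash/password_verify for the login check. The table and column names (orders, users, password_hash) and the connection details are assumptions.

```php
<?php
// Added example, not from the talk. Table and column names are assumed.

// Make mysqli failures throw instead of silently returning false. Log the
// exception server-side; never echo database errors to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable pattern: the request value is concatenated straight into SQL.
// Probes such as "1 AND 1", "1 AND 0" or "1*3" reach the database unchanged.
function vulnerableOrderQuery(string $id): string
{
    return "SELECT id, item, total FROM orders WHERE id = " . $id;
}

// --- Hardened lookup: validate the type first, then use a prepared statement.
function hardenedOrderLookup(mysqli $db): ?array
{
    // filter_input rejects anything that is not a positive integer (false/null).
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return null; // refuse the request rather than let the database interpret it
    }
    // The query structure is fixed at prepare time; the bound value can never become SQL.
    $stmt = $db->prepare('SELECT id, item, total FROM orders WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- Registration: password_hash() salts automatically, so the same password
// produces a different hash on every call (unlike a bare MD5).
function registerUser(mysqli $db, string $username, string $password): bool
{
    $username = substr($username, 0, 64);               // cap the length on the way in
    $hash = password_hash($password, PASSWORD_DEFAULT);  // bcrypt at the time of writing
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Login: the classic "' OR 1=1" string injection cannot alter this query,
// and password_verify() reads the salt back out of the stored hash.
function hardenedLogin(mysqli $db, string $username, string $password): bool
{
    $username = substr($username, 0, 64);
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Assumed connection details; the MySQL account should be a least-privilege
// application user, not root (see the mysql.user enumeration earlier in the talk).
// $db = new mysqli('localhost', 'app_user', 'app_password', 'orders_db');
```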
MySQL has user-defined functions; this is pretty cool if you want to get into advanced stuff to take advantage of the MySQL system. Here's some security guides on how to harden your LAMP stack. Then for some code review and analysis, here's free tools; the RIPS scanner is kind of old, but it gives you an insight into where you might have vulnerabilities in your PHP code. Here's my credits: from Icon Archive, and the background is from PPT Backgrounds. Thank you. [applause]