Encode your SQL injection attacks

October 30th, 2015

Encoding SQL injection attacks is nothing new and automated tools like SQLmap will more than likely find flaws via this method.  That being said I was combing through some of my old docs and found what I think is a decent explanation how this type of attack leads to SQL injection.

I’ll be demonstrating this on an app called GetBoo that is installed on the OWASP broken web app project so feel free to download the virtual image they provide and begin playing with GetBoo and other similar broken applications.  Inside GetBoo we look for some SQL injection, unauthenticated vulnerabilities are always best if you can find them. Going to the home page of GetBoo we see there are comments posted to a bookmark. Hovering over the comment link and also clicking on the comment link takes us to http://172.16.114.218/getboo/comment.php?bID=2, keep in mind your IP address will be different. In Burp let’s send this request to repeater so that we can analyze if the bID parameter is vulnerable to SQL injection. First thing we’ll want to do is throw in the classic single quote, doing this responds back with a 500 server error.

getboo1

This does not mean the application is vulnerable to SQL injection but it is an indicator that the application can’t handle the single quote without failure. Let’s look at a request that handles the single quote just fine, at the home page you can click on “Popular Tags”, after that click on sort by “Popularity”. Send that request to repeater in Burp and instead of “popularity” for the sort parameter place a single quote in for the value of sort. You will notice that the application handles the request just fine with a 200 OK status.

getboo2

The other classic SQL injection string ‘ or 1=1 also gives us a 500 error, most of those classic ‘ or 1=1 attacks are followed by a – which is a comment in Microsoft SQL server. In this example we’re running MySQL so if we wanted to follow it up with a commend it would look like ‘ or 1=1#.

getboo3

Still getting a 500 error. Let’s try another technique which is to finish out or complete the request with a single or double quote after a valid parameter value.

getboo4

So finishing off the request with a single quote and appending the and 1=1 still results in the same error. You can try the same attack without the single quote to see the affect as well.

getboo5

Just because we get a 200 OK doesn’t mean that our SQL injection was successful, if you put other meaningless data besides 1=1 you may not notice a change.

getboo6

getboo7

Here we see it doesn’t matter what we append after a valid value for the bID parameter because the application is simply ignoring anything after, so this isn’t going to lead us down the path to SQL injection at least for this particular parameter so somehow we need to focus on finishing off the query with either the single quote or another technique.

With GetBoo installed locally you can gain access to the Mysql database logs which is extremely helpful when trying to debug a successful SQL injection attack of course in the real world this is unlikely to happen but if you want to perform better testing on your application then giving application testers access will go a long way.

Let’s go back to our single quote attack and see the output from the database query.

140805 3:31:05 750 Connect getboo@localhost on getboo
750 Query SELECT config_name, config_value FROM configs
750 Query select title from favourites where id='2''
750 Quit

Here we see that it is keeping the request as we sent it. In this case if the attack string bID=2’ and 1=1 is sent you get the same output from the Mysql database logs, this means the application is discarding anything after the single quote. One way of getting around that may be to encode your attack string. This time we will URL encode our attack string, so instead of the request being bID=2’ and 1=1 it will now be bID=2 %27%20%61%6e%64%20%31%3d%31. Once we run that the following shows up in the Mysql logs.

140805 3:43:25 755 Connect getboo@localhost on getboo
755 Query SELECT config_name, config_value FROM configs
755 Query select title from favourites where id='2' and 1=1'
755 Quit

Encoding the attack made all the difference although we still get a 500 error when making the request so we’ll need keep hammering away.

getboo8

Not all is lost though because notice in the Mysql output that a single quote is appended on the 1=1 even though we didn’t specify a single quote at the end of the attack. So instead of using numeric values we need to use strings and quote those strings but leave off the final quote as the application will put that in place for us. So in this case we can use the attack string bID=2’ and ‘blah’=’blah and the URL encoded value is bID= %32%27%20%61%6e%64%20%27%62%6c%61%68%27%3d%27%62%6c%61%68.

getboo9

Great success we were able to get a meaningful 200 response to our attacks. In the output from Mysql we can see that it properly parsed our attack as a valid SQL statement.

140805 4:03:19 765 Connect getboo@localhost on getboo
765 Query SELECT config_name, config_value FROM configs
765 Query select title from favourites where id='2' and 'blah'='blah'
765 Query select b_id from tags_books where b_id='2' and 'blah'='blah'
765 Query select title from favourites where id='2' and 'blah'='blah'
765 Query select b.ADD_DATE AS formatted_time, id, title, url, description, name from favourites b, tags_added ta where (b.id = ta.b_id and b.id = '2' and 'blah'='blah')
765 Query select title from tags t, tags_books tb where (t.id=tb.t_id and tb.b_id = '2')
765 Query select title from comments where bid='2'
765 Query select title, comment, author, date from comments where bid='2' and 'blah'='blah'
765 Query SELECT t.title, count(tb.t_id) as amount from tags_books tb, tags t, favourites f where t.id = tb.t_id and tb.b_id = f.id and f.name = 'user' group by tb.t_id, t.title order by amount desc LIMIT 0, 35
765 Quit

Now that we confirmed that we’re actually making proper database requests we can begin to pilfer the contents of the database.

Defeating MDM: Enrolling a jailbroken device into a mobile device management system

May 1st, 2015

TLDR:  I was able to enroll a jail broken device on a “major” MDM provider.  Any vendor that says they can prevent jailbroken devices from enrolling in a MDM solution is not being 100% honest.  Any resourceful person can get around jailbreak detections.  Because of the client side nature of this problem it’s very difficult to control the end user, as always it’s a cat and mouse game.

MDM or mobile device management is a way for organizations to control, push configurations, set policies, monitor, etc on phones and tablets.  Mobile operating systems today offer some MDM capabilities but the reason why MDM solutions are popping out of the woodwork is that there are features lacking especially in iPhone / iOS and Android.  Google has recently come out with Android for Work (AFW) which looks to close the gap and add a lot of MDM capabilities which will greatly help organizations adopt the Android platform, especially in a BYOD environment.  With that intro out of the way let’s get to how one can break MDM.

This will focus on iOS.  Enrolling a jailbroken device can very from quite simple to reversing the MDM app on how it checks for jailbreak detection.  I got enrolled a jailbroken device via the simple method.  Joe Demesy and the guys at BishopFox did all the hard work and created an app, named iSpy, to make all of this easier.  Follow the instructions on how to get everything setup and once done you will be able to perform actions such as code injection, runtime modification, debugging, disable SSL certificate pinning, and bypassing jailbreak detection.  Once installed go to Settings > iSpy and there you can enable “Bypass Common JailBreak Checks”, click on the screen shot below for the full size image.

iSpy

To get around this “major” commercial MDM vendor jailbreak detection all I had to do was enable the feature inside of iSpy.  You will also have to enable “Inject iSpy into Apps” for the MDM mobile app.  Next open up the MDM app and you should briefly see in the top left of the app that iSpy is successfully injected into the app.  Below is an example of iSpy injected into OneNote.

OneNote

After I did these two steps I was able to successfully enroll my jailbroken device inside the commercial MDM solution.  The purpose of MDM’s blocking jailbroken devices is that they have full root access to the device which allows an attacker or malicious user to modify the intentional features of a MDM solution.  So allowing a jailbroken device is somewhat of a big deal as you don’t have the same protections as you would with a non-jailbroken device.

Especially in iOS this cat and mouse game of jailbreak detection will continue.  Anytime you have a MDM iOS app the only thing it can do is what’s allowed by the iOS framework which is somewhat limiting.  Also a jailbroken device can inject itself into the mobile MDM app and modify it to trick the MDM app that it isn’t jailbroken.  So there you go, thanks to Joe Demesy and others it’s that simple to get around a MDM solution.

For reference below are some links on techniques MDM vendors use to detect a jailbroken device which in turn attackers will try and get around.

https://www.trustwave.com/Resources/SpiderLabs-Blog/Jailbreak-Detection-Methods/

https://reverse.put.as/2013/06/30/gone-in-59-seconds-tips-and-tricks-to-bypass-appminders-jailbreak-detection/

http://resources.infosecinstitute.com/ios-application-security-part-23-jailbreak-detection-evasion/

http://www.bishopfox.com/news/2014/09/misti-itac-2014-mobile-application-security-testing-code-review/

iPhone: quick process to check for local files of interest

March 31st, 2015
  1. Plug iPhone or iPad into Mac
  2. User iExplorer or iFunbox to explore file system of apps
  3. Export relevant directories to local box (Usually Library and *.app)
  4. Search for files of interest
find . -name "*.db"

find . -name "*.plist"

find . -name "*.sql*"

Search inside the files for items of interest

find . -type f -exec grep -l -i "password" {} +

iExplorer can open plist in quick view

You can open databases with Sqlite browser

One can read cookie with BinaryCookieReader.py

Metasploit set rhosts file

January 31st, 2015

Just a quick tip I don’t see documented a bunch of places, when you want to feed metasploit a list of targets in a file you need to use the following syntax.

set rhosts file:/path/to/file

Below is a screenshot for context.

metasploit set rhosts file

Brute force MySQL with Nmap

December 24th, 2014

Just a quick one liner, you can also incorporate this into a huge sweep of the network which will hopefully identify MySQL databases with weak or default credentials.

nmap -p 3306 10.10.10.10 --script mysql-brute --script-args userdb=user.txt,passdb=pass.txt