1
00:00:02,320 --> 00:00:06,840
Before we move on to SQL injection, how can this stack be manipulated?

2
00:00:08,840 --> 00:00:13,850
The first and easiest attack scenario can rely on inserting a payload directly in the argument of a

3
00:00:13,850 --> 00:00:21,640
called function. Assume that an FTP server that we mentioned is vulnerable to buffer overflow.

4
00:00:21,700 --> 00:00:28,470
We checked this by submitting increasingly longer strings as login and password; at some stage the server

5
00:00:28,470 --> 00:00:29,370
failed.

6
00:00:31,120 --> 00:00:36,410
This is visible because we analyze it via a debugger.

7
00:00:36,420 --> 00:00:42,630
This means that an insertion point is found. An insertion point is a place where bounds checking, checking

8
00:00:42,630 --> 00:00:45,840
an input value for length, is not being applied.

9
00:00:47,900 --> 00:00:50,960
How can the address of a return function be located now?

10
00:00:52,990 --> 00:00:56,600
Find an opcode table for the targeted software.

11
00:00:56,810 --> 00:01:01,670
It will contain memory addresses for system registers for the program.

12
00:01:01,710 --> 00:01:05,440
The next step is preparing a payload.

13
00:01:05,520 --> 00:01:12,240
It should be short and compact enough to be able to be transferred as a function call parameter.

14
00:01:12,240 --> 00:01:15,960
The final point is padding the payload with a NOP slide.

15
00:01:15,970 --> 00:01:20,860
This will increase the likelihood of the victim's computer executing your code in the program you aim

16
00:01:20,860 --> 00:01:23,600
to control.

17
00:01:23,620 --> 00:01:26,330
It's up to you entirely to choose what your code will do.

18
00:01:27,470 --> 00:01:29,620
What is the danger related to this attack?

19
00:01:31,510 --> 00:01:36,730
Attacked services above all have a higher level of permissions than the permissions of a user who runs

20
00:01:36,730 --> 00:01:37,460
an attack.
21
00:01:39,200 --> 00:01:44,600
It's no use applying complex techniques to control the execution of a program you run, since the program

22
00:01:44,600 --> 00:01:51,890
will have your level of permissions. System services usually run with escalated permissions that a user

23
00:01:51,890 --> 00:01:54,270
doesn't have.

24
00:01:54,290 --> 00:01:59,030
They, for example, run on remote machines.

25
00:01:59,050 --> 00:02:05,920
This is often locally reasonable because programs perform some operations with escalated permissions.

26
00:02:05,950 --> 00:02:14,610
If we were to seize control over this service, this would make us in fact the administrator of the computer.

27
00:02:14,610 --> 00:02:20,440
Let's now look into SQL query manipulation as well.

28
00:02:20,470 --> 00:02:25,940
Unlike C and C++, the SQL language is interpretive.

29
00:02:26,010 --> 00:02:35,920
There's no compiled code and no compilers; the language uses interpreters instead. Interpreters are programs

30
00:02:35,920 --> 00:02:41,400
that translate strings, and if an analyzed string is well-formed,

31
00:02:41,590 --> 00:02:46,660
which means it conforms to the version of the SQL standard that a given database server supports,

32
00:02:46,840 --> 00:02:50,450
the server will execute it.

33
00:02:50,540 --> 00:02:52,410
The source of the code is irrelevant.

34
00:02:53,240 --> 00:03:00,070
Many applications allow user input. Examples of this practice are login forms that require a user to

35
00:03:00,070 --> 00:03:02,450
submit login and password to log in.

36
00:03:04,660 --> 00:03:09,000
You can't ensure that a potential attacker will not submit any other value to the form.

37
00:03:10,550 --> 00:03:17,800
The form will accept any strings; SQL statements in particular can be entered as well.
38
00:03:18,970 --> 00:03:25,540
The simplest case can include entering an expression that's always true, for example OR 1 = 1;

39
00:03:27,290 --> 00:03:33,560
a more sophisticated option could be OR 1 < 2.

40
00:03:33,680 --> 00:03:39,590
If an application is susceptible to this threat, it will forward the submitted string to a database server

41
00:03:39,590 --> 00:03:41,020
where it will be executed.

42
00:03:43,720 --> 00:03:48,100
The string will be executed with the same permissions as the permissions of the application that connects

43
00:03:48,100 --> 00:03:49,090
to the server.

44
00:03:50,380 --> 00:03:55,490
If the application connects to a database server as the server's administrator, which is a widespread

45
00:03:55,540 --> 00:03:58,970
practice and makes SQL injection a significant threat,

46
00:03:59,690 --> 00:04:03,570
this means the code will certainly be executed provided it's well-formed.

47
00:04:05,030 --> 00:04:15,010
An administrator is able to run any instructions on his server.

48
00:04:15,020 --> 00:04:21,080
The second factor that aggravates the SQL injection threat is the fact that developers or programmers

49
00:04:21,350 --> 00:04:26,530
often join SQL statement fragments with user input.

50
00:04:26,590 --> 00:04:31,370
They join strings for a database server.

51
00:04:31,510 --> 00:04:36,040
The difference between the part of the string that is embedded in the application code and the part

52
00:04:36,040 --> 00:04:37,970
that is supplied as a parameter,

53
00:04:38,230 --> 00:04:43,120
for example a user name, is indistinguishable.

54
00:04:43,140 --> 00:04:47,790
The server executes all statements, contrary to popular belief.

55
00:04:47,970 --> 00:04:53,280
The location of the string concatenation, whether it's on the side of the client application or on

56
00:04:53,280 --> 00:04:58,810
the side of the database server via stored procedures, does not alter the threat level at all.
57
00:05:00,480 --> 00:05:08,610
We'll see this in a moment.

58
00:05:08,720 --> 00:05:13,770
The first part of this presentation will cover some basic techniques for manipulating SQL queries.

59
00:05:14,250 --> 00:05:20,200
We'll check if we can really manage to log into a poorly written application and then examine the possibilities

60
00:05:20,210 --> 00:05:25,210
of more sophisticated SQL injection techniques.

61
00:05:25,250 --> 00:05:27,810
Let's imagine typical circumstances for an attack:

62
00:05:32,000 --> 00:05:35,110
an application is poorly designed at first glance.

63
00:05:37,110 --> 00:05:46,070
Usernames and corresponding passwords are stored in tables in a database, there in plain text. Regardless

64
00:05:46,070 --> 00:05:47,800
of what's contained in the database,

65
00:05:47,930 --> 00:05:50,840
anyone can access it.

66
00:05:50,990 --> 00:05:57,560
The usage of inbuilt authentication mechanisms for a used environment, ASP.NET or PHP, would be

67
00:05:57,580 --> 00:06:01,090
preferable.

68
00:06:01,190 --> 00:06:07,430
In any case, what we have here is a simple table containing a user name, a user's password and information

69
00:06:07,430 --> 00:06:14,420
on the user status, whether or not he or she is a system or an application administrator.

70
00:06:18,860 --> 00:06:20,900
We'll enter two users into this table;

71
00:06:24,340 --> 00:06:29,810
in the system version we work with we'll have to do this row by row.

72
00:06:29,830 --> 00:06:36,110
First we insert the data of the first user and then the data of the other user. In a moment

73
00:06:36,120 --> 00:06:39,810
a login form will be visible.

74
00:06:39,960 --> 00:06:44,670
The form leads to an application that is prepared in this way. The alter database

75
00:06:47,320 --> 00:06:52,000
a client application checks that the values submitted to the login and password fields match the ones

76
00:06:52,000 --> 00:06:54,620
in the rows in the table.
77
00:06:54,620 --> 00:06:55,810
How is this done?

78
00:06:57,260 --> 00:07:03,740
The simplest and the most dangerous solution is to execute the query given.

79
00:07:03,850 --> 00:07:09,220
This will read all the table rows that contain user names and passwords that match the values we submitted.

80
00:07:11,820 --> 00:07:13,760
Why is this method so dangerous?

81
00:07:15,160 --> 00:07:20,010
It's because you can enter an always-true expression instead of a valid login or password string.

82
00:07:22,910 --> 00:07:25,700
One characteristic feature of an OR,

83
00:07:25,760 --> 00:07:34,540
the OR operator, is that if one operand is true, the other's value is practically irrelevant.

84
00:07:34,570 --> 00:07:41,190
The result will always be true. Since the next part is a code fragment that checks passwords,

85
00:07:41,560 --> 00:07:43,870
we don't want to execute it.

86
00:07:44,040 --> 00:07:45,240
What should we do then?

87
00:07:47,140 --> 00:07:49,240
We need to mark the latter part of the string,

88
00:07:49,330 --> 00:07:59,600
the commands at the right side, as comments. To include inline comments in SQL we'll use double dashes.

89
00:07:59,630 --> 00:08:05,420
Let's check this solution without submitting a user name or password.

90
00:08:05,470 --> 00:08:07,620
We're able to read all contents of the table.