1
00:00:02,320 --> 00:00:06,840
Before we move on to ask fuel injection How can this deck be manipulated.

2
00:00:08,840 --> 00:00:13,850
The first and easiest attack scenario can rely on inserting a payload directly in the argument of a

3
00:00:13,850 --> 00:00:21,640
called function assume that an FPP server that we mentioned is vulnerable to buffer overflow.

4
00:00:21,700 --> 00:00:28,470
We checked this by submitting increasingly longer strings as log in and password at some stage the server

5
00:00:28,470 --> 00:00:29,370
failed.

6
00:00:31,120 --> 00:00:36,410
This is visible because we analyze it via a debugger.

7
00:00:36,420 --> 00:00:42,630
This means that an insertion point is found an insertion point is a place where bounds checking checking

8
00:00:42,630 --> 00:00:45,840
an input value for length is not being applied.

9
00:00:47,900 --> 00:00:50,960
How can the address of a return function be located now.

10
00:00:52,990 --> 00:00:56,600
Find an opcode table for the targeted software.

11
00:00:56,810 --> 00:01:01,670
It will contain memory addresses for system registers for the program.

12
00:01:01,710 --> 00:01:05,440
The next step is preparing a payload.

13
00:01:05,520 --> 00:01:12,240
It should be short and compact enough to be able to be transferred as a function call parameter.

14
00:01:12,240 --> 00:01:15,960
The final point is padding the payload with an up slide.

15
00:01:15,970 --> 00:01:20,860
This will increase the likelihood of the victim's computer executing your code in the program you aim

16
00:01:20,860 --> 00:01:23,600
to control.

17
00:01:23,620 --> 00:01:26,330
It's up to you entirely to choose what your code will do.

18
00:01:27,470 --> 00:01:29,620
What is the danger related to this attack.

19
00:01:31,510 --> 00:01:36,730
Attack services above all have a higher level of permissions than the permissions of a user who runs

20
00:01:36,730 --> 00:01:37,460
an attack.

21
00:01:39,200 --> 00:01:44,600
It's no use applying complex techniques to control the execution of a program you run since the program

22
00:01:44,600 --> 00:01:51,890
will have your level of permissions system services usually run with escalated permissions that a user

23
00:01:51,890 --> 00:01:54,270
doesn't have.

24
00:01:54,290 --> 00:01:59,030
They for example run on remote machines.

25
00:01:59,050 --> 00:02:05,920
This is often locally reasonable because programs perform some operations with escalated permissions.

26
00:02:05,950 --> 00:02:14,610
If we were to seize control over this service this would make us in fact the administrator of the computer.

27
00:02:14,610 --> 00:02:20,440
Let's now look into Eskew queery manipulation as well.

28
00:02:20,470 --> 00:02:25,940
Unlike C and C++ languages is interpretive.

29
00:02:26,010 --> 00:02:35,920
There's no compiled code and no compilers the languages use interpreters instead interpreters are programs

30
00:02:35,920 --> 00:02:41,400
that translate strings if and analyze dring is well-formed.

31
00:02:41,590 --> 00:02:46,660
Which means it conforms to the version of the Escuela standard that a given database server supports.

32
00:02:46,840 --> 00:02:50,450
The server will execute it.

33
00:02:50,540 --> 00:02:52,410
The source of the code is irrelevant.

34
00:02:53,240 --> 00:03:00,070
Many applications allow user input examples of this practice or logging firms that require a user to

35
00:03:00,070 --> 00:03:02,450
submit log in and password to log in.

36
00:03:04,660 --> 00:03:09,000
You can't ensure that a potential attacker will not submit any other value to the form.

37
00:03:10,550 --> 00:03:17,800
The form will accept any strings as skewl statements in particular can be entered as well.

38
00:03:18,970 --> 00:03:25,540
The simplest case can include entering an expression that's always true for example or one equals one

39
00:03:27,290 --> 00:03:33,560
a more sophisticated option could be 0 or 1 less than 2.

40
00:03:33,680 --> 00:03:39,590
If an application is susceptible to this thread it will forward the submitted string to a database server

41
00:03:39,590 --> 00:03:41,020
where it will be executed.

42
00:03:43,720 --> 00:03:48,100
The string will be executed with the same permissions as the permissions of the application that connects

43
00:03:48,100 --> 00:03:49,090
to the server.

44
00:03:50,380 --> 00:03:55,490
If the application connects to a database server as the server's administrator which is a widespread

45
00:03:55,540 --> 00:03:58,970
practice and makes as CULE injection a significant threat.

46
00:03:59,690 --> 00:04:03,570
This means the code will certainly be executed provided it's well formed.

47
00:04:05,030 --> 00:04:15,010
An administrator is able to run any instructions on his server.

48
00:04:15,020 --> 00:04:21,080
The second factor that aggravates as Kule injection threat is the fact that developers are programmers

49
00:04:21,350 --> 00:04:26,530
often join as Cuil statements fragments with user input.

50
00:04:26,590 --> 00:04:31,370
They join strings for a database server.

51
00:04:31,510 --> 00:04:36,040
The difference between the part of the string that is embedded in the application code and the part

52
00:04:36,040 --> 00:04:37,970
that is supplied as a parameter.

53
00:04:38,230 --> 00:04:43,120
For example a user name is indistinguishable.

54
00:04:43,140 --> 00:04:47,790
The server executes all statements contrary to popular belief.

55
00:04:47,970 --> 00:04:53,280
The location of the string Konk intonation whether it's on the side of the client application or on

56
00:04:53,280 --> 00:04:58,810
the side of the database server via stored procedures does not alter the threat level at all.

57
00:05:00,480 --> 00:05:08,610
We'll see this in a moment.

58
00:05:08,720 --> 00:05:13,770
The first part of this presentation will cover some basic techniques for manipulating as Cuil queries

59
00:05:14,250 --> 00:05:20,200
will check if we can really manage to log into a poorly written application and then examine the possibilities

60
00:05:20,210 --> 00:05:25,210
of more sophisticated as CULE injection techniques.

61
00:05:25,250 --> 00:05:27,810
Let's imagine typical circumstances for an attack

62
00:05:32,000 --> 00:05:35,110
an application is poorly designed at first glance.

63
00:05:37,110 --> 00:05:46,070
Usernames and corresponding passwords are stored in tables in a database there in plain text regardless

64
00:05:46,070 --> 00:05:47,800
of what's contained in the database.

65
00:05:47,930 --> 00:05:50,840
Anyone can access it.

66
00:05:50,990 --> 00:05:57,560
The usage of inbuilt authentication mechanisms for a used environment ASAP dot net or ph P would be

67
00:05:57,580 --> 00:06:01,090
preferrable.

68
00:06:01,190 --> 00:06:07,430
In any case what we have here is a simple table containing a user name a user's password and information

69
00:06:07,430 --> 00:06:14,420
on the user status whether or not he or she is a system or an application administrator.

70
00:06:18,860 --> 00:06:20,900
Well entered two users into this table

71
00:06:24,340 --> 00:06:29,810
in the system version we work with will have to do this row by row.

72
00:06:29,830 --> 00:06:36,110
First we insert the date of the first user and then the data of the other user in a moment.

73
00:06:36,120 --> 00:06:39,810
A log in form will be visible.

74
00:06:39,960 --> 00:06:44,670
The form leads to an application that is prepared in this way the alter database

75
00:06:47,320 --> 00:06:52,000
a client application checks at the Values submitted to the log in and password fields match the ones

76
00:06:52,000 --> 00:06:54,620
in the rows in the table.

77
00:06:54,620 --> 00:06:55,810
How is this done.

78
00:06:57,260 --> 00:07:03,740
The simplest and the most dangerous solution is to execute the query given.

79
00:07:03,850 --> 00:07:09,220
This will read all the table rows that contain user names and passwords that match the values we submitted.

80
00:07:11,820 --> 00:07:13,760
Why is this method so dangerous.

81
00:07:15,160 --> 00:07:20,010
It's because you can enter an always true expression instead of a valid log in or password string

82
00:07:22,910 --> 00:07:25,700
one characteristic feature of an alt..

83
00:07:25,760 --> 00:07:34,540
The Omaar operator is that if one operand is true the others value is practically irrelevant.

84
00:07:34,570 --> 00:07:41,190
The result will always be true since the next part is a code fragment that checks passwords.

85
00:07:41,560 --> 00:07:43,870
We don't want to execute.

86
00:07:44,040 --> 00:07:45,240
What should we do then.

87
00:07:47,140 --> 00:07:49,240
We need to mark the latter part of the string.

88
00:07:49,330 --> 00:07:59,600
The commands at the right side as Commons to include inline comments and Eskew will use double dashes.

89
00:07:59,630 --> 00:08:05,420
Let's check this solution without submitting a user name or password.

90
00:08:05,470 --> 00:08:07,620
We're able to read all contents of the table.