1
00:00:02,500 --> 00:00:09,710
There's also another interesting variant of SQL injection. This method we refer to is known as automated

2
00:00:09,710 --> 00:00:10,940
SQL injection.

3
00:00:13,810 --> 00:00:19,180
Several years back, manipulating SQL queries was not considered prone to automation.

4
00:00:20,300 --> 00:00:25,110
And the fact that even blind attacks were managed by trial and error seemed to support this claim.

5
00:00:26,980 --> 00:00:31,600
An attacker needed to see some returned information and react to it in a correct way.

6
00:00:32,750 --> 00:00:35,590
The procedure would tend to look dissimilar most of the time.

7
00:00:39,170 --> 00:00:40,290
This belief proved false.

8
00:00:40,290 --> 00:00:48,140
However, when the new type of attack cropped up in 2008, judging from the scale of infection, it was extremely

9
00:00:48,140 --> 00:00:50,790
dangerous.

10
00:00:50,890 --> 00:00:55,840
It was less vicious, however, as far as its results were concerned.

11
00:00:56,090 --> 00:01:01,160
The aim of the attack was not to break into systems but to sniff out credentials to social networking

12
00:01:01,160 --> 00:01:03,510
services or online gaming sites.

13
00:01:05,770 --> 00:01:12,290
At any rate, over a million websites were hit in the attack. What sites were ripe for this attack?

14
00:01:14,870 --> 00:01:17,690
The sites that were hit were above all written in

15
00:01:17,870 --> 00:01:21,740
Microsoft technology.

16
00:01:22,060 --> 00:01:29,000
The second factor was that the sites were connected to a Microsoft SQL Server.

17
00:01:29,000 --> 00:01:34,430
Thirdly, the targeted application would dynamically create SQL commands and forward them to URL

18
00:01:34,560 --> 00:01:39,300
addresses.

19
00:01:39,480 --> 00:01:44,700
If you look at the entire address in a browser, you would see there "parameter equals parameter value".

20
00:01:44,700 --> 00:01:48,790
To attack a site like this,
21
00:01:48,790 --> 00:01:55,820
it was enough to send it something similar to the string you can see in the slide. This method was practically

22
00:01:55,820 --> 00:01:58,180
fail-safe.

23
00:01:58,450 --> 00:02:03,730
If some of you haven't yet decoded the above message, we'll try to break it into a more readable format.

24
00:02:10,030 --> 00:02:15,160
We need to find a service that is vulnerable to SQL injection and constructs queries in the way

25
00:02:15,160 --> 00:02:16,530
that you can see below.

26
00:02:18,340 --> 00:02:23,440
We need to check the responses from a web application to the supplied queries, or of the application

27
00:02:23,440 --> 00:02:24,690
to a web server.

28
00:02:28,230 --> 00:02:35,170
As you probably all noted, all of the URL addresses contain encoded SQL commands.

29
00:02:35,250 --> 00:02:39,470
If we were able to decode them, you would see that they look like this.

30
00:02:40,570 --> 00:02:42,790
These are simple SQL commands.

31
00:02:44,280 --> 00:02:50,320
Take a look at the server reactions.

32
00:02:50,540 --> 00:02:58,580
If the reactions match your expectations, you have found a perfect target for an automated attack.

33
00:02:58,640 --> 00:03:02,500
You can send them the following SQL command.

34
00:03:02,590 --> 00:03:07,370
This is the long encoded fragment you saw before.

35
00:03:07,440 --> 00:03:09,750
We know that we can place SQL commands inside

36
00:03:09,750 --> 00:03:12,770
URL addresses.

37
00:03:13,020 --> 00:03:16,920
This means that we can insert the above command and execute it at the end.

38
00:03:21,890 --> 00:03:27,310
As we mentioned, over a million websites were vulnerable to this attack.

39
00:03:27,360 --> 00:03:29,200
Why was the number so large?

40
00:03:30,370 --> 00:03:37,670
Since an efficient attack technique had been developed, why shouldn't it be automated? A program for this

41
00:03:37,670 --> 00:03:39,250
popped up rather quickly.
42
00:03:40,940 --> 00:03:47,480
As you can see, the program's interface is not displaying correctly. To be able to see what's written

43
00:03:47,480 --> 00:03:48,110
there,

44
00:03:48,410 --> 00:03:55,160
you need Chinese fonts installed in your system. The application works by submitting one of the previously

45
00:03:55,160 --> 00:03:58,160
seen tests into a web search engine of your choice.

46
00:03:59,540 --> 00:04:07,870
Click Search, or what we think is Search; the pane below will list websites that are prone to and ready

47
00:04:07,870 --> 00:04:09,400
for an SQL injection.

48
00:04:11,990 --> 00:04:14,490
Let's now see what the SQL code looks like.

49
00:04:14,880 --> 00:04:21,570
But before that, a few words of introduction. There are two aspects.

50
00:04:21,570 --> 00:04:26,400
First, we'll try to see how the information on the database and database structure can be obtained, so

51
00:04:26,400 --> 00:04:28,750
that we could execute some commands later.

52
00:04:29,960 --> 00:04:32,700
We'll also move back to a topic that was broached earlier.

53
00:04:32,990 --> 00:04:39,380
Two quotes: there are two apostrophes in all the commands we saw earlier, just like this.

54
00:04:40,880 --> 00:04:43,000
Why is this constructed in this manner?

55
00:04:44,110 --> 00:04:50,290
All presentations here are demonstrated inside the SQL editor window and not in a client application.

56
00:04:51,040 --> 00:04:56,350
Because of this, we had to simulate in some way a code excerpt that was executed by a client application

57
00:04:56,350 --> 00:05:04,280
itself, to make it look as close as possible to the real code sent by a client application.

58
00:05:04,340 --> 00:05:06,170
We split it into three rows.

59
00:05:07,900 --> 00:05:13,450
The first and third rows are constructed by an application, except the double dashes in the third row.

60
00:05:16,060 --> 00:05:18,520
The dashes should be at the end of the second row.
61
00:05:18,710 --> 00:05:26,370
But if they were, in this case the command would not work for us, since the double dashes are an end-

62
00:05:26,370 --> 00:05:27,210
of-line marker.

63
00:05:27,210 --> 00:05:32,140
What's beyond them is irrelevant. To make an attack far less complicated,

64
00:05:33,370 --> 00:05:38,020
it doesn't matter if they're followed by two or three apostrophes or no apostrophes at all.

65
00:05:38,790 --> 00:05:43,830
We don't know what is ahead in the command, and we don't need to know that.

66
00:05:43,980 --> 00:05:46,920
All we want is to make sure that it won't be executed.

67
00:05:48,390 --> 00:05:51,100
Let's see what will happen after executing this query.

68
00:05:52,450 --> 00:05:58,980
This function is exclusive to Microsoft SQL servers. Remember that we're again dealing with ASP

69
00:05:59,060 --> 00:06:03,930
.NET, which is sure to be connected to a Microsoft SQL Server.

70
00:06:07,470 --> 00:06:09,070
After the query is executed,

71
00:06:09,240 --> 00:06:12,170
the server introduces itself.

72
00:06:12,240 --> 00:06:19,750
We now know the version of the server. We'll quicken the pace a little.

73
00:06:19,780 --> 00:06:25,750
It's obviously possible to read a table row by row in a way that was shown earlier.

74
00:06:25,900 --> 00:06:30,970
You could look up error messages to see the contents of individual rows, but this presentation would

75
00:06:30,970 --> 00:06:36,330
take ages in that case. Let's speed things up a bit.

76
00:06:37,810 --> 00:06:43,820
Imagine that displaying rows has been factored into the outlined techniques; we'll simply read more than

77
00:06:43,820 --> 00:06:45,130
one row at a time.

78
00:06:46,350 --> 00:06:51,360
We know that this version of SQL Server is sure to contain a table named sys.tables.

79
00:06:51,360 --> 00:06:53,730
Knowing the version, we know that's for sure.

80
00:06:54,810 --> 00:06:57,980
We also know the structure of sys.tables.
81
00:06:58,130 --> 00:07:01,160
It's well-known and publicly documented.

82
00:07:01,160 --> 00:07:05,300
So let's try to ask the table for some data.

83
00:07:05,450 --> 00:07:11,060
We still can't enter any arbitrary values, but we can add code to part of the command formulated by the

84
00:07:11,060 --> 00:07:13,620
application.

85
00:07:13,620 --> 00:07:16,570
This means that we can, for example, add something like this.

86
00:07:17,740 --> 00:07:23,040
The column names in the result are obviously incorrect, but we can see that there are some tables contained

87
00:07:23,040 --> 00:07:27,600
in schemas and that they have identifiers as well.

88
00:07:27,650 --> 00:07:33,110
If we were really determined, we'd read this row by row until we found a name that draws attention.

89
00:07:35,200 --> 00:07:39,350
Apart from knowing the table name, the names of the columns are also required.

90
00:07:41,030 --> 00:07:44,980
Let's send a similar query, this time referring to sys.columns.

91
00:07:45,930 --> 00:07:53,290
This made us discover the names of columns and the names of the tables in which the columns are contained.

92
00:07:53,400 --> 00:07:57,180
The next part is quite easy.

93
00:07:57,210 --> 00:08:04,910
Let's come back now to one of the queries. We could, for example, focus on employees. The identifier of

94
00:08:04,910 --> 00:08:10,370
the table can be inserted in another query. Once it's executed,

95
00:08:11,290 --> 00:08:16,460
it's visible that there really is a table there that has some specified columns.

96
00:08:16,640 --> 00:08:25,300
You can check birth date, gender and other employee data. We'll anticipate things a little. Assume that you're

97
00:08:25,300 --> 00:08:26,640
interested in identifier,

98
00:08:26,650 --> 00:08:28,900
title, gender and login.

99
00:08:29,020 --> 00:08:33,360
This is more than we can take. By a general rule,
100
00:08:33,440 --> 00:08:39,050
we can only request three values at a time, since the table that is used by the original query has only

101
00:08:39,050 --> 00:08:42,410
three columns.

102
00:08:42,440 --> 00:08:44,120
This can't be changed.

103
00:08:45,480 --> 00:08:49,990
You can instead ask for two or three values in a single column.

104
00:08:50,030 --> 00:08:55,190
The results include identifier, title, login and gender all clumped together.

105
00:08:56,950 --> 00:08:58,840
You can't do it in any other way.

106
00:09:00,630 --> 00:09:03,670
An hour or two pass.

107
00:09:03,810 --> 00:09:08,850
After analyzing the database, we've realized that additional employee information is contained not only

108
00:09:08,850 --> 00:09:11,100
in the Employee table.

109
00:09:11,210 --> 00:09:14,810
It can be found also in the Contact table.

110
00:09:14,850 --> 00:09:20,090
The tables are joined on the EmployeeID and ContactID fields.

111
00:09:20,150 --> 00:09:23,310
We've discovered this in an iterative process.

112
00:09:23,330 --> 00:09:29,360
Now we simply wish to read the data. Since we can't do it in any other way,

113
00:09:29,360 --> 00:09:31,430
this will be done in three columns again.

114
00:09:33,770 --> 00:09:39,290
As it turns out, we have the first and last name, a password hash and the data we've seen before.

115
00:09:40,740 --> 00:09:43,910
This information is pretty interesting and we can work around it.

116
00:09:45,500 --> 00:09:49,460
To be honest, we don't need to search any further.

117
00:09:49,510 --> 00:09:54,610
At the end we should only erase a table that contains a log of our activities, if it exists.

118
00:09:58,840 --> 00:10:00,600
This turns out successful.

119
00:10:00,880 --> 00:10:09,690
There's no prompted error message. We'll at last take a look at an automated attack. After decoding the

120
00:10:09,690 --> 00:10:11,930
string you've seen in one of the earlier slides,
121
00:10:12,090 --> 00:10:19,020
the following code excerpt will appear. Two variables and a cursor are declared.

122
00:10:19,220 --> 00:10:23,480
Then the cursor reads names from system tables.

123
00:10:23,500 --> 00:10:26,430
This will be performed exactly like before.

124
00:10:26,440 --> 00:10:29,210
The difference is that other system tables are used here.

125
00:10:30,450 --> 00:10:38,870
Next, the code will check whether user table data is read and check if a column is a text data type.

126
00:10:39,100 --> 00:10:45,840
If it is, looping through the rows in all found tables and all found text data type columns, the code will

127
00:10:45,840 --> 00:10:55,230
execute an UPDATE command. A script is inserted into the current table, into a selected text data type column.

128
00:10:55,460 --> 00:11:01,130
We can execute the code because instead of EXEC we're using PRINT, so that the data in the database is

129
00:11:01,130 --> 00:11:02,350
not modified.

130
00:11:04,180 --> 00:11:08,360
All the columns into which the script is injected now contain the following code.

131
00:11:10,830 --> 00:11:15,750
What this means for a web application and its users is that everything that's displayed in their browsers

132
00:11:15,810 --> 00:11:17,450
is now an active element.

133
00:11:19,650 --> 00:11:25,260
By clicking anywhere on the page, visitors connect to the site above and execute the code that is added

134
00:11:25,260 --> 00:11:33,210
to it. This script is constructed to steal credentials from visitors.

135
00:11:33,220 --> 00:11:39,830
This is the end of the blind SQL injection attack used in conjunction with cross-site scripting and

136
00:11:39,840 --> 00:11:42,110
attacks that will be discussed in a moment.