Week04

Review

Any questions about previous content?

Content

Server-side exploitation

RCE
Injection
- SQLi
- SSTI
LFI/LFD
File Upload
SSRF

RCE

Remote Code Execution

Executing code on a remote host!!
Almost always critical

Injection

Injection attacks occur when an attacker injects malicious data that is then used to control program behaviour

SQL

Structured Query Language

Language for querying databases
Implementations include:
- PostgreSQL
- MySQL
- SQLite
- SQL Server (Microsoft)

SQL Statements

SELECT _ FROM _ …
INSERT INTO _ (COLn, …) VALUES (VALn, …)
UPDATE _ SET _ = _ …
DELETE FROM _ …
… – this is a comment
… # this can also be a comment (sometimes) …

SQL Syntax

WHERE
- > - greater than
- < - less than
- = - equal to
- <> - not equal to
LIKE
- % - wildcard
UNION …

More SQL Syntax

ORDER BY
GROUP BY
DISTINCT
LIMIT
OFFSET

Demo

SQLi

what?

User input contains control characters that interfere with the SQL statement

Why?

Bad programmers - The user input is being trusted to be a valid format.

SQLi

Code before injection

SELECT a FROM b WHERE a = '$userInput'

Code after injection

vvvvvvvvvvvvv SELECT a FROM b WHERE a = '' OR '1' = '1' ^^^^^^^^^^^^^

SQLi

What can you do with SQLi?

Bypass logins
Leak data
Spoof a user
Modify data (don’t try in 6443)

SQLi

You should be asking:

How can we tell what implementation is being used?
How do we know what tables/columns exist?

Fingerprinting

Different implementations will have different artifacts
- MySQL: Version()
- SQLite: sqlite_version()
- SQL Server: @@Version
Seem more here and here

Schema Recon

what tables exist, what do they look like?
- MySQL: information_schema.[tables|columns]
- SQLite: sqlite_[master|schema]
- SQL Server: SHOW TABLES; DESCRIBE <table_name>

Demo

SQLi Mitigation

Disable debug logging
- No error messages, maybe just a blank screen?
WAF - Web Application Firewalls
- Reject/strip malicious payloads
Parameterised Queries

Beating Mitigations

Payload stripped? Embed dummies
Blank response? Side channel attacks
- Timing Attacks
- Out of Band Attacks i.e inbuilt functions (therefore fingerprint!)
Error-based extraction
Boolean-based extraction
Subqueries
- SELECT a,b FROM c WHERE d UNION SELECT (SELECT …), 2

Remember

The payloads can be complex
Reporting a vulnerability != extracting data
Big database? - COUNT or LIMIT + OFFSET it instead
No SQLmap or automated SQL enumeration/exploitation
Don’t try to DROP any tables

Other Injection

SSTI

Server side template injection

Jinja
Twig
Plates

SSTI Example

In the backend: output = template.render(name=request.args.get('name'))

Attacker requests: http://vulnerable-website.com/?name={{bad-stuff}}

bad-stuff could be code to execute

SSTI Demo

LFI/LFD

Local File (Inclusion|Disclosure)

Server-side code allows user to access unintended files
Can lead to (sometimes):
Arbitrary code execution
Source code disclosure
Information leaks (e.g. envvars, /etc/passwd, general sensitive files)

Examples

http://vulnerable_host/preview.php?file=../../../../etc/passwd
https://php-lfd.quoccacorp.com/?page=../../../../../../password.txt

[more info]

File upload

Where can you upload files?
What can you do with them?
- Code execution
How are the files processed?
How are the files stored?

SSRF

Server-side request forgery

HaaS
Making a server in the target network make request on your behalf
Used to access servers that might not be public
Some servers trust internal requests (bad authz)

Why SSRF

Utilising functionalities of a server to access resources

Information retrieval
Can lead to RCE
Server Side Includes
Horizontal/vertical priv. esc.

Mitigation

Whitelist domains and IPs!
Lower the access control of services
Set limits! exec time, file sizes, recursion depth
Zero Trust
- Local devices should NOT be assumed to be safe