Date posted: 05-Dec-2014 | Category: Technology | Uploaded by: clubhack
FatCat V2 – Automatic Web [S]QL-Injector
Sandeep Kamble AKA [S]Parason INC
Blog : http://sandeepkamble.com Twitter: @SandeepL337
# /usr/bin/whoami
• Narcissistic Vulnerability Pimp (aka Security Researcher for fun)
• Listed in Google, Facebook, Twitter, Dropbox, Cloudflare, 500px, Lynda.com, Central Desktop security pages.
• Ahhh? What are those vulnerabilities?
• Member of Garage4hackers.com & you can find POCs @G4h.
Index
• Introducing FatCat Beta 2
• SQL Injection in Brief
• FatCat Ingredients
  1) DB information & server information gathering.
  2) Normal SQL injection.
  3) Error-based SQL injection.
  4) WAF (Web Application Firewall) bypass functions.
     • C-style MySQL comment WAF bypass
     • Buffer overflow WAF bypass
     • CRLF WAF bypass
     • Bypass with information_schema.statistics
     • Bypass with information_schema.key_column_usage
  5) Countermeasures
  6) Demo
Provide Good Advice for Good People
Warning!: FatCat is being used for security research. All PHP files will be infected and all your data will be collected. If you want to be safe, don't use this tool. If you do use it, don't send sensitive information. If after all that you still continue, do it at your own risk.
Ladies and gentlemen, introducing FatCat V2
1) It's new, it's cool to use, inject web!
2) Normal SQL injection
3) Error-based SQL injection
4) WAF (Web Application Firewall) bypass functions
5) Helpful to pentesters: you can create a POC from anywhere
6) It supports MySQL 5.0
7) Developed in PHP
8) FatCat made 3400+ downloads on code.google.com
SQL injection in Brief
"SQL injection happens when a user manipulates input to form a SQL query."
Sending payload !@#$%^&*()
It's me .. Hi, :/ Payload: ; Drop table Clubhackparty -- -
FatCat Ingredients
1) DB information & server information gathering.
2) Normal SQL injection.
3) Error-based SQL injection.
4) WAF (Web Application Firewall) bypass functions.
FatCat Ingredients
1) DB information & server information gathering.
  1. Finding total column count
     • ORDER BY n+1;
  2. Finding MySQL version
     • VERSION() function
  3. Finding current user
     • USER() function
  4. Finding data directory
     • @@datadir system variable
  5. Finding base directory
     • @@basedir system variable
  6. Finding host name
     • @@hostname system variable
  7. Finding operating system
     • @@version_compile_os system variable
  8. Finding current database name
     • DATABASE() function
  9. Max allowed packet size
     • @@max_allowed_packet system variable
By using MySQL statements, DB & server information can be gathered.
FatCat Ingredients
1) Normal SQL injection
• It is also known as Union SQL injection
• UNION helps us combine the result sets of two SELECT statements
• Eg: Id=-2+Union+select+13371,13372,13373,13374-- -
FatCat Ingredients
2) Error-based SQL injection
• It is also known as Double Query SQL injection
• Sometimes union-based SQLi fails; at that time you can use error-based SQLi
• A query which confuses the DB engine and produces helpful MySQL errors
• Eg: select gmailid,(select password from id where id=9) As Google_India from id;
FatCat web interface
Sending payload !@#$W00T%^&*()
Aww .. ! Double Query
duplicate entry '~‘Clubhack_screte'~1' for key 1
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass?
1. Protection against OWASP Top Ten!
2. Types of vulnerabilities it can prevent.
3. Brute force protection.
In simple language, it monitors the HTTP conversation.
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
• We use the following methods to bypass the WAF:
  • C-style MySQL comment WAF bypass
  • Buffer overflow WAF bypass
  • CRLF WAF bypass
  • Bypass with information_schema.statistics
  • Bypass with information_schema.key_column_usage
• Linux-based WAFs:
  • AppArmor
  • ModSecurity: also works under Mac OS X, Solaris and other versions of Unix.
  • Systrace
  • Zorp
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
1. MySQL comment WAF bypass
• Syntax: /*! MySQL statements */
• Example:
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
2. Buffer overflow WAF bypass
• Syntax: ' AAAAAAAAAAAAAAAAAAAAAAAAAAAA MySQL statement
• Example:
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
3. CRLF WAF bypass
• Syntax: %0A%0D+MySQL statements+%0A%0
• Example:
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
4. Bypass with information_schema.key_column_usage
• Example:
FatCat Ingredients
3) WAF (Web Application Firewall) Bypass
5. Bypass with information_schema.statistics
• Example:
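The WAF bypass slides above all rest on one weakness: a filter that matches signatures against the raw parameter, treats everything inside /* */ as a comment, inspects line by line, or only looks at the first few bytes. The following is an added example (not FatCat's code and not any WAF vendor's rules) of a toy parameter inspector written from the defender's side: a deliberately naive filter with exactly those shortcuts beside a normalizing detector that decodes, keeps the contents of MySQL's /*! */ executable comments, collapses CR/LF runs and scans the whole value. The sample request values are constructed for the demo; only the plain union example is taken from the slides.

```python
"""Added example (not FatCat's code, not a real WAF's rules): why the slide's
WAF evasions beat a naive signature filter, and the normalization a detector
needs before matching.  All sample parameter values below are constructed."""
import re
from urllib.parse import unquote_plus

# Signatures we care about after normalization.  Matching the schema name
# catches any information_schema table, not just the usual 'tables'/'columns'.
KEYWORDS = re.compile(r"\b(union|select|information_schema|order\s+by)\b", re.I)

# Constructed sample inputs; 'plain' is the slide's own union example.
SAMPLES = {
    "plain": "-2 UNION SELECT 13371,13372,13373,13374-- -",
    "comment": "-2 /*!UNION*/ /*!SELECT*/ 1,2,3",            # C-style comment slide
    "crlf": "%0A%0D-2+UNION+SELECT+1,2,3%0A%0D",              # CRLF slide
    "filler": "' " + "A" * 40 + " UNION SELECT 1,2,3",         # long-filler slide
    "benign": "2",
}


def naive_filter(raw: str, scan_limit: int = 32) -> bool:
    """A filter with the three shortcuts the slides exploit:
    - drops everything inside /* */ as if it were a comment (MySQL executes /*! */),
    - matches one line at a time, so CR/LF padding moves the payload off the line,
    - inspects only the first scan_limit bytes, so filler pushes the payload past it."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    lines = text.splitlines()
    first_line = lines[0] if lines else ""
    return re.search(r"union\s+select", first_line[:scan_limit], re.I) is not None


def normalize(raw: str) -> str:
    """Undo the attacker-controlled transformations before matching."""
    text = unquote_plus(raw)            # %0A %0D %20 and '+' become real characters
    text = unquote_plus(text)           # tolerate double URL-encoding
    # /*!50000UNION*/ -> ' UNION ': keep what MySQL would execute
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # ordinary comments are whitespace
    text = re.sub(r"\s+", " ", text)    # CR, LF, tabs and runs of spaces -> one space
    return text.strip()


def normalized_detect(raw: str) -> bool:
    """Scan the whole normalized value, never just a prefix or a single line."""
    return KEYWORDS.search(normalize(raw)) is not None


def compare(samples: dict) -> dict:
    """name -> (naive verdict, normalized verdict) for each sample."""
    return {name: (naive_filter(v), normalized_detect(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare(SAMPLES).items():
        print(f"{name:8s} naive={naive!s:5s} normalized={norm!s:5s}")
```

The point of the pairing is that the naive filter flags only the plain sample, while the normalizing detector flags all four injected values and still passes the benign one; normalization (decode, honour MySQL's /*! */ semantics, collapse whitespace, scan everything) is the control, and keyword lists alone are not.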
Countermeasures for SQLI
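As an added illustration of the countermeasure (this is example code, not FatCat's and not from the talk), here is the vulnerable pattern that the union and error-based slides rely on beside its parameterized fix, using an in-memory SQLite database so it runs offline. The schema, the rows and the union input are all constructed for the demo; the handler at the end also shows the second countermeasure, not echoing database errors to the client, since error-based ("double query") injection depends on messages like the 'duplicate entry' one shown earlier.

```python
"""Added example (not FatCat's code): string-built query versus bound
parameter, plus a handler that keeps DB errors server-side.  Schema, rows and
the injected input are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a public 'news' table and a 'users' table that must
    never reach the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'first post', 'admin');
        INSERT INTO users VALUES (9, 'alice', 'fake-hash-for-demo');
        """
    )
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable: the request parameter is pasted into the SQL text, so a value
    such as '-2 UNION SELECT ...' changes the statement itself."""
    sql = "SELECT id, title, body, author FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: validate the type, then bind the value.  The parameter is data,
    never SQL, so UNION, comment and error tricks cannot alter the statement."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []                       # reject anything that is not an integer id
    sql = "SELECT id, title, body, author FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()


def handle_request(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Web-handler shape: the client only ever sees a generic error; the DB
    engine's own message (what error-based SQLi reads) stays in the server log."""
    try:
        rows = fetch_news_safe(conn, raw_id)
    except sqlite3.Error as exc:
        print("db error (server log only):", exc)
        return {"status": 500, "error": "internal error"}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    injected = "-2 UNION SELECT id, login, pwhash, 'x' FROM users-- -"   # constructed
    print(fetch_news_vulnerable(db, injected))   # the users row leaks into 'news' output
    print(fetch_news_safe(db, injected))         # [] : not an integer, rejected
    print(handle_request(db, "1"))               # the intended row only
```

Binding the parameter is what removes the bug; the integer check on top of it is cheap defence in depth and gives the application a place to log the rejected value for detection.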
Let's inject with FatCat
A Gentleman never asks.
A Lady never tells.
Any Questions ?
Thank you !