Friday, January 8, 2016

HQL Injection on Web Application Running Oracle Database

Hi,

A recent pentest put me in front of an application that at first glance seemed vulnerable to SQL Injection, as the common tests I usually run showed some firm behaviour:

  • https://site.yappare/index.jsp?id=1' error
  • https://site.yappare/index.jsp?id=1'' no error / normal page

After a few tests I believed this should be an Oracle SQL Injection. However, no result! SQLMap reported that it could be exploited via Time-Based, but that also did not succeed in the end. During the fuzzing, an error message was triggered, as shown:

Googling the error message pointed me to the result shown:

So my initial understanding was slightly wrong: I should focus on Hibernate. I did some reading and looked for good references on Hibernate Injection. These links really helped me.


After understanding a little of how to do the injection, I did it via the Blind technique described by Paulsec, and voila! I was able to dump the current Hibernate version.

https://site.yappare/index.jsp?id=1') and substr(org.hibernate.cfg.Environment.VERSION,0,1)='n' and ('1'='1
where n is the number/character we are querying for.


Hibernate version 3.0.2

This is not enough to demonstrate the impact. I tried to read about the Hibernate/ORM structure, and it seems they use prepared statement queries. I could not get any clue as to how to query the database information; it was going to be harder for me. Luckily, Mikhail Egorov and Sergey Soldatov's recent presentation helped me!


It is possible to run a standard SQL injection via DBMS_XMLGEN.getxml('SQL') on an Oracle DBMS.
And voilaa!!
https://site.yappare/index.jsp?id=1') and NVL(TO_CHAR(DBMS_XMLGEN.getxml('Boolean Blind SQL Injection') and ('1'='1

Thanks!

Reference(s)

  • http://blog.h3xstream.com/2014/02/hql-for-pentesters.html
  • http://paulsec.github.io/blog/2014/05/05/blind-hql-injection-in-rest-api-using-h2-dbms/
  • http://howtodoinjava.com/2014/10/27/complete-hibernate-query-language-hql-tutorial/#select_operation
  • http://hsqldb.org/doc/guide/builtinfunctions-chapt.html
  • http://kitkatsatonthemat.blogspot.my/2011/09/oracle-order-by-sql-injection.html
  • http://2015.zeronights.ru/assets/files/36-Egorov-Soldatov.pdf


Tuesday, January 5, 2016

Referrer Leakage from HTTPS to HTTPS

In my recent bounty program participation, I failed to find any awesome bug for the whole bounty period. Needing an iOS 9 device to perform the full application test was also a disadvantage, as I don't own any Apple product :(

Then I tried to look for low-hanging fruit on the application. Gotcha! HTTP Referrer Leakage!

When the password reset token is provided to the user after they request a reset, it usually comes as a hyperlink, and there are two ways for the user to use it: either click on it directly or safely copy and paste it into the browser.

I chose the second option in order to demonstrate that the reset token is leaked to an external URL. As can be seen in the figure below, the reset token was actually being sent to the newrelic.com website.



I submitted this issue to the program's owner, and the analyst responded that it falls in the 'Won't Fix' category. The first reason I was given was that the referrer leaked from HTTPS to another HTTPS site.
This is what actually hit something in my mind. I had never thought about this before. Will the HTTP Referrer not be logged by the external URL if both are using HTTPS?
With help from my friend, we tried to simulate the situation. There are two cases: one from HTTPS to HTTP, the second from HTTPS to HTTPS.



After doing some research, we found that it is NOT!



Test Cases
HTTPS to HTTP will not leak the referrer

HTTPS to HTTPS will leak the referrer




In summary:

  • The HTTP Referrer will not be leaked to another URL if it is transmitted from HTTPS to HTTP.
  • The HTTP Referrer will be leaked to another URL if it is transmitted from HTTPS to HTTPS.
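To make the two cases concrete, here is a small Python model of what the browser puts in the Referer header when a page that carries a reset token in its URL loads a third-party resource, under the legacy no-referrer-when-downgrade default that the test cases above reflect and under the stricter policies a site can set. This is an added example, not code from the post or the bounty program; the host names and the token are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a password-reset page whose URL carries the token
# (hypothetical hosts and token, not the program from the post).
RESET_URL = "https://app.example.test/reset?token=abc123SECRET"
THIRD_PARTY_HTTPS = "https://metrics.example.net/agent.js"
THIRD_PARTY_HTTP = "http://metrics.example.net/agent.js"

def referer_sent(origin, target, policy="no-referrer-when-downgrade"):
    """Referer value the browser attaches when the page at `origin` fetches
    `target`, or None if nothing is sent.  `no-referrer-when-downgrade` is the
    legacy default: full URL kept HTTPS->HTTPS, stripped HTTPS->HTTP."""
    o, t = urlsplit(origin), urlsplit(target)
    downgrade = o.scheme == "https" and t.scheme == "http"
    same_origin = (o.scheme, o.hostname, o.port) == (t.scheme, t.hostname, t.port)
    full = urlunsplit((o.scheme, o.netloc, o.path, o.query, ""))  # fragment is never sent
    origin_only = f"{o.scheme}://{o.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin_only)
    raise ValueError(f"unsupported policy: {policy}")

def token_leaks(origin, target, policy="no-referrer-when-downgrade"):
    """True if the query string of `origin` (where the token lives) would
    reach `target` through the Referer header under `policy`."""
    query = urlsplit(origin).query
    ref = referer_sent(origin, target, policy)
    return bool(query) and ref is not None and query in ref

def leak_matrix(origin, target):
    """Which policies still leak the token to `target`; useful when deciding
    what Referrer-Policy the reset page should send."""
    policies = ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
                "same-origin", "no-referrer")
    return {p: token_leaks(origin, target, p) for p in policies}
```

Sending Referrer-Policy: no-referrer on the reset page, or keeping the token out of the URL entirely, is what closes the HTTPS-to-HTTPS case.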
So I went back to the bounty program to ask them to review the submission again. Another staff member replied with a better explanation of why they consider this a 'Won't Fix' issue. The reason is any of these:
(1) the impact is too low to qualify for a reward 
(2) a prerequisite to exploit the issue is heavy social engineering 
(3) a prerequisite to exploit the issue is being a man-in-the-middle or having theoretical access to a separate restricted resource
So I believe the 1st reason is the one that suits this situation, as the reset token in this case is only usable once. Looking at the likelihood of it happening, the situation where an account gets reset via this issue is really rare. Furthermore, a MiTM attack would not help in this case, as the request is transmitted over SSL.

Nevertheless, there is no harm in submitting the issue, as there are certain programs that accept this issue as a minor flaw and reward it:

  • https://hackerone.com/reports/738
  • https://hackerone.com/reports/13557
  • https://hackerone.com/reports/5691
  • https://hackerone.com/reports/47140


Reference(s)
  1. https://isc.sans.edu/diary/When+does+your+browser+send+a+%22Referer%22+header+(or+not)%3F/16433
  2. http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html
  3. http://stackoverflow.com/questions/323200/is-an-https-query-string-secure
  4. https://www.ietf.org/rfc/rfc2616.txt



Thursday, October 8, 2015

Using HEAD to optimize Time Based SQL Injection

I was conducting an application pentest on a client site and found that the website is vulnerable to SQL Injection. The DBMS is MS SQL Server.

The problem:

  1. There's some sort of WAF or keyword filter looking for common SQLi payloads such as 1 or 1=1, etc.
  2. The only successful test was via Time Based, but the page doesn't load with a consistent time pattern, which affects the result.
  3. Automated tools don't help.
  4. Burpsuite was able to exfiltrate the IP address via a DNS request, but I had no external domain to test it manually. (Eventually, after finding a way to exfiltrate via DNS, the result obtained seemed different from Burpsuite's.)
Solution:
  • My friend suggested using HEAD to ignore the content, since the content is the reason why the page doesn't have a consistent response time.
  • I did some reading on it, and it works!
Change the method to HEAD in Burpsuite

The response now has a consistent pattern
  • Time to run SQLMap, then. So, is there an option to use HEAD in SQLMap? Yes there is: --null-connection
  • However, SQLMap didn't seem to recognise it and the scan failed. Probably I used the wrong options.
  • Now, how can we obtain the result faster and more reliably without doing it manually? Burpsuite has the answer :)
  • We can use Burpsuite to dump the information via the Time Based SQLi technique.
  • What we need to do is just:
  1. Change Burpsuite's response timeout to a value just below our payload's delay. For example, if we want to delay the request for 10 seconds, the timeout value inside Burpsuite should be 9 seconds.

  2. Set up our Intruder and make sure the request is still sent via HEAD.
  3. The payload will be similar to 1;1'+if+((substring((@@version),§1§,1)))='§a§')+waitfor+delay+'0:0:10'--
  4. Use Cluster Bomb as the attack type in Intruder so we can have two different payload sets in Burpsuite.
  5. The 1st payload set will be configured to use Numbers, while the 2nd payload set should be alphanumeric; it's up to you whether to include special characters or not.
  6. Run the Intruder :)
  7. We will have a few results that have no status and length. Those are actually the characters we are looking for. They appear like that because the page responds TRUE and delays for 10 seconds; since we already configured Burpsuite with a 9-second timeout, there will be no result for them.
  8. Organise the results from Intruder and we can see our desired output :)
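From the defending side, both this post and the earlier "HQL Injection on Web Application Running Oracle Database" post leave very recognisable traces in the access log. As an added example (not the author's tooling), here is a Python check that URL-decodes each request, matches the specific markers those payloads carry (the Hibernate version constant, DBMS_XMLGEN.getxml, waitfor delay, the @@version substring probe) and flags HEAD requests whose response time sits in the injected-delay range. The log lines, hosts, paths and addresses are constructed.

```python
import re
from urllib.parse import unquote_plus
# Constructed access log lines (hypothetical hosts, paths, addresses; the last field is
# the response time in seconds): benign traffic, the Hibernate version and DBMS_XMLGEN
# probes from the HQL post, and the HEAD-based waitfor delay probe from this post.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2016:10:01:02 +0800] "GET /index.jsp?id=1 HTTP/1.1" 200 5120 0.180
203.0.113.7 - - [08/Jan/2016:10:01:05 +0800] "GET /index.jsp?id=1')%20and%20substr(org.hibernate.cfg.Environment.VERSION,0,1)='3'%20and%20('1'='1 HTTP/1.1" 200 5120 0.190
203.0.113.7 - - [08/Jan/2016:10:01:09 +0800] "GET /index.jsp?id=1')%20and%20DBMS_XMLGEN.getxml('x')%20and%20('1'='1 HTTP/1.1" 200 5120 0.200
198.51.100.9 - - [08/Oct/2015:14:22:31 +0800] "HEAD /item.aspx?id=1;1'+if+((substring((@@version),1,1)))='M')+waitfor+delay+'0:0:10'-- HTTP/1.1" 200 0 10.004
198.51.100.9 - - [08/Oct/2015:14:22:33 +0800] "HEAD /item.aspx?id=1 HTTP/1.1" 200 0 0.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

# Payload markers from the two posts, matched after decoding so %xx / '+' encoding
# does not hide them.
SIGNATURES = {
    "hql_hibernate_version": re.compile(r"org\.hibernate\.cfg\.Environment\.VERSION", re.I),
    "oracle_dbms_xmlgen": re.compile(r"DBMS_XMLGEN\.getxml", re.I),
    "mssql_time_based": re.compile(r"waitfor\s+delay", re.I),
    "mssql_version_probe": re.compile(r"substring\s*\(\s*\(?\s*@@version", re.I),
}

def parse_line(line):
    """Split one log line into fields; returns None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_url"] = unquote_plus(rec["url"])
    rec["secs"] = float(rec["secs"])
    return rec

def classify(rec, slow_threshold=5.0):
    """Names of the markers a parsed request trips, sorted."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded_url"])]
    # A HEAD request transfers no body, so a multi-second response time is the
    # injected delay itself rather than page rendering or download time.
    if rec["method"] == "HEAD" and rec["secs"] >= slow_threshold:
        hits.append("slow_head_response")
    return sorted(hits)

def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = classify(rec) if rec else []
        if hits:
            findings.append((rec["ip"], rec["method"], hits))
    return findings
```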

Thanks!

References :

Tuesday, February 17, 2015

Sunday, December 14, 2014

Configure your Gmail in Outlook


  1. Log in to your Gmail and go to Settings.
  2. Under 'Forwarding and POP/IMAP', enable both POP3 and IMAP.
  3. Now open your Outlook.
  4. Add a new account and put in all the required information.
  5. Put your incoming mail server as pop.gmail.com
  6. Put your outgoing mail server as smtp.gmail.com
  7. Click on 'More Settings', as you need to enable a few things.
  8. On the 'Outgoing Server' tab, tick "My outgoing server" and "Use the same settings as my incoming mail server".
  9. Then go to the 'Advanced' tab and set the incoming server port to 995 and the outgoing server port to 465, both with an SSL connection.
  10. Save and test your connection. It should work! :)




Tuesday, November 18, 2014

UTPHax'14 - Writeup for Audio Stego Round 5

It was a great experience handling another hacking contest at a local university recently. As usual, there were some questions that the contestants were not able to answer, and they kept asking how the hell they could be solved.

Well, here's one of the ways to solve this challenge :)

Question : Chill out the pressure and listen to the rhyme. Enjoy! 
Participants were provided with a WAV which, when played, gives a nice piano rhythm. However, there seems to be something buggy in the middle of the playback.

Hint given:

By looking at the hint, we know that this sound was generated from an online tool which can be played using our keyboard.
A simple Google search for "piano generator" leads us to this website, http://www.gootar.com/piano/, and yes, this is the right URL :)

By default, there's already a piano tune available at the URL, and if we play it, woh! It is the same sound as our question WAV audio, right?!

Open up Audacity and record the sound. Open the original WAV and compare it with our question WAV. It will look like below.



From the analysis, we can say that the starting and ending points are where I boxed them out in the picture above. So let us see which key was actually used right before where our flag is located.



Yerp, you are right: the ; symbol. So what should we do next? Looking back at our keyboard-based piano, we know that each tone has a different frequency (high, high peak, low, etc.) as described in the picture below; I divided it into 4 different layers of frequency.


If we listen to the sound where our flag is located, the first tone actually belongs to the 2nd layer. So back again to the URL, and one by one we test and capture the sound.
Start the tone with ; then continue with the characters in the 2nd layer. For example:
;]_;[_;p_;o -continue yourself- Do note that the _ symbol is actually just a rest, so we can hear the tones much more clearly.
Once that is done, record again and compare it using Audacity. It will look like below.


Aha! We can see some similarities between the sound we just created and the original question WAV (from the starting point of the flag).
So the flag starts with either ;p or ;o.

Let us pick one and proceed with the next tone. Listen to it again, and we can say the tone is quite low and belongs to the 3rd layer.

Go to the URL and start recording the tones:
;p;_;pl_;pj_;ph_;pg -blalala continue yourself-

Compare it again with our question WAV.

Auw yeahh!! We are on the right track! Then? Just continue the same steps until you finish the line. Once done, you'll get the flag :)
The flag is pl4yme

That's all. Thanks!


Sunday, August 3, 2014

I hate you, so I pawn your Google Open Gallery

Hi, long time no see. I've been quite busy with work and probably will not be able to update much in future.

I'm going to share with you guys another bug I found in Google.
The bug is shown below.
Google currently has service ports 80 and 443 open. These ports expose what kind of service they're using. This bug is worth $10k. Ok, just a joke. Let's be serious.

A while back I found a bug in one of Google's services, Open Gallery. This service allows a user to share their exhibition art stuff (sorta), and each exhibition is given a specific URL under the *.culturalspot.org domain. This domain cannot be changed once we save the name.

I created two different accounts for Open Gallery:
  1. jablor.culturalspot.org (using attacker@gmail.com)
  2. test333.culturalspot.org (using prakhar's_motorbike@gmail.com)
The current state of both exhibition pages is shown below.
jablor.culturalspot.org

test333.culturalspot.org         
I have a score to settle with prakhar's_motorbike@gmail.com, and luckily this guy is currently selling his art using Open Gallery (test333.culturalspot.org). Let's pawn his Open Gallery!

What I do below shows that:
  1. I run Burpsuite on my account and try to save my current settings.
  2. I trap the request during the saving process and change my domain from jablor.culturalspot.org to my target's URL, test333.culturalspot.org.
  3. What happens? His Open Gallery content is changed to mine and his domain is now owned by me. He will see my content on his domain, and the content itself is controlled by me. :)
Fire up Burp and change the domain

My original culturalspot no longer exists, as it has already been changed to the victim's URL
Victim's culturalspot with my content :)


That's all guys. Have fun.
This was fixed by the Google team :)

Wednesday, June 11, 2014

XSS in Google MapMaker

Hi,
It's been a while.. I just got back to my blog and what I can see is similar to..
sorry, my dear blog.

Ok. I'm going to share an old bug of mine from the Google Bug Bounty VRP. It's an XSS in MapMaker, a tool to create/modify Google Maps, I assume.

The bug exists in the comment form.

1 - Find any place(s) that you want to edit.
2 - Go to the comment form and put in your XSS payload. Easy peasy! :D


Oh yea.. your "><img src=x> and <a href=x> payloads won't work for this case. It seems there's some filter kicking in when we use those payloads. Luckily, they missed out <iframe> :)




ciao :)

Sunday, February 2, 2014

Youtube - Stored XSS Strikes Back!

Hi,
Remember the picture above? Most of you might have thought it's an XSS vulnerability in Gmail; sad to say, it is not. haha.. The bug actually exists in the Youtube API. Yes, similar to my previous post Yay the Nay in Youtube, this bug also came from the same Youtube API.

The vulnerable parameter was the track's name. The interesting part is, if you try to use an XSS payload directly as the track's name, it won't work. An error appears saying you're trying to use special characters that are not allowed.

But due to a glitch in this section, I was able to change the track's name by using the "edit" function. By directly replaying the request or tampering with it, I could change the old_name into a new name containing my XSS payload, as shown below.


Once saved, the XSS was successfully stored in my video. So does it mean that if you watch the video on www.youtube.com it'll execute? Sadly, no. However, the XSS can be executed in Gmail, Google Docs/Presentation and Google Plus. This is because the video is played using Google's player, which was affected by this vulnerability.




Simple, right?
Till next time, adios!

@yappare

10 January 2013 : Reported to Google
11 January 2013 : Received notification from Aleksandr, Google Security Team
12-14 January 2013 : Bug was noticed to be fixed around these dates.
15 January 2013 : Received email regarding reward
22 January 2013 : Confirmation of fix from Google's team.


#edit: My friend Prakhar said that this XSS actually executes on the main Youtube domain as well, since he double-checked for me on that day and it worked on www.youtube.com. Sadly, I don't have the screenshot as proof.

Tuesday, January 14, 2014

Again, from Nay to Yay in Google Vulnerability Reward Program!

Happy new year to everyone. This is my first post for 2014.

On 9th January 2014, I posted this on my twitter
https://twitter.com/yappare/status/421470672330571777/photo/1
So is this post related to that? I'll get to it soon, or probably next month. haha..
In this post I'm going to share with you a bug that got me into the Google Vulnerability Reward Program G+ Community here

The bug is a Self Stored XSS in Youtube. Yerp..

Let us see how the XSS exists:
  1. In the Youtube Video Manager, there's a function for a user to create captions for his/her video(s).
  2. Put our XSS payload in the script box and save.
  3. Once we play the video, our XSS will be executed.
  4. Check the screenshots below :)







But.. there's a problem! The XSS only executes in the Video Manager's Captions section, which in other words means the XSS is stored for that user only.
Hmmm...
There must be a way to exploit or manipulate this vulnerability. Last time I managed to find a way to turn a Nay into a Yay in Google Adwords. You guys can check it out at http://c0rni3sm.blogspot.com/2013/12/google-adwords-stored-xss-from-nay-to.html

I browsed around a few times to see if there's any share or embed function in this Captions thing. And then..

                                         

I noticed that there's a function where a user can request a translation from a 3rd party or from other users. So how does this function work?
  1. The user requests a translation for his/her video.
  2. The user can choose either a 3rd party or other Google users.






Manipulation time. Let's assume that there's a community for English series, movies and Korean dramas that has some translators for Youtube captions.. and among them, there's an attacker >: )
  1. The attacker receives the invitation.
  2. The attacker puts his/her evil code in the middle of the translation.
  3. Sends it to the requester for approval.




Once done, the requester will get an email notification, and what she/he needs to do is review the translated caption and approve it. So what happens next? The XSS will be executed


and





Till next time, adios!

@yappare


03 December 2013 - Reported via VRP form
07 December 2013 - Received a reply from Martin, Google Security Team
07 December 2013 - Google Team asked for more information to reproduce
08-10 December 2013 - Fixed around these dates.
11 December 2013 - Received a reward email from Google
10 January 2014 - Kevin, Google Security Team confirmed the fix.