00:00:04,140 --> 00:00:26,160
The outlined techniques are known as blind SQL injection. The methodology of this attack type relies not only on embedding single expressions like OR 1=1 into SQL commands; entire statements, complicated expressions, and logical condition tests can be injected as well.

00:00:26,330 --> 00:00:52,390
You can communicate with the server without having access to a server interface by using only information returned, or not returned, in error messages. This is one of the most popular techniques for blind SQL injection. Another method is a technique that relies on measuring the time needed to execute a query. It's worth noting that this is not the sole alternative.

00:00:54,810 --> 00:01:28,140
An attacker can try to embed some commands and attempt to delay the execution of a query. If an application responds immediately, the attacker will know that the command has not been executed. If the answer is delayed by, for example, two seconds, this is proof that the command has been executed, despite no credentials having been directly obtained. Remember, the results are visible for us in an editor window; an attacker would not be able to see the results.

00:01:29,360 --> 00:01:46,960
A database server, as you can now see, will execute any well-formed command. To execute it, however, the instruction must refer to an object that is contained in the database. The command has to be both syntactically and semantically well-formed.
00:01:46,970 --> 00:02:02,580
You should not expect an application like Hacme Travel, to which we are quickly logged in (see the taskbar, where we are logged in as a user), to display entire tables with data when you type SELECT * FROM table. This isn't likely.

00:02:02,760 --> 00:02:23,080
Apart from that, error messages might be filtered and replaced with messages that are more general. This is a good practice as far as application security is concerned, and end users should not be able to see any detailed error messages. Despite this, blind SQL injection is still possible.

00:02:24,690 --> 00:03:03,970
Why is that? It's because we're able to execute commands that are sure to always be executed. This is the basic idea behind blind SQL injection. If you know such commands (this requires knowledge of the specific dialect of a given language, or knowledge of the database server), you can ask the server questions that will always be answered with true or false: something is or is not executable. This is obviously a time-consuming solution, but it can be used to obtain all needed or relevant information.

00:03:09,540 --> 00:03:31,690
Let's use a particular blind SQL injection attack that targeted a really large web application several years ago as a case study. The fact that the attacked application was ASP.NET based is largely irrelevant; all this means is that a given application certainly uses a Microsoft database server.
00:03:31,740 --> 00:03:44,520
It's difficult to imagine otherwise. The reverse configuration is possible, but if an application is based on ASP.NET, it almost certainly uses some version of SQL Server.

00:03:46,800 --> 00:04:22,800
A common feature of web applications is that they are publicly available. This is one of their strengths. The attacked application was also a public blogging forum, and the application required the submission of a login and password. What's more, the forum allowed users to reset their password. If a user forgot their password, they did not have to contact an administrator; the process could be done automatically.

00:04:22,840 --> 00:04:37,570
This was possible because clicking on the Remind Password button sent a user's password to the email address submitted during registration. It would be absurd to send the forgotten password to an address submitted only a while ago by a user.

00:04:39,270 --> 00:05:11,740
The attackers checked that, after entering a single quote into the user field and clicking on the Send Password button, the application reported a specific error. The query executed at this point by the application might have looked like this. Note that we mentioned a single quote, but the above listing has three apostrophes; the same was the case with the examples we showed before. We'll come back to this later in our presentations.
00:05:11,760 --> 00:05:52,350
It's worth noting, however, that the key here is the correct ending of a line. Why are there three apostrophes, not just one? Alternatively, if a command itself uses a single quote, to make it a literal quote it has to be preceded with another quote. This is how SQL is written, and unfortunately it's not the only language that is constructed in this way. Many languages need to double a control character to make it retain its meaning. We would like to end this string. This means we need another apostrophe. We'll come back to this subject later.

00:05:54,720 --> 00:06:22,590
When trying to submit a different username, the attackers clicked Send; this prompted a different error message. This was no longer error 500. Instead, the Unknown User error message would be displayed. If a true expression, like OR 1=1, was entered into the user field, an interesting message would be prompted: a new password has been sent.

00:06:25,750 --> 00:06:53,860
We might assume that the server executed the following query, as we saw it before. This is more or less the usual line of reasoning. At this point the first user in the table received an email that contained a new password. Regrettably, but let's not cry over spilled milk. This means that we have three system reactions. We sent a new password to a user.
00:06:54,460 --> 00:07:08,740
We got an error 500 message, or a User Unknown error message. Three system reactions have been discovered. Let's try to find the names of the table columns.

00:07:10,240 --> 00:07:42,680
We had a chance to see one of the methods used for extracting this data live, using executable instructions. This information can also be checked in a different manner. Take a guess at the column's name and check the system reaction. See if this brings an error or not, and whether the column is contained in the table at all. As you already know, we can communicate with the application by interpreting messages like User Unknown or Internal Server Error.

00:07:45,840 --> 00:08:03,170
When the column names are obtained, it's time to extract the table name. In order to do this, you can use a subquery that again takes a guess at the table name. The method we saw before was more universal: the table name would be returned in an error message at once.

00:08:07,210 --> 00:08:35,930
Having acquired the names of the columns and the name of the table, you need to verify if the table name is really correct. This is essential, since in most database servers object names are made up of two parts: a table name is preceded by a name that is known as a schema. This means that the same table name might be reused multiple times inside a database. You need to be sure that you have both the name of the schema and the table name.
00:08:35,960 --> 00:08:57,020
You can put a schema ahead of the table name in a query and see the results. Having obtained this information, you can try to read user data. In this case, however, the attackers opted for another solution. They decided to change the email address of one of the users. Why would they do that?

00:08:58,420 --> 00:09:28,200
Remember that the application sends a new password to the email address supplied at registration. Knowing this, we choose a user who we suspect to be an administrator and update the email address column of this user, entering an arbitrary email to which we'd like a new password to be sent. It turns out that this approach is adequate: the system forwards a password with administrative permissions to the attacker on its own.