B-Sides Manchester 2015
Pentest were pleased to return as sponsors for B-Sides Manchester 2015 on 25th August at Manchester Metropolitan University. There were some excellent talks on the day, the food and venue were exceptional and everyone seemed to have a great time. Pentest ran an SQLi based challenge on the day with a PlayStation 4 awarded to the first person to break the challenge.
The challenge is still available for you to attempt at bsides-2015.pentest-challenge.co.uk. If you want to attempt the challenge - stop reading now! The solution is below.
Congratulations to everyone who attempted the challenge. There were a number of people who were close, but the 'first past the post' was Mohit Gupta, so special congratulations to him. We hope he enjoys his PS4.
This challenge involved a seemingly simple union-based SQL injection attack, with a twist! We implemented a rather basic simulation of a Web-Application Firewall (WAF) which introduced a number of restrictions. These were made clear to the conference attendees, as part of the source code for the application was disclosed:
Looking at the source code, we can see two limitations on the injection:
- The payload can only be up to 90 chars.
- The payload cannot contain 'union select from' strings in this exact order.
The challenge can be solved in a number of different ways; here are two examples:
1) Brute forcing
A valid, albeit not very elegant, way to solve this challenge is by brute forcing the tables, columns and data belonging to the current database. This can also be done in several ways; here is an example of extracting the data once the table and column are discovered:
This would result in the images from the search being displayed, as the 11th character in the string does indeed equal “3” (ASCII code 51). The following query would result in no images being displayed, as the 11th character does not equal “4” (ASCII code 52):
This approach can be used to systematically iterate through each character position and return TRUE/FALSE conditions depending on which ASCII code the character is being compared to. This method was used by the contest winner Mohit Gupta to great effect. Congratulations again to Mohit on his new PlayStation 4!
2) Using database variables
We can simply bypass both limitations by using MySQL variables as in this example when we extract the table name in one query:
http://bsides-2015.pentest-challenge.co.uk/?search='or@:=(select table_name from information_schema.tables limit 40,1)union select 1,2,@%23
This results in an invalid src attribute for an <img> element, which is in fact the table name (bsides_manchester_2015):
This technique can then be used to facilitate the remainder of a standard union-based SQL injection attack in order to determine the column names of the table and finally the data within the table.
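To show why a keyword blocklist like the one in this challenge is not a mitigation, here is an added example (not the challenge's own source, which is not reproduced on this page). It re-implements the two described restrictions in Python, checks the variable-based payload from the write-up against them, and contrasts the concatenated query with a parameterised one using an in-memory SQLite table. The regex reading of "in this exact order", the images table and its columns are assumptions.

```python
import re
import sqlite3

MAX_LEN = 90
# Assumed reading of the filter: the three keywords must appear in this
# order (anything in between, any case) for the request to be blocked.
BLOCKED = re.compile(r"union.*select.*from", re.IGNORECASE | re.DOTALL)

# The payload from the write-up, URL-decoded (%23 -> '#').
VARIABLE_PAYLOAD = ("'or@:=(select table_name from information_schema.tables"
                    " limit 40,1)union select 1,2,@#")


def naive_waf_allows(payload: str) -> bool:
    """True if the simulated WAF would let the payload reach the query."""
    return len(payload) <= MAX_LEN and BLOCKED.search(payload) is None


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's image table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER, title TEXT, src TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?, ?)",
                     [(1, "conference hall", "hall.jpg"),
                      (2, "speaker stage", "stage.jpg")])
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> str:
    """Builds the query by concatenation, as the challenge does. Returns the
    SQL text so the reader can see the user input has become SQL syntax."""
    return f"SELECT id, title, src FROM images WHERE title LIKE '%{term}%'"


def search_parameterised(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the term is bound as data, so quotes and keywords in it
    are never parsed as SQL and no blocklist is needed."""
    sql = "SELECT id, title, src FROM images WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    print("WAF allows write-up payload:", naive_waf_allows(VARIABLE_PAYLOAD))
    conn = build_demo_db()
    print(search_concatenated(conn, VARIABLE_PAYLOAD))
    print(search_parameterised(conn, VARIABLE_PAYLOAD))
```

The blocklist passes the 86-character payload because no `from` follows its `union select`, while the parameterised query simply returns no rows for it.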
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.