SQL Injection using System Variables in MySQL

For BSides Manchester 2015, the UK pen-testing company aptly named ‘Pentest Ltd’ held a SQL injection challenge where the injection point required structuring the payload in a specific manner with MySQL voodoo to keep the payload under 90 characters, and bypass a basic WAF.
I was fairly certain the lab could also be accomplished using MySQL variables, but was unable to get the job done. Low and behold, it totally was possible and it turned out I overcomplicated the solution which they revealed could be achieved with the following:

This was something I’d never looked at before, and it just didn’t cross my mind to store the query result and retrieve it using a variable with one hit using a UNION. I was trying to do this over two queries and therefore my variable would always be empty/null when i tried to retrieve it, as MySQL variables are scoped to a SESSION ( a single database connection ), and are emptied after the first query completes and the application closes its connection.
This lead me to going completely down the wrong rabbit hole trying to solve the challenge, but also into discovering something reasonably interesting: SQLi with System Variables. Continue Reading “SQL Injection using System Variables in MySQL”

Gotta Captcha’m All – Automating Image (and Audio!) Captchas.

A captcha serves one purpose. To ensure that a human has performed a task, and not a machine.
In web applications, they attempt to prevent attackers from creating automated bits of code to brute-force forms, fuzz user input or cause a denial of service.
Its very much a non-trivial task these days to differentiate the man from the machine using these image ( and sometimes audio ) “challenges”, as the logical steps a human brain takes to decipher characters from a captcha can almost always be replicated, often more effectively, in code. The types of people you deploy a captcha to shield yourself against are unlikely to be thwarted by something that can be programatically broken. You’re often just adding another hurdle with a captcha. Some people like hurdles.
With this in mind, if you have chosen to use a captcha to protect a mission-critical application from attack… I am of the opinion you’re already a little bit screwed. A captcha is suitable for stopping a casual WordPress blog like this from being overrun by spam comments from knock-off Barbour jacket merchants, nothing more.
On a recent test, a mission critical application for a bank was indeed vulnerable to a nasty DoS, caused by using the ‘RadCaptcha‘ captcha system, which is built into the commercial ‘Telerik’ .net framework. Its a particularly crappy captcha. A previous pentest from another company had already highlighted this, but without demonstrating how it could be broken the bank were reluctant to swap it out.
For the rest of this post, I’ll detail some of the steps I took, and tools I used, to create a PoC for bypassing Telerik RadCaptcha. At the end of it you should have a reasonable idea of how to incorporate captcha-beating functionality into your own scripts. The secondary take-home should be to not use RadCaptcha. Continue Reading “Gotta Captcha’m All – Automating Image (and Audio!) Captchas.”

"Bypassing" CSP’s Data-Exfiltration Protections

A long time ago now, I tweeted a challenge to see of anyone knew what the following URL would attempt to do:

Don’t worry, I don’t expect you to stare at that monstrosity. Instead I’ll just tell you;
So a friend of mine was competing in WhiteHatRally last year, which is a sort of “solve the clues to figure out where to go”-style car race for charity, and he realised that it might be possible to stalk the other competitors, who were displaying there progress on FB via GPS tracking site insta-mapper.com, in order to determine where they were going and beat them there. So initially we looked at spending a weekend making an app to cheat at a charity race by scraping the other contestant’s locations in semi-real-time… we’re that cool. But I ended up spending the weekend learning the ins and outs of Content Security Policy (CSP) instead, which actually is quite cool. In this post I’ll explain what a learned about CSP that stopped our attack, and how we were still able to ‘bypass’ it and skin the cat a different way. Continue Reading “"Bypassing" CSP’s Data-Exfiltration Protections”

Threema Revisited.

So the Treema bug I found a few years ago was fairly cool in my opinion, something a bit different anyway. So it was disappointing that Threema didn’t respond to me at all and then released a patched/updated Threema to the AppStore with something like “general improvements’ in the change-log.. lovely.. very general.

Well, anyway… process this for a second “All UI exploits are vulnerabilities in code; but not all vulnerabilities in code are UI exploitable.”. This should be pretty obvious… but if you forget it and find a UI bug in an iOS app, you might be passing up a 2nd vulnerability if you’re faced against lazy devs. Here’s how the same attack looks today:

Continue Reading “Threema Revisited.”

Threema Local Authentication Bypass

I sent Threema an email disclosing this and got an auto-reply saying that they commonly take a week to reply to customer messages. Since I hate waiting for things and its not a total remote RCE flaw, lets just put it here for now.

The flaw allows gaining local access to a user’s Threema application, bypassing the local authentication (PIN), and the ‘delete data after 10 failed attempts’ setting. Continue Reading “Threema Local Authentication Bypass”

The OkBot.py

For a while I was trying to do the whole online dating lark. I had some fun with it but the problem with a site like OkCupid (my poison of choice) is that you can never really tell how ‘well’ you are doing. Obviously you are doing well if you are meeting people and having fun in the process or happen to meet the love of your life, but for a competitive narcissist like me; I just wanted to know how i stacked up against other people on the site.
…scratch that. I wanted to be ‘better’ than everyone else 😛
After a few drinks with my very talented programmer buddy david we got talking about this wondered how hard it would be to script something in a few hours to play the online dating game for us, and give us the George Clooney appeal we knew we deserved. The became ‘The OkBot’.

Continue Reading “The OkBot.py”