Sunday, November 18, 2012

Advance Oracle Blind SQL Injection


Had a job to test an application a few days back. It's an application using a Java applet.
Hmm.. when I heard it's an application via Java applet, what came to my mind was:

1 - Internet Explorer will be the better browser
* which is true in this case.. since to use another browser I would need to install Java JInitiator (something like that)
* no extra add-ons such as HackBar/Tamper Data available in IE

2 - Try to hook it using proxy tools: Burp/Paros/WebScarab/ZAP etc.
* Success, but no use, since the data is encrypted well. Failed to crack/reverse it :(
* Tried to use JavaSnoop. Failed to set it up. hahaha

3 - Manual testing!!!
* The best choice.

The developers of this application are really confident in their application. They already guaranteed that there's no bug in it. So that's why the company that hired them asked me to test the application..

So, after testing it for the 1st day.. it is true the application is hard to hack.. not because of the application, but because of the Java applet.
How about the application itself then? LOTS of vulnerabilities.
I found multiple forms that are vulnerable to Oracle Blind SQL Injection.

Then came another problem.
Most of the forms only accept a small number of characters. Some of them accept 30 chars.. some of them 40 chars.. the longest acceptable is 90 chars, which I found in one of the vulnerable forms.

It is a BLIND SQLi with a limit on the number of characters.

At first I already informed the company about this, but then one of the developers said..
"So what?.. You cannot extract anything just by that 1 or 1=1 1=2 thing right? haha"

Really pissed me off. So I needed to extract something from this Blind SQLi to show the impact to this developer guy.

A little reading and googling found that, for Blind SQLi in Oracle, we need a lot of chars to successfully extract the data.
The only hope I have now is the one form that accepts 90 chars.

So how am I confident it is a blind SQLi?
Simple.
When I search for " john ", john's profile appears.
But if I search for " john' ", a different profile or a blank profile appears.

So I tried
john' or 1='1 TRUE
john' or 1='2 FALSE

Yerp! It is a blind SQLi.

Had a read of the pentestmonkey cheat sheet and found out that we can use this as well. It's called String Concatenation:


jo'||'hn = TRUE
jo'||hn = FALSE
jo'||h||'n = TRUE


So here's the idea.

jo'|| INJECTION HERE if TRUE 'h' else 'x' || 'n

- let's say we query whether the first letter of current_user = 'U'; so if the current_user's first letter starts with U, it will be 'h', which completes the string equal to jo'||h||'n
- if the 1st letter does not start with U, it will be the else value 'x'.. so the string becomes jo'||x||'n, which is not a valid profile available in the application.

Added a little example to this tutorial [IMG]
To make sure my instinct is correct, I proceeded with another test.
search=Zack' and 1='1
TRUE!
FALSE!

In Oracle, this query can be used for injection as well.
Let's say we search for:

This will be a false statement, since it'll be something like Za'ck.
If we search for
it'll be a TRUE query, and valid info about Zack will appear.
Same as the query below; it'll result in a TRUE statement.
So what we are going to do is, our injection will be like this
where in the above injection, if the injection returns a valid value (TRUE), it'll be
whereas, if FALSE, it'll be
which is not a valid user available (Zaxk).

A simple example of the query is below
What is the query above about? It will try to query the database banner from v$version (which has the string Oracle in it).
After that, it'll test the first character (specified by the substr() call) and compare it to the letter 'A'.
If the first letter starts with 'A', the query will be a valid statement and will return 'c'; if NO, it'll return 'X'.
Hope you get the idea :)...
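To show why the character limit does not help and what actually fixes the concatenation oracle described above (the jo'||'hn trick and the substr() probe against the banner), here is an added example that is not part of the original post. It uses an in-memory SQLite table with constructed profile rows as a stand-in for the Oracle database (both evaluate '||' and CASE), sqlite_version() in place of v$version, and an assumed 90-char form limit; the string-built query is shown next to the parameterized one.

```python
import sqlite3

# Constructed sample data standing in for the application's profile table.
# SQLite stands in for Oracle here: both evaluate '||' and CASE ... END.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (name TEXT, role TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?)",
                   [("john", "analyst"), ("zack", "admin")])
    return db

MAX_LEN = 90  # the form's character limit from the post (assumed); not a defense

def search_vulnerable(db, term):
    """Query built by string formatting: the length cap does not stop the
    short '||' payloads, and any SQL error is swallowed as 'no profile'."""
    if len(term) > MAX_LEN:
        raise ValueError("input too long")
    sql = f"SELECT role FROM profiles WHERE name = '{term}'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError:
        return []  # the blank profile the post describes

def search_parameterized(db, term):
    """Bound parameter: the whole input is compared as one literal value,
    so jo'||'hn is looked up as those eight characters, not as john."""
    if len(term) > MAX_LEN:
        raise ValueError("input too long")
    sql = "SELECT role FROM profiles WHERE name = ?"
    return [row[0] for row in db.execute(sql, (term,))]

# Inputs from the post, with sqlite_version() replacing v$version (assumed).
PAYLOADS = {
    "plain":        "john",
    "concat_true":  "jo'||'hn",
    "concat_false": "jo'||hn",
    "probe_true":   "jo'||(CASE WHEN substr(sqlite_version(),1,1)='3' THEN 'h' ELSE 'x' END)||'n",
    "probe_false":  "jo'||(CASE WHEN substr(sqlite_version(),1,1)='A' THEN 'h' ELSE 'x' END)||'n",
}

def compare():
    """Returns {payload name: (vulnerable result, parameterized result)}."""
    db = setup_db()
    return {name: (search_vulnerable(db, p), search_parameterized(db, p))
            for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in compare().items():
        print(f"{name:13} vulnerable={vuln!r:13} parameterized={safe!r}")
```

Only the string-built query lets the 75-char probe act as a true/false oracle; the bound-parameter version returns nothing for every payload, regardless of the length limit.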