Raw Water: Quenching Your Thirst for SQL Injection

2023-09-22 11:04:30

This article was originally presented as a lightning talk
during ElixirConf 2023.

Computer security Capture The Flag contests
(CTFs for short)
are fundamentally about getting secrets out of computer programs.
Sometimes the secrets are locked inside or behind a
complicated binary requiring a
decompiler or disassembler and
hours of study,
and this frustrates players who want “web” challenges.
Web challenges are often synonymous with SQL injection challenges,
which are a particular flavor of
CWE-94 Improper Control of Generation of Code.

Unfortunately,
sqlmap
is a really good tool for finding and exploiting
SQL injection vulnerabilities in web applications.
It’s absurd how trivial it is.
You point it at a URL and can get the whole database back.
Ridiculous.

However, many technologies in the modern web
aren’t compatible with the very
’90s view of the web sqlmap assumes.
It doesn’t puppet a browser,
just parses HTML and makes normal HTTP requests.
This means that we can use a
JavaScript-based system speaking WebSockets
or some other weirdo HTTP subset
to handle the user interaction in
a way that sqlmap can’t interact with.

The other problem with SQL
(or really, any flavor of persistence) injection
challenges is that mischief is incentivized.
Even if you don’t solve the challenge,
there may be opportunities to make it harder
for other teams by
resource consumption attacks or just straight up vandalism
that are hard for game organizers to track down or fix during the game.

Hack-A-Sat, in addition to being the first CTF in space,
also had a system of tickets and receipts
(yes I did come up with it on a train ride)
to provide traceability and unique experiences per team.
Tickets contain an RNG seed and a per-team key.
This allows different instances of a challenge
(with no communication between them,
great for operations!)
to provide either
a new random experience per connection or
a consistent but random experience per team.
Nautilus Institute also uses tickets and receipts for our
quals game.

I came up with the “Raw Water” challenge
right at the beginning of 2023:

<vito> with the quals service i’ve been thinking about, “raw water” (sqli using websockets so you can’t just sqlmap it), not having to worry about a shared sql instance would be good

<vito> oh god i have a bad idea though

<vito> handle the ticket myself in the http server and have a named sqlite per slug on a shared fs

I wanted to minimize the processing done on the client;
you can’t trust them normally,
even less when only scary hackers will use it.
(j/k ilu :3)
I started working with raw WebSockets in Phoenix
(using Phoenix.Socket.Transport)
and was on the verge of starting the client JS for it
when I realized I was just reimplementing
Phoenix LiveView
(which is the well-supported and pretty good
system for
receiving events from the client,
processing them on the server,
and sending redirects and HTML changes back to the client).

So, I built “Hellform,”
which uses the seed from the ticket to make a consistent
form of 100 fields, about half required,
with one injectable “occasion” field
and one “landmine” field that rejects any single quotes
(i.e. attempts at SQL injection).
It’s broken into 10 pages of 10 fields each,
because that let me hide the page navigation on the first page
(because it was funny, to me.)
The in-progress form just lives in the LiveView process,
and the actual submission of the form is also done over the
LiveView, which sqlmap can’t interact with.

exqlite,
an Elixir library wrapping sqlite3,
solved the shared resource problem.
Sqlite3 databases have a pretty efficient file representation,
files are just an array of bytes,
and PostgreSQL has a column type just for those.
The “Minibase” part of Raw Water really
just implements two things: saving an order and loading an order.
Wrangling the Postgres data is done elsewhere,
with Ecto.

Saving the order is kinda complicated:

  1. Get either the whole byte array or a big fat
    NULL from Postgres.
  2. Open a :memory: database with
    Exqlite.Sqlite3.open/1
  3. Deserialize the database with
    Exqlite.Sqlite3.deserialize/2
  4. Validate the schema
  5. If any of the above failed,
    reopen :memory: and
    create the flags and orders tables.
  6. Generate and insert a flag into flags.
  7. Run the SQL statement to insert the order into orders.
  8. Delete the flag from flags with
    the SQL statement DELETE FROM flags;
  9. Serialize the database with
    Exqlite.Sqlite3.serialize/1

Loading the order is much simpler,
deserialize and SELECT and just 404 if it fails.

Minibase (or the Minibase concept) is intended to be reused
in future challenges.
If you’re interested in it or something like it,
check out the source code,
and hit me up for questions,
either by email or
on Mastodon.

Vito
