document.write. Then I added needle highlighting. Eventually I had a Greasemonkey script, which I then turned into its own Firefox extension.
I mention this for two reasons:
Eval Villain is my first baby, so as a first time father I will take every opportunity to show off baby pictures.
Obfuscated SQL Injection made Easy!
This is my biggest console win, but it will take a while to explain in full. I was auditing a very important application, and I was told it had already been scanned by several fancy web scanners and no vulnerabilities were found. I should mention that this test happened a while back, but even then SQL injection was already becoming rare: most web application frameworks had hidden the raw SQL query API behind one that prevents injection by default.
At the start of the test, I found that the web application had a multi-request login process. After logging in, I reviewed the requests in my proxy and could not find the credentials I had used in any of them. So I logged out, logged in again, and intercepted the last request of the login process. There I saw a giant base64 encoded blob being sent to the server. I base64 decoded the blob (psst, atob) expecting to see JSON or something similar. Instead, I got an ugly binary blob. It was starting to look like the credentials were being sent encrypted, serialized, obfuscated, or compressed. Later I learned what was really going on, but for now let's just call the request obfuscated.
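Here is an added example (not code from the original post) of the kind of console helper that speeds up that decoding step: it base64-decodes a request blob and reports whether the bytes look like JSON, plain text, a recognizable compressed or serialized stream, or opaque binary. It runs in a browser console and in Node; the sample blob is constructed.

```javascript
// Decode standard or URL-safe base64 into raw bytes (browser atob or Node Buffer).
function decodeBase64(b64) {
  const clean = b64.replace(/\s+/g, "").replace(/-/g, "+").replace(/_/g, "/");
  const padded = clean + "=".repeat((4 - (clean.length % 4)) % 4);
  const latin1 = typeof atob === "function"
    ? atob(padded)                                        // browser console
    : Buffer.from(padded, "base64").toString("latin1");  // Node without atob
  return Uint8Array.from(latin1, (c) => c.charCodeAt(0));
}

// Encode bytes to base64; used here only to build constructed samples.
function encodeBase64(bytes) {
  const latin1 = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return typeof btoa === "function" ? btoa(latin1) : Buffer.from(latin1, "latin1").toString("base64");
}

// Magic bytes of container formats commonly found inside "obfuscated" request blobs.
const MAGIC = [
  { kind: "gzip", bytes: [0x1f, 0x8b] },
  { kind: "zip", bytes: [0x50, 0x4b, 0x03, 0x04] },
  { kind: "java-serialized", bytes: [0xac, 0xed, 0x00, 0x05] },
];

// RFC 1950 zlib header: compression method 8 and CMF*256+FLG divisible by 31.
function isZlibHeader(b) {
  return b.length >= 2 && (b[0] & 0x0f) === 8 && (((b[0] << 8) | b[1]) % 31) === 0;
}

// Share of bytes that are printable ASCII or ordinary whitespace.
function printableRatio(bytes) {
  let n = 0;
  for (const b of bytes) if ((b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d) n++;
  return bytes.length ? n / bytes.length : 0;
}

function classifyBlob(b64) {
  const bytes = decodeBase64(b64);
  const base = { length: bytes.length, printableRatio: printableRatio(bytes) };
  const hit = MAGIC.find((m) => m.bytes.every((v, i) => bytes[i] === v));
  if (hit) return { kind: hit.kind, ...base };
  if (isZlibHeader(bytes)) return { kind: "zlib", ...base };
  let text;
  try { text = new TextDecoder("utf-8", { fatal: true }).decode(bytes); }
  catch { return { kind: "binary", ...base }; }   // not valid UTF-8: encrypted or custom format
  try { JSON.parse(text); return { kind: "json", preview: text.slice(0, 80), ...base }; }
  catch { return { kind: "text", preview: text.slice(0, 80), ...base }; }
}

// Constructed sample: the JSON the post expected to find once the blob was decoded.
const SAMPLE_JSON_BLOB = "eyJ1c2VyIjoiYWxpY2UifQ==";   // {"user":"alice"}
console.log(classifyBlob(SAMPLE_JSON_BLOB));
```

Paste it into the console, then call `classifyBlob(...)` on the blob copied from the intercepted request; a result of "binary" with a low printable ratio is the signal that the payload is encrypted or in a custom format rather than merely encoded.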
Let’s take stock of the situation for a moment:
- The most important request for the security of this website is some ugly binary blob.
- There is no way an application scanner would have tested this request properly.
- There is no way a web application firewall will be inspecting these obfuscated requests for malicious injections.
- Additionally, I highly doubt the web framework being used has a nice SQL API for this mess.
This is all shaping up to be a perfect footgun. I need to test this API but how do I make my own obfuscated requests efficiently?
Sending Requests with the Console
Can I just use the web form and inject content? Not exactly: event handlers on the form prevent special characters from being added to the form data. You can't just paste `username' or 1=1--` into the form. You can bypass this with the dev tools, but because it is a multi-step authentication process, that is a giant pain.
Once I hit enter in the console, my proxy got a big base64 binary blob request and the server told me I was authenticated.
Further testing proved the login was trivially vulnerable to a SQL injection authentication bypass. I did something like this (note: this code is just made up, might not even work. This is just to show the idea):
The above could be pasted into the console and authentication would be bypassed. This means, again, I have a proof of concept I can send to the client that does not require a proxy or fooling around in the inspector. They could visit a link, paste code in the console and be logged in as Admin.
Now, SQL injection is not done until I have hashes, so next time, in part two of "Console Wars," I will write a binary search algorithm for blind SQL injection entirely in the console.
Moral of the Story
Stay tuned for part 2 of Console Wars where I’ll walk through how to write a SQL injection script in the web console.