All the information on this page is for educational purposes only. The owner of the blog, nor Blogger, nor anyone associated with this blog can be held liable for illegal activities brought by this blog

Monday, January 30, 2012

A Double Tutorial - CSRF & SQL Column Truncation

So today we have a double tutorial...

We will be looking at 2 new hacking methods:
CSRF (Cross Site Request Forgery)
&
SQL Column Truncation

To begin we will look at CSRF, now CSRF is basically a hybrid between XSS (Cross Site Scripting) and LFI (Local File Inclusion)

Side Note: We will be looking at those 2 vulnerabilities at a later stage, this technique is very simple and straight forward, so a tutorial on XSS prior to this is not really necessary.

In CSRF, the victim is basically sent to a different page without his knowledge.

Say we have a website with a form that allows us to edit our profile, normally comprising of:
  • Avatar
  • Password
  • Email Address
  • Interests
  • etc
Remember, an image stored on a website is always stored on a server and the image is retrieved every time that image loads... 

Now say our form is set up with a text box as to where you must insert your server address for your new avatar, you need to instead of giving a server address, insert a script that will allow you to alter details of your profile.

So the first thing you will need to do, after logging in and navigating to the edit profile page, is to view the source code of the edit page.

You will notice that the form action has something similar to  
.edit/profile.php
or something to that effect
So to begin with insert that line(the form action) into the avatar text box, next you insert a ?, so the text in the text box will be:
.edit/profile.php?

The question mark is always followed by a parameter and the parameter is whatever we want to edit on the profile, so next you need to view the source code again, and look for the line that allows you to change your password and see what it's name is, remember that as that is our parameter:
.edit/profile.php?password

Now finally, add an "=" afterwards directly followed by what you would like the password to be, for example:
.edit/profile.php?password=hacked

Now, lets imagine that a victim, for example Admin, goes to view your password for some reason, when the victim's browser goes to retrieve the image (the edit page we set) it will execute the edit profile page as the victim which would change whatever information we set it to change as, in this case, the password.

This will edit any user who views your image's information.
Typically, the password access you will gain will be that of a robot or spider, but with that access, you have a very good chance that gaining admin rights will now be relatively easy.


Next up is....


***SQL COLUMN TRUNCATION***


SQL Column Truncation is also a very simple and effective technique that can be used to hack websites.
Basically, SQL Column Truncation gives you the ability to duplicate usernames in an SQL database and therefore giving you access to that user account.

To begin, let us imagine that you have discovered that the admin's username is Admin, now, regardless of the password, you will be able to log in as Admin and also make use of administrative rights, to do this you need to understand a few things first.

An SQL database does not recognize spaces, that is why on many website registrations, your username and password may not contain a space, in SQL, a space is completely ignored, for example:

Hacking is awesome
will be stored as
Hackingisawesome

Also, the database table will have rules set that will determine how many characters may be stored in a cell, if that number is exceeded, the additional characters will be dropped and only the allowed number of characters will be stored, for example:

If the database only allows for 10 characters in the cell, and a user attempts to insert 15 characters, the first 10 will be stored and the last 5 numbers will be dropped, for example:

CookieMonster

will be stored as

CookieMons

"ter" has been dropped as they have exceeded the maximum amount of characters allowed to be stored.

Now, go to register a new account, next you need to view the source of the page, as there is a character limit added onto the SQL database, the web master would have added in HTML code to the username text box a maximum number limit, say you have discovered this to be 10.

In the textbox, insert Admin followed by 5 spaces, as Admin is 5 characters long and adding another 5 spaces will make the username 10 characters in total, the text box will restrict you from adding in any more characters.

Please Note: For the next step I will be using Tamper Data (a firefox add-on), if you would like information on how to do this without using Tamper Data, comment below.

Open Tamper Data and start the tamper, tamper the request that will submit your registration form and then add an x to the end of your "Admin     " string, therefore, you will now have this:
Admin     x

(The x is there because if it wasn't there, the username would never be passed to the SQL database, because the moment the spaces were removed it would notice the duplicate data - The x can be any other character)

Now when that username is submitted, the entire username will be added to the cell (because of the x it is not equal to admin), but because it is 11 characters, which is too large for the database to handle, according to the rules set by the admin, the database will drop the additional characters, in this case, x.

After the character has been dropped, the database will now remove the spaces and store "Admin" as the final string, but because it is actually "Admin     x", the database does not recognize it as Admin.

Finally, log in as Admin with the password you just set at registration and you will find that you are logged in with administrative rights.

--- Final Summary ---

Both these methods will get you admin access, the first thing that you should do after gaining access, should be to go and clear your logs.

Also remember, that when using the CSRF method that the victim WILL discover the password change the next time he attempts to log in, so you will have to log in immediately and attempt to grant yourself admin rights (There are multiple ways to achieve this)

Now, using the SQL column Truncation method, on the other hand, is a lot less likely to be discovered, but still is a possibility, you should also try and grant another one of your accounts admin rights and use your Admin account sparingly, also, you would have a better chance of remaining undiscovered if you clear the logs every time you log in as Admin.

Although, if the administrator were to check or clean the database, your database account may be discovered.

Well I hope you enjoyed this tutorial and please feel free to comment.
Peace Out!!!

Techno Master

11 comments:

  1. Does in the CSRF will change the password of the victim who whould click on the link?

    ReplyDelete
  2. Well, in my example, it changes the password of the victim who goes to view your profile, which has an image attached and because of how the internet treats images, their password will be changed, but yes, if you were to combine this with a button click, then every user who clicks the button would have their password changed. The reason my way is more effective is because it is easier to link someone to your profile then it is to make someone click a button

    ReplyDelete
  3. can you make a video tutorial because im having a hard time finding the .edit/profile.php

    ReplyDelete
    Replies
    1. Yeah, will work on one very soon - What website are you attacking?

      Delete
    2. This comment has been removed by a blog administrator.

      Delete
    3. Please make a video sir.
      please i'm begging you

      Delete
  4. This blog is very clear. I have so much to learn .Can you write more about Tempare data and please write to me email if for some reasone this blog would be off setas.hacker@gmail.com.

    ReplyDelete
    Replies
    1. Thank you Setas - I will do a tutorial on Tamper Data for you soon. Thanks for reading

      Delete
  5. sooo are you making a vid or not?

    ReplyDelete
    Replies
    1. Well, I thought, instead of making another video, what I will have instead is a webinar, so I will be able to show you live and you will have a chance to ask any questions

      Delete
  6. SQL COLUMN TRUNCATION doesnt work for me.. :( my boyfriend's account was hacked on a social networking site.. and i want to take it back.. :(

    ReplyDelete

 
Back To Top