Slide 1

Slide 1 text

Raw Water: Quenching Your Thirst for SQL Injection [email protected]

Slide 2

Slide 2 text

Vito’s a nom-de-plume

Slide 3

Slide 3 text

Sorry, “hot dog stand” is the only keynote theme I have

Slide 4

Slide 4 text

Security CTFs • Capture the Flag • Trying to get secrets out of computer programs • DEF CON CTF is a big one • Free online qualifiers open to all! • https://nautilus.institute spring 2024!

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Binary vs. web challenges • We tend to do lots of binary challenges • More practice doing binary challenges means they get easier for us to continue to do • More kinds of challenge would be nice • Web is a kind of challenge

Slide 7

Slide 7 text

Web Challenges • Web challenge often means SQL injection • Or some other kind of CWE-94 “Code/Data Injection” • It’s called something else now I guess but it’s always code/data injection in my heart

Slide 8

Slide 8 text

sqlmap • The reason challenge authors hate making web challenges • “sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.” • Point it at a vulnerable web app and it gives you the database

Slide 9

Slide 9 text

LiveView to the rescue • sqlmap makes HTTP requests, doesn’t puppet a full browser • So just make the form only work with LiveView

Slide 10

Slide 10 text

It’s a computer hacking game • Basically incentivized mischief • Don’t want players to interfere with each other

Slide 11

Slide 11 text

exqlite is a good library

Slide 12

Slide 12 text

Exqlite • SQLite3 for Elixir • You can make an in-memory database (use the filename “:memory:”) • You can turn that database into a binary • You can load that binary into a database • (open a blank memory database and Exqlite.Sqlite3.deserialize into it)

Slide 13

Slide 13 text

“Minibase” • Teams sql inject into their own private database • Save the blob into Postgres • many people told me this is cursed • Thanks for the feedback 👍 👍 👍

Slide 14

Slide 14 text

• Using Ecto for the Postgres stuff because I want it safe • For the exqlite I interpolate the string for the party field and put regular fields into a list to bind parameters

# The party field is the intentionally injectable one: its value is spliced
# into the SQL text inside single quotes instead of being bound.
defp field_to_value(%Hellform.Field{value: value, party: true} = _field) do
  "'#{value}'"
end

# Every other field becomes a ? placeholder ...
defp field_to_value(%Hellform.Field{} = _field) do
  "?"
end

# ... and contributes its value to the bind list; the party field contributes nothing.
defp field_to_bindlist(%Hellform.Field{party: true}), do: []
defp field_to_bindlist(%Hellform.Field{value: v}), do: v

Slide 15

Slide 15 text

“Hellform” • Also to be annoying there’re 100 form fields • Random per-team • About half are required • Exactly one is injectable • Exactly one will reject your form without an error if it sees a single quote

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

INSERT INTO orders (
  product_id,
  "uZJJXi5pGME", "pLlCxRHto2I", "6WiwdA21QeA", "erWg-12xC6w", "2lWW4NZ7maM",
  "8zNgZjqWoYI", "cChE8gu-aus", "0lg9jUZvR_Q", "xGHw1-lj7U4", "UZRyDNLMvDg",
  "5JuEVskJfJU", "qRYrF2uAqIo", "AdISha0SJ3E", "4mUfH_5iHoU", "9cN42Pmly1I",
  "dn-x0hGPsB4", "KisG0bMgkGc", "MCUrWL3qD10", "EN5yKS1KnBg", "iZkdRs9fpDU",
  "05zsZwqgFbU", "KRa0SL8R63Y", "EHdoMzZToTE", "eyr_xH8fhSw", "tqFXxp7dYbE",
  "QdB4GWGYdzo", "LpEfSEv4UY0", "fuI6OD9NCts", "ijv6PRDi_dk", "f-BhKLjJIvc",
  "A7iFlgtmAhA", "hm-jMGDAQBQ", "FD5fH3eZ52Y", "Wx2V0llHzmE", "asihzUKu2Po",
  "SrG0KvgA6QE", "L8acqOSnjOg", "WAivNLK-U6A", "s1h9RYcwTFA", "UYaXBlPFyiY",
  "hNukC9o3R80", "v4nqODIUTPU", "VrKog3YWC2Y", "Xx8cgZCm4AU", "0Ch1hzMRtOs",
  "x--2Fu1hBDA", "HlGJ4Cel2Mo", "1yMCIVMwEVo", "c4HRm8bd8DI", "u2izQ2sAFNs",
  "_d8L5aRsTuc", "zHBas4AT4C8", "8e8a5WxpYWc", "unv7_59muI4", "hHMgqhSsf64",
  "FFoYcWP_wKY", "MbH32l6C2xQ", "ababM5oNx9o", "TacL-0UsIds", "LPZt7f8Q-b4",
  "tnnJPBK_Odg", "YcGYUDF-fmg", "zVJf5-RhhWI", "OyiNThxvmH4", "8y_AJX9U574",
  "UPEIgnyDTGc", "r0ZeSM1q1lA", "oz2X0-vT6bo", "2yHNhyw-O_0", "cA5-6508ar0",
  "HGKhmEFvGqM", "OJsncsVNaP0", "a_WTO3CTiMM", "WYr-t2SvUhk", "fp-pQbYy7q8",
  "hDCfHb5vmqw", "2TvaHwJ-qs8", "zwG16RszE1k", "92To-fcAlI4", "CEN21ZEKYr8",
  "ICCS34h1MVI", "hbkY4VZ3YB0", "Fhml2fM5PBY", "vTmdPD1xQGs", "wk40d3ZD6oA",
  "YDa1N2Gr1xQ", "nOk8IbdpENY", "qNilx2F9KaE", "ULwIn7-BSJw", "FH2_tDWh1lw",
  "2TpuwRwf0Ao", "xVPnrWKnNa4", "DgmnYtjvbiw", "jLBrxNCqDC8", "nhxgNSdZmcU",
  "Pqbyq6dYjK4", "SznSu6WCl1M", "Nm8Gg35ASgg", "0hMIsidI9g8", "bFum0j-Bmso"
) VALUES (
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?,
  '' || (select flag from flags) || '',
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
  ?, ?, ?, ?, ?, ?, ?, ?, ?
) RETURNING id;

Slide 24

Slide 24 text

This is intended to be reusable • Definitely won’t repeat the same hellform gimmick • But the minibase concept has got legs for more sqli fun • If you want to use it let me know :) • I can help! • [email protected] • MIT license • You might want to remove all the ticket stuff for your own way to manage teams

Slide 25

Slide 25 text

https://github.com/Nautilus-Institute/quals-2023/tree/main/rawwater
https://hackers.town/@vito
https://speakerdeck.com/vito/
[email protected]
https://i.bf1c.us/hot%20dog%20stand.kth.zip