Raw Water: Quenching Your Thirst for SQL Injection [email protected]

Vito’s a nom-de-plume

Sorry, “hot dog stand” is the only keynote theme I have

Security CTFs • Capture the Flag • Trying to get secrets out of computer programs • DEF CON CTF is a big one • Free online quali fi ers open to all! • https:/ /nautilus.institute spring 2024!

No content

Binary vs. web challenges • We tend to do lots of binary challenges • More practice doing binary challenges means they get easier for us to continue to do • More kinds of challenge would be nice • Web is a kind of challenge

Web Challenges • Web challenge often means sql injection • Or some other kind of CWE-94 “Code/Data Injection” • It’s called something else now I guess but it’s always code/data injection in my heart

sqlmap • The reason challenge authors hate making web challenges • “sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection fl aws and taking over of database servers.” • Point it at a vulnerable web app and it gives you the database

LiveView to the rescue • Sqlmap makes http requests, doesn’t puppet a full browser • So just make the form only work with liveview

It’s a computer hacking game • Basically incentivized mischief • Don’t want players to interfere with each other

exqlite is a good library

Exqlite • Sqlite3 for elixir • You can make an in-memory database (use the fi lename “:memory:”) • You can turn that database into a binary • You can load that binary into a database • (open a blank memory database and Exqlite.Sqlite3.deserialize into it)

“Minibase” • Teams sql inject into their own private database • Save the blob into Postgres • many people told me this is cursed • Thanks for the feedback 👍 👍 👍

• Using ecto for the Postgres stuff because I want it safe • For the exqlite I interp the string for the party fi eld and put regular fi elds into a list to bind parameters defp field_to_value(%Hellform.Field{value: value, party: true} = _field) do "\'#{value}\'" end defp field_to_value(%Hellform.Field{} = _field) do "?" end defp field_to_bindlist(%Hellform.Field{party: true}), do: [] defp field_to_bindlist(%Hellform.Field{value: v}), do: v

“Hellform” • Also to be annoying there’re 100 form fi elds • Random per-team • About half are required • Exactly one is injectable • Exactly one will reject your form without an error if it sees a single quote

No content

No content

No content

No content

No content

No content

No content

INSERT INTO orders ( product_id, "uZJJXi5pGME", "pLlCxRHto2I", "6WiwdA21QeA", "erWg-12xC6w", "2lWW4NZ7maM", "8zNgZjqWoYI", "cChE8gu- aus", "0lg9jUZvR_Q", "xGHw1-lj7U4", "UZRyDNLMvDg", "5JuEVskJfJU", "qRYrF2uAqIo", "AdISha0SJ3E", "4mUfH_5iHoU", "9cN42Pmly1I", "dn-x0hGPsB4", "KisG0bMgkGc", "MCUrWL3qD10", "EN5yKS1KnBg", "iZkdRs9fpDU", "05zsZwqgFbU", "KRa0SL8R63Y", "EHdoMzZToTE", "eyr_xH8fhSw", "tqFXxp7dYbE", "QdB4GWGYdzo", "LpEfSEv4UY0", "fuI6OD9NCts", "ijv6PRDi_dk", "f-BhKLjJIvc", "A7iFlgtmAhA", "hm- jMGDAQBQ", "FD5fH3eZ52Y", "Wx2V0llHzmE", "asihzUKu2Po", "SrG0KvgA6QE", "L8acqOSnjOg", "WAivNLK-U6A", "s1h9RYcwTFA", "UYaXBlPFyiY", "hNukC9o3R80", "v4nqODIUTPU", "VrKog3YWC2Y", "Xx8cgZCm4AU", "0Ch1hzMRtOs", "x--2Fu1hBDA", "HlGJ4Cel2Mo", "1yMCIVMwEVo", "c4HRm8bd8DI", "u2izQ2sAFNs", "_d8L5aRsTuc", "zHBas4AT4C8", "8e8a5WxpYWc", "unv7_59muI4", "hHMgqhSsf64", "FFoYcWP_wKY", "MbH32l6C2xQ", "ababM5oNx9o", "TacL-0UsIds", "LPZt7f8Q-b4", "tnnJPBK_Odg", "YcGYUDF-fmg", "zVJf5- RhhWI", "OyiNThxvmH4", "8y_AJX9U574", "UPEIgnyDTGc", "r0ZeSM1q1lA", "oz2X0-vT6bo", "2yHNhyw-O_0", "cA5-6508ar0", "HGKhmEFvGqM", "OJsncsVNaP0", "a_WTO3CTiMM", "WYr-t2SvUhk", "fp-pQbYy7q8", "hDCfHb5vmqw", "2TvaHwJ-qs8", "zwG16RszE1k", "92To-fcAlI4", "CEN21ZEKYr8", "ICCS34h1MVI", "hbkY4VZ3YB0", "Fhml2fM5PBY", "vTmdPD1xQGs", "wk40d3ZD6oA", "YDa1N2Gr1xQ", "nOk8IbdpENY", "qNilx2F9KaE", "ULwIn7-BSJw", "FH2_tDWh1lw", "2TpuwRwf0Ao", "xVPnrWKnNa4", "DgmnYtjvbiw", "jLBrxNCqDC8", "nhxgNSdZmcU", "Pqbyq6dYjK4", "SznSu6WCl1M", "Nm8Gg35ASgg", "0hMIsidI9g8", "bFum0j-Bmso" ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? , ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '' | | (select flag from flags) | | '', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) RETURNING id;

This is intended to be reusable • De fi nitely won’t repeat the same hellform gimmick • But the minibase concept has got legs for more sqli fun • If you want to use it let me know :) • I can help! • [email protected] • MIT license • You might want to remove all the ticket stuff for your own way to manage teams

https:/ /github.com/Nautilus-Institute/quals-2023/ tree/main/rawwater https:/ /hackers.town/@vito https:/ /speakerdeck.com/vito/ [email protected] https:/ /i.bf1c.us/hot%20dog%20stand.kth.zip