diff --git a/build-presentation.sh b/build-presentation.sh new file mode 100755 index 0000000..f00489a --- /dev/null +++ b/build-presentation.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash + +# Argument $1 is the source markdown file +pandoc -s --mathml -i -t revealjs "$1" -o presentation.html -V theme=dracula diff --git a/introduction-to-reverse-engineering/presentation.html b/introduction-to-reverse-engineering/presentation.html index 6e1b3e3..343009f 100644 --- a/introduction-to-reverse-engineering/presentation.html +++ b/introduction-to-reverse-engineering/presentation.html @@ -41,7 +41,7 @@ } @media print { pre > code.sourceCode { white-space: pre-wrap; } - pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; } + pre > code.sourceCode > span { display: inline-block; text-indent: -5em; padding-left: 5em; } } pre.numberSource code { counter-reset: source-line 0; } diff --git a/introduction-to-sql-injection/example/create_db.py b/introduction-to-sql-injection/example/create_db.py new file mode 100644 index 0000000..41a25f2 --- /dev/null +++ b/introduction-to-sql-injection/example/create_db.py @@ -0,0 +1,33 @@ +import sqlite3 + +con = sqlite3.connect("secrets.db") +cur = con.cursor() + +cur.execute( + """ + CREATE TABLE user_data( + user_id INTEGER PRIMARY KEY AUTOINCREMENT, + username TEXT, password TEXT, notes TEXT + ); + """ +) + + +res = cur.execute( + """ + INSERT INTO user_data (username, password, notes) + VALUES ( + 'admin', + 's3cur3P455w0rd', + 'sqli{66d7724d872da91af56907aea0f6bfb8}' + ), + ( + 'catweasle', + 'catweasle_h3xh3x', + 'sqli{f91f3b7d41a6a40070ce7112bebfaaab}' + ) + ; + """ +) + +con.commit() diff --git a/introduction-to-sql-injection/presentation.html b/introduction-to-sql-injection/presentation.html new file mode 100644 index 0000000..49fc4ef --- /dev/null +++ b/introduction-to-sql-injection/presentation.html @@ -0,0 +1,539 @@ + + + + + + + Introduction to SQL Injection + + + + + + + + + +
+
+ +
+

Introduction to SQL Injection

+

Stefan Friese

+

11 April, 2024

+
+ +
+

Topics

+
    +
  • How an SQL Injection is Created
  • +
  • How to Exploit an SQL Injection
  • +
  • SPOILER: How to Prevent an SQL Injection in the +Next Presentation
  • +
+
+
+ +

How Does it Happen

+

An SQL injection occurs when two things come together.

+
+
+ +

Number 1

+

An SQL Query as a string embedded in other languages

+
sql_query = 
+  cursor.execute(
+    "SELECT * FROM user_data where username = 'foo' and password = 's3cur3P4ssw0rd"
+  )
+
+
+ +

Number 2

+

User input is possible as a part of said SQL query

+
sql_query = cursor.execute("SELECT * FROM user_data where username = '%s'" % username)
+
+
+ +

How to Exploit an SQL +Injection

+

Work is a product of power by time.
+P is your power to solve an issue.

+

W = P x t

+

The smarter you tackle work, the less time you need to solve an +issue.

+
+
+ +

Knowledge is a Map

+

You conventiently drive around the city using the underground. That’s +how you get to know the main spots of the city.

+

London Underground

+
+
+ +

Knowledge is a Map

+

Invest some time and explore deeper on foot. That’s how you get to +know the back alleys.

+

London by Foot

+
+
+

Ghidra – an Overview

+
+
+ +
+ + +
+
+
+ +

Watch Out for Low Hanging +Fruits

+
+
+ +
    +
  • Data Segment
  • +
  • Names of Functions
  • +
  • Conditions & Comparisons
  • +
  • Strings: Usernames, Passwords
  • +
  • URLs, IP & Port Numbers
  • +
+

Do not try to understand the whole code at once, it will only +drive you mad.

+
+
+ +

Data Segments

+

A look into the read only data segment

+

A look into the read only data segment

+
+
+ +

Name of Functions

+
+ + +
+
+
+ +

Conditions & Comparisions

+

Input is Compared to a Hard Coded String

+

Input is compared to a hard coded string

+
+
+ +

Function Graph

+

Take a Look at the Flow Graph of Functions

+

Take a look at the flow graph of functions

+
+
+ +

Strings

+

Open the Defined Strings Menu

+

Strings can not only be located in data but also in other code +segments, sometimes obfuscated

+
+
+ +

Strings

+
+An old friend + +
+
+
+ +

Binary Patching

+

Bypass any undesireable condition via a NOP +instruction.

+

NOP, export your patched binary

+

NOP, export your patched binary

+
+
+ +

Do It Yourselves!

+ +
+
+ +

A Word On Binary Obfuscation

+

Software Obfuscation was born in 1984 at the International Obfuscated C Code +Contest

+

A donut as code compiles to a spinning donut by Jim Hague

+
+
+ +

What Exactly +might be Obfuscated in Your Code?

+
+Layered +obfuscation: a taxonomy of software obfuscation techniques for layered +security by Hui Xu et. al +
+
+
    +
  • Code Element Layers +
      +
    • Layout
    • +
    • Controls
    • +
    • Data
    • +
    • Methods
    • +
    • Classes
    • +
  • +
+
+
+
    +
  • Component +
      +
    • Library Calls
    • +
    • Used Resources
    • +
  • +
  • Application Layer +
      +
    • DRM System
    • +
    • Neural Networks
    • +
  • +
+
+
+
+ +

Techniques of Obfuscation

+
+
+ +

Splitting & Merging of +Strings

+
a = "BABE"
+b = "CAFFEE"
+f"{b}{a}"
+

String +Deobfuscation with FLOSS

+
+
+ +

Packing

+

Compress binary data

+
            ooooo     ooo  ooooooooo.  ooooooo  ooooo
+            `888'     `8'  `888   `Y88. `8888    d8'
+             888       8    888   .d88'   Y888..8P
+             888       8    888ooo88P'     `8888'
+             888       8    888           .8PY888.
+             `88.    .8'    888          d8'  `888b
+               `YbodP'     o888o       o888o  o88888o
+

UPX Packer/Unpacker

+
+
+ +

Mangling

+Library symbols in compiled code for data that have the same name +
+

+c++filt
+_ZNSt7__cxx1114collate_bynameIcEC2ERKNS_12basic_stringIcSt11char_traitsIcESaIcEEEm
+std::__cxx11::collate_byname::collate_byname(std::__cxx11::basic_string, std::allocator > const&, unsigned long)
+
+
+
+Online Demangler +
+
+
+ +

Code Elements

+
    +
  • Adding Unnecessary Instructions
  • +
  • Changing Control Flows
  • +
  • Protecting Data
  • +
+

Convoluted Code

+
+
+ +

Deobfuscation Tools

+ +
+
+

The End

+
+
+
+ + + + + + + + + + + diff --git a/introduction-to-sql-injection/sql_injection.md b/introduction-to-sql-injection/sql_injection.md new file mode 100644 index 0000000..e95e034 --- /dev/null +++ b/introduction-to-sql-injection/sql_injection.md @@ -0,0 +1,52 @@ +% Introduction to SQL Injection +% Stefan Friese +% 11 April, 2024 + +--- + +# Topics + +* How an SQL Injection is Created +* How to Exploit an SQL Injection +* SPOILER: How to Prevent an SQL Injection in the Next Presentation + +--- + +## How Does it Happen + +An SQL injection occurs when two things come together. + +--- + +### Number 1 + +An SQL Query as a string embedded in other languages + +```python +sql_query = + cursor.execute( + "SELECT * FROM user_data where username = 'admin' and password = 's3cur3P4ssw0rd'" + ) +``` + +--- + +### Number 2 + +User input is possible as a part of said SQL query + +```python +sql_query = + cursor.execute( + "SELECT * FROM user_data where username = '%s' and password = '%s'", + % (username, password) + ) +``` + +--- + +## How to Exploit an SQL Injection + +--- + +# The End
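Review bot: `build-presentation.sh` writes its output to a fixed `presentation.html` in the current working directory, not next to the source file, so running it from the repository root creates a stray top-level `presentation.html` instead of updating `introduction-to-sql-injection/presentation.html`; it also invokes pandoc with no check that `$1` was supplied, in which case pandoc blocks waiting on stdin. Suggest guarding the argument and deriving the output path from the input, e.g. `[ $# -eq 1 ] || { echo "usage: $0 <slides.md>" >&2; exit 1; }` followed by `-o "$(dirname "$1")/presentation.html"`, and adding `set -euo pipefail` under the shebang so a pandoc failure is not silently ignored.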
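Review bot: the one-line CSS change in `introduction-to-reverse-engineering/presentation.html` (`display: inline-block;` on `pre > code.sourceCode > span`) is a hand edit to pandoc-generated output and will be overwritten the next time the deck is rebuilt. Since `build-presentation.sh` is added in this same commit, regenerate that file with the script instead of patching it by hand; if the newer pandoc emits this rule itself the hunk becomes unnecessary.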
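Review bot: `create_db.py` cannot be run twice: `CREATE TABLE user_data(` without `IF NOT EXISTS` raises `sqlite3.OperationalError: table user_data already exists` on any rerun against the `secrets.db` it created, so whoever resets the demo has to delete the file by hand. Suggest `CREATE TABLE IF NOT EXISTS user_data(` (or removing the file before connecting) so the setup is idempotent. Minor: the `res =` assignment on the `INSERT` is never used and the connection is never closed; drop `res =` and add `con.close()` after `con.commit()`. The plaintext passwords and `sqli{...}` flags in `notes` are clearly the intended target of the injection exercise, so no change there.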
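Review bot: the committed `introduction-to-sql-injection/presentation.html` is out of sync with `sql_injection.md` from the same commit and looks like a copy of the reverse-engineering deck that was only partially edited. From the `Ghidra – an Overview` slide through `Deobfuscation Tools` it still carries the binary-analysis content (Ghidra, NOP patching, UPX, `c++filt`), none of which appears in the markdown source; the "Number 1" slide shows `username = 'foo' and password = 's3cur3P4ssw0rd` with the closing quote missing where the markdown has `'admin'` and a closed string; and the "Number 2" slide interpolates only `username` where the markdown interpolates `username` and `password`. Suggest regenerating the file with `./build-presentation.sh introduction-to-sql-injection/sql_injection.md` before committing, or not committing the generated HTML at all and building it in CI.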
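Review bot: both `python` blocks in `sql_injection.md` are not valid Python, which undercuts a slide whose whole point is to show the exact vulnerable pattern. `sql_query =` is followed by a line break with no right-hand side (a SyntaxError), and under "Number 2" the comma in `"... and password = '%s'",` before `% (username, password)` turns the `%` into a syntax error instead of string formatting. Keep the deliberately unsafe interpolation but make it runnable, e.g. `sql_query = cursor.execute("SELECT * FROM user_data WHERE username = '%s' AND password = '%s'" % (username, password))`. Separately, the "How to Exploit an SQL Injection" section is a bare heading immediately followed by "The End"; if that is intentional for a live demo it should say so, otherwise it reads as an unfinished placeholder.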