IPP - Injection (Internal Parameter Poisoning)
Posted by: vinnu
Date: March 16, 2010 06:21AM

Namaste

I'm going to unveil a new technique developed by me to hack webapps and sites.

Internal Parameter Poisoning

You might've heard about HPP-injection technique in web apps and websites.

Now I'm presenting a technique which can be subcategorized under the tree of HPP injection: the "IPP - Injection".

IPP stands for "Internal Parameter Poisoning" and is helpful in penetration testing.

The IPP injection employs the HPP injection technique, and the variable name-value pair is directly injected into the webserver using GET or POST requests.

The aftermath of the injection depends upon the use and implementation of the application's variable under attack.

For example:

Suppose, somehow, I know the name of a variable, internalVar.

Then, I can inject this variable, for example in the URL:

victimserver[dot]com?param1=value&internalVar=malformedvalue

You can also inject using POST (you can use JavaScript injection to add a custom form to a webpage for this purpose).

Now let us proceed with a live example from the Pentagon:

www[dot]housing[dot]navy[dot]mil/pages[dot]cfm?pg=hlc&num=2&section_id=2&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620

But how do we know the names of internal variables?

Well, we can get to know them either by brute forcing/hit-and-trial or by causing errors and exceptions in the webapp.

For example, in the above site, when I specify a wrong value for the parameter

section_id=2

change it to:

section_id=2and

Open the following URL:


www[dot]housing[dot]navy[dot]mil/pages[dot]cfm?pg=hlc&num=2&section_id=2and&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620


It returned the error:

Variable SUB_HEAD_TEXT is undefined

(Well, the above example is specially chosen for the sake of simplicity; otherwise, you may get even more robust errors revealing some source code or the line of code that caused the problem. From there, try to harvest the variable names.)

So what are we waiting for? Let us inject this variable in the URL and give it any value.

The test revealed that this variable is being used in the returned page's formation.

Because this variable's value is injected into the returned result page, we can try to inject HTML or JavaScript, and it will lead to an XSS condition. Check the following HTML injection:


www[dot]housing[dot]navy[dot]mil/pages[dot]cfm?pg=hlc&num=2&section_id=2and&SUB_HEAD_TEXT=<H1>IPP-Injection</H1><br>vinnu<br><H2>Legion+Of+Xtremers</H2><br>INDIA&sort=datUp&nextrow=11&CFID=2699653&CFTOKEN=48909620


A complete hijack of the application's logic is possible if the variable value is used as an executing script or database query, though this will depend upon the way variables are initialized and implemented in the webapp.


..."vinnu"
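The mechanism behind the post is that CFML resolves a name written without a scope prefix (such as `#SUB_HEAD_TEXT#`) by searching several scopes in turn, and the URL and Form scopes are among them; so a variable the application forgot to set can be satisfied by a query-string parameter. The following Python model is an added example, not code from the post or from the site it mentions. It assumes a hypothetical `app.example` host and a constructed `page_handler` that only sets `SUB_HEAD_TEXT` when `section_id` is numeric; the lookup order is a simplified version of the documented CFML order (Variables, URL, Form only). It reproduces the "is undefined" error, the poisoned rendering, and then a hardened resolver that scopes every reference explicitly, gives internal variables a `cfparam`-style default, and HTML-encodes output; `find_unscoped_refs` is a small review aid for spotting references that a request could satisfy.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: unscoped names are resolved the way CFML documents it, walking
# Variables, then URL, then Form (CGI, Cookie and Client are left out here).
LOOKUP_ORDER = ("variables", "url", "form")

UNSCOPED_REF = re.compile(r"#([A-Za-z_][A-Za-z0-9_]*)#")
SCOPED_REF = re.compile(r"#(variables|url|form)\.([A-Za-z_][A-Za-z0-9_]*)#")


def parse_request(url, form=None):
    """Split a request into the scopes a template can see. Keys are upper-cased
    because CFML variable names are case-insensitive."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        "url": {k.upper(): v[0] for k, v in query.items()},
        "form": {k.upper(): v for k, v in (form or {}).items()},
    }


def page_handler(request):
    """Constructed stand-in for the page's own logic: the sub-heading is only
    initialised when section_id is numeric, so a malformed value leaves
    SUB_HEAD_TEXT unset (the condition behind the error quoted above)."""
    variables = {}
    section = request["url"].get("SECTION_ID", "")
    if section.isdigit():
        variables["SUB_HEAD_TEXT"] = f"Section {section} listings"
    return variables


VULNERABLE_TEMPLATE = "<h2>#SUB_HEAD_TEXT#</h2><p>section #section_id#</p>"


def render_unscoped(template, request, variables):
    """Vulnerable: an unscoped name falls through to the request scopes when the
    app never set it, and the value is written out without encoding."""
    scopes = {"variables": {k.upper(): v for k, v in variables.items()}, **request}

    def resolve(match):
        name = match.group(1).upper()
        for scope in LOOKUP_ORDER:
            if name in scopes[scope]:
                return scopes[scope][name]
        raise KeyError(f"Variable {name} is undefined")

    return UNSCOPED_REF.sub(resolve, template)


HARDENED_TEMPLATE = "<h2>#variables.SUB_HEAD_TEXT#</h2><p>section #url.section_id#</p>"


def render_scoped(template, request, variables, defaults=None):
    """Hardened: every reference names its scope, internal variables get a
    default (cfparam-style) instead of falling through to the request, and all
    output is HTML-encoded."""
    internal = {k.upper(): v for k, v in (defaults or {}).items()}
    internal.update({k.upper(): v for k, v in variables.items()})
    scopes = {"variables": internal, **request}

    def resolve(match):
        scope, name = match.group(1), match.group(2).upper()
        if name not in scopes[scope]:
            raise KeyError(f"{scope}.{name} is undefined")
        return html.escape(scopes[scope][name], quote=True)

    return SCOPED_REF.sub(resolve, template)


def find_unscoped_refs(template):
    """Review aid: names referenced without a scope, i.e. the ones a request
    parameter could satisfy if the app forgets to set them."""
    return sorted({m.group(1).upper() for m in UNSCOPED_REF.finditer(template)})


def demo():
    """Replay the thread's three requests against constructed app.example URLs."""
    base = "https://app.example/pages.cfm?pg=hlc&section_id="
    ok = parse_request(base + "2")
    broken = parse_request(base + "2and")
    poisoned = parse_request(base + "2and&SUB_HEAD_TEXT=<h1>injected</h1>")
    out = {"normal": render_unscoped(VULNERABLE_TEMPLATE, ok, page_handler(ok))}
    try:
        render_unscoped(VULNERABLE_TEMPLATE, broken, page_handler(broken))
    except KeyError as err:
        out["broken"] = err.args[0]  # the "Variable ... is undefined" leak
    out["poisoned"] = render_unscoped(VULNERABLE_TEMPLATE, poisoned, page_handler(poisoned))
    out["hardened"] = render_scoped(HARDENED_TEMPLATE, poisoned, page_handler(poisoned),
                                    defaults={"SUB_HEAD_TEXT": "Listings"})
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>9}: {value}")
```

The vulnerable path shows the two defects together: the undefined-variable error tells the reader which name the template expects, and the unscoped lookup then lets a request parameter fill it. The hardened path removes both: a scoped reference is never satisfied from `url` or `form`, a default keeps the page from leaking the variable name in an error, and encoding covers the case where a request value is meant to be displayed. Running `find_unscoped_refs` over real templates is the cheap check to apply before the other two.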

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: Gareth Heyes
Date: March 16, 2010 07:29AM

I'm going to unveil a new technique developed by me to hack webapps and sites. Now I'm presenting a technique which can be subcategorized under the tree of IPP injection, The "IP ON U - Injection". It involves a spray attack.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: digi7al64
Date: March 17, 2010 01:40AM

Gareth Heyes Wrote:
-------------------------------------------------------
> I'm going to unveil a new technique developed by
> me to hack webapps and sites. Now I'm presenting a
> technique which can be subcategorized under the
> tree of IPP injection, The "IP ON U - Injection".
> It involves a spray attack.


Bad news Gareth :(

RKelly was the first to use the heap spray attack you are describing.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: vinnu
Date: March 18, 2010 09:55AM

Heap spray... are you puzzled?
Well, the heap spray attack makes use of large object initialization several times so as to flood the heap area, in order to make the EIP register point to the attacker-controlled shellcode in the heap.

The heap spray method has been effectively and heavily used against browsers using scripting languages.

But the IPP-Injection is an attack subcategorised under HPP-Injection and is meant against the server-side app modules.


It arises due to superposition of the attacker-supplied value on the application variable's value, whereas in spraying, repeated loops of the same shellcode value are initialised in the heap area.

Whereas in IPP injection, the variable can also lie in the stack or wherever, depending on the variable's initialization and implementation.



Though, you are confused by the induced XSS condition in the above scenario example. This is only by chance, because the variable under attack is used by the app to construct the returned page.
Moreover, in this attack we need not inject the variable repeatedly, as is done in a spray attack.

Though I haven't yet researched it a lot, because of the very few resources available to me; maybe you can flourish this injection technique better... thanks.


Remember: IPP-Injection is caused by injecting a single instance of a variable, and it affects the server-side module.
Whereas the heap spray attack makes use of initializing a single shellcode object instance several times in a loop, and it is carried out on client-side modules.


..."vinnu"

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: sirdarckcat
Date: March 20, 2010 09:44PM

No vinnu, what Gareth means is that by means of the spray attack he is able to Inject Parameters in Unsigned integers (IP on U), such as unsigned int.

In that case the number will overflow if it's unsigned and will now be "NaN" or "Infinity" or "null" or "window" depending on the implementation; then the server will transform our number to JSOPCodes and will execute an alert. I can't make a PoC right now, but I'm sure Gareth can.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: Gareth Heyes
Date: March 22, 2010 03:08AM

*gareth is currently drinking lots of water*

POC almost ready

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/22/2010 11:04AM by Gareth Heyes.

Re: IPP - Injection (Internal Parameter Poisoning)
Date: March 27, 2010 07:00AM

Big SQL injection exploited by Vinnu bro and me on Pak and Aussie sites. A deadly combination of SQL+AJAX was used to prepare a virus. You can get the rest of the info on our blog....


Thanks LOX "Legion of Xtremers" India

http://hackingethics.wordpress.com

Re: IPP - Injection (Internal Parameter Poisoning)
Posted by: Skyphire
Date: April 04, 2010 10:08PM

Vinnu, that's what most commercial application scanners are doing, i.e. they have to know what comes back at them to know if it's vulnerable.
