Saturday, 4 October 2014

C Struct Hack

Let's look at a nice little C structure hack which can be of use in many tricky situations.

Structures in C can also be defined as shown below:
struct somestruct {
  int strlen;
  char str[0];
};

What does str[0] mean here?
This declaration is perfectly valid in GNU C, and it simply means that str is a zero-length array, also known as a flexible array.

Why do we need to use this?
Say you declare a structure which looks like this:

#define MAX_STRLEN 50
struct somestruct {
  int strlen;
  char str[MAX_STRLEN];
};

Whenever you declare this structure, you consume 50 bytes for the array str even if you don't use all of them. This is a waste of space. Flexible arrays can help you overcome this problem.

Let's look in detail at how to deal with flexible arrays.

I have a structure, say,
struct mystruct
{
   int type;
   int length;
   char value[0];
};

sizeof(struct mystruct) will give 8 bytes since the memory for value hasn't been allotted.
The way to use these flexible arrays would be to allocate as many bytes as required for the character array "value" first and proceed.
For example:
struct mystruct* a = malloc(sizeof(struct mystruct) + value_length);
a->length = value_length;

One question that immediately comes to mind is:
why do I need to do this to save memory? I can instead define my struct as
struct mystruct
{
 int type;
 int length;
 char *value;
};

This is absolutely fine too when it comes to saving memory space, but the way you want to define it depends on the situation. Defining the struct in the latter way makes the character pointer "value" point to some arbitrary place elsewhere in memory, while with flexible arrays the memory allocated for value is right after the memory allocated to type and length (which are 4 bytes each).

Here is an example of a situation where this comes in handy.
Let's say I declare an array of structures (the structure has an array field), and I want to populate them and write them to a file. In this kind of situation, I would define the structure using flexible arrays.
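
Reading such a file back means trusting the stored length field, so the reader has to check it before using it. This is an added example, not from the original post, written in Python: it assumes each record is the 8-byte header (type and length as 4-byte little-endian ints) followed directly by length value bytes, and the function names and the 4096-byte cap are illustrative.

```python
import struct

# Mirrors the fixed part of struct mystruct: int type; int length;
HEADER = struct.Struct("<ii")   # assumed: 4-byte little-endian ints
MAX_VALUE_LEN = 4096            # assumed application limit, not from the post


def pack_record(rtype, value):
    """Header followed directly by the value bytes (the flexible-array layout)."""
    return HEADER.pack(rtype, len(value)) + value


def parse_records(blob):
    """Return [(type, value), ...]; raise ValueError on a malformed record."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        rtype, length = HEADER.unpack_from(blob, off)
        off += HEADER.size
        # The length field is untrusted input: reject negative or oversized values.
        if length < 0 or length > MAX_VALUE_LEN:
            raise ValueError("length %d out of range" % length)
        # Never read past the end of the data that is actually present.
        if length > len(blob) - off:
            raise ValueError("length %d exceeds remaining data" % length)
        records.append((rtype, blob[off:off + length]))
        off += length
    return records


def is_well_formed(blob):
    """True if every record in blob passes the checks in parse_records."""
    try:
        parse_records(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    data = pack_record(1, b"hello") + pack_record(2, b"")  # constructed sample
    print(parse_records(data))
    print(is_well_formed(HEADER.pack(1, 100) + b"abc"))
```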

For more details regarding zero-length arrays or flexible arrays, see:

https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
http://www.quora.com/What-is-the-advantage-of-using-zero-length-arrays-in-C

Sunday, 7 September 2014

Computer Security - Links Really Worth Sharing

Hello,
It's been a long time since I last wrote a blog post, but I have decided to share whatever bit of info I know in the form of blog posts from now on. If you find reading this post worth your time, please do follow my blog and I shall keep interesting you.

This post is for all those people who love computer security and would want to know more about it. I have been interested in this field for the past several years and I have come across very useful links which I would like to share with you today. These links have been part of my bookmarks ever since I found them and I hope they will make it to yours too :). A lot of effort has already been put in by many people to organize the various blogs, articles, websites and wargames into various useful categories. My job in this post would be simply to make you aware of such worthy links.

Some useful links worth sharing:

This is an enormous list comprising a lot of interesting blogs and tutorials that have been categorized systematically. If anyone from the security industry hasn't come across this, then I must say that the person surely would have spent more time in collecting resources about a particular topic in computer security. A big thanks to all the people who have worked behind this, and it's quite disappointing that it's been a while since they have updated the list (it's almost been 3 years now). Nevertheless, a great treasure of resources for a security enthusiast. Most of the links are worth going through barring a few.

If you are a CTF player then you ought to have come across this site. I regularly keep visiting this site to check if there is any CTF going on, although I am not a very serious participant. If you don't have any idea of what a CTF is, have a look at these links apart from the wiki of course :P.

https://ctftime.org/ctf-wtf/

https://ctf.isis.poly.edu/ (A beginner-level CTF. Try solving a few questions from the past years' CTFs and you will get a fair idea.)

This link contains a number of CTFs which are online most of the year, and you could participate anytime you want. If you are a geek or a person who loves to code or someone who loves learning new things, then a word of advice for you guys: try and participate in any of the CTFs (you will get addicted to it).

Null is an open security community based in India. If you are from India, I would highly recommend you to join this community. Null also holds monthly meetups and workshops in various parts of India like Bengaluru, Pune, Mumbai, Chennai, Dharmashala etc.

I am adding this here for two reasons.
1) I like Python
2) I think as a penetration tester or a CTF player, you should master at least one scripting language
If you really like Python, you can give this challenge a shot.

The list is not going to stop here and not anytime soon. I would also request you to suggest good links if you come across any.

Saturday, 5 July 2014

Diving into SQL Injection - Part I

This post is for all those people out there who know roughly what SQL Injection is but have no idea how to practically exploit SQLi vulnerabilities. I will be going through the most rudimentary concepts in SQL Injection, and hence this post is not suitable for people wanting to learn advanced concepts in SQL injection.
What is SQL Injection?
Wikipedia says "SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database."
Now most of you would be aware of what this means only in theory. In this post I plan to show some of the basic attack vectors which you can craft to exploit SQLi vulnerabilities. Although these attack vectors (cleverly crafted SQL queries) may be very basic, it is essential that we understand them before proceeding to the next level.
We will just be looking at authentication bypass in this post and further topics in the coming posts.
  • Authentication Bypass:
Most of us would have seen login pages of different sites like gmail, yahoo etc. Most of them ask us to enter the username and password. The question is what if we could bypass such authentication pages, i.e. log in without having the actual details. Most of the vulnerabilities arise from insecure coding practices that developers tend to adopt. Let's see how we can exploit the vulnerability which is introduced due to the lack of secure coding practice on the server side.

Below is a sample PHP line which checks for login credentials.
$q = "SELECT * FROM users where username='".$username."' AND password = '".md5($pass)."'" ;
Notice that $username, which is what we enter in the username field, is not being sanitized at all. By sanitized I mean that it is not checked for illegal characters.
The question is how we take advantage of this. We have to craft our username in such a way that it bypasses the authentication.
Suppose you know that there is a user called admin; then you could use
admin' -- //
In this case the query becomes
select * from users where username= 'admin' -- // AND  password = '".md5($pass)."'" ;
Now why the two hyphens -- ?
The reason is that they are the comment characters in most SQL interpreters. # is another such comment character.
Why the //?
This is not necessary. You could just put a space instead, but remember that you need to put a space; otherwise there won't be a space between the -- and AND, i.e. the query looks somewhat like
select * from users where username= 'admin' --AND  password = '".md5($pass)."'" ;
which doesn't work.
Note: It's likely that you might miss the space, and hence the //.
In case you don't know any valid user, you could try this to bypass authentication:
' or 1=1 -- //
Let's construct the back-end query with this user input in mind:
select * from users where username='' or 1=1 -- // AND  password = '".md5($pass)."'" ;
By using the expression or 1=1 we make the username condition evaluate to TRUE, and as before we comment out the password part using the --.
Now what does this query return from the back-end database?
Since there is no username specified, this is an obvious question. Because the condition is now true for every row, the login code gets the first row from the users table.
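
The two inputs above, run against the concatenated query and against the same query with bound parameters. This is an added example, not code from the original post: it uses Python's sqlite3 module in place of PHP and MySQL, and the table contents, passwords and function names are constructed for illustration.

```python
import hashlib
import sqlite3


def md5_hex(text):
    # MD5 only mirrors the md5($pass) call in the post's PHP line.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """In-memory users table; the accounts are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", md5_hex("admin-pass")), ("alice", md5_hex("alice-pass"))],
    )
    return db


def login_concat(db, username, password):
    """Same shape as the PHP line: the input is pasted into the SQL text."""
    q = ("SELECT username FROM users WHERE username='" + username
         + "' AND password = '" + md5_hex(password) + "'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_bound(db, username, password):
    """Placeholders: values are passed separately and never parsed as SQL."""
    q = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(q, (username, md5_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the post, each tried with a wrong password.
    for name in ("admin", "admin' -- //", "' or 1=1 -- //"):
        print(repr(name),
              "concat:", login_concat(db, name, "wrong"),
              "| bound:", login_bound(db, name, "wrong"))
```

With bound parameters the quote and the comment marker stay inside the username value, so both inputs are compared literally and match no row.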

That's it for now. I will introduce more attack vectors and try to explain them in the coming posts.