[WEB SECURITY] Numeric SQL injection ASP.NET

Mike mike at deadliestwebattacks.com
Thu Apr 28 16:48:01 EDT 2011


Sorry, I realize my comment was pretty brief. In your case, the string to be modified is part of an array of strings, so you need to look for the length field elsewhere. I've highlighted a hint below, although the formatting might not survive the email list.
0000000: ff01 0f0f 050a 3130 3131 3735 3433 3234  ......1011754324
0000010: 0f64 1602 0203 0f64 1602 0201 0f10 0f16  .d.....d........
0000020: 061e 0d44 6174 6154 6578 7446 6965 6c64  ...DataTextField
0000030: 0503 4e6f 6d1e 0e44 6174 6156 616c 7565  ..Nom..DataValue
0000040: 4669 656c 6405 0849 645f 5669 6c6c 651e  Field..Id_Ville.
0000050: 0b5f 2144 6174 6142 6f75 6e64 6764 1015  ._!DataBoundgd..
0000060: 060a 4361 7361 626c 616e 6361 0552 6162  ..Casablanca.Rab
0000070: 6174 0453 6166 6906 5461 6e67 6572 0641  at.Safi.Tanger.A
0000080: 6761 6469 7205 5361 6669 6515 0603 3230  gadir.Safie...20
0000090: 30**03 3230 31**03 3230 3203 3230 3303 3230  0.201.202.203.20
00000a0: 3403 3230 3214 2b03 0667 6767 6767 6764  4.202.+..ggggggd
00000b0: 6418 0105 0947 7269 6456 6965 7731 0f3c  d....GridView1.<
00000c0: 2b00 0a01 0802 0164

The general case of reverse engineering viewstate is quite interesting. Give me a week or so and I'll write up some notes about doing this in C++ with Boost Spirit on my web site (it's actually quite fun!)
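The decoding Mike sketches above, as an added example: a Python reader for the ObjectStateFormatter stream behind `__VIEWSTATE`, run over the exact value Oussama posted further down the thread. This is not code from the list, from Mike's site or from Microsoft; the token values and the built-in known-type table are assumptions from my reading of the ASP.NET 2.x ObjectStateFormatter, and the class and function names are my own. It reads the 7-bit length-prefixed strings Mike refers to (including the multi-byte form for lengths over 127), walks the nested pairs, triplets and array lists, and returns the two string arrays (cities and codes) as ordinary lists instead of leaving them to be picked out of a hex dump by hand.

```python
"""Reader for the ASP.NET ObjectStateFormatter stream carried in __VIEWSTATE.

Added example for this thread, not code from the list, Mike's site or Microsoft.
Token values and the type table below are assumptions from the ASP.NET 2.x
ObjectStateFormatter; only tokens needed for the thread's blob (plus a few
close relatives) are handled, anything else raises.
"""
import base64
import urllib.parse

T_INT16, T_INT32, T_BYTE, T_STRING, T_PAIR, T_TRIPLET = 0x01, 0x02, 0x03, 0x05, 0x0F, 0x10
T_ARRAY, T_STRING_ARRAY, T_ARRAYLIST, T_HASHTABLE, T_HYBRID_DICT = 0x14, 0x15, 0x16, 0x17, 0x18
T_ISTRING_ADD, T_ISTRING, T_TYPEREF_ADD, T_TYPEREF_ADD_LOCAL, T_TYPEREF = 0x1E, 0x1F, 0x29, 0x2A, 0x2B
T_BINARY_SERIALIZED, T_SPARSE_ARRAY, T_NULL, T_EMPTY_STRING, T_TRUE, T_FALSE = 0x32, 0x3C, 0x64, 0x65, 0x67, 0x68
KNOWN_TYPES = ["System.Object", "System.Int32", "System.String", "System.Boolean"]  # indexed from 0

# The __VIEWSTATE value Oussama posted, still URL-encoded as captured in the proxy.
VIEWSTATE = (
    "%2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFW"
    "YWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkG"
    "VGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEF"
    "CUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D"
)


class ViewStateReader:
    def __init__(self, blob: bytes):
        self.buf, self.pos = blob, 0
        self.strings = []               # filled by IndexedStringAdd, read by IndexedString
        self.types = list(KNOWN_TYPES)  # extended by TypeRefAdd / TypeRefAddLocal

    def _take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated stream at offset {self.pos}")
        self.pos += n
        return chunk

    def _7bit(self) -> int:
        """BinaryReader.Read7BitEncodedInt: base-128, low group first, high bit = more follows."""
        value = shift = 0
        while True:
            b = self._take(1)[0]
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                break
            shift += 7
        value &= 0xFFFFFFFF
        return value - 0x100000000 if value & 0x80000000 else value

    def _string(self) -> str:
        # 7-bit length prefix, then UTF-8 bytes: the length field the thread is about.
        return self._take(self._7bit()).decode("utf-8")

    def _type(self) -> str:
        t = self._take(1)[0]
        if t == T_TYPEREF:
            return self.types[self._7bit()]
        if t in (T_TYPEREF_ADD, T_TYPEREF_ADD_LOCAL):
            self.types.append(self._string())
            return self.types[-1]
        raise ValueError(f"unexpected type token 0x{t:02x} at offset {self.pos - 1}")

    def value(self):
        """Read one value; Pair/Triplet/arrays come back as tuples whose element 0 is a label."""
        t = self._take(1)[0]
        simple = {T_NULL: None, T_TRUE: True, T_FALSE: False, T_EMPTY_STRING: ""}
        if t in simple:
            return simple[t]
        if t == T_BYTE:
            return self._take(1)[0]
        if t == T_INT16:
            return int.from_bytes(self._take(2), "little", signed=True)
        if t == T_INT32:
            return self._7bit()
        if t == T_STRING:
            return self._string()
        if t == T_ISTRING_ADD:
            self.strings.append(self._string())
            return self.strings[-1]
        if t == T_ISTRING:
            return self.strings[self._7bit()]
        if t == T_PAIR:
            return ("Pair", self.value(), self.value())
        if t == T_TRIPLET:
            return ("Triplet", self.value(), self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self._7bit())]
        if t == T_STRING_ARRAY:                      # strings here carry no 0x05 token
            return [self._string() for _ in range(self._7bit())]
        if t == T_ARRAY:
            elem = self._type()
            return (elem + "[]", [self.value() for _ in range(self._7bit())])
        if t == T_SPARSE_ARRAY:                      # type, length, item count, (index, value)*
            elem = self._type()
            items = [None] * self._7bit()
            for _ in range(self._7bit()):
                idx = self._7bit()
                items[idx] = self.value()
            return (elem + "[]", items)
        if t in (T_HASHTABLE, T_HYBRID_DICT):
            result = {}
            for _ in range(self._7bit()):
                key = self.value()
                result[key] = self.value()
            return result
        if t == T_BINARY_SERIALIZED:                 # BinaryFormatter payload: surfaced raw, never deserialized
            return ("BinarySerialized", self._take(self._7bit()))
        raise ValueError(f"unsupported token 0x{t:02x} at offset {self.pos - 1}")


def decode_viewstate(form_value: str):
    """URL-decode, base64-decode and parse a __VIEWSTATE field into a Python object tree."""
    raw = base64.b64decode(urllib.parse.unquote(form_value))
    if raw[:2] != b"\xff\x01":
        raise ValueError("not an ObjectStateFormatter v1 stream (encrypted, or another serializer?)")
    reader = ViewStateReader(raw)
    reader.pos = 2
    tree = reader.value()
    if reader.pos != len(raw):   # with enableViewStateMac on, the MAC trailer would be left here
        raise ValueError(f"{len(raw) - reader.pos} trailing bytes after the object tree")
    return tree


def all_strings(node):
    """Every string in the tree in stream order; tuple labels (element 0) are skipped."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, tuple):
        return [s for child in node[1:] for s in all_strings(child)]
    if isinstance(node, list):
        return [s for child in node for s in all_strings(child)]
    if isinstance(node, dict):
        return [s for k, v in node.items() for s in all_strings(k) + all_strings(v)]
    return []


if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_viewstate(VIEWSTATE))
```

Running it prints the tree: the control-state hash string, the DropDownList's property list, then a triplet holding the six city names, the six codes ("200" to "204", with "202" twice) and a `System.Boolean[]` of six `True` values, and finally the GridView's state in a sparse `System.Object[]`. Two things the reader makes concrete from a defender's side: with `enableViewStateMac` off there is nothing in this stream that binds it to the server, so the selected value has to be authorized server-side like any other form field, and a `BinarySerialized` entry is worth flagging in review because that payload is handed to BinaryFormatter on the server.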
--- On Thu, 4/28/11, Oussama Gabi <oussama.gabi at gmail.com> wrote:

From: Oussama Gabi <oussama.gabi at gmail.com>
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET
To: "Mike" <mike at deadliestwebattacks.com>
Cc: websecurity at lists.webappsec.org
Date: Thursday, April 28, 2011, 2:56 AM

Sorry, I didn't understand.

2011/4/27 Mike <mike at deadliestwebattacks.com>

Viewstate strings have a length field in the serialized form. So you'd need to append the "or 1=1" and adjust the length by 6 characters. In this simple hack, try looking for your string and a leading byte of 0x05 or 0x1e followed by a byte that indicates the length of the string.

(I've greatly simplified the description of viewstate serialization. For example, lengths greater than 127 bytes require an extra step to decode.)



From: Oussama Gabi <oussama.gabi at gmail.com>
To: Erlend Oftedal <erlend at oftedal.no>
Cc: websecurity at lists.webappsec.org
Sent: Wednesday, April 27, 2011 2:47 AM
Subject: Re: [WEB SECURITY] Numeric SQL injection ASP.NET

Hello guys,

For testing I put the enableViewStateMac to false, now there is no hash at the end of the ViewState. Then I intercept the request with BurpProxy.

The ViewState code is %2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D


I get something like this when I decode it: ÿ1011754324ddDataTextFieldNomDataValueFieldId_Ville_!DataBoundgdCasablancaRabatSafiTangerAgadirSafie200201202203204202+ggggggdd	GridView1<+�

d
My goal is to add or 1=1 to display all the cities with temperature. So I add it after the value selected in the dropdownlist, e.g. 201 becomes 201 or 1=1, and then I encode it all to base64.

But I got an error: session information is not valid...
I've tried to change the Content-Length, in vain.
I know it's stupid, but I want to make this example work.



this is my Code https://gist.github.com/943987
do you have any ideas please?



Thank you
Best regards
Oussama GABI
2011/4/25 Erlend Oftedal <erlend at oftedal.no>
Hi

Sharing the code could be a good idea. Maybe put it up on github or something.

Best regards,
Erlend

On 25.04.2011 17:38, Oussama Gabi wrote:

Yes, I've disabled the enableValidation; for the ViewState I added EnableViewState=false in the dropdownList, without any result.

The server response:

Status=OK - 200
Server=ASP.NET Development Server/10.0.0.0
Date=Mon, 25 Apr 2011 16:22:39 GMT
X-AspNet-Version=2.0.50727
Cache-Control=private
Content-Type=text/html; charset=utf-8
Content-Length=1331
Connection=Close

Thank you very much

2011/4/25 Ryan Dewhurst <ryandewhurst at gmail.com>

Are the ViewState and EventValidation being URL encoded when being sent back to the server?

What is the HTTP response you are getting?

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r

On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi at gmail.com> wrote:

Hello guys,

I am a beginner in web application security, so I started to train on WebGoat. I would like to make a numeric SQL injection attack, but in ASP.NET.

So I created a dropdownlist that retrieves the names of cities and a gridview for display!

The problem is that when I change the ID value with TamperData, nothing happens. I looked a bit and I think it's a problem with ViewState, so is it impossible to make this attack in ASP.NET?

How could I circumvent this ViewState or disable it for testing? Or any hint!

Thank you!

Best regards!

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org