
teenage_mutant_ninja_turtles_v1.9.1's Introduction

Introduction

Nowadays cyber criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems. SQL injection is the prevalent way of attacking front-end web applications and back-end databases to compromise data confidentiality. Recently published reports by the Web Hacking Incidents Database (WHID) show SQL injection as the top attack vector, making up 19 percent of all security breaches examined by WHID. The Open Web Application Security Project (OWASP) Top 10 risk categorization chart rates SQL injection as the number one threat, alongside operating system command injection and LDAP injection attacks.

But why does this happen? Have you ever thought about it? Well, the answer is easy: we are seeing such an increase in SQL injection incidents because we have an "industrialization of hacking". SQL injection attacks are generally carried out by typing malformed SQL commands into front-end web application input boxes that are tied to database accounts, in order to trick the database into offering more access to information than the developer intended. Part of the reason for such a huge rise in SQL injection attacks is that in the last few years criminals have increasingly been using automated and manual SQL injection attacks, powered by botnets or professional hackers, to hit vulnerable systems. They use the attacks both to steal information from databases and to inject malicious code into these databases as a means to perpetrate further attacks.

Why SQL injection attacks still exist

SQL injection attacks happen because of badly implemented web application filters, meaning that the web application often fails to properly sanitize malicious user input. You can usually find this type of badly implemented SQL injection filter in web applications outsourced to India, Asia or other possibly third world countries, where the developers are not aware of what proper SQL injection filtering is. Most of the time, well known large organizations from the financial sector will create a large team of functional and security testers and then outsource the project in order to reduce the development cost, while at the same time trying to maintain and increase their control of the web application development progress and the quality assurance process. Unfortunately this is not easy, or even possible, due to bad management procedures or a lack of security awareness on the side of the developers. The main mistake developers make is that they look for a quick fix; for example, they might think that placing a Web Application Firewall (WAF) in front of a web application and applying black list filtering will solve the problem.

That is wrong, because SQL injection attacks can be obfuscated to bypass these quick fixes relatively easily. Obfuscating SQL injection attacks is nowadays a de facto standard for penetration testing and has been used by well known web malware such as Asprox. The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and in performing SQL injections into websites in order to spread malware. Since its discovery in 2008 the Asprox botnet has been involved in multiple high-profile attacks on various websites in order to spread malware. The botnet itself consisted of roughly 15,000 infected computers as of May 2008, although its size is highly variable, as the controllers of the botnet have been known to deliberately shrink (and later regrow) it in order to prevent more aggressive countermeasures from the IT community. Asprox made extensive use of automated obfuscated SQL injection attacks. To better understand what SQL obfuscation means within the context of computer security, you should consider obfuscated SQL injection attacks as a technique similar to virus polymorphism.

Why obfuscate SQL injection

This article is going to talk about obfuscated SQL injection fuzzing. Nowadays all high profile sites in the financial and telecommunication sectors use filters to filter out all types of vulnerabilities, such as SQL injection, XSS, XXE, HTTP header injection etc. In this particular article we are going to talk only about obfuscated SQL injection fuzzing attacks.

First of all, what obfuscate means according to Dictionary.com (http://dictionary.reference.com/browse/obfuscated):

"Definition of obfuscate: verb (used with object), ob·fus·cat·ed, ob·fus·cat·ing.
1. To confuse, bewilder, or stupefy.
2. To make obscure or unclear: to obfuscate a problem with extraneous information.
3. To darken."

Web applications frequently employ input filters that are designed to defend against common attacks, including SQL injection. These filters may exist within the application's own code, in the form of custom input validation, or may be implemented outside the application, in the form of web application firewalls (WAFs) or intrusion prevention systems (IPSs). Usually these types of filters are called virtual patches. After you read this article you should be able to understand that virtual patching is not going to protect you from advanced attackers.

Common types of SQL filters

In the context of SQL injection attacks, the most interesting filters you are likely to encounter are those which attempt to block any input containing one or more of the following:
1. SQL keywords, such as SELECT, AND, INSERT
2. Specific individual characters, such as quotation marks or hyphens
3. White-spaces

You may also encounter filters which, rather than blocking input containing the items in the preceding list, attempt to modify the input to make it safe, either by encoding or escaping problematic characters or by stripping the offending items from the input and processing what is left in the normal way. The latter, by the way, is not logical: if someone wants to harm your web application, why would you want to process their malicious input at all?

Often, the application code that these filters protect is vulnerable to SQL injection (because incompetent, ignorant or badly paid developers exist all over the world), and to exploit the vulnerability you need to find a means of evading the filter to pass your malicious input to the vulnerable code. In the next few sections, we will examine some techniques that you can use to do just that.

Bypassing SQL injection filters

There are numerous ways to bypass SQL injection filters, and even more ways to exploit them. The most common ways of evading SQL injection filters are:
1. Using Case Variation
2. Using SQL Comments
3. Using URL Encoding
4. Using Dynamic Query Execution
5. Using Null Bytes
6. Nesting Stripped Expressions
7. Exploiting Truncation
8. Using Non-Standard Entry Points
9. Combining all of the techniques above

Take notice that all the above SQL injection filter bypassing techniques work against the black list filtering mentality, not the white list filtering logic. This means that bad software development is based on the black list filter concept.

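As an added illustration of why the bypasses above work against black list filters (example code written for this page, not part of the Teenage Mutant Ninja Turtles tool): a naive, case-sensitive signature filter is run over constructed samples of one probe after case variation, comment filling, URL encoding and nesting; a normalising filter that decodes and case-folds the input catches all of them again, a strip-once "sanitiser" is shown reassembling the nested form, and a parameterised query shows the fix that needs no filter at all. The signature list and the sample strings are constructed for this example.

```python
import re
import sqlite3
import urllib.parse

# Constructed signatures a naive, case-sensitive black list filter might look for.
BLOCKLIST = ("UNION SELECT", "DROP TABLE", "OR 1=1")

def naive_blocklist(payload):
    """Case-sensitive substring match on the raw input, with no decoding."""
    return any(sig in payload for sig in BLOCKLIST)

def normalize(payload):
    """Undo the mutations listed above before matching."""
    text = urllib.parse.unquote_plus(payload)   # URL encoding ('+' and %XX)
    text = text.replace("\x00", "")             # null bytes
    text = re.sub(r"/\*.*?\*/", " ", text)      # SQL comments used as space fillers
    return " ".join(text.split()).upper()       # whitespace variants and case variation

def normalized_blocklist(payload):
    return any(sig in normalize(payload) for sig in BLOCKLIST)

def strip_once(payload):
    """A 'sanitising' filter that deletes each signature once and processes the rest."""
    for sig in BLOCKLIST:
        payload = payload.replace(sig, "", 1)
    return payload

def parameterized_lookup(user_input):
    """The real fix: the input is bound as a value and never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (user_input,)).fetchall()
    conn.close()
    return rows

# Constructed samples: one probe, then the same probe after the article's mutations.
SAMPLES = {
    "plain":   "' UNION SELECT secret FROM users",
    "case":    "' UnIoN SeLeCt secret FROM users",
    "comment": "'/**/UNION/**/SELECT/**/secret/**/FROM/**/users",
    "url":     "%27+UNION+SELECT+secret+FROM+users",
    "nested":  "' UNION UNION SELECTSELECT secret FROM users",
}

def filter_report():
    """Per sample: (blocked by the naive filter, blocked after normalisation)."""
    return {name: (naive_blocklist(p), normalized_blocklist(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print(filter_report(), strip_once(SAMPLES["nested"]))
```

The nested sample survives strip_once as exactly the plain probe, which is the point the stripping-filter paragraph above makes; the parameterised lookup returns no rows for any of the samples because the whole string is compared as a name.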
What the Teenage Mutant Ninja Turtles project can do for you

For these types of attacks there is a tool written by Gerasimos Kassaras (this is me) that can obfuscate SQL payloads (and other payloads): the Teenage Mutant Ninja Turtles tool.

The Teenage Mutant Ninja Turtles project is three things:
1. A web application payload database (heavily based on the fuzzdb project for now)
2. A web application error database.
3. A web application payload mutator.

In this particular project I am providing you with a tool to generate obfuscated fuzzing injection attacks in order to bypass badly implemented web application filters (e.g. for SQL injection, XSS injection etc.). The tool takes as input an option and a file name and spits out the obfuscated file as output.

Functions that mutate the original payload file

This function does no payload obfuscation; it only does de-duplication (i.e. it removes duplicate lines):

    import base64
    import re
    import time
    import urllib.parse

    # Assumed helpers: the script defines these elsewhere, they are not shown on this page.
    def getTime():  # timestamp prefix for every generated file (format assumed)
        return time.strftime("%Y%m%d%H%M%S")

    suffixFile, postfixFile, fillerFile = "suffixes.lst", "postfixes.lst", "fillers.lst"  # assumed paths

    def deduplicate(_payloadList):  # no obfuscation, just drops duplicate lines
        _mutatePayloadFile = getTime() + '_' + "deduplicatedPayloads.lst"
        _mutatePayloadFileObj = open(_mutatePayloadFile, "w")
        _deduplicatedList = list(set(_payloadList))
        for line in _deduplicatedList:
            _mutatePayloadFileObj.write(line)
        _mutatePayloadFileObj.close()

This function adds case variation:

    def caseVarietionAdder(_payloadList):  # Adding case variation
        # Each pattern matches the keyword only in all-lower or all-upper case, as in the original.
        _variations = [
            (re.compile('(select|SELECT)'), 'SeLeCt'),
            (re.compile('(insert|INSERT)'), 'InSeRt'),
            (re.compile('(update|UPDATE)'), 'UpDaTe'),
            (re.compile('(version|VERSION)'), 'VeRsIoN'),
            (re.compile('(union|UNION)'), 'UnIoN'),
            (re.compile('(exec|EXEC)'), 'ExEc'),
            (re.compile('(null|NULL)'), 'NuLl'),
            (re.compile('(value|VALUE)'), 'VaLuE'),
            (re.compile('(CASE|case)'), 'CaSe'),
            (re.compile('(drop|DROP)'), 'DrOp'),
            (re.compile('(create|CREATE)'), 'CrEaTe'),
            (re.compile('(tablespace|TABLESPACE)'), 'TaBlEsPaCe'),
        ]
        _mutatePayloadFile = getTime() + '_' + "caseVariationPayloads.lst"
        _mutatePayloadFileObj = open(_mutatePayloadFile, "w")
        for _payloadline in _payloadList:
            _mutated = _payloadline.rstrip('\n')
            for _pattern, _replacement in _variations:
                _mutated = _pattern.sub(_replacement, _mutated, count=0)  # count=0 replaces every match
            _mutatePayloadFileObj.write(_mutated + '\n')
        _mutatePayloadFileObj.close()

This function adds suffixes, e.g. %00 etc. (despite the name, each element is written in front of the payload):

    def suffixAdder(_payloadList):  # Adding suffixes
        _mutatePayloadFile = getTime() + '_' + "suffixedPayloads.lst"
        _mutatePayloadFileObj = open(_mutatePayloadFile, "w")
        _suffixElementObj = open(suffixFile, "r")  # one suffix element per line
        _suffixList = _suffixElementObj.readlines()
        _suffixElementObj.close()
        for _suffix in _suffixList:
            for _payloadline in _payloadList:
                _mutatePayloadFileObj.write(_suffix.rstrip() + _payloadline.rstrip('\n') + '\n')
        _mutatePayloadFileObj.close()

This function adds postfixes, e.g. ); -- etc. (each element is appended to the payload):

    def postfixAdder(_payloadList):  # Adding postfixes
        _mutatePayloadFile = getTime() + '_' + "postfixedPayloads.lst"
        _mutatePayloadFileObj = open(_mutatePayloadFile, "w")
        _postfixElementObj = open(postfixFile, "r")  # one postfix element per line
        _postfixList = _postfixElementObj.readlines()
        _postfixElementObj.close()
        for _postfix in _postfixList:
            for _payloadline in _payloadList:
                _mutatePayloadFileObj.write(_payloadline.rstrip() + _postfix.rstrip() + "\n")
        _mutatePayloadFileObj.close()

This function does URL encoding:

    def urlEncoder(_payloadList):  # Do url encoding (Python 3 form of urllib.urlencode)
        _mutatePayloadFileObj = open(getTime() + '_' + "urlEncodedPayloads.lst", "w")
        for _payloadline in _payloadList:
            _encoded = urllib.parse.urlencode({'q': _payloadline.rstrip('\n')}).replace("q=", "", 1)
            _mutatePayloadFileObj.write(_encoded + '\n')  # only the leading "q=" is dropped
        _mutatePayloadFileObj.close()

This function does base64 encoding:

    def base64Encoder(_payloadList):  # Base64 encoding (bytes in, text out under Python 3)
        _mutatePayloadFileObj = open(getTime() + '_' + "base64EncodedPayloads.lst", "w")
        for _payloadline in _payloadList:
            _encoded = base64.b64encode(_payloadline.rstrip('\n').encode()).decode()
            _mutatePayloadFileObj.write(_encoded + '\n')
        _mutatePayloadFileObj.close()

This function does hexadecimal encoding:

    def hexEncoder(_payloadList):  # Hex encoding (Python 3 replacement for str.encode("Hex"))
        _mutatePayloadFileObj = open(getTime() + '_' + "hexEncodedPayloads.lst", "w")
        for _payloadline in _payloadList:
            _mutatePayloadFileObj.write(_payloadline.rstrip('\n').encode().hex() + '\n')
        _mutatePayloadFileObj.close()

This function does whitespace filling (every space in the payload is replaced by a filler element):

    def replacer(_payloadList):  # Filling the gaps
        _mutatePayloadFile = getTime() + '_' + "spaceFilledPayloads.lst"
        _mutatePayloadFileObj = open(_mutatePayloadFile, "w")
        _space_FillerElementObj = open(fillerFile, "r")  # one filler element per line
        _space_FillerList = _space_FillerElementObj.readlines()
        _space_FillerElementObj.close()
        for _space_Filler in _space_FillerList:
            for _payloadline in _payloadList:
                _mutatePayloadFileObj.write(_payloadline.rstrip('\n').replace(" ", _space_Filler.rstrip()) + '\n')
        _mutatePayloadFileObj.close()

Usage of Teenage Mutant Ninja Turtles

Just execute the script and type help at the option prompt:

    Usage: Type a single option then press enter type filename press enter again for help type help for the turtle type ban!
    Enter option: help
    help  :  Print help message for script arguments
    sfx   :  For mutating SQL injection attack strings by adding suffixes to the payloads e.g EXEC, ';-- e.t.c
    pfx   :  For mutating SQL injection attack strings by adding postfixes to the payloads e.g. --, );-- e.t.c
    url   :  For mutating SQL injection attack strings by url encoding the payloads
    flr   :  For mutating SQL injection attack strings by filling the gaps with SQL commends, url encoded space and other special characters
    b64   :  For mutating attack strings by base 64 encoding the payloads
    hex   :  For mutating SQL injection attack strings by hex encoding the payloads
    ban   :  Print ThE script banner
    ver   :  Print version of the script
    all   :  Performing all mutations
    ded   :  Deduplicate all attack strings payloads
    var   :  For mutating SQL injection attack strings by adding case variation the payloads
    Bye bye...

Example script execution for generating suffixed SQL injection payloads:

    root# ./tmntv1.2.py
    Enter option: sfx
    Enter filename: p.txt
    Payload is being generated please wait...
    Payload mutation is finished enjoy...
