Here is something quick from the latest experience I had in the past month.
I found a website vulnerable to an SQL injection attack, which was originally caused by human error.
The original web application was not vulnerable, but some administrator modified the page to provide users with a more flexible use of the information. The information passed by the users was not sanitized at all; therefore, the vulnerability was born from the ashes.
The funny part is that the vulnerable parameter was an integer, and all you need to sanitize it is the PHP function intval() – as simple as that!
Using the SQL injection vulnerability I was able to read database data using a somewhat complex SQL query. I had to extract the information one byte at a time using Boolean expressions, scanning the page for a certain text that appears when the expression returns True to decide whether I got the right byte, i.e.:
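As an added illustration (not code from the post), here is the integer-parameter handling the author alludes to, side by side: the unsanitized concatenation, the intval() fix, a stricter validate-or-reject variant, and a prepared statement. The table name, column names and the use of mysqli are assumptions for the demo; the attacker-style input is constructed.

```php
<?php
// Added example, not the post's code: an integer "id" parameter handled four ways.
// Table/column names and the mysqli API usage are assumptions for illustration.

// Constructed input of the kind the post describes: a valid id followed by a
// Boolean expression. Only the leading "5" is a legitimate product id.
$constructedInput = "5 and (case when 1=1 then 187 else 0 end)";

// 1. Vulnerable: the value is concatenated into SQL as-is.
function vulnerableQuery(string $id): string
{
    return "SELECT name FROM products WHERE id = " . $id;
}

// 2. intval(): the fix the post points at. Everything after the leading integer
//    is discarded, so the Boolean tail never reaches MySQL.
function intvalQuery(string $id): string
{
    return "SELECT name FROM products WHERE id = " . intval($id);
}

// 3. Stricter: reject the request if the value is not a whole positive integer,
//    instead of silently truncating it. Returns null on bad input.
function validatedId(string $id): ?int
{
    $v = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// 4. Prepared statement: the value is bound as a typed parameter, so the SQL
//    text is never built from user input. Needs a live mysqli handle to run.
function fetchProductName(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT name FROM products WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// Demo on the constructed input (no database needed for 1-3).
echo "Vulnerable: " . vulnerableQuery($constructedInput) . PHP_EOL;
echo "intval():   " . intvalQuery($constructedInput) . PHP_EOL;
$id = validatedId($constructedInput);
echo "Validated:  " . ($id === null ? "rejected" : "id=" . $id) . PHP_EOL;
```

Running it shows the vulnerable query carrying the whole Boolean expression, the intval() query reduced to `id = 5`, and the validated path rejecting the request. intval() stops the injection but hides the tampering; the validate-or-reject variant lets the application log the bad request, and the prepared statement removes the string handling altogether.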
    for (i = 1; 1==1; i++)
        for (ch = 0x61; isTrue; ch++)
            (case when (hex(select mid(column,i,1) from table) = ch) then 187 else 0 end)
            // scan the page for "List of products:"
            // (found ? got the correct byte, save it, move to next byte : otherwise continue)
            isTrue = false;
        isTrue = true;
        // check if there are more bytes left
        // (not anymore? break : otherwise continue)
This method worked well; however, it took me a very long time to extract the information I wanted, even after I wrote a Python script to automate the process and improved it a couple of times to avoid scanning the whole possible alphabet.
Two days later I changed my query to another complex one using the MySQL function load_file() – not that I hadn't thought of it before, but at the time of discovery it wasn't possible to go right ahead and use it just like that.
I was able to get the result with one single shot.
To my surprise (not really), I found that the current MySQL user was 'root', with the almighty privileges.
I went ahead and extracted the root password hash; it was of the MySQL 3.23 type... (that shouldn't be hard!) but it was.
The hash wasn't found in any of the tens of databases I searched. I even created my own rainbow table (loweralpha_numeric_1-6) but got no result (I know it's not the superb rainbow table setting, but that's what I could afford to create in a couple of days on my CPU).
Hmm… so what now? Give up and run away with what I’ve got before I get hammered?
Not yet, baby. I have 'root' privileges, remember? That means I have 'FILE' privileges, which means I can read any arbitrary file on the affected server. Time for the SAM (oh yeah, I'm doing a Windows server).
The SAM database contains the NTLM hashes of the system groups. The only problem is that on Win2k and later the SAM database is protected by the syskey, which is stored in another database encrypted with AES-128. Unfortunately, the syskey was enabled by default. Hence, it would be a waste of time trying to get my hands on both files.
Hmm... and now? Easy, man: in order for PHP to communicate with the database, the SQL connection requires the username & password, which are luckily stored in plaintext }:]
So with the 'FILE' privilege, I went ahead and acquired a copy of several PHP files (one by one, scanning for any include, include_once, require, require_once). To make things even more challenging, the files were encoded by Zend Guard.
No problem, deZend tools are all over the Internet. I got one, decoded the files, and there it was: the root password in plaintext on a silver plate.
Using the password I was able to connect to the database through the phpMyAdmin control panel.
Enough? Nooo... the fun has just started.
I need to own the system now. But how? Well, a PHP shell is more than enough.
I wrote a PHP shell, converted it to hexadecimal, inserted the hexadecimal content into a table on the affected server, and with a simple query:
    SELECT shell INTO DUMPFILE 'c:/wamp/www/shell.php' FROM stupid_table
I dropped the shell onto the affected server :)
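From the defender's side, the byte-at-a-time Boolean probing described earlier, the load_file() read, and the INTO DUMPFILE write all leave a recognisable trace in the web server's access log. The following PHP script is an added example, not part of the post: it parses combined-format log lines, decodes the query string, matches the three patterns, and only raises a Boolean-blind alert when one client repeats the probe against one path, since a single hit is often noise. The log lines, threshold, field layout and paths are constructed for the demo.

```php
<?php
// Added example, not from the post: scan access-log lines for the three
// SQL-injection techniques the post walks through. Sample lines are constructed.

// Technique name => regex applied to the URL-decoded query string.
const PATTERNS = [
    'boolean-blind (case when / mid)' => '/\bcase\s+when\b.*\bmid\s*\(/is',
    'load_file()'                    => '/\bload_file\s*\(/i',
    'INTO DUMPFILE/OUTFILE'          => '/\binto\s+(?:dump|out)file\b/i',
];

// Combined-log-format line -> [ip, path, decoded query], or null if unparsable.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    $query = isset($url['query']) ? urldecode($url['query']) : '';
    return [$m[1], $url['path'] ?? '/', $query];
}

// Returns ['ip path' => ['technique' => hit count, ...]] for every client/path pair.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $p = parseLine($line);
        if ($p === null) {
            continue;
        }
        [$ip, $path, $query] = $p;
        foreach (PATTERNS as $name => $re) {
            if (preg_match($re, $query)) {
                $hits["$ip $path"][$name] = ($hits["$ip $path"][$name] ?? 0) + 1;
            }
        }
    }
    return $hits;
}

// One Boolean-blind probe can be a false positive; a run of them from one client
// against one path is the extraction loop. File reads/writes alert on first sight.
function report(array $hits, int $blindThreshold = 3): array
{
    $alerts = [];
    foreach ($hits as $key => $techs) {
        foreach ($techs as $name => $n) {
            if (strpos($name, 'boolean') === 0 && $n < $blindThreshold) {
                continue;
            }
            $alerts[] = sprintf('%s: %s x%d', $key, $name, $n);
        }
    }
    return $alerts;
}

// Constructed sample (addresses from the documentation range, paths assumed):
// normal traffic, three Boolean-blind probes differing only in the byte being
// tested, one load_file() read, and one INTO DUMPFILE write.
$sample = [
    '203.0.113.9 - - [10/Oct/2010:13:55:36 +0000] "GET /products.php?id=7 HTTP/1.1" 200 5123',
    '198.51.100.4 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2210',
    '203.0.113.9 - - [10/Oct/2010:13:55:37 +0000] "GET /products.php?id=7%20and%20(case%20when%20(hex(mid(col,1,1))=0x61)%20then%20187%20else%200%20end) HTTP/1.1" 200 1200',
    '203.0.113.9 - - [10/Oct/2010:13:55:38 +0000] "GET /products.php?id=7%20and%20(case%20when%20(hex(mid(col,1,1))=0x62)%20then%20187%20else%200%20end) HTTP/1.1" 200 1200',
    '203.0.113.9 - - [10/Oct/2010:13:55:39 +0000] "GET /products.php?id=7%20and%20(case%20when%20(hex(mid(col,1,1))=0x63)%20then%20187%20else%200%20end) HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2010:14:02:01 +0000] "GET /products.php?id=7%20union%20select%20load_file(%27c:/wamp/www/index.php%27) HTTP/1.1" 200 9800',
    '203.0.113.9 - - [10/Oct/2010:14:10:44 +0000] "GET /products.php?id=7;%20select%20shell%20into%20dumpfile%20%27c:/wamp/www/shell.php%27%20from%20stupid_table HTTP/1.1" 200 5123',
];

foreach (report(scanLog($sample)) as $alert) {
    echo $alert . PHP_EOL;
}
```

On the sample this prints one alert per technique for `203.0.113.9 /products.php` (the Boolean-blind line with `x3`) and nothing for the benign requests. Detection is the second line of defence; the last two techniques are stopped outright by not granting the application's MySQL account the FILE privilege and by setting `secure_file_priv` so that LOAD_FILE and INTO DUMPFILE cannot touch the web root.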
Thanks to the PHP shell I'm now able to control the system: upload/download/edit/delete/copy/move files, browse disk drives, execute system commands, use the server as a zombie to attack other servers... you name it!
I didn't even have to crack over 700 hashes; I simply modified the login page to save a plaintext copy of the password before resuming its normal functions... in approximately 10 hours, I had over 300 logins.
To be honest... I'm going to attack the rest of the network; there are several systems attached to the affected server, and I'm curious about their contents.
How am I going to do that? A "Pass-the-Hash" attack.
SQL injection can lead to full system compromise if the database is running with high privileges.
As for the time being... I'd better get back to my work before my boss comes to break my neck :s
I hope you have enjoyed reading.
- Xacker has left the building (for a sip of coffee)