HACKTIVITY Conference 2012. The Big Bang Theory: The Evolution of Security Pentesting. Part 2

HACKTIVITY Conference 2012. The Big Bang Theory: The Evolution of Security Pentesting. Part 1

Now let's try another way to inject SQL. Let's see whether the database is still giving us error messages. This method is called "waiting for a delay", and the delay itself is written as follows: waitfor delay 00:00:01'. I copy this from our file and paste it into the address bar of my browser.

All this is called "time-based blind SQL injection". All we're doing here is saying "wait for a delay of 10 seconds". If you notice, at the top left we have the message "connecting...", so what is our page doing? It waits for a connection, and after 10 seconds the correct page appears on your monitor. With this trick we ask the database to let us ask it a few more questions, for example: if the user is Joe, then wait 10 seconds. Is that clear? If the user is dbo, wait 10 seconds too. This is the blind SQL injection method.

I think that developers do not fix this vulnerability when creating patches. This is SQL injection, but our IDS program does not see it either, just like the previous SQL injection methods.
Let's try something more interesting. Copy this line with the IP address and paste it into the browser. It worked! The TCP bar in our program turned red; the program noted 2 security threats.

Okay, let's see what happened next. We have one threat to the XP shell, and another threat is an SQL injection attempt. In total, there were two attempts to attack the web application.
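The contrast the talk draws here, between an IDS that misses the timing payload and one that fires on xp_cmdshell, comes down to what the detector actually looks at. The following is an added example, not code from the talk or from any IDS product: a small Python log scanner run over constructed web-server log lines (the client address, timestamps and paths are made up) whose query strings carry the three kinds of payload the talk has shown so far. The signature names, the log layout and the normalisation step are my assumptions; the point it demonstrates is that the "waitfor delay" and tautology payloads only become visible after the query string is URL-decoded and whitespace-normalised, while the xp_cmdshell string matches raw, which is exactly the lopsided behaviour the talk observes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the talk). Line 2 carries a
# time-based payload, line 3 an xp_cmdshell call, line 4 a tautology.
SAMPLE_LOG = """\
192.168.2.10 - - [10/Oct/2012:10:00:01] "GET /login.aspx?user=joe HTTP/1.1" 200
192.168.2.10 - - [10/Oct/2012:10:00:05] "GET /login.aspx?user=joe'%3Bwaitfor+delay+'00:00:10'-- HTTP/1.1" 200
192.168.2.10 - - [10/Oct/2012:10:00:09] "GET /login.aspx?user=joe'%3Bexec+master..xp_cmdshell+'ping' HTTP/1.1" 500
192.168.2.10 - - [10/Oct/2012:10:00:12] "GET /search.aspx?q=Joe'+OR+1='1 HTTP/1.1" 200
"""

# Assumed signature set. Each regex is applied to the lower-cased query string;
# whether that string was URL-decoded first is the whole point of the demo.
SIGNATURES = {
    "sqli_time_based": re.compile(r"waitfor\s+delay\s+'?\d{2}:\d{2}:\d{2}"),
    "sqli_xp_cmdshell": re.compile(r"xp_cmdshell"),
    "sqli_tautology": re.compile(r"'\s*or\s+\S+\s*=\s*'?\S+"),
}

# Pulls the request target out of a common-log-format request line.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(?P<path>\S+)\s+HTTP/\d\.\d"')


def normalise(query):
    """URL-decode ('+' and %XX) and collapse whitespace so that an encoded
    or padded payload matches the same signature as a plain one."""
    decoded = unquote_plus(query)
    return re.sub(r"\s+", " ", decoded).lower()


def scan_line(line, decode=True):
    """Return the list of signature names that match this log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    text = normalise(query) if decode else query.lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(log_text, decode=True):
    """Map line number -> matched signatures, for lines that matched."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = scan_line(line, decode)
        if found:
            hits[n] = found
    return hits


if __name__ == "__main__":
    print("with decoding:   ", scan_log(SAMPLE_LOG))
    print("without decoding:", scan_log(SAMPLE_LOG, decode=False))
```

Run stand-alone, the decoding scan flags lines 2, 3 and 4, while the raw scan flags only line 3: a signature for a fixed token such as xp_cmdshell survives URL encoding, but anything that depends on spaces or quotes does not unless the detector decodes first.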

Okay, now help me with the logic. We have a captured data packet for which the IDS says it has responded to various XP shell tampering.

If we go down, we see a table of HEX codes, to the right of which there is a flag with the message xp_cmdshell + &27ping, and obviously this is bad.

Let's see what happened here. What did SQL Server do?

The SQL server said "you can have my database password, you can get all my database records, but dude, I don't want you to run your commands on me at all, that's not cool at all"!

What we need to do is ensure that even if the IDS reports a threat to the XP shell, the threat is ignored. If you are using SQL Server 2005 or SQL Server 2008, if an SQL injection attempt is detected, the operating system shell will be locked, preventing you from continuing your work. It's very annoying. So what are we to do? You should try to ask the server very affectionately. Should I say something like, “please, daddy, can I have these cookies”? That's what I do, seriously, I ask the server very politely! I'm asking for more options, I'm asking for a reconfiguration, and I'm asking for XP shell settings to be changed to make the shell available because I need it!

We see that IDS has detected this - you see, 3 threats have already been noted here.

Just look here - we blew up the security logs! It looks like a Christmas tree, so many things are hung here! As many as 27 security threats! Hooray guys, we caught this hacker, we got him!

We are not worried that he will steal our data, but if he can execute system commands in our "box" - this is already serious! You can draw the Telnet route, FTP, you can take over my data, that's cool, but I don't worry about that, I just don't want you to take over the shell of my "box".

I want to talk about things that really got me. I work for organizations, I've been working for them for many years, and I'm telling you this because my girlfriend thinks I'm unemployed. She thinks that all I do is stand on the stage and chat, this cannot be considered work. But I say: “no, my joy, I am a consultant”! That's the difference - I speak my mind and I get paid for it.

Let me put it this way - we as hackers love to crack the shell, and for us there is no greater pleasure in the world than "swallowing the shell." When IDS analysts write their rules, you can see that they write them in a way that protects against shell hacking. But if you talk to CIO about the problem of extracting data, he will offer you to think about two options. Let's say I have an application that makes 100 "pieces" per hour. What is more important to me - to ensure the security of all data in this application or the security of the "box" shell? This is a serious question! What should you be more concerned about?

Just because you have a broken "box" shell doesn't necessarily mean that someone has gained access to the inner workings of the applications. Yes, it's more than likely, and if it hasn't happened yet, it may soon. But note that many security products are built on the premise that an attacker roams your network. So they pay attention to the execution of commands, to the injection of commands, and you should note that this is a serious thing. They point out trivial vulnerabilities, very simple cross-site scripting, very simple SQL injections. They don't care about complex threats, they don't care about encrypted messages, they don't care about that sort of thing. It can be said that all security products are looking for noise, they are looking for "yapping", they want to stop something that bites your ankle. Here's what I learned when dealing with security products. You don't need to buy security products, you don't need to drive the truck in reverse. You need competent, skilled people who understand the technology. Yes, my God, people! We don't want to throw millions of dollars into these problems, but many of you have worked in this field and know that as soon as your boss sees an ad, he runs to the store yelling "we gotta get this thing!". But we don't really need it, we just have to fix the mess that is behind us. That was the premise for this performance.

A high-security environment is something I spent a lot of time on, understanding the rules of how the protection mechanisms work. Once you understand the protection mechanisms, bypassing the protection is not difficult. For example, I have a web application that is protected by its own firewall. I copy the address of the settings panel, paste it into the address bar of the browser, go to the settings and try to apply cross-site scripting.

As a result, I receive a firewall message about a threat - I was blocked.

I think it's bad, do you agree? You are facing a security product. But what if I try something like this: put the parameter Joe'+OR+1='1 into the string

As you can see, it worked. Correct me if I'm wrong, but we've seen SQL injection defeat the application firewall. Now let's pretend we want to start a security company, so let's put on the software maker's hat. Now we embody evil because it's a black hat. I'm a consultant, so I can do this with software producers.
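The reason a tautology like the one above gets past the application firewall and still works is that the application builds its query by string concatenation; the fix belongs in the code, not in the product in front of it. The following is an added example, not code from the talk: a Python script against an in-memory SQLite table with constructed rows, showing the vulnerable lookup next to the parameterised one. The table, the rows and the function names are assumptions. The payload uses the same tautology as the talk's Joe'+OR+1='1, with the right-hand side quoted as '1'='1' because SQLite compares an unquoted integer and a quoted string as unequal; the effect on the concatenated query is the same.

```python
import sqlite3

# Constructed sample data (not from the talk).
SAMPLE_ROWS = [("joe", "user"), ("dbo", "admin"), ("alice", "user")]

# Tautology payload, URL-decoded form of what the talk types into the browser,
# with both sides of the comparison quoted so SQLite evaluates it as true.
PAYLOAD = "Joe' OR '1'='1"


def make_db():
    """In-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input is spliced into the SQL grammar, so a
    quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Bound parameter: the driver passes the value separately from the SQL
    text, so whatever it contains is compared as data, never parsed."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups for one input and return the row counts they yield."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, name)),
        "parameterised": len(lookup_parameterised(conn, name)),
    }


if __name__ == "__main__":
    print("plain name:", compare("joe"))
    print("payload:   ", compare(PAYLOAD))
```

For a plain name both lookups return one row; for the payload the concatenated query returns every row in the table while the parameterised query returns none, because the database was asked for a user literally named Joe' OR '1'='1. No firewall rule is involved on either side.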

We want to build and deploy a new intrusion detection system, so we'll start a tamper detection campaign. Snort, as an open source product, contains hundreds of thousands of intrusion threat signatures. We must act ethically, so we will not steal these signatures from other applications and insert them into our system. We're just going to sit down and rewrite them all - hey Bob, Tim, Joe, come on over here and do a quick run through all those 100 signatures!

We also need to create a vulnerability scanner. You know that Nessus, the automatic vulnerability finder, has a good 80 signatures and scripts that check for vulnerabilities. We will again act ethically and personally rewrite them all in our program.
People ask me, "Joe, you do all these tests with open source software like Mod Security, Snort and the like, how similar are they to other vendors' products?" I answer them: “They don’t look alike at all!” Because vendors don't steal stuff from open source security products, they sit down and write all these rules themselves.

If you can make your own signatures and attack strings work without using open source products, this is a great opportunity for you. If you are unable to compete against commercial products, moving in the right direction, you must find a concept that will help you become known in your field.

Everyone knows that I drink. Let me show you why I drink. If you have ever done a source code audit in your life, you will definitely get drunk, trust me, after that you will start drinking.

So our favorite language is C++. Let's take a look at this program - WebKnight is a firewall application for web servers. It has default exceptions. It's interesting - if I deploy this firewall, it won't protect me from Outlook Web Access.

Wonderful! That's because a lot of software vendors are pulling rules out of some applications and putting them into their product without doing a whole bunch of the right research. So when I deploy a network firewall application, I think everything about webmail is done wrong! Because almost any webmail violates the default security. You have web code that executes system commands and queries LDAP or any other user database store right on the web.

Tell me, on what planet can such a thing be considered safe? Just think about it: you open Outlook Web Access, press Ctrl+K, look up users and all that, you manage Active Directory directly from the web, you execute system commands on Linux if you use SquirrelMail or Horde or whatever else. You're pulling out all those evals and other types of unsafe functionality. Therefore, many firewalls exclude them from the list of security threats; try asking your software manufacturer about this.

Let's get back to the WebKnight application. It stole a lot of security rules from a URL scanner that scans all these IP address ranges. And what, all these address ranges are excluded from my product?

Do any of you want to install these addresses on your network? Do you want your network to run on these addresses? Yes, it's amazing. Okay, let's scroll down this program and look at other things that this firewall does not want to do.

They are called "1999" and want their web server to be in the past! Do any of you remember this crap: /scripts, /iishelp, msads? Perhaps a couple of people will remember with nostalgia how much fun it was to hack such things. “Remember, man, how long ago we “killed” servers, it was cool!”.

Now, if you look at these exceptions, you will see that you can do all these things - msads, printers, iisadmpwd - all these things that no one needs today. What about commands that you are not allowed to execute?

These are arp, at, cacls, chkdsk, cipher, cmd, com. When listing them, you are overwhelmed by memories of the old days, “dude, remember how we took over that server, remember those days”?

But here's what's really interesting - does anyone see WMIC here, or maybe PowerShell? Imagine that you have a new application that functions by running scripts on the local system, and these are modern scripts, because you want to run Windows Server 2008, and I'm going to do a great job of protecting it with rules designed for Windows 2000. So the next time a vendor comes to you with their web application, ask him, "hey man, have you provided for things like bitsadmin, or executing PowerShell commands, have you checked all the other things, because we are going to update and use the new version of .NET"? But all these things should be present in the security product by default!

The next thing I want to talk to you about is logical fallacies. Let's go to 192.168.2.6. This is about the same application as the previous one.

You may notice something interesting if you scroll down the page and click on the Contact Us link.

If you look at the source code of the "Contact Us" tab, which is one of the pentesting methods that I do all the time, you'll notice this line.

Think about it! I hear that many at the sight of this said: "Wow"! I once did penetration testing for, say, a billionaire bank, and noticed something similar there. So, we don't need SQL injection or cross site scripting - we have the main thing, this address bar.

So, without exaggeration - the bank told us that they had both a network specialist and a web inspector, and neither made any remarks. That is, they considered it normal that a text file can be opened and read through a browser.

That is, you can just read the file directly from the file system. The head of their security team told me, “yes, one of the scanners found this vulnerability, but considered it minor.” To which I replied, okay, give me a minute. I typed filename=../../../../boot.ini in the address bar and I was able to read the file system boot file!

To this they told me: "no, no, no, these are not critical files"! I answered - but it's Server 2008, isn't it? They said yes, it is. I say - but this server has a configuration file located in the root directory of the server, right? "Right," they answer. "Great," I say, "what if the attacker does this," and I type filename=web.config in the address bar. They say - so what, you don't see anything on the monitor?

I say - what if I right-click on the monitor and select the "Show page code" option? And what will I find here? "Nothing critical"? I will see the server administrator password!

And you say there is no problem here?

But my favorite part is the next one. You don't let me run commands in the box, but I can steal the web server's admin password and database, browse the entire database, rip out all the database and system failure stuff, and walk away with it all. This is the case when the bad guy says "hey man, today is a great day"!
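The filename= handler the talk describes fails twice: it lets the value walk out of the web root (boot.ini) and it serves files that live inside the root but must never reach a browser (web.config). The following is an added example, not code from the talk or from the bank's application: a Python download resolver that canonicalises the requested path, rejects anything outside the web root, rejects a deny-list of configuration file names, and only serves an allow-list of extensions, exercised against a constructed temporary web root. The directory layout, file contents, deny-list and allow-list are assumptions made for the demonstration.

```python
import os
import tempfile


def build_sample_root():
    """Constructed web root: one public document, a web.config inside the
    root, and a boot.ini one level above it (all contents are made up)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "terms.txt"), "w") as f:
        f.write("public document\n")
    with open(os.path.join(root, "web.config"), "w") as f:
        f.write("<configuration><!-- constructed placeholder --></configuration>\n")
    with open(os.path.join(base, "boot.ini"), "w") as f:
        f.write("[boot loader]\n")
    return root


# Assumed policy: names that must never be served even though they sit in the
# web root, and the only extensions the download endpoint exists to serve.
DENIED_NAMES = {"web.config", "global.asax", ".htaccess"}
ALLOWED_SUFFIXES = {".txt", ".pdf", ".png"}


class RejectedPath(Exception):
    """Raised with a short reason when a filename= value is refused."""


def resolve_download(root, filename):
    """Map a user-supplied filename= value onto a file inside root, or raise
    RejectedPath. Checks run on the canonical path, so 'docs/../web.config'
    and 'web.config' are treated identically."""
    root_real = os.path.realpath(root)
    # Treat backslashes as separators: the talk's target is Windows, and a
    # backslash arriving in a URL parameter should never act as a file name.
    requested = filename.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RejectedPath("escapes web root")
    if os.path.basename(candidate).lower() in DENIED_NAMES:
        raise RejectedPath("denied file name")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_SUFFIXES:
        raise RejectedPath("disallowed file type")
    if not os.path.isfile(candidate):
        raise RejectedPath("not a file")
    return candidate


def serve(root, filename):
    """Return the file text for an accepted request, or a '403 <reason>'
    string for a refused one; never raises and never reveals the real path."""
    try:
        path = resolve_download(root, filename)
    except RejectedPath as e:
        return "403 " + str(e)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = build_sample_root()
    for name in ("docs/terms.txt", "../../../../boot.ini", "web.config",
                 "docs/../web.config", "docs\\terms.txt"):
        print(f"{name!r:28} -> {serve(root, name).strip()!r}")
```

The order of the checks matters: the containment test runs first on the canonical path, so a traversal sequence is refused before any name or extension rule is consulted, and the deny-list catches web.config whether it is requested directly or reached through a dot-dot segment that stays inside the root.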

Don't let safety products become your disease! Don't let security products make you sick! Find some nerds, give them all those Star Trek memorabilia, get them interested, encourage them to stay with you, because those nerdy stinkers who don't shower daily are the ones who make your networks work like follows! These are the people who will help your security products work properly.

Tell me, how many of you are able to stay in the same room for a long time with a person who constantly says: "oh, I need to print this script urgently!", and who is busy with this all the time? But you need people who make your security products work.

To reiterate, security products are dumb because the lights are always wrong, they are constantly doing shitty things, they just don't provide security. I've never seen a good security product that doesn't require a guy with a screwdriver to tweak it where it needs to get it to work more or less normally. It's just a huge list of rules saying it's bad, and that's it!

So guys, I want you to pay attention to education, to things like security, polytechnics, because there are many free online courses on security issues. Learn Python, learn Assembly, learn web application testing.

Here's what will really help you secure your network. Smart people protect networks, network products do not protect! Go back to work and tell your boss you need more budget for more smart people, I know it's a crisis now but tell him anyway we need more money for people to educate them. If we buy a product but don't buy a course on how to use it because it's expensive, then why are we buying it at all if we're not going to teach people how to use it?

I've worked for a lot of security product vendors, I've spent almost my entire life implementing these products, and I'm getting sick of all these network access controls and stuff because I've installed and run all these crap products. One day I went to a client, they wanted to implement the 802.1x standard for the EAP protocol, so they had MAC addresses and secondary addresses for each port. I came, saw that it was bad, turned around and began to press the buttons on the printer. You know, the printer can print a network equipment test page with all MAC addresses and IP addresses. But it turned out that the printer does not support the 802.1x standard, so it should be excluded.

Then I unplugged the printer and changed my laptop's MAC address to the printer's MAC address and connected my laptop, thus bypassing this expensive MAC solution, think about it! So what good can this MAC solution do for me if a person can simply pass off any equipment as a printer or a VoIP phone?

So for me today, pentesting is about spending time trying to understand a security product that my client has bought. Now every bank I do a penetration test at has all these HIPS, NIPS, LAUGTHS, MACS and a whole bunch of other acronyms that just suck. But I'm trying to figure out what these products are trying to do and how they're trying to do it. Then, once I figure out what methodology and logic they use to provide protection, getting around it becomes not at all difficult.

My favorite product, which I'll leave you with, is called MS 1103. It's a browser-based exploit that sprays HIPS, Host Intrusion Prevention Signature, or Host Intrusion Prevention Signatures. In fact, it is intended to bypass HIPS signatures. I don't want to show you how it works because I don't want to take the time to demonstrate it, but it does a great job of bypassing this protection, and I want you to adopt it.
OK guys, I'm leaving now.

Source: habr.com