5/24/2018 apr2012

1/29

----------------------- Page 1-----------------------

Issue 27 April 2012 | Page - 1

----------------------- Page 2-----------------------

Issue 27 April 2012 | Page - 2

----------------------- Page 3-----------------------

Issue 27 April 2012 | Page - 3

XSS The Burning issue JavaScript cod

e on the victim's browser. The impact ofan XSS attack is only limitedin Web Application by the potency of the attacker's JavaScript

code.

One of the largest portals was in news A quick look into the types of XSS :-recently when their website was exploitedby targeting XSS vulnerability. The person StoredXSS Attackswho compromised the website has also Reflect

ed XSS Attacksnotified the portal with screenshots proving DOM Based XSSsuccessful attack. Information Security chiefcalled an urgent meeting to discuss the issue Stored XSS -Stored XSS are those wherewith his entire team. He asked that we have the injectedcode is permanently stored ongot application security audit done form the target servers, such as in a database, in athird party before going live, we have also message forum, visitor log, comment field,trained our developers with secure coding etc. The victi

m then retrieves the maliciouspractices, then why this incident happened!! script fromthe server when it requests theThey went to other third party vendor and stored information.appointed them to audit the application.Audit team has found that XSS can be Reflected XSS - Reflected XSS are thosepossible from the Custom XSS attack where the injected code is reflected off the

5/24/2018 apr2012

2/29

vector method. web server, such as in an error message,

search result, or any other response thatIn this paper, I will be explaining two major includes someor all of the input sent to theaspects of Cross Site Scripting Attack: server as partof the request. Reflected XSS

are delivered to victims via another route,

1. Tricky XSS such as inan e-mail message, or on some2. Complete control over User

s other web server. When a user is tricked

browser BeEFinto clicki

ng on a malicious link orsubmitting a

specially crafted form, theCross Site scripting (XSS) is an attack in

injected code travels to the vulnerable webwhich an attacker exploits vulnerability in

server, whichreflects the attack back to theapplication code and runs his own

----------------------- Page 4-----------------------

Issue 27 April 2012 | Page - 4

user's browser. The browser then executes There are more common attack vectors but

the code because it came from a "trusted" we are not going to discuss those in thisserver. article, what weare going to discuss is out of

box attacks which requires more patienceDOM based XSS - DOM Based XSS is an and more beer XSS attack wherein the attack payload isexecuted as a result of modifying the DOM What my personalexperience is saying that,environment in the victim's browser used XSS is more dependentn our observation,by the original client side script, so that the observation of ho

w input gets stored or getclient side code runs in an unexpected reflected on the web page. In some cases Imanner. That is, the page itself (the HTTP have observed that developer uses a userresponse that is) does not change, but the input data insome client side JavaScriptclient side code contained in the page functions. Herethey are getting trapped.executes differently due to the malicious What a develope

5/24/2018 apr2012

3/29

r will do, he will sanitizemodifications that have occurred in the only the USER FACING area (i.e. form), heDOM environment. will not takecare of JavaScript functions.

Let's cover all these possible ways bySo, all this is the story about the types of example.XSS. Now let the real game begin.

Custom Attack Vector I

XSS attack more patience, morepossibility of attack. It's been encountered many a times that

user input values are getting used in clientRegular XSS attack strings: - side java script functions at clients'

machine. Generally developers focus more >alert(document.cookie) GUI, but most of

the time developer forgets ;alert(String.fromCharCode(8 about the functionin which input value are

8,83,83))//\ ;alert(String.fr being used in plain text.

omCharCode(88,83,83))//";alert(String.fromCharCode(88,83,8 In below example

we can see the way XSS is3))//\";alert(String.fromChar successfully expl

oited in applications which

Code(88,83,83))//-- take user input values in javascript

>"> >alert(S functions. ThisVictim application uses the

tring.fromCharCode(88,83,83)) application subdirectory name in the

javas criptfunction. For example, http://www.victim

site.com/abc and JavaScript Function contains subdirectory

names in a plaintext.

5/24/2018 apr2012

4/29

----------------------- Page 5-----------------------

Issue 27 April 2012 | Page - 5

/tickets-booking /search form

+

&t=

+ (((newDate()).getTime() -

began_loading) /1000);alert(document

.cookie);//

+ &t= + (((newDate()).getTime() -

began_loading) / 1000)

Javascript function will treat this line asVictim application has /tickets-

continuation ofthe function line and

booking/search form directory. Observe inexecute the li

ne, then it comes toabove screenshots that /tickets-

alert(document.cookie); it will execute thatbooking/search form is being used at two

command and `// ' will make rest of the lineplaces - one in javascript function and one

as a comment. HenceXSS vulnerability getsin one of the hidden field of the GUI page.

exploited easily inthis application. We haveDeveloper has encoded special characters in

tried all available attack vectors in thishidden field, but we can observe that text is

application, but

application has smartas it is in javascript function.

encoding methodswhich encodes all the/tickets-booking /search form special characters, butby this JAVASCRIPT+

&t=

+ (((new FUNCTION, attackers have exploited XSSDate()).getTime() - very easily.

5/24/2018 apr2012

5/29

began_loading) / 1000)Custom Attack Vecto

r II

Above line is as it is in javascript function. If This is another example of custom attackI write http://www.victimsite.com/abc/xyz vector. In the

victim site, there is onein address bar then application responses hidden variablewhich has the value ofback with page not found error,but the referer page link. T

his value is being used byjavascript function will have value like one javascript function called OpenTicket.below:

Legitimate value of the function line is as

per below:/abc/xyz + &t= + (((newDate()).getTime() - OpenTicket(

TaxTDR.aspx , qw1234began_loading) / 1000) 5678u

,

9999999999

, attack@atta

cker.com

,

55555

,

devil

,

13/02Now we will see a custom attack vector for

/2012this javascript function. I have appended 15:19:13 , 1 , 1 , frmTempasad ,` + &t= + (((new

, , , ,SegmentID)Date()).getTime() -began_loading) /1000);alert(document.cookie);//in the URL. Now the javascript function

becomes like following. By appending thisattack vector, javascript

function treats the line as a legitimate line

and completes thefunction. Then function

----------------------- Page 6-----------------------

Issue 27 April 2012 | Page - 6

executes the document.write function and Style Attributethen it comments rest of the part.

It's been observed that STYLE attribute isOur aim is achieved here, XSS exploited ignored by some of the developers. They

5/24/2018 apr2012

6/29

successfully. block allthe miscellaneous events like

onclick, onmouseover etc. STYLE attributeOnmouseover XSS xss has limitation of supporting only get

execute inIE, but that doesn't mean we canOne form is available on victim website.

ignore it.

This is a part of registration form to registerfor some scheme on public facing page. Fill There isone form on victim website whichthe required information in the form, press expects thedetails of user. Developers havesubmit and capture the request in the web tried their level best to prevent XSS by allproxy tool. the possible methods, but totally ignored

STYLE attribute.

The formis processed with the required

field andcaptures the values in proxy tool.

Observe inthe below screenshot, there is an

appended STYLE attribute with the value of

XSS attackvector in the input field.Append the onmouseover attack vectorinto the first name field.

XSS is exploited successfully at the page.

In response, application respond back witherror message that special characters are

not allowed. But when you click on the textbox of first name, you get surprised. Script There a

re many more victim websitesgets executed on the page. availableon internet; it's just a matter of

how expert you are to catch the vulnerable

point. For Reflected XSS, how your input

gets reflected on the entire html page

concerns a

5/24/2018 apr2012

7/29

lot. Now we have successfullyexploited

XSS in web applications, let's seehow an at

tacker can take full control ofvictim's brow

ser using BeEF.

The Browser Exploitation Framework

(BeEF) isa powerful professional security

tool. BeEF is pioneering techniques that

provide the experienced penetration tester

with practical client side attack vectors.

----------------------- Page 7-----------------------

Issue 27 April 2012 | Page - 7

Unlike other security frameworks, BeEF Now, let's start the attacker machines. Andfocuses on leveraging browser let's initialize the BeEF on the machine.vulnerabilities to assess the security Below isthe screenshot for the BeEF loginposture of a target. BeEF hooks one or page.more web browsers as beachheads for thelaunching of directed command modules.

Each browser is likely to be within adifferent security context, and each contextmay provide a set of unique attack vectors. http://beefproject.com/

Disclaimer: In this entire examplesection I have usedhttp://demo.testfire.net as a victimsite. This website is handled by IBM,and which contains number ofvulnerabilities by intention only.

BeEF framework code is available at

http://code.google.com/p/beef/downloads/list. Anyone can download and install BeEF, After logininto the BeEF framework, belowwhich requires web server, PHP and ruby is the first look or we can say home page ofinstallation as pre-requisites. Backtrack the initialized BeEF.(BT) has inbuilt setup of BeEF in it. BTusers can use it without any installation. In

5/24/2018 apr2012

8/29

this article, I have used BT to demonstrate.

Lets start it by a simple XSS example. Belowin the search filed pass the simple XSSvector, alert('XSS')

Now the real game is about to begin. At the

Victim side

, earlier we have seen the normal XSS on demo site. Let's apply the BeEF

attack payload on the site.

----------------------- Page 8-----------------------

Issue 27 April 2012 | Page - 8

Nowentire browser is in attacker's hand. He

can check the system information of the

created information.

Simply apply this script code in the searchbox of the application. IP address is live IPaddress of a machine on which BeEF isconfigured. Hook.js will hook a browser into

BeEF.

There are many other ways possible to forcevictim user to click on this payload, forexample by sending one image which hasmalicious link behind it, or by click jackingattack, or by email etc.

When Victim execute BeEF payload, he

won't see any changes on his side, but the atthe attacker side, he can see one ZOMBIEcreated.

----------------------- Page 9-----------------------

5/24/2018 apr2012

9/29

Issue 27 April 2012 | Page - 9

Attacker can execute JAVASCRIPTS fromhis end to victim's browser. In belowscreenshot attacker is sending the javascriptalert box request.

I have opened Facebook in Victim'sbrows

er.

BeEFplugin has detected that Facebook is

initiated at the victim's browser.

Alert box get populated at the victim's end.

BeEF can also detect the social networkingsite status on the browser. Detect Socialnetworks module will detect if the victim's

browser is authenticated to Gmail,Facebook or Twitter.

----------------------- Page 10-----------------------

Issue 27 April 2012 | Page - 10

BeEF can also be useful to capture the bestto prevent XSS by applying wellkeystrokes of the victim's browser. I have encoding

techniques, also do not allowopen one test page at victim's browser insertionof any HTML tag or attribute inwhich has one textbox field. I have typed editable

input option (i.e. textbox, listbox,secret password as the textbox value. textarea) and hidden variables. XSS attack

may harm a lot; it all depends on how bad

development skills of the application

developer are and how good attackers' skills

are.

5/24/2018 apr2012

10/29

At the BeEF framework, event Logs willhave an entry that was typed by the user onthe victim browser secret password in onetextbox.

Ankit Nirmalankit.ni

rmal@indusface.com

Ankit Nirmal is a senior information

security consultant at Indusface. Ankit

hasover 2 years of experience in

information and application security. At

Indusface, Ankit currently leads a team

of security engineers and is conducting

expansive research in the automate

application security and code reviewThis was all about some tricky and advance proce

ss.stuff of XSS. Sometimes one wonders what

if attackers hook cyber caf's or library's orpublicly available computer into their

BeEF!! All those who access these machines

will suffer a lot. One should try their level

----------------------- Page 11-----------------------

Issue 27 April 2012 | Page - 11

Sysinternals Suite TCP connections. TCP View is a subset of

the NetStat program which provides a more

informative and conveniently handled data.

5/24/2018 apr2012

11/29

On downloadingTCPView Tcpvcon and aSysinternals utilities are one of the best

command-lineversion with the same

friends of administrator. Sysinternals wasfunctionality com

es along as a surprise gift.original created back in 1996 by MarkRussinovich and Bryce Cogswell and wasbought by Microsoft in 2006. Since then the

company has continued to release new toolsand improve the existing ones.

The Sysinternals suite consists of thefollowing different categories:

File and Disk Utilities Networking Utilities Process Utilities Security Utilities System Information Utilities Miscellaneous Utilities

Using TCPViewWe will look into some interesting utilitiesthat can come to our rescue in a handy. TCPView enumerates all the active TCP and

UDP endpoints, resolving all IP addresses toTCPView v3.05

their domainname versions. To toggle

between the displays of resolved names aTCPView is a program from Windows that

toolbar button ormenu item can be used. Byshows a detail listings of all the TCP and

default, TCPViewupdates every second, butUDP endpoints on a system, including allthe local and remote addresses and state of

----------------------- Page 12-----------------------

Issue 27 April 2012 | Page - 12

you can use the Options|Refresh Rate menu integratedsymbol support for eachitem to change the rate. operation, simultaneous logging to a file,

and much more. It is a powerful utilityColor Coding: Endpoints which changes whose featureswill make it an important

5/24/2018 apr2012

12/29

state from one update to the next are utility in one's system troubleshooting andhighlighted in yellow; those which are malware huntingtoolkit.deleted are shown in red, and newendpoints are shown in green. Overview

of Process MonitorCapabilities

One can close any established connectionswhich are labeled as a Established by Process Monitor includes powerful

selecting File|Close Connections, or by monitoringand filtering capabilities,right-clicking on a connection and choosing including:Close Connections from the resultingcontext menu. The data captured for operation

input and output parameters is moreUsing Tcpvcon detailed.

The thread stacks are captured forTcpvcon is similar to use as the built-in each o

peration making it easier toWindows netstat utility. identify the root cause of any

operation.Usage: tcpvcon [-a] [-c] [-n] [process name

Capture of process details, includingor PID]

image path, command line, user and-a Show all endpoints (default is to session

IDshow established TCP connections). The event properties columns are

configurable and moveable-c Print output as CSV. The filters can be set for any data

field,including fields which are not-n Don t resolve addresses. configured as columns

Advanced

logging architecture scalesThe TCPView is a very useful and a handy

to tensof millions of captured eventstool which gives the details in one view to

and gigabytes of log datathe Administrator.

A process tree tool shows

5/24/2018 apr2012

13/29

Process Monitor v3.0 relationship of all processes

referenced in a traceProcess Monitor is monitoring tool that Easyviewing of process image

shows file system, Registry and informationprocess/thread activity. It is a combination Boot timelogging of all operations isof the features of two important possibl

e.Sysinternals utilities, Filemon and Regmon.It adds an extensive list of enhancements

including rich and non-destructive filtering,comprehensive event properties such

session IDs and user names, reliable processinformation, full thread stacks with

----------------------- Page 13-----------------------

Issue 27 April 2012 | Page - 13

The Sysinternals Troubleshooting Utilities

have been rolled up into a single Suite of

tools. This file contains the individual

troubleshooting tools and help files.

http://technet.microsoft.com/en-

us/sysinternals/bb842062

Author:

Amit Kumar

Amit is a System Engineer at Infosys.

5/24/2018 apr2012

14/29

There are malwares present which analyze

whether any of the Sysinternal tools arerunning and before attack they make sure to

close it or change its own behavior. Thesetypes of malwares need to be analyzed

separately.

If used properly the Sysinternals now calledas WinInternals can be very useful and can

make you work easier if used properly

----------------------- Page 14-----------------------

Issue 27 April 2012 | Page - 14

Decoding ROT usingthe Echo and TrCommands in your

Linux Terminal It would echo the word ProjectX=). Thus,

5/24/2018 apr2012

15/29

the commandis used to write its arguments

to standardoutput. Another command thatROT which is known as the Caesar Cipher is we will be using is the tr command whicha kind of cryptography wherein encoding is translates

characters. I saw in pastebindone by moving the letters in the alphabet different

implementations in differentto its next letter. There are 25 possible ROT programming

languages to decode ROT andsettings which covers the scope of letters A- that most of them are using the TRZ. Thus in ROT-1, A is equals to B and B is application so why not mixed it with theequals to C and so are the next letters but Z echo command? Alright here it goes, forwould go back to A. And so the ROT-1 example QspkfduY is ROT-1 and so I cancipher of `ProjectX`is `QspkfduY`. Thus, ROT decode it usiecho QspkfduY | tr `b-za-= rotation. aB-ZA-A' `a-zA-Z'.

In this short write up we will be using theecho and tr bash commands in your Linuxterminal to encode or decode letters usingROT cipher. The `echo' command is a built-in command in Bash in C shells whichrepeats the letters of words after it. Forexample:

----------------------- Page 15-----------------------

Issue 27 April 2012 | Page - 15

To decode the ROT-2 ProjectX which isRtqlgevZ, I can just change b-za-aB-ZA-A to c-za-bC-ZA-B.

Jay Turla

shipcodez@gmail.comThis list should help you to decode ROT-3 toROT-25:

Jay Turlais a programming student and

Infosec enthusiast from the Philippines.ROT-3 = tr d-za-cD-ZA-C `a-zA-Z'

He is one

5/24/2018 apr2012

16/29

of the bloggers of ROOTCONROT-4 = tr

e-za-dE-ZA-D

`a-zA-Z'(Philippin

e Hackers Conference) andROT-5 = tr f-za-eF-ZA-E `a-zA-Z'

TheProjectX Blog.

ROT-6 = tr

g-za-fG-ZA-F

`a-zA-Z'(http://ww

w.theprojectxblog.net/)ROT-7 = tr h-za-gH-ZA-G `a-zA-Z'

ROT-8 = tr

i-za-hI-ZA-H

`a-zA-Z'ROT-9 = tr -za-iJ-ZA-I `a-zA-Z'

ROT-10 = tr k-za-jK -ZA-J `a-zA-Z'ROT-11 = tr

l-za-kL-ZA-K

`a-zA-Z'

ROT-12 = tr

m-za-lM-ZA-L

`a-zA-Z'

ROT-13 = tr

n-za-mN-ZA-M

`a-zA-Z'ROT-14 = tr o-za-nO-ZA-N `a-zA-Z'ROT-15 = tr

p-za-oP-ZA-O

`a-zA-Z'ROT-16 = tr q-za-pQ-ZA-P `a-zA-Z'ROT-17 = tr

r-za-qR-ZA-Q

`a-zA-Z'

ROT-18 = tr

s-za-rS-ZA-R

`a-zA-Z'ROT-19 = tr

t-za-sT-ZA-S

`a-zA-Z'ROT-20 = tr u-za-tU-ZA-T `a-zA-Z'ROT-21 = tr v-za-uV-ZA-U `a-zA-Z'ROT-22 = tr w-za-vW-ZA-V `a-zA-Z'ROT-23 = tr x-za-wX-ZA-W `a-zA-Z'ROT-24 = tr y-za-xY-ZA-X `a-zA-Z'ROT-25 = tr z-za-yZ-ZA-Y `a-zA-Z'

Take note of this technique, this guidemight be useful in CFP for other hackingand information security conventions outthere.

----------------------- Page 16-----------------------

Issue 27 April 2012 | Page - 16

retainingor receiving a stolen computer

resource or a communication device.

Provisions of Sec. 66B The section reads as

Whoever dishonestly receives or retains any

stolen computer resource or communication

5/24/2018 apr2012

17/29

Punishment for dishonestly device knowing or having reason to believereceiving stolen computer the same to be stolen computer resource orresource or communication communication device, shall be punished

with imprisonment of either description fordevice

a term which may extend to three years or

As we have discussed in the earlier articles, with fine which may extend to rupees oneunder the amended Information Technology lakh or with both.Act, Section 66 has been completedamended to remove the definition of This section applies hacking. Amendments also introduced a Only if the person knows or has aseries of new provisions under Section 66reason to believe that the computercovering almost all major cybercrimeresource or the communication

incidents.device is stolen. An

y stolen computer resource, orIn this article, we will have a look at theto a person who dishonestly receivesprovisions of Sec. 66B which is aboutor retains.

----------------------- Page 17-----------------------

Issue 27 April 2012 | Page - 17

Any stolen communication device.

Here, term `computer resource' means `Computer resource' as defined underSection 2 (1)(k) of the IT Act, 2000

Computer/computer, System/computernetwork/data/computer data base orsoftware.

Hence, this provision can also be applied inthe event of `data theft'.Illustration -

1. Dinesh is working as an office boy inCalsoft systems Pvt. ltd. a

renowned IT company. Although hisSagar Rahurkar.

work profile is low, he has a habit of

5/24/2018 apr2012

18/29

contact@sagarrahurkar.complaying gambling, because of which

he is always in need of money. One

Sagar Rahurkar is a Law graduate, aday, he noticed that, Priyanka, who

Certified Fraud Examiner (CFE) and ais a company secretary of Calsoft has

certified Digital Evidence Analyst.forgot her iPad in the office. He has

stolen the iPad and sold it toHe specializes in Cyber Laws, Fraud

Dheeraj, his friend who knew thatexamination, and Intellectual Property

the iPad is stolen.Law related issues. He has conducted

exclusive training programs for law

Dheeraj can be prosecuted under thisenforcement agencies like Police, Income

provision.

He is a regular contributor to various

2. Dinesh is working as an office boy inInfo-Sec magazines, where he writes on

Calsoft systems Pvt. ltd. aIT Law related issues.

renowned IT company. Dinesh was

Sagar Rahurkar can be contacted atinfamous in the office as a greedy

contact@sagarrahurkar.comperson who is always behind money

and lavish lifestyle. One day, he

noticed that, Priyanka, who is a

5/24/2018 apr2012

19/29

company secretary of Calsoft has

forgot her laptop in the office.

Dinesh stolen the laptop, took it

home and given to his kids to play

with.

Dheeraj can be prosecuted under this

provision.

----------------------- Page 18-----------------------

Issue 27 April 2012 | Page - 18

Start VM Ware and boot Matriux.How to enable Wi-Fi After you login and obtain an IP, if

on Matriux runningyou execute ifconfig -a, by default

you will see only two interfaces i.e.,inside VMwareeth0 and lo.

8:22 root@(none) /root# ifconfig aIntroduction

eth0 Link

encap:Ethernet HWaddrOne of the most commonly asked questionaa:00:04:00:0a:04on Matriux forums and IRC is how to enable inetaddr:192.168.116.130

and work with Wi-Fi on a Matriux instance Bcast:192.168.116.255

running inside VMware or any other Mask

5/24/2018 apr2012

20/29

:255.255.255.0

virtualization software. This tutorial will inet6 addr: fe80::a800:4ff:fe00:a04/64

Scope:Linktake you step by step on how to do that. UP BROADCAST RUNNING MULTICAST MTU:1500

Metric:1For this tutorial, I am running VMware RX pac

kets:34 errors:0 dropped:0Workstation on a Windows 7 Enterprise N overruns:0 frame:0Edition which is my Host machine. The TX packets:119 errors:0 dropped:0

overruns:0 carrier:0Matriux is (obviously) my guest operating

collisions:0 txqueuelen:1000system running "Krypton" v1.2. I am using aD-Link DWA-125 Wireless N 150 USBAdapter for this tutorial.

ProcedureThere are so many methods and approachesto enable Wi-Fi inside VMware /Virtualization environment. One of thepreferred approaches is explained below:

Note: Do not connect the WirelessAdapter now.

Start Windows 7 (or your Host OS).

----------------------- Page 19-----------------------

Issue 27 April 2012 | Page - 19

collisions:0 txqueuelen:1000RX bytes:4731 (4.6 KiB) TX

bytes:11021(10.7 KiB)Interrupt:19 Base address:0x2000

lo Link encap:Local Loopbackinet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:HostUP LOOPBACK RUNNING MTU:16436

Metric:1RX packets:52 errors:0 dropped:0overruns:0 frame:0TX packets:52 errors:0 dropped:0

Now Connect your USB Wi-Fioverruns:0 carrier:0collisions:0 txqueuelen:0Adapter to your PC / Laptop.

5/24/2018 apr2012

21/29

RX bytes:6688 (6.5 KiB) TX

bytes:6688(6.5 KiB)

If you get a Driver SoftwareInstallation error or information

window (as shown below), click onthe Close button to proceed.

Figure 2

Also, if you move the mouse over the

VM Status Bar USB icons, you can

see the USB WiFi Device listed there

(as shown below):

Figure 1

Now the USB Wi-Fi device is

Figure 3

available for VM. You can verify this by switching to Clic

k (or right-click) on the USB WifiVM and clicking on the menu VM ->

Icon on the VM and click onRemovable Devices.

"Connect (Disconnect from Host)" as You can see the USB Wi-Fi Device sh

own below:listed there as shown below:

Figure 4

----------------------- Page 20-----------------------

Issue 27 April 2012 | Page - 20

The following Message WindowRX packets:107 errors:0 dropped:0

overruns:0 frame:0should appear. Click OK to proceed.

5/24/2018 apr2012

22/29

TX packets:300 errors:0 dropped:0

overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:11883 (11.6 KiB) TX

bytes:20639 (20.1 KiB)

Interrupt:19 Base address:0x2000

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0Figure 5

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING If you look at the VM Status bar, youMTU:16436 Metric:1

can see that the USB WiFi Icon is

RX packets:52 errors:0 dropped:0

overruns:0 frame:0now active and highlighted as shown

TX packets:52 errors:0 dropped:0below:

overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:6688 (6.5 KiB)

TX bytes:6688 (6.5 KiB)

wlan0 Link encap:Ethernet HWaddr

f0:7d:68:62:b9:ab

BROADCAST MULTICAST

MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0Figure 6

overruns:0 frame:0 Now your USB WiFi adapter is ready

TX packets:0 errors:0 dropped:0

overruns:0 carrier:0for your Matriux WM and you can

collisions:0 txqueuelen:1000verify the same using the ifconfig -a

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

5/24/2018 apr2012

23/29

command. The output is displayedbelow:

Conclusion:8:52 root@(none) /root# ifconfig -a

The rest I leave it to your WiFi zeal. Now

you can do all your WiFi experiments with

eth0 Link encap:Ethernet HWaddraa:00:04:00:0a:04 Matriux from within your Virtual

environment.

inet addr:192.168.116.130

Bcast:192.168.116.255J

oin us for more discussion on Matriux andMask:255.255.255.0 W

i-Fi topics at http://forum.matriux.com/

inet6 addr: fe80::a800:4ff:fe00:a04/64 or http://is-ra.org/forum/.Scope:Link H

appy Learning

UP BROADCAST RUNNING MULTICAST

MTU:1500 Metric:1

Team Matriux

http://matriux.com

----------------------- Page 21-----------------------

Issue 27 April 2012 | Page - 21

Local File Inclusion include( board/ .$GET_[ pag

e ];

5/24/2018 apr2012

24/29

}

What is Local File Inclusion??>

Local File Inclusion is a method in PHP for In itself functionssuch as include() are notincluding Local files from the Local web vulnerable butit's wrong use can causeserver itself. serious security is

sue.

This becomes vulnerability when the pages In the above scriptthe include function triesto be included from web servers are not to includes a file from the board sanitized properly and to exploit this subdirectory. Inthis code the developer isvulnerability attacker can send modified not sanitizingthe variable of page forhttp request to the server using a web characters such as periods and slashes (../browser. which is used for m

oving one directory up) and also doesn

tchecks if the file is a webFor example if a developer is using a server systemfile which can allow thevariable from URL (i.e. GET variable) for attacker to include malicious file from thecalling specific file on the server for web server filesystem resulting into criticalinclusion for example the URL is information disclosure or arbitrary code/board/index.php?page=contactus the execution.sample php code for this may be:

For eg. if attacker modifies the page url to:

5/24/2018 apr2012

25/29

vironment variablesand alter them,

such aswww.site.com/board/index.php?page=../../. HTTP_USER_AGENT=Mozilla/5.0./proc/self/environ (Windows NT 6.1; rv:8.0) which we can

tamper and put php script to gain shellThe above URL will cause php to include

environment variables which looks as access.

follows:Following are some of

the PHP functionsused for file inclusion:

PATH=/usr/local/bin:/usr/bin:/binDOCUMENT_ROOT=/hsphere/local/ho include();me/c242949/site.comHTTP_ACCEPT=text/html,application/xhtml+xml,a require();pplication/xml;q=0.9,*/*;q=0.8HTTP_ACCEPT_CHARSET=ISO-8859- include_once();

1,utf- require_once();8;q=0.7,*;q=0.7HTTP_ACCEPT_ENCODING=gzip, Some developers may use their own code fordeflateHTTP_ACCEPT_LANGUAGE=en- filtering these attacks asfollows:us,en;q=0.5HTTP_CONNECTION=keep-aliveHTTP_COOKIE=PHPSESSID=1662i LENAME=/hsphere/shared/php5/bin/phpSERVER_ADDR=98.131.116.1SERVE Beware!! The above code se

ems to be a veryR_ADMIN=webmaster@site.comSERVER a good idea but suchphp filters can be

_NAME=www.site.comSERVER_PORT=80 bypassed easily by making the followingSERVER_SOFTWARE=ApacheGATEWAY_IN request:TERFACE=CGI/1.1SERVER_PROTOCOL=H "index.php?page=....//....//....TTP/1.1REQUEST_METHOD=GETQUERY_S //etc/passwd%00"TRING=filename=/proc/./self/./en

5/24/2018 apr2012

26/29

vironREQUEST_URI=/runner.php?fil

ename=/proc/./self/./environSCRI

PT_NAME=/php5bin/phpPATH_INFO=/runner.phpPATH_TRANSLATED=/hsphere/local/home/c242949/site.com/runner.php

----------------------- Page 23-----------------------

Issue 27 April 2012 | Page - 23

Securing Local File Inclusion case "product":Vulnerabilities:

include("product.php");1. Always try to use if else statement in

following way. For example: default

:

elseif($_GET[

page

]=="produc 2. In the below code:

t")

{

5/24/2018 apr2012

27/29

It will encodethe attackers request

} "index.php?page=../../../etc/

passwd%00" andresult in the

elsefollowing

error:{

Warning:include(pag

e/..%2F..%include("index.php");2F..%2F..%2F..%2Fet

c%2Fpasswd}

%00.php) [function.include]:

?>failed to open s

tream: Nosuch file or direct

oryOr similarly you can use switch case:

3. Use realpath() function in the code:

5/24/2018 apr2012

28/29

4. A good way for restricting the inclusionof /proc/self/environ is to see thatApache server doesnt have access toenviroment variables. We can changethe apache s shell in /etc/passwd to

/sbin/nologin in following way :Vikram Pawar

pawarvikram666@gmail.comapache:x:26:26:Apache:/var/www:/sbin/nologin

Vikram Pawar is a hacking and security

enthusiast. Vikram is currentlyThis restricts apache server to access

pursuing Bachelor's Degree in

environmental variables.

Computer Science and Engineering

from G.H. Raisoni institute of

engineering and technology (Pune).

5/24/2018 apr2012

29/29

----------------------- Page 25-----------------------

Issue 27 April 2012 | Page - 25