Automated vulnerability scanning and exploitation

Slide 1 - Automated vulnerability scanning and exploitation
Dennis Pellikaan, Thijs Houtenbos
University of Amsterdam, System and Network Engineering
July 4, 2013
(Dennis Pellikaan, Thijs Houtenbos - Automated vulnerability scanning and exploitation, 20 slides)

Slide 2 - Introduction

Slide 3 - Research question
How feasible is an automated approach to compromise servers using a known source code attack on a large scale?

Slide 4 - Collect scripts
(chart: collected scripts)

Slide 5 - Analyse scripts
- SQL Injection:
    mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
- File Inclusion:
    require $_POST["lang_install"].".php";
- Command Injection:
    exec($_GET['com'], $result);

Slide 6 - Analyse scripts
(chart: vulnerable scripts)

Slide 7 - Analyse scripts
(chart: vulnerable categories)

Slide 8 - Exploit vulnerabilities
- SQL Injection:
    mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
- File Inclusion:
    require $_POST["lang_install"].".php";
- Command Injection:
    exec($_GET['com'], $result);

Slide 9 - Exploit vulnerabilities
- SQL Injection: the sink is hooked at runtime
    override_function(mysql_query, log_function);
- File Inclusion: the sink is replaced in the source
    line 338: require $_POST["lang_install"].".php";
    line 338: log_function($_POST["lang_install"].".php");
- Command Injection: the sink is replaced in the source
    line 183: exec($_GET['com'], $result);
    line 183: log_function($_GET['com'], $result);
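Slides 5 and 9 together describe a two-step check: find lines where request data flows straight into a dangerous sink, then swap the sink for a logging shim so a test harness records the argument instead of executing it. The following is an added example, not the authors' tooling; the sink lists, the regexes and the name `log_function` (which the slides use for the shim) are assumptions of this example.

```python
import re

# Constructed example: a minimal static check for the three sink classes the
# slides name (SQL injection, file inclusion, command injection), plus the
# source rewrite the slides use to turn a sink into a logging call.
# "log_function" is the slides' name for the recording shim; the sink lists
# and regexes here are this example's assumptions, not the authors' code.

SINKS = {
    "SQL Injection": ["mysql_query"],
    "File Inclusion": ["require_once", "include_once", "require", "include"],
    "Command Injection": ["exec", "system", "shell_exec", "passthru"],
}
# Request data that a remote client controls directly.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")


def classify(line):
    """Return (category, sink) when a request superglobal is passed straight
    into a dangerous sink on this PHP line, otherwise None."""
    for category, sinks in SINKS.items():
        for sink in sinks:
            m = re.search(r"\b" + sink + r"\b", line)
            # the tainted source must appear after the sink name (as its argument)
            if m and SOURCE_RE.search(line, m.end()):
                return category, sink
    return None


def instrument(line, sink):
    """Rewrite the sink call into log_function(...) so a test harness records
    the argument instead of executing it (the slides' 'exec -> log_function')."""
    if sink in SINKS["File Inclusion"]:
        # require/include are language constructs: no parentheses needed
        return re.sub(r"\b" + sink + r"\b\s*(.+?)\s*;", r"log_function(\1);", line, count=1)
    return re.sub(r"\b" + sink + r"\b\s*\(", "log_function(", line, count=1)


def scan(php_lines):
    """Scan PHP lines; return a list of (lineno, category, original, instrumented)."""
    findings = []
    for lineno, line in enumerate(php_lines, start=1):
        hit = classify(line)
        if hit:
            category, sink = hit
            findings.append((lineno, category, line, instrument(line, sink)))
    return findings


# Constructed sample script: the slides' three patterns plus one safe line.
SAMPLE = [
    '$id = (int) $_GET["id"];',                                    # safe: cast before use
    'mysql_query("SELECT * FROM users WHERE id=\'$_GET[id]\'");',  # SQL injection
    'require $_POST["lang_install"] . ".php";',                    # file inclusion
    'exec($_GET["com"], $result);',                                # command injection
]

if __name__ == "__main__":
    for lineno, category, original, rewritten in scan(SAMPLE):
        print(f"line {lineno}: {category}\n  {original}\n  -> {rewritten}")
```

The check is deliberately line-local, so it misses data that is first copied into another variable; the slides' runtime hook (`override_function`) catches those cases because it observes the sink's actual argument.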

Slide 10 - Exploit vulnerabilities
(chart: exploitability)

Slide 11 - Search
- Google Advanced Search Operators:
    allinurl:"/page.php?page_id="
    allintitle:"my special script v0.2a"
- Selective results
- Rate-limiting, CAPTCHA, IPv6
- 20,000 search queries per day
- 120,000 results with 22,000 queries

Slide 12 - Search
(chart: search results)

Slide 13 - Validate search results
- Installation root, derived by matching the URL path against the path inside the package:
    http://www.example.com/users/script/install/admin.php
    /sourceforge/special1.0/install/admin.php
- File comparison with bundled files (readme.txt, style.css, etc.)
- Hash and text matching
- Scoring system based on matching
- 1,555 results had a perfect match
- 4,214 results had a partial match

Slide 14 - Results
(chart: results)

Slides 15-16 - Example (1)
    line 42: $sql = mysql_query("update users SET userid='$_GET[userid]

Slides 17-18 - Example (2)
    line 47: $sql = "update staff set first_name='$_POST[fname]', last_name='$_POST[lname]', middle_name='$_POST[mname]', username='" . $_SESSION['admin_name'] . "', password='" . $_SESSION['admin_pwd'] . "', profile_id=1 where username='admin'";
    line 48: $result = mysql_query($sql);

Slide 19 - Conclusion
How feasible is an automated approach to compromise servers using a known source code attack on a large scale?
- Lots of components in the system, all with their own quirks
- Almost 6,000 vulnerable servers identified
- The process can run continuously for more results
- More input is more output :-)

Slide 20 - Questions