SlideShare ist ein Scribd-Unternehmen logo

Denis Baranov - Root via XSS

DefconRussia
DefconRussia

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

Technologie
1 von 14
Downloaden Sie, um offline zu lesen
Root via XSS Positive Technologies November 2011
How To Get into Troubles Popular builds for web development: • Denwer; • XAMPP; • AppServ.
How to Use Them Peculiarities: • usually run automatically; • contain phpMyAdmin; • have weak passwords; • have full rights (for Windows systems); • contain vulnerabilities; • operate legitimately without alerting antiviruses.
Denwer Current versions have the following vulnerabilities: 1) Service scripts: XSS and SQL Injection; 2) PhpMyAdmin 3.2.3 (CVE 2011-2505, 2009-1151, and etc.); 3) Default login/password for DB connection.
Denwer XSS Peculiarities: • is present in the BD creation script; • all parameters are vulnerable; • is convenient for bypassing browser protections. Examples: • Chrome - /index.php?eBadRootPass=<script>/*&eSqlError=*/alert(' XSS');</script> • IE – /index.php?eBadRootPass=<img%0donerror=alert(1)%20s rc=s%20/> • FF - /index.php?eBadRootPass=<script>alert(/XSS/);</script>
Using XSS Implementation stages: • upload your JS file by means of XSS; • add the SCRIPT tag into the HEAD to upload the file dynamically; • the commands are passed over according to the reverse shell principle; • Use a standard AJAX to address the scripts on the localhost; • Use JSONP to address the script backconnect; • Hide it in the IFRAME tag of the site.
Operating PhpMyAdmin Peculiarities: • requires no authentication for the entrance; • uses a token transferred in the body of the HTML response; • you need just to pass over the token in the GET request to implement the SQL requests.
Access to the File System Access to DB with root rights: • granted rights on reading/writing files; • MySQL located at the victim’s home system. Convenient to use: • Use INTO OUTFILE to create a PHP web shell; • After executing each request from JavaScript, the shell automatically deletes itself; • No need to store the shell since, in general case, it is inaccessible from the outside (by default, Apache in Denwer processes only requests from localhost).
Implementing the Attack Approach: • user opens the attacker’s page; • the script is uploaded to IFRAME via XSS; • the script requests commands from JSONP, its control server; • when the command is received, the script addresses PhpMyAdmin to get a token, and then sends an SQL request for creating a web shell file; • the web shell executes the command and deletes itself.
Hard-Coded Commands The script allows hard-coding the following: • certain sites and an IP router to visit (CSS History Hack); • a list of hard disks to obtain: «echo list volume|diskpart»; • ipconfig /ALL; • values of the environment variables to obtain; • a list of sites on the local system; • the obtained data can be processed on a Client to bypass directories automatically and for other reasons.
Video
Protection Against Attacks Keep an eye on application updates, even on those used in builds Check the default configuration before using a program Use browser plugins analogous to «Noscript» For browser developers: use zone division
Questions?
Thank you for your attention! dbaranov@ptsecurity.ru

Empfohlen

Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen
 
[Mas 500] Various Topics
[Mas 500] Various Topics[Mas 500] Various Topics
[Mas 500] Various Topics
rahulbot
 
Selenium grid workshop london 2016
Selenium grid workshop london 2016Selenium grid workshop london 2016
Selenium grid workshop london 2016
Marcus Merrell
 
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir DžaferovićJavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Chrome O S
Chrome O SChrome O S
Chrome O S
Freelance android developer
 
Selenium Grid
Selenium GridSelenium Grid
Selenium Grid
nirvdrum
 
Java selenium web driver
Java selenium web driverJava selenium web driver
Java selenium web driver
KadarkaraiSelvam
 

Empfohlen

Root via XSS
Root via XSSRoot via XSS
Root via XSS
Positive Hack Days
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
kieranjacobsen
 
[Mas 500] Various Topics
[Mas 500] Various Topics[Mas 500] Various Topics
[Mas 500] Various Topics
rahulbot
 
Selenium grid workshop london 2016
Selenium grid workshop london 2016Selenium grid workshop london 2016
Selenium grid workshop london 2016
Marcus Merrell
 
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir DžaferovićJavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
JavaCro'14 - Continuous deployment tool – Aleksandar Dostić and Emir Džaferović
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Chrome O S
Chrome O SChrome O S
Chrome O S
Freelance android developer
 
Selenium Grid
Selenium GridSelenium Grid
Selenium Grid
nirvdrum
 
Java selenium web driver
Java selenium web driverJava selenium web driver
Java selenium web driver
KadarkaraiSelvam
 
Selenium RC Overview
Selenium RC OverviewSelenium RC Overview
Selenium RC Overview
Ganesh Mandala
 
Ejabberd installation configuration
Ejabberd installation configurationEjabberd installation configuration
Ejabberd installation configuration
Shaojie Yang
 
Introduction to Wildfly 8 - Marchioni
Introduction to Wildfly 8 - MarchioniIntroduction to Wildfly 8 - Marchioni
Introduction to Wildfly 8 - Marchioni
Codemotion
 
What's New in WildFly 9?
What's New in WildFly 9?What's New in WildFly 9?
What's New in WildFly 9?
Virtual JBoss User Group
 
Open Source Citrix Windows PV Drivers - Paul Durrant, Citrix
Open Source Citrix Windows PV Drivers - Paul Durrant, CitrixOpen Source Citrix Windows PV Drivers - Paul Durrant, Citrix
Open Source Citrix Windows PV Drivers - Paul Durrant, Citrix
The Linux Foundation
 
Selenium StudyGroup
Selenium StudyGroupSelenium StudyGroup
Selenium StudyGroup
Marc Myers
 
Managing Large Selenium Grid
Managing Large Selenium Grid�Managing Large Selenium Grid�
Managing Large Selenium Grid
dimakovalenko
 
Intro
IntroIntro
Intro
Vivek Rajasekar
 
Asp.net core 1.0 (Peter Himschoot)
Asp.net core 1.0 (Peter Himschoot)Asp.net core 1.0 (Peter Himschoot)
Asp.net core 1.0 (Peter Himschoot)
Visug
 
Appache1
Appache1Appache1
Appache1
ANTONY P SAIJI
 
Ejabberd Session
Ejabberd SessionEjabberd Session
Ejabberd Session
Kunal Saxena
 
Maven
MavenMaven
Maven
Sandesh Sharma
 
High performance java ee with j cache and cdi
High performance java ee with j cache and cdiHigh performance java ee with j cache and cdi
High performance java ee with j cache and cdi
Payara
 
Play Framework Tutorial
Play Framework Tutorial Play Framework Tutorial
Play Framework Tutorial
AssistSoftware
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
ShapeBlue
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
sanya6900
 
XMPP Academy #2
XMPP Academy #2XMPP Academy #2
XMPP Academy #2
Mickaël Rémond
 
How to Secure Your WordPress Site
How to Secure Your WordPress SiteHow to Secure Your WordPress Site
How to Secure Your WordPress Site
QBurst
 
Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)
Jeffery Hicks
 
Aem maintenance
Aem maintenanceAem maintenance
Aem maintenance
Ashokkumar T A
 
Artyom Shishkin - Printing interception via modifying Windows GDI
Artyom Shishkin - Printing interception via modifying Windows GDIArtyom Shishkin - Printing interception via modifying Windows GDI
Artyom Shishkin - Printing interception via modifying Windows GDI
DefconRussia
 
Alexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyAlexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardly
DefconRussia
 

Weitere ähnliche Inhalte

Was ist angesagt?

What's New in WildFly 9?
What's New in WildFly 9?What's New in WildFly 9?
What's New in WildFly 9?
Virtual JBoss User Group
 
Selenium StudyGroup
Selenium StudyGroupSelenium StudyGroup
Selenium StudyGroup
Marc Myers
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
ShapeBlue
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
sanya6900
 

Was ist angesagt? (20)

Selenium RC Overview
Selenium RC OverviewSelenium RC Overview
Selenium RC Overview
 
Ejabberd installation configuration
Ejabberd installation configurationEjabberd installation configuration
Ejabberd installation configuration
 
Introduction to Wildfly 8 - Marchioni
Introduction to Wildfly 8 - MarchioniIntroduction to Wildfly 8 - Marchioni
Introduction to Wildfly 8 - Marchioni
 
What's New in WildFly 9?
What's New in WildFly 9?What's New in WildFly 9?
What's New in WildFly 9?
 
Open Source Citrix Windows PV Drivers - Paul Durrant, Citrix
Open Source Citrix Windows PV Drivers - Paul Durrant, CitrixOpen Source Citrix Windows PV Drivers - Paul Durrant, Citrix
Open Source Citrix Windows PV Drivers - Paul Durrant, Citrix
 
Selenium StudyGroup
Selenium StudyGroupSelenium StudyGroup
Selenium StudyGroup
 
Managing Large Selenium Grid
Managing Large Selenium Grid�Managing Large Selenium Grid�
Managing Large Selenium Grid
 
Intro
IntroIntro
Intro
 
Asp.net core 1.0 (Peter Himschoot)
Asp.net core 1.0 (Peter Himschoot)Asp.net core 1.0 (Peter Himschoot)
Asp.net core 1.0 (Peter Himschoot)
 
Appache1
Appache1Appache1
Appache1
 
Ejabberd Session
Ejabberd SessionEjabberd Session
Ejabberd Session
 
Maven
MavenMaven
Maven
 
High performance java ee with j cache and cdi
High performance java ee with j cache and cdiHigh performance java ee with j cache and cdi
High performance java ee with j cache and cdi
 
Play Framework Tutorial
Play Framework Tutorial Play Framework Tutorial
Play Framework Tutorial
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
 
INTRODUCTION TO IIS
INTRODUCTION TO IISINTRODUCTION TO IIS
INTRODUCTION TO IIS
 
XMPP Academy #2
XMPP Academy #2XMPP Academy #2
XMPP Academy #2
 
How to Secure Your WordPress Site
How to Secure Your WordPress SiteHow to Secure Your WordPress Site
How to Secure Your WordPress Site
 
Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)Introduction to Desired State Configuration (DSC)
Introduction to Desired State Configuration (DSC)
 
Aem maintenance
Aem maintenanceAem maintenance
Aem maintenance
 

Andere mochten auch

Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
yaevents
 

Andere mochten auch (9)

Artyom Shishkin - Printing interception via modifying Windows GDI
Artyom Shishkin - Printing interception via modifying Windows GDIArtyom Shishkin - Printing interception via modifying Windows GDI
Artyom Shishkin - Printing interception via modifying Windows GDI
 
Alexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyAlexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardly
 
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
 
Anton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information securityAnton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information security
 
Fyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activitiesFyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activities
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Ivan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsIvan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle Tools
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
 
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
 

Ähnlich wie Denis Baranov - Root via XSS

Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
beched
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
Xavier Ashe
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRC
Derek Callaway
 
Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011
Bachkoutou Toutou
 

Ähnlich wie Denis Baranov - Root via XSS (20)

Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
AOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian IkeAOEconf17: Application Security - Bastian Ike
AOEconf17: Application Security - Bastian Ike
 
AOEconf17: Application Security
AOEconf17: Application SecurityAOEconf17: Application Security
AOEconf17: Application Security
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRC
 
An introduction to php shells
An introduction to php shellsAn introduction to php shells
An introduction to php shells
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011Stress Free Deployment - Confoo 2011
Stress Free Deployment - Confoo 2011
 

Mehr von DefconRussia

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 

Mehr von DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Kürzlich hochgeladen

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
Femke de Vroome
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
UXDXConf
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
Syngulon
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
ScyllaDB
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Kürzlich hochgeladen (20)

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureECS 2024 Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelTHE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 

Denis Baranov - Root via XSS

  • 1. Root via XSS Positive Technologies November 2011
  • 2. How To Get into Troubles Popular builds for web development: • Denwer; • XAMPP; • AppServ.
  • 3. How to Use Them Peculiarities: • usually run automatically; • contain phpMyAdmin; • have weak passwords; • have full rights (for Windows systems); • contain vulnerabilities; • operate legitimately without alerting antiviruses.
  • 4. Denwer Current versions have the following vulnerabilities: 1) Service scripts: XSS and SQL Injection; 2) PhpMyAdmin 3.2.3 (CVE 2011-2505, 2009-1151, and etc.); 3) Default login/password for DB connection.
  • 5. Denwer XSS Peculiarities: • is present in the BD creation script; • all parameters are vulnerable; • is convenient for bypassing browser protections. Examples: • Chrome - /index.php?eBadRootPass=<script>/*&eSqlError=*/alert(' XSS');</script> • IE – /index.php?eBadRootPass=<img%0donerror=alert(1)%20s rc=s%20/> • FF - /index.php?eBadRootPass=<script>alert(/XSS/);</script>
  • 6. Using XSS Implementation stages: • upload your JS file by means of XSS; • add the SCRIPT tag into the HEAD to upload the file dynamically; • the commands are passed over according to the reverse shell principle; • Use a standard AJAX to address the scripts on the localhost; • Use JSONP to address the script backconnect; • Hide it in the IFRAME tag of the site.
  • 7. Operating PhpMyAdmin Peculiarities: • requires no authentication for the entrance; • uses a token transferred in the body of the HTML response; • you need just to pass over the token in the GET request to implement the SQL requests.
  • 8. Access to the File System Access to DB with root rights: • granted rights on reading/writing files; • MySQL located at the victim’s home system. Convenient to use: • Use INTO OUTFILE to create a PHP web shell; • After executing each request from JavaScript, the shell automatically deletes itself; • No need to store the shell since, in general case, it is inaccessible from the outside (by default, Apache in Denwer processes only requests from localhost).
  • 9. Implementing the Attack Approach: • user opens the attacker’s page; • the script is uploaded to IFRAME via XSS; • the script requests commands from JSONP, its control server; • when the command is received, the script addresses PhpMyAdmin to get a token, and then sends an SQL request for creating a web shell file; • the web shell executes the command and deletes itself.
  • 10. Hard-Coded Commands The script allows hard-coding the following: • certain sites and an IP router to visit (CSS History Hack); • a list of hard disks to obtain: «echo list volume|diskpart»; • ipconfig /ALL; • values of the environment variables to obtain; • a list of sites on the local system; • the obtained data can be processed on a Client to bypass directories automatically and for other reasons.
  • 11. Video
  • 12. Protection Against Attacks Keep an eye on application updates, even on those used in builds Check the default configuration before using a program Use browser plugins analogous to «Noscript» For browser developers: use zone division
  • 14. Thank you for your attention! dbaranov@ptsecurity.ru