Pubcon Las Vegas 2012 SQL Injection


Description

How to crack into a website using SQL injection, so that you know how to stop it from happening to you. For more on the topic, see the 2011 presentation by Ralf Schwoebel and Todd Keup, which includes this material on recognition, understanding and prevention, as well as monitoring and server-setup best practices.

Transcript of Pubcon Las Vegas 2012 SQL Injection

Page 1: Pubcon Las Vegas 2012 SQL Injection

Todd Keup :: magnifisites.com

What Every Webmaster Should Know About

Code Installation

Cracking and Hacking

Todd Keup @toddkeup

Page 2: Cracker versus hacker

Page 3: Overview

• Motivation
• Tools of the trade
• Common attacks
• Defending yourself

Page 4: Motivation

• Drop links or cookies
• Steal logins, blackmail people
• Building botnets
• Redirect advertising
• Crush competition
• Steal credit cards
• Abuse your server (email, attacks, etc.)

Page 5: Tools of the trade

• Basic hacking became easier
• Portscanners, evil software suites are available to the public
• SARA, brutus, etc.: endless list

Page 6: Common attacks

• SQL injection
• Additional software problems
• How to protect yourself
• Your checklist

Page 7: SQL Injection

• How it looks
• What happens when it succeeds
• Recovery
  – Cleanup
  – Plugging the hole (prevention)
• Monitoring and discovery

Page 8: SQL Injection

Page 9: SQL Injection

    <form method="post" action="process">
    Username: <input name="username" type="text" value="">
    Password: <input name="password" type="password" value="">
    <input name="submitform" type="submit" value="Submit">
    </form>

Incorrectly filtered escape characters:

    query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"

Page 10: SQL Injection

Incorrectly filtered escape characters:

    query = "SELECT * FROM users WHERE name = '" + username + "' AND pass = '" + password + "';"

With the username ' OR 1=1 -- ' and any password, this renders:

    query = "SELECT * FROM users WHERE name = '' OR 1=1 -- '' AND pass = 'doesNotMatter';"

Page 11: SQL Injection

Incorrectly filtered escape characters:

    <?php
    $offset = $_GET['start'];
    $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    $result = pg_query($connection, $query);
    ?>

    // cracker encodes the following into the "start" value of the url
    0;
    insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
      select 'cracker', usesysid, 'yes','yes','jack'
      from pg_shadow where usename='postgres'; --

Page 12: SQL Injection

Incorrectly filtered escape characters:

    query = "UPDATE users SET pwd='$pwd' WHERE uid='$uid';";

    // user enters: ' OR name LIKE '%admin%'; -- ' and it renders:
    UPDATE users SET pwd='abc' WHERE uid='me' OR name LIKE '%admin%'; -- ';

Incorrect type handling:

    query = "SELECT * FROM students WHERE id = " + expectedInteger + ";"

    // user enters: 1;DROP TABLE students
    SELECT * FROM students WHERE id = 1;DROP TABLE students;

Page 13: SQL Injection

Image courtesy of http://xkcd.com/327/

Page 14: SQL Injection: Cleanup, aisle nine

• Check your access logs
• Check file modification time
• Revert to backup?
• Change passwords
• Patch the hole

Page 15: SQL Injection: Casting a type value

    $ticket = (integer) $_POST['ticketnumber'];

Properly filtering data:

    $query = sprintf(
        "SELECT * FROM Users WHERE user='%s' AND pass='%s'",
        mysql_real_escape_string($user),
        mysql_real_escape_string($pass)
    );
    mysql_query($query);

Note that the mysql_* functions shown here were deprecated in PHP 5.5 and removed in PHP 7.0; today the same query is written with mysqli or PDO prepared statements, which bind the values instead of escaping them into the SQL text.
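The slides' login query, LIMIT/OFFSET query and "casting a type value" fix, carried through as an added Python/SQLite example (not code from the talk): the query built by concatenation, the same login with bound placeholders, and an integer-checked offset. The tables, rows and function names are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the slides' users and products tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "apple"), (2, "banana"), (3, "cherry")])
    return conn


def build_vulnerable_query(username, password):
    # Same concatenation as the slide: the input becomes part of the SQL text.
    return ("SELECT * FROM users WHERE name = '" + username
            + "' AND pass = '" + password + "'")


def login_vulnerable(conn, username, password):
    # "Authenticated" as soon as any row comes back. With ' OR 1=1 -- ' as the
    # username the rest of the WHERE clause is commented out, so a row always
    # comes back and the password is never checked.
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text, so quotes and
    # comment markers in the input stay data; the same payload matches no row.
    rows = conn.execute("SELECT * FROM users WHERE name = ? AND pass = ?",
                        (username, password)).fetchall()
    return len(rows) > 0


def products_page(conn, start):
    # The slides' LIMIT/OFFSET query with the type check applied first:
    # int() raises ValueError for "0; insert into pg_shadow ...", and the
    # checked value is still bound as a parameter rather than interpolated.
    offset = int(start)
    return conn.execute(
        "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?",
        (offset,)).fetchall()
```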

Page 16: SQL Injection: Monitor and Discover

Audit your site regularly
• Log form submissions
• Monitor changes to user files
• Use your system tools
• Use the same tools crackers employ
• Identify access patterns of automated tools
• Blacklist hosts that initiate attacks
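The "log form submissions", "identify access patterns of automated tools" and "blacklist hosts" items above, as an added Python example that is not part of the talk: it scans access-log lines for the injection shapes shown on the earlier slides and tallies flagged requests per client host. The log lines, hosts, patterns and threshold are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed combined-format access-log lines, not real traffic. The two
# hostile requests carry URL-encoded forms of the payloads on the slides.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2012:10:01:02 -0700] "GET /products?start=20 HTTP/1.1" 200 4311
198.51.100.9 - - [12/Oct/2012:10:01:05 -0700] "GET /products?start=0%3B+insert+into+pg_shadow(usename)+select+%27cracker%27+from+pg_shadow+-- HTTP/1.1" 500 221
198.51.100.9 - - [12/Oct/2012:10:01:09 -0700] "GET /login?username=%27+OR+1%3D1+--+%27&password=x HTTP/1.1" 200 980
203.0.113.7 - - [12/Oct/2012:10:02:11 -0700] "GET /students?id=7 HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# Shapes from the slides: a quote closing a string followed by an OR tautology,
# a SQL comment marker, and a stacked statement after a semicolon.
SUSPICIOUS = [
    re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
    re.compile(r"--|/\*"),
    re.compile(r";\s*(insert|update|delete|drop|select)\b", re.I),
]


def suspicious_params(path):
    """Return (name, decoded value) for query parameters matching a pattern."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches double-encoding.
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in SUSPICIOUS):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Count flagged requests per client host over the log text."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and suspicious_params(m.group("path")):
            counts[m.group("host")] += 1
    return counts


def hosts_to_block(counts, threshold=2):
    # Candidates for the blacklist: hosts at or above the flagged-request threshold.
    return sorted(h for h, n in counts.items() if n >= threshold)
```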

Page 17: SQL Injection: Monitor and Discover

• Never connect to the database as a superuser or as the database owner.
• Check expected data type
• Escape user supplied values
• Do not print out any database specific information, especially about the schema
• Do not dump raw errors to the display

Page 18: Botnets

Page 19: Thank You

Todd [email protected]

@toddkeup