Today's article is not going to talk too much about the theory that I have recently encountered in a case. Technically, this example is not very advanced, and there is a little bit of dog poop, but it is also typical enough, typically I can tell a lot of things to pretend to force. So, let's get started.
1.1 A dedicated CRM system within the company
What the CRM system is, if you don't know it, please Google yourself. From the data point of view, it contains all the confidential information of a company's customers, if disclosed, the consequences are serious. Below is a website that I stumbled upon, hangs a download link of a CRM software. At first I thought this was a CRM company, but it didn't look like much.
From the other information on the site, it seems to be a company-internal CRM system, so I downloaded it.
Directly is a login interface, I entered a random user name, did not enter a password.
Then I entered an "admin".
Through a simple attempt, we can determine that this is not a general-purpose CRM system, is customized, and can be used outside the network, whether there are bound computers are not known, the extranet server IP does not know, whether directly connected to the external network of the database server does not know. Let's confirm by grasping the bag below.
1.2 Packet Capture Analysis
Start Wireshark, and then click the Login button, immediately stop grasping the packet, I found a series of TDS package.
The following information confirms that the software is directly connected to the database server and does not return data through the backend service interface.
The query statement is obvious, but also very strange, the developer is using the user name to query the password, and then should do is to use the return password and the user entered the password for comparison. But fortunately, the password it returns is encrypted.
According to the knowledge of SQL Server, in the authentication phase, the default is encrypted transmission, does not expose the user name and password, but we can analyze the database from the packet version and the basic information of the server.
Name of the database accessed:
Of course, from the name should be Win7 system, Win7 do the server is also more wonderful.
SQL Server 10.0, which should be version 2008.
OK, now briefly summarize. Through packet capture analysis, we get the target server IP, open ports at least 80 and 1433, the operating system is Win7, the database is SQLServer2008, the target database name of the connection. Below we have three directions can go to work, one is to find the server and Web application vulnerabilities to penetrate, the second is to continue to exploit the vulnerability of the software itself, the third is to attack the database. We do not know the current application login database to use the permissions of the account, but has been able to roughly determine the software programmer's programming level, from the programming level to infer the likelihood of 90% is the SA user or SA permissions. The following evil ideas come, intercept and modify query statements, create a new database management account, and then use the tool directly connected up, then do not control the database, after the control of the database is there a chance to control the server? Try it and you'll know.
1.3 Test man-in-the-middle attack
There's no need for a middleman attack on this machine, is there? But I still very much want to use Ettercap's filter and replace function, can save a lot of trouble.
Start my Kali Linux in the virtual machine first, then launch the Ettercap in Kali for ARP spoofing test (Ettercap's detailed use please Google, here simple explanation).
The first step is to turn on the route forwarding function.
# Enable the IP routing forwarding feature
Echo 1 >/proc/sys/net/ipv4/ip_forward
The second step is to configure forwarding in "/etc/ettercap/etter.conf".
The third step, ARP spoofing.
Fourth step, test.
Using the driftnet test, it is possible to intercept the picture request of the host, if possible, to prove that the ARP spoofing was successful.
1.4 Filter and replace data constructs
The above test proves the possibility of a man-in-the-middle attack, so let's start constructing the filter script. First create a 1433.filter file and enter the following:
The contents of search and replace are required to be constructed on demand. The contents of search we can get in the capture tool just now, that is, the SQL statement that queries the password from the database, replace the content I want it to execute this statement:
CREATE LOGIN hacker with password= ' yougothacked1# ';
Let's look back at the element requesting data to search for.
Select Employee_username,employee_password from E_employee where employee_state= 217 and employee_username= ' admin '
This data is padded with \x00 's null byte after each character, which is not printable, which means we need to convert everything to 16 and then populate \x00.
There is another problem to note that the replacement data must be the same length as the original data , otherwise it will cause TCP data transmission interruption. It's a bit of a hassle to do it by hand, I'd like to write a little program to get it done.
def stringtohex (string,padlength=0):
S1=[hex (Ord (s)). Replace ("0x", ' \\x ') for s in string];
For S in S1:
result=result+s+ ' \\x00 '
For NUM in range (padlength):
result=result+ ' \\x20\\x00 '
def gethex (Sourcesql,targetsql):
If Len (sourcesql) <len (targetsql):
Print (' Erro ');
Padlength=len (Sourcesql)-len (targetsql);
Print (Stringtohex (sourcesql));
Print (Stringtohex (targetsql,padlength));
def main ():
Source= "Select Employee_username,employee_password from E_employee where employee_state= 217 and Employee_username= ' Admin ' ";
target= "CREATE LOGIN hacker with password= ' yougothacked1# '";
If __name__== ' __main__ ':
A little python, not a clever piece of code, does not explain what the final filter script looks like:
Below we will make 1433.filter files into EF files that ettercap can use.
Run Ettercap again:
At this point, click the Software login button.
Did we see the "success replace" printed out by the filter script that was really successful?
I use the VS2015 database connection tool to connect, and miracles happen:
The connection was successful. But the permissions are a bit problematic, we can modify the SQL statement again, to elevate its permissions, such as the following sentence:
ALTER SERVER ROLE sysadmin ADD MEMBER hacker;
This step is not a detailed demonstration, the process is the same as above. Let's go back to the other branch and look for weaknesses in the software itself.
1.5 anti-compilation and decryption
Look at the following content, you will feel that my above operation is a blind effort, a few minutes to solve the problem. This example is true, but the above method is more general and difficult, and it needs to be mastered.
In the installation directory of the software, I first saw such a few DLL files:
As a veteran. NET programmer, see the name I knew it was. NET write the program. So find the config file first, and see if the programmer writes the database connection string here.
The connection string is really here, but it's encrypted.
But here, I have no desire for this program, even if it is better protection, it is also a. NET program, which is a. NET program, I can Break it (professional hack. NET, never failed). However, it is disappointing that the program does not even have the basic code confused, of course, there is no shell, and no code encryption. Use the Anti-compilation tool to randomly point and then copy a few pieces of code:
Still want to vomit groove This code is too slag, but successfully decrypted the connection string, successfully logged in the database, not the SA user, but has SA permissions, tried the next xp_cmdshell, the default is the database is disabled. Execute the following SQL statement to unpack,
sp_configure ' show advanced options ', 1
sp_configure ' xp_cmdshell ', 1
1.6 Summary-Architecture, rights management, encryption/decryption, source protection
Well, again to the installation force of the link. This summary is to say to like me at ordinary times a heap heap, write code when a Tuo Tuo of programmers.
First, permission management must be tightly controlled. A system used within the company, why hang it out on the internet so anyone can download it? Database permissions control, different systems partition different accounts this is the basic common sense (I also often do not divide, is to lazy), different accounts control different permissions, even the account can be refined to read/write, table, storage process level. Since the user has a role to divide, then our code must also have access rights division. Instead of adding a if-else when you want to access the data inside the code, it should be blocked out before the call has started.
Second, a program that must be networked to use, why not data access, core business logic is placed on the remote server, exposing the interface to the client call it? There is only one reason why the programmer is too lazy. I am the WinForm, you want me to do what service side, not! Even the basic hierarchy and service division are not noticed, in the infrastructure this left a security risk, while the client's security vulnerabilities directly caused the server to be compromised.
Third,. Net/java such applications have no way of absolutely preventing decompile, just a matter of time. But this does not mean that we should not do program protection, packers, source confusion, assembly encryption, combined with the server to obtain RSA encryption and decryption of the dynamic assembly Building technology, is able to 90% of the primary users out of the door. The gate is not open.
These topics will not be launched, a search on the internet a lot.
Well, there's nothing to go on, let's finish it.
Here is the ad time:
Follow the subscription number and continue to push excellent security articles.
Welcome to join the network security group: 147098303.
Latest Online Public lesson notice :
Date: May 24
Content: LAN sniffing and sensitive information detection for Python hacking programming
Registration Address: http://edu.csdn.net/huiyiCourse/detail/126
Sniffer, middleman SQL injection, anti-compilation--a case study of desktop software security