You keep your PC up to date with the latest patches and run a good anti-virus solution, so you must be safe, right? But do you have old software installed that you don't use anymore or have forgotten about? Old, discontinued or out-of-date software can leave a wide-open hole into your network. This video shows a port scan and a quick exploit of some old software installed on a PC that should have been uninstalled years ago.
Here we have another example of simple SQL injection. In the previous example we bypassed the authentication control; in this example we dump the user table, which contains every username and password, onto the web page. The page is a simple account-search page: we are asked for our username and password in order to view and edit our account details, and again we can use a simple SQL injection that always evaluates to true (' OR 1=1 -- ). Because the input is not filtered, the whole user table is dumped into the web page. This is a basic example, but it shows that you need to carefully consider the security of any table that users can query: once the table has been dumped we can log in as any user! It also shows why passwords should be stored as salted hashes rather than in clear text, so that a dump like this is far less useful. (Again we are using Mutillidae to demonstrate this vulnerability.)
Another quick video showing how SQL injection can be used to bypass a login page. This is a very basic example, but it clearly shows that if you aren't validating input your site is at risk. Here we use the simple payload ' OR 1=1 -- to bypass the login authentication control. The ' at the start closes the string the application intended to compare against, so the rest of our input becomes part of the statement that runs when you click the login button, and OR 1=1 then makes the condition true for every row. A simplified login check would read "IF Username & Password = true, Login = yes" (this is not a real statement; it is written in simplified form to make it easier to understand). In real SQL the check is usually something like SELECT * FROM accounts WHERE username='...' AND password='...', and after the injection the username part becomes username='' OR 1=1. Our injected condition is true, so even though we have not supplied a valid username and password the statement still returns a row and we get logged in! The -- at the end comments out any SQL that comes after our injection, so the original closing quote and the password check never run (on MySQL the -- must be followed by a space to count as a comment, which is why the payload ends with one). The real fix is to pass user input to the database as a parameter of a prepared statement rather than building the query out of strings. The site we are using in this demonstration is Mutillidae, which is maintained by @webpwnized and is great for learning how to secure web apps; check it out.
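As an added worked example (not code from this page or from Mutillidae), here is the login check from the post above and the account search from the post before it, written in Python against an in-memory SQLite database, with the string-built query beside its parameterised replacement. The table contents, the function names and the use of SQLite are constructed for the example; the payload is the page's own.

```python
import sqlite3

# Constructed sample table standing in for the accounts table dumped in the videos.
# Plaintext passwords are kept only to mirror what the page dumps; a real
# application must store salted password hashes instead.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("alice", "hunter2"),
    ("bob", "letmein"),
]

# The page's payload. The trailing space matters on MySQL, where "--" must be
# followed by whitespace to start a comment; SQLite accepts it either way.
PAYLOAD = "' OR 1=1 -- "


def build_db():
    """In-memory SQLite database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_query(username, password):
    """The bug: user input is concatenated straight into the SQL text."""
    return ("SELECT username, password FROM accounts "
            "WHERE username='" + username + "' AND password='" + password + "'")


def vulnerable_account_search(conn, username, password):
    """Account-search page: returns every row the attacker-influenced statement matches."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def vulnerable_login(conn, username, password):
    """Login page: succeeds if the statement matched at least one row."""
    return len(vulnerable_account_search(conn, username, password)) > 0


def safe_account_search(conn, username, password):
    """The fix: a parameterised query. The payload is compared as a literal
    string value and never reaches the SQL parser as code."""
    return conn.execute(
        "SELECT username, password FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def safe_login(conn, username, password):
    """Same login check, built on the parameterised query."""
    return len(safe_account_search(conn, username, password)) > 0


def demo():
    """Runs the payload against both versions and returns what each gave back."""
    conn = build_db()
    return {
        "statement_sent": vulnerable_query(PAYLOAD, ""),
        "vulnerable_login": vulnerable_login(conn, PAYLOAD, ""),
        "vulnerable_dump": vulnerable_account_search(conn, PAYLOAD, ""),
        "safe_login": safe_login(conn, PAYLOAD, ""),
        "safe_dump": safe_account_search(conn, PAYLOAD, ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The statement the vulnerable version actually sends is SELECT username, password FROM accounts WHERE username='' OR 1=1 -- ' AND password='', which is why the login succeeds with an empty password and the search returns every row. The parameterised version looks for a user literally named ' OR 1=1 -- and finds nothing.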
This shows that even with file-validation controls in place an attacker can manipulate the file extension to get a PHP shell through the filter. The result is the same: from here the attacker can read files on the server or upload their own to inject malicious content into the site. Every visitor to the site is then a potential victim, downloading malicious files or being redirected by tampered links with no idea that the site has been compromised.
This is how quickly it can happen. The site has a simple file-upload control, but it performs no validation at all, which lets us upload a PHP shell and get access to the whole system. Using this shell we can steal password hashes or upload further files to the web server.
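As an added example covering both upload videos above (the one with no validation and the one whose extension filter is bypassed), here is a naive extension check of the kind that renamed shells slip past, beside a hardened check. This is not code from the page; the filter logic, the sample upload names and contents are all constructed for the example, and the renaming tricks shown are common ones rather than the specific one used in the video, which the post does not name.

```python
import os
import secrets

# Constructed sample uploads standing in for the files in the videos.
PHP_SHELL = b"<?php /* placeholder for a web shell body */ ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # JPEG signature followed by padding

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAGIC_BYTES = {                                   # well-known file signatures
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def naive_filter_accepts(filename):
    """A filter of the kind the second video defeats: a case-sensitive
    blocklist that only asks whether the name ends in '.php'."""
    return not filename.endswith(".php")


def last_extension(filename):
    """Lower-cased text after the final dot, after stripping any directory part."""
    name = os.path.basename(filename.replace("\\", "/"))
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def hardened_filter_accepts(filename, content):
    """Allow-list on the final extension, case-folded, plus a check that the
    first bytes carry the signature that extension claims."""
    if "\x00" in filename:                        # null-byte truncation trick
        return False
    ext = last_extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return content.startswith(MAGIC_BYTES[ext])


def safe_stored_name(filename):
    """Never keep the client's name on disk: random name plus the validated extension."""
    return secrets.token_hex(16) + "." + last_extension(filename)


def demo():
    """Runs the same renamed shell uploads through both filters; returns
    {filename: (naive_accepted, hardened_accepted)}."""
    uploads = [
        ("shell.php", PHP_SHELL),                 # plain attempt
        ("shell.PHP", PHP_SHELL),                 # case change
        ("shell.phtml", PHP_SHELL),               # alternative PHP extension
        ("shell.php.jpg", PHP_SHELL),             # double extension
        ("../../shell.php", PHP_SHELL),           # directory part in the name
        ("photo.jpg", REAL_JPEG),                 # legitimate image
        ("polyglot.jpg", REAL_JPEG + PHP_SHELL),  # JPEG header with PHP appended
    ]
    return {name: (naive_filter_accepts(name), hardened_filter_accepts(name, data))
            for name, data in uploads}


if __name__ == "__main__":
    for name, (naive, hardened) in demo().items():
        print(f"{name:18s} naive={naive!s:5s} hardened={hardened}")
```

The polyglot row is the caveat: a file can carry a valid JPEG signature and still contain PHP, so the extension and signature checks only do their job together with storing uploads under a random name (safe_stored_name) outside the web root, or in a directory the web server is configured never to execute scripts from. Whether a name such as shell.phtml or shell.php.jpg is actually run as PHP depends on the server's handler configuration, which is exactly why the filter should not be the only control.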
This starts with you receiving an email that asks you to click on a link. It could be specially crafted by an attacker to make you believe it's from your bank, your email provider, or perhaps your Amazon account. You click the link and all appears to be fine. You also have Facebook open (most people do, or a shopping site), but what is happening in the background is that the attacker now has access to your browser (Firefox, Chrome or Internet Explorer) and can intercept the login credentials you type. They can also craft pop-ups that look like normal update prompts to tempt you into downloading something that compromises your PC permanently, or trick you into logging in again to a website you are already logged into, all without you noticing. You'll also notice that the PC is running up-to-date anti-virus on a fully patched Windows 7 machine.