“Can we deface your Web in 10 mins?” - Edu 3.4

eLearning Consortium 電子學習聯盟
Apr. 8, 2016

  1. Knownsec Hong Kong – Can we deface your Web in 10 mins?
  2. News Ref: http://hk.on.cc/hk/bkn/cnt/news/20150708/bkn-20150708133226995-0708_00822_001.html
  3. News Ref: http://abcnews.go.com/US/ny-high-school-students-accused-hacking-computer-system/story?id=34617530
  4. News Ref: http://www.appledaily.com.tw/realtimenews/article/new/20151024/718116/
  5. Some Common Hacking Incidents
     • Defacement
       • Changing the look of the website, e.g. hackers break into the web server and modify the content
     • Stealing Information
       • Getting some sensitive information (e.g. exam papers) because it is not properly protected
     Ref: https://www.pinoyhacknews.com/web-hacking-terms-what-is- website-defacedefacement
  6. • Modifying Information
       • E.g. hackers break into the server, or go through a website vulnerability, to modify the database content, like school grades
     • Upload Trojan / Shell
       • Hackers upload a backdoor to control the web server; they can change website content, spread viruses, make the web server a zombie, etc.
     • Etc.
     Ref: http://vanish.org/t/images/bot1.jpg
  7. Some Common Vulnerabilities
     • SQL Injection
       • A website vulnerability that allows hackers, through their input, to gain access to the database or even execute commands, e.g. dump the database, modify content, upload files
     • Vulnerable Components
       • Using vulnerable software like an outdated CMS, a vulnerable version of a WordPress plugin, old web servers (e.g. WebDAV exploit)…
     Ref: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
  8. • Sensitive Files
       • Important files are not properly protected, e.g. simply placed where they are internet accessible
     • Weak Passwords
       • Using a weak password like 000000 with no brute-force protection
  9. Demo – Can we deface your Web in 10 mins?
     • There is a sample educational website
  10. Can we deface your Web in 10 mins?
     • Hacking in progress…
       • Browsing the website
       • Finding vulnerabilities
       • Uploading a shell…
       • Defacing the homepage…
  11. Can we deface your Web in 10 mins? – Yes!!
  12. What did the hacker do?
     • Browsing the website
       • Found an interesting directory: /intranet. Have to log in?
       • Found an interesting page: /intranet/fck.php. Using FCKEditor?
     • Finding vulnerabilities
       • Bypass login by SQL Injection…
       • Misconfigured FCKEditor, a vulnerable component
     • Uploading a shell…
       • A file that can control the website
     • Defacing the homepage…
       • Mission completed
  13. Tips
     • Do security assessments on your websites
       • Website vulnerabilities
       • Server configuration
     • Apply countermeasures if necessary
     • Improve security awareness
       • Be aware of the news about the technology the school is using
       • Education
  14. Contact
     • Alan Ho
     • alanho@knownsec.com
  15. Thank you!
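The login bypass on slide 12 and the SQL Injection bullet on slide 7 both come down to a login query assembled from user input. The following is an added example, not code from the presentation or from Knownsec: in Python with an in-memory SQLite table standing in for the demo site's user table (constructed sample data), it shows the vulnerable string-built login beside the parameterised fix, plus a simple pattern check suitable for log alerting.

```python
import sqlite3

# Constructed sample input: a tautology in the password field, the kind of
# input the deck's "bypass login by SQL Injection" step relies on.
BYPASS_INPUT = "' OR '1'='1"


def make_db():
    """Constructed in-memory users table (stand-in for the demo intranet)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('teacher', 'S3cret!pass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened: parameterised query; input is bound as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def looks_like_injection(value):
    """Cheap log/WAF-style check for quote-plus-operator patterns. Useful for
    alerting on login attempts; not a substitute for parameterisation."""
    lowered = value.lower()
    return "'" in value and (" or " in lowered or "--" in value or ";" in value)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass input:", login_vulnerable(db, "anyone", BYPASS_INPUT))
    print("parameterised, same input:", login_safe(db, "anyone", BYPASS_INPUT))
    print("flagged for alerting:", looks_like_injection(BYPASS_INPUT))
```

The vulnerable function returns True for an unknown user with the tautology as password, while the parameterised version returns False for the same input and True only for the real credentials.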