
Automated vulnerability scanning and exploitation

Dennis Pellikaan Thijs Houtenbos

University of Amsterdam, System and Network Engineering

October 22, 2013

Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 40

Introduction

- Open Source scripts: shared on the internet, can be used by anyone
- Lots of attention for large projects (Wordpress, Joomla, etc.)
- What about the rest?


System overview

Completely automated system which gathers source code as input and outputs a list of vulnerable servers.


Sourceforge


Github


System parts

- Collect a large number of projects
- Analyse code for possible vulnerabilities
- Exploit the findings in a local environment to confirm
- Search installations of the project online
- Validate the found installation matches the project


Collect projects

Two sources
- Sourceforge
- GitHub

- Focus on PHP scripts
- Automated download and extraction


Collect projects

Collected projects


Analyse code

SQL Injection
  mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");

File Inclusion
  require $_POST["lang_install"].".php";

Command Injection
  exec($_GET['com'], $result);


Regular Expressions
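The analysis step is a regular-expression pass over PHP sources for the three sink patterns shown above. The block below is an added example, not the authors' tool: the talk only shows the three patterns and says regular expressions were used, so the regexes, the category names and the constructed sample PHP are this example's assumptions. It also shows the two lines such a scanner gets wrong on purpose: a superglobal that is sanitised before it reaches the sink is still flagged if it sits in the same statement, and a tainted value that travels through a variable is missed.

```python
"""Regex-based sink scanner for PHP sources (added example, not the authors' code).
The regexes, category names and SAMPLE_PHP below are assumptions."""
import re

# Superglobals that carry attacker-controlled input, with or without quotes
# around the key ($_GET['id'], or $_GET[id] inside a double-quoted string).
TAINT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"

# One rule per vulnerability class: a sink call whose argument list (up to
# the end of the statement) contains a superglobal.
RULES = {
    "sql_injection": re.compile(
        r"\bmysql_query\s*\([^;]*" + TAINT, re.IGNORECASE),
    "file_inclusion": re.compile(
        r"\b(?:require|include)(?:_once)?\s*\(?[^;]*" + TAINT, re.IGNORECASE),
    "command_injection": re.compile(
        r"\b(?:exec|system|passthru|shell_exec|popen)\s*\([^;]*" + TAINT,
        re.IGNORECASE),
}


def scan_php(source):
    """Return [(line_no, category, stripped_line)] for every line matching a rule.
    Line-based on purpose: cheap enough for thousands of projects, at the cost
    of missing multi-line statements and taint that flows through variables."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines (good enough for a first pass)
        for category, rx in RULES.items():
            if rx.search(line):
                findings.append((no, category, stripped))
                break  # one category per line is enough for triage
    return findings


# Constructed sample input: the three sinks from the slides plus two lines
# that use the same sinks without a superglobal in the statement.
SAMPLE_PHP = """<?php
// constructed sample, not from any real project
$id = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");
mysql_query("SELECT * FROM users WHERE id=$id");
require $_POST["lang_install"].".php";
exec($_GET['com'], $result);
system("ls -la");
"""

if __name__ == "__main__":
    for no, category, line in scan_php(SAMPLE_PHP):
        print(f"{no}: {category}: {line}")
```

Running it reports lines 4, 6 and 7. Line 5 is not reported because the tainted value arrives through `$id`; here that happens to be safe (`intval`), but the same pattern with an unsanitised variable is a false negative, and a `mysql_real_escape_string($_GET['id'])` inside the query statement would be a false positive. That is exactly why the next step exploits the finding locally before anything is searched for online.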


Analyse projects

Vulnerable projects


Vulnerability categories


Exploit vulnerabilities

SQL Injection: the sink is swapped for a logging function, so the script runs against a harmless stand-in
  override_function(mysql_query, log_function);   (pseudocode for the APD extension's hook)

Script source
  mysql_query("SELECT * FROM users WHERE id='$_GET[id]'");

Executed
  log_function("SELECT * FROM users WHERE id='$_GET[id]'");

File Inclusion
  require $_POST["lang_install"].".php";
  log_function($_POST["lang_install"].".php");

Command Injection
  exec($_GET['com'], $result);
  log_function($_GET['com'], $result);

Request the page
  http://localhost/myscript/admin.php?id=hacklu

Log function
  Write the function arguments to a logfile

Logfile
  admin.php:137 mysql_query
  SELECT * FROM users WHERE id ='hacklu'

Request the page
  http://localhost/myscript/admin.php?id=hack'lu

Log function
  Write the function arguments to a logfile

Logfile
  admin.php:137 mysql_query
  SELECT * FROM users WHERE id ='hack'lu'

The single quote reaches the query unescaped, so the injection is confirmed; an escaped (hack\'lu) or stripped value would mean the script sanitises the input and the regex hit was a false positive.

Confirmation of results
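The confirmation step compares the two log entries above. The block below is an added example, not the authors' code: it parses the two-line log layout shown on the slides and decides whether the quoted canary reached the sink unmodified. The canary values, the function names and the constructed logs (one for a vulnerable script, one for a script that escapes the quote) are this example's assumptions.

```python
"""Confirming a finding from the hooked-sink log (added example, not the
authors' code). The log layout, canaries and sample logs are assumptions."""

CANARY_PLAIN = "hacklu"    # baseline request: ?id=hacklu
CANARY_PROBE = "hack'lu"   # probe request:    ?id=hack'lu


def parse_log(text):
    """Parse entries of the form
         admin.php:137 mysql_query
         SELECT * FROM users WHERE id ='hacklu'
    into (file, line, function, argument) tuples."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        location, function = lines[i].rsplit(" ", 1)
        file_name, line_no = location.rsplit(":", 1)
        entries.append((file_name, int(line_no), function, lines[i + 1]))
    return entries


def reached_sink(entries, sink, value):
    """True if some call to `sink` carried `value` verbatim in its argument."""
    return any(f == sink and value in arg for _, _, f, arg in entries)


def is_confirmed(baseline_log, probe_log, sink="mysql_query"):
    """A finding is confirmed when the harmless canary reaches the sink in the
    baseline run AND the quoted canary reaches the same sink unmodified in the
    probe run. An escaped (hack\\'lu) or stripped (hacklu) quote means the
    script sanitises the input: the regex hit was a false positive."""
    baseline = parse_log(baseline_log)
    probe = parse_log(probe_log)
    return reached_sink(baseline, sink, CANARY_PLAIN) and \
        reached_sink(probe, sink, CANARY_PROBE)


# Constructed logs for one vulnerable and one sanitising script.
LOG_BASELINE = """admin.php:137 mysql_query
SELECT * FROM users WHERE id ='hacklu'
"""
LOG_PROBE_VULNERABLE = """admin.php:137 mysql_query
SELECT * FROM users WHERE id ='hack'lu'
"""
LOG_PROBE_ESCAPED = r"""admin.php:137 mysql_query
SELECT * FROM users WHERE id ='hack\'lu'
"""

if __name__ == "__main__":
    print("vulnerable:", is_confirmed(LOG_BASELINE, LOG_PROBE_VULNERABLE))
    print("escaped:   ", is_confirmed(LOG_BASELINE, LOG_PROBE_ESCAPED))
```

The baseline run matters: if `hacklu` never shows up in a `mysql_query` argument, the request did not reach the flagged line at all (wrong parameter, a login check in front of it, a different code path), and the absence of the probe value proves nothing. For the file-inclusion and command sinks the same check applies with a canary suited to the sink, such as a path fragment or a shell metacharacter instead of a quote.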


Search

Google Advanced Search Operators

allinurl
  page.php: require $_GET['page_id'];
  allinurl:"/page.php?page_id="

allintitle
  index.php: echo "<title>" . $title . "</title>";
  allintitle:"My special script v0.2a"
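Turning the analysed source into search queries can be automated the same way as the vulnerability scan. The block below is an added example, not the authors' code: it derives an allinurl query from each GET parameter of each PHP file and an allintitle query from each literal page title, as the two queries above illustrate. The regexes, the filter for generic file/parameter pairs and the constructed three-file project are this example's assumptions.

```python
"""Generating search queries from a project's source (added example, not the
authors' code). Regexes, the GENERIC filter and SAMPLE_PROJECT are assumptions."""
import re

# $_GET['page_id'], $_GET["page_id"] or $_GET[page_id]  ->  page_id
GET_PARAM = re.compile(r"\$_GET\s*\[\s*['\"]?(\w+)['\"]?\s*\]")
# A literal <title>...</title> with no PHP variable or concatenation inside;
# the index.php example on the slide (echo "<title>" . $title . "</title>")
# does not qualify, the value of $title has to be found elsewhere.
TITLE_LITERAL = re.compile(r"<title>\s*([^<>$\"']+?)\s*</title>", re.IGNORECASE)
# Assumed filter: file/parameter pairs that occur in countless unrelated
# scripts and would only flood the search with noise.
GENERIC = {("index.php", "id"), ("index.php", "page"), ("page.php", "id")}


def dorks_for_project(files):
    """files: {relative_path: source text}. Returns sorted, de-duplicated
    queries: allinurl for each GET parameter of each PHP file and allintitle
    for each literal page title anywhere in the project."""
    queries = set()
    for path, src in files.items():
        name = path.rsplit("/", 1)[-1]
        if name.lower().endswith(".php"):
            for param in GET_PARAM.findall(src):
                if (name, param) not in GENERIC:
                    queries.add(f'allinurl:"/{name}?{param}="')
        for title in TITLE_LITERAL.findall(src):
            queries.add(f'allintitle:"{title}"')
    return sorted(queries)


# Constructed sample project (three files).
SAMPLE_PROJECT = {
    "page.php": "<?php require $_GET['page_id'];",
    "index.php": '<?php echo "<title>" . $title . "</title>"; $p = $_GET["id"];',
    "docs/about.html": "<html><head><title>My special script v0.2a</title></head></html>",
}

if __name__ == "__main__":
    for query in dorks_for_project(SAMPLE_PROJECT):
        print(query)
```

A query such as `allinurl:"/page.php?page_id="` still matches many scripts that merely share a file and parameter name, which is why every hit is validated against the local copy before it is counted.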

- Rotate between 13 IPv4 addresses
- Pause for 8 seconds between each request
- 20,000 search queries per day
- 120,000 results with 22,000 queries


Validate search results

- Find the project's installation root
- Identify six common file types
- Compare locally identified files with the remote host
- Calculate a score

Installation root: deterministic approach

Google result: http://example.com/user/app/login.php?token=432

Local script                  Remote script
/script/app/admin/login.php   /example.com/user/app/admin/login.php
/script/app/admin/            /example.com/user/app/admin/
/script/app/                  /example.com/user/app/
/script/                      /example.com/user/

Installation root: probabilistic approach

Google result: http://example.com/user/app/guide.html

Local script
  /script/a/docs/examples/index.php
  /script/b/index.html
  /script/index.php
  /script/

Common file types

Comparing files

Local file                  Remote file
/script/images/file1.gif    /example.com/user/images/file1.gif
/script/images/logo.png     /example.com/user/images/logo.png
/script/app/js/code.js      /example.com/user/app/js/code.js
/script/contact.html        /example.com/user/contact.html

Text matching

MD5 Hash Matching

md5(Local File) ≠ md5(Remote File)
  LocalScore = 0
  RemoteScore = 0

md5(Local File) = md5(Remote File)
  LocalScore = 100
  RemoteScore = 100

Calculating the final score

- Score between 0 and 100
- Number of identified files is taken into account
- LocalScore and the RemoteScore are weighted

$$\text{Score} = \frac{\sum_{i=1}^{N} S_i}{N} + \sum_{i=1}^{N} S_i \cdot \frac{1}{6}$$

$$S_i = \frac{\text{LocalScore}_i + \text{RemoteScore}_i}{4}$$

N = Total number of selected files
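The whole validation step, from a search hit to a score, as an added example that is not the authors' code: the installation root is derived with the deterministic suffix-matching approach, the selected files are compared by MD5, and the per-file scores are combined with the formula above. The local file set, the in-memory "remote" sites, the fetch callback and all helper names are this example's assumptions, constructed so that it runs offline; the text-matching partial scores are not implemented because the slides give no detail on them.

```python
"""Validating a search hit against the local project copy (added example, not
the authors' code). LOCAL_FILES, the fake remote sites and the helper names
are assumptions constructed for illustration."""
import hashlib
from urllib.parse import urlsplit

LOCAL_ROOT = "/script/"   # where the downloaded project was unpacked


def find_install_root(local_script, result_url, local_root=LOCAL_ROOT):
    """Deterministic approach: strip matching trailing components from the
    local script path and the URL path until the local side is back at the
    project root; what remains of the URL path is the remote installation
    root. Returns None when the paths disagree before that point."""
    local = [p for p in local_script[len(local_root):].split("/") if p]
    remote = [p for p in urlsplit(result_url).path.split("/") if p]
    while local:
        if not remote or local[-1] != remote[-1]:
            return None
        local.pop()
        remote.pop()
    return "/" + "/".join(remote) + "/" if remote else "/"


def file_score(local_bytes, remote_bytes):
    """MD5 hash matching from the slides: identical content scores 100/100,
    a different or missing remote file scores 0/0."""
    if remote_bytes is None:
        return 0, 0
    same = hashlib.md5(local_bytes).hexdigest() == hashlib.md5(remote_bytes).hexdigest()
    return (100, 100) if same else (0, 0)


def final_score(pairs):
    """pairs = [(LocalScore_i, RemoteScore_i)] for the N selected files.
    Score = sum(S_i)/N + sum(S_i)/6 with S_i = (Local_i + Remote_i)/4: six
    matching files give exactly 100, and selecting fewer files caps the score
    by design (the 1/6 term assumes the slides' six file types)."""
    if not pairs:
        return 0.0
    s = [(local + remote) / 4 for local, remote in pairs]
    return sum(s) / len(s) + sum(s) / 6


def validate_site(local_files, local_script, result_url, fetch, max_files=6):
    """local_files: {local_path: bytes}; fetch(url) -> bytes or None.
    Returns (install_root, score); the score is 0 when no root can be derived."""
    root = find_install_root(local_script, result_url)
    if root is None:
        return None, 0.0
    parts = urlsplit(result_url)
    pairs = []
    for path, data in sorted(local_files.items())[:max_files]:
        url = f"{parts.scheme}://{parts.netloc}{root}{path[len(LOCAL_ROOT):]}"
        pairs.append(file_score(data, fetch(url)))
    return root, final_score(pairs)


# Constructed data: six local files and two fake remote sites served from dicts.
LOCAL_FILES = {
    "/script/images/file1.gif": b"GIF89a-constructed",
    "/script/images/logo.png": b"PNG-constructed",
    "/script/app/js/code.js": b"function f(){return 1;}",
    "/script/contact.html": b"<html>contact</html>",
    "/script/style.css": b"body{margin:0}",
    "/script/readme.txt": b"My special script v0.2a",
}
RESULT_URL = "http://example.com/user/app/admin/login.php?token=432"
LOCAL_SCRIPT = "/script/app/admin/login.php"


def remote_url(rel):
    return f"http://example.com/user/{rel}"


REMOTE_FULL = {remote_url(p[len(LOCAL_ROOT):]): d for p, d in LOCAL_FILES.items()}
REMOTE_PARTIAL = dict(REMOTE_FULL)
REMOTE_PARTIAL[remote_url("images/logo.png")] = b"PNG-different"   # modified file
del REMOTE_PARTIAL[remote_url("style.css")]                         # missing file
del REMOTE_PARTIAL[remote_url("readme.txt")]                        # missing file

if __name__ == "__main__":
    print(validate_site(LOCAL_FILES, LOCAL_SCRIPT, RESULT_URL, REMOTE_FULL.get))
    print(validate_site(LOCAL_FILES, LOCAL_SCRIPT, RESULT_URL, REMOTE_PARTIAL.get))
```

Against the full mirror the score is 100; with one modified and two missing files it drops to 50, and a hit whose path does not line up with the local script is rejected before any file is fetched. MD5 is used here only as a fast identity check on static files, exactly as the slides do, not for anything adversarial.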

Validated website scores

Results

System overview

Contact

Contact:
  Dennis: dennis.pellikaan@os3.nl
  Thijs: thijs.houtenbos@os3.nl

Paper reference:
  http://rp.delaat.net/2012-2013/p91/report.pdf
