Escalate Privileges by Bringing in Sophisticated Trojan

Loading...

En provenance du cours de University of Colorado System

Hacking and Patching

28 notes

University of Colorado System

Hacking and Patching

28 notes

Cours 3 sur 4 dans Specialization Fundamentals of Computer Network Security

In this MOOC, you will learn how to hack web apps with command injection vulnerabilities in a web site of your AWS Linux instance. You will learn how to search valuable information on a typical Linux systems with LAMP services, and deposit and hide Trojans for future exploitation. You will learn how to patch these web apps with input validation using regular expression. You will learn a security design pattern to avoid introducing injection vulnerabilities by input validation and replacing generic system calls with specific function calls. You will learn how to hack web apps with SQL injection vulnerabilities and retrieve user profile information and passwords. You will learn how to patch them with input validation and SQL parameter binding. You will learn the hacking methodology, Nessus tool for scanning vulnerabilities, Kali Linux for penetration testing, and Metasploit Framework for gaining access to vulnerable Windows Systems, deploying keylogger, and perform Remote VNC server injection. You will learn security in memory systems and virtual memory layout, and understand buffer overflow attacks and their defenses. You will learn how to clone a Kali instance with AWS P2 GPU support and perform hashcat password cracking using dictionary attacks and known pattern mask attacks.

À partir de la leçon

Hack SQL Databases and Patch Web Apps with SQL Injection Vulnerabilities

In this module we will learn how to hack web app with database backend with SQL injection vulnerability and potentially show the list of passwords by injecting string to overwrite SQL query.We will learn how to perform code review to spot the key statements/their patterns that expose the programs for such injection attacks and learn how to patch them. We will learn the eight-step hacker methodology for exploit systems. For the escalating privilege techniques, we show how to leverage command injection vulnerability to search file systems and deposit/hide Trojans for future exploit.

Escalate Privileges by Bringing in Sophisticated Trojan8:58

Rencontrer les enseignants

Edward Chow
Professor
Computer Science

In this lesson, we solve a mystery by using Google hacking techniques and

show how to bootstraps and bring in a more

sophisticated hacking Trojan into the weak machine.

Years ago, our system administrator come to my office and say, "Yeah,

there is a hidden file .1.php,

were used by the outsider in your server very frequently."

It was in my web programming class php directory.

I look at it and find out,

the content was very strange.

The file has seven line and 23,343 characters,

and the first six line are readable and contain what is showing here.

After the <?php we know it's a php script.

The second line, $auth_pass,

has very strange character string.

And I look at that and say, "Authentication (auh).

There must be some sort of password."

And up to the sixth line.

The seventh line show preg,

which is post group regular expression, replace.

And after that is whole bunch of hexadecimal character indicated by the \x.

The web page, once you execute,

it asks for a password.

So now the question.

What is the password we need to enter?

It appears it has, and so I was puzzled by what will be the password?

And I tried to copy that long string into the password box, it doesn't work.

Actually, think about that,

I will give you a hint, it is the title of the slide.

We kept using the title of the slide as a hint to solve the puzzle.

We know it is a php script.

The first assignments they may indicate is authentication password.

So we need to be careful.

And when we type in this password as it is, it doesn't work.

Google hacking, as defined in the Google website is also named

Google dorking and is a computer hacking technique that use Google search engine to

retrieve the potential information about the victim's site or the victim's code.

You can also use other Google applications to find a security hole either in

the configuration file or in computer code that may

have encrypted kind of password string,

by copying and pasting

the auth_pass valuable value into the Google search engine.

One, we find out the password is root,

and it's actually the MD5 message function value for putting a pentax root.

They are many sites actually show up in the query.

And that actually perform this kind of dictionary look up using

the machine to produce known plain text word and the corresponding SHA hashing value.

Anybody can do a query then by putting

the encrypted string and it will come back with the original plain text.

The second entry in the return,

I show it up in the web page.

Actually even shows actual source code of the .1.php.

The code can be downloaded from

https://www.exploit-dp.com, authentic security website.

And you can also click on the link,

on the second link in the web page to download that from GitHub website.

How to get .1.php over to our midterm directory? That's a question.

Very quickly we'll find out we will be you be using a popular cominco webCAT.

We can via retrieving the web content.

But if we do that,

what we find now.1.php file access,

will actually be execute and we now return

the intended source code of the php file to our written website.

It will be excecute and the return html file is

now the.php source code we rather put into the midterm site.

And how can we solve this?

It turn out, instead of using straightforward wget,

we need to run php code.

We call it download.php.

And this download.php will listen to a query string with name as a key,

and the value will be received as a filename.

Okay. And what is going to do is viewing all the content

of the specified file in the Viva machine,

in this case and which is to provide a lot of source code and really in as a php code,

as a binary content and ship it out with

a mail header Content-Type:application.octet_stream.

And by doing that it bypass the web server.

It will not interpreted,

and the php source data will be saved as a file.

And here basically, showing you the kind of header is going to generated, content type,

the coding is binary, the length,

using file size with the parameter dollar sign over the file name.

And then you're using the file as a php code to read in the whole content file.

Therefore, this command we will use is wget with download.php?

which is followed by the

>name=.1.php and we will have that execute on cs591.

And result is what nicely that we bring in the php.

But unfortunately, it created a file not as .1.php,

it created a file with a strange name 'download.php$name=.1.php.

Using the last part

of the wget your I as a file name.

So the question to you is how can you try to hide

this file because download.php even [inaudible] it will show up.

So I would even figure out this puzzle.

Here we show the layout of these sophisticated Trojan spyware.

It displays the directory content with many useful system informations.

By typing the text into the Mac directory in the bottom part of their four dialog box,

one of them is Make dir.

You can even create a directory.

Making a directory is so powerful.

Explorer notre catalogue

Rejoignez-nous gratuitement et obtenez des recommendations, des mises à jour et des offres personnalisées.

Coursera propose un accès universel à la meilleure formation au monde, en partenariat avec des universités et des organisations du plus haut niveau, pour proposer des cours en ligne.

© 2018 Coursera Inc. Tous droits réservés.

Télécharger dans l'App Store

Disponible sur Google Play