6. Cyberattack 3 – Web-based Attacks and Ransomware

CITS3004
Alvaro Monsalve

Agenda

1. Web-based attacks
   1.1. SQL injection
   1.2. XSS
2. Ransomware

1. Web-based Attacks

• Attacks that are carried out over the web-based architecture
  – E.g., client and server, P2P, etc.

• Servers can be attacked, or become malicious, in many ways
  – SQL injection
  – Malvertising
  – URL Redirection
  – Cross-site scripting (XSS)
  – Etc.

Injections

• Injection attacks introduce malicious code as an input to cause harm to the system

• Such attacks include:
  – SQL injection
  – XPath injection
  – BoF
  – LDAP injection
  – OS Commanding
  – Etc.

Intro: SQL Databases

• Database – a domain-specific collection of data
• Relational database – the primary current model used in database systems
  – Utilising relational tables, with a row being an instance set of data in some domain, and a column being a field about that domain

Intro: SQL Database

Achievements

Creature_ID  SkillCode
1            F
2            S
2            F
3            S
5            C

  – E.g., the Achievements table has two columns and five rows
  – Rows are uniquely identified by the values in one or more columns (e.g., the Creature_ID and SkillCode columns together identify one row (or instance) of Achievement)

• Structured Query Language (SQL) is the most prominent of several query languages for relational database systems
• SQL is powerful, but monolithic, and it can be difficult to generate correct queries for complex questions
• Examples:

SELECT Creature_ID FROM Achievements;
SELECT * FROM Achievements WHERE Creature_ID > 3;
SELECT COUNT(*) FROM Achievements WHERE Creature_ID > 3;
SELECT * FROM Achievements WHERE SkillCode = 'S' OR SkillCode = 'F';

SQL – Example

SELECT Creature_ID FROM Achievements;

SQL – Example

SELECT * FROM Achievements WHERE Creature_ID > 2;

SQL – Example

SELECT COUNT(*) FROM Achievements WHERE Creature_ID > 2;

Returns value 2

SQL – Example

SELECT * FROM Achievements WHERE SkillCode = 'S' OR SkillCode = 'F';

1.1. SQL Injection (SQLi)

• SQLi – inserting malicious SQL code through an application interface
  – Often through a web application, but possible with any interface
    • E.g., SQLi through a URL
  – An example of the general issue of interpreter injection (injection of malicious code into any interpreted language)

SQLi

• Three types of SQLi
  – In-band – the easiest, based on the responses received (and what we will talk about)
    • Error-based
    • Union-based
  – Inferential – can extract data, but time consuming
    • Boolean-based blind
    • Time-based
  – Out-of-band – features (e.g., DNS or HTTP requests) need to be enabled to carry this out
    • Enabled feature-based

SQLi

• Example SQL injection scenario
  – Three-tier application (web interface, application, database)
  – Overall application tracks its own usernames and passwords in the database (advantage: can manage users in real time)
    • Example: a table named Users_Table has two columns, username and password, with example rows being something like:
      User1, Password1
      User2, Password2
      etc.
  – Web interface accepts username and password in text fields, and passes these to the application layer as parameters

SQLi

• Python code uses the SQLite3 application interface, and contains a dynamically formed SQL statement:

  query = "SELECT * FROM Users_Table " + \
          "WHERE username = '" + username + "' " + \
          "AND password = '" + password + "'"

• Note: String values must be single quoted in SQL, so the application provides this for each passed string parameter
• Expecting one row to be returned on success, no rows on failure
• Common variant – SELECT COUNT(*) FROM …

SQLi

• Normal (valid) usage
  – Username: User1
  – Password: Password1

• Generated SQL query:
  SELECT * FROM Users_Table
  WHERE username = 'User1'
  AND password = 'Password1'

SQLi

• However, an attacker can enter the following into the login fields:
  – Username: (any username)
  – Password: None' OR 'a' = 'a

• Then the query becomes:
  SELECT * FROM Users_Table
  WHERE username = 'None'
  AND password = 'None' OR 'a' = 'a'

• Note: the WHERE clause evaluates as (F AND F) OR T => F OR T => T, because AND binds more tightly than OR

SQLi

• What went wrong?
  – The server did not check the inputs properly
    • Specifically, the control (special) characters in string inputs
  – There are many ways that an SQL injection can happen
    • Regular inclusion of SQL metacharacters through:
      – Variable interpolation (changing the value)
      – String concatenation with variables and/or constants
      – String format functions
      – String templating with variable replacement
    • Hexadecimal or Unicode encoded metacharacters

SQLi – Prevention

• How to resolve this problem?
  – Trial 1: Check content
    • Client code checks to ensure certain content rules are met
    • Server code should check content as well
    • Specifically – don't allow apostrophes to be passed
  – This will solve our specific problem case from before
    • Problem: there are other characters that can cause problems
      – E.g., -- (comment), ; (command separator), % (wildcard), etc.
    • Which characters do you filter (blacklist) / keep (whitelist)?
    • Which approach is better – blacklisting or whitelisting?

SQLi – Variant 1

• Any username, password = ' or 1 = 1 --
  – Note: --, as the "to-end-of-line comment" special character, comments out the rest of the dynamically generated SQL command line, including the terminating single quote added by the application

• Then the query becomes:
  SELECT * FROM Users_Table
  WHERE username = 'hello'
  AND password = '' OR 1 = 1 --'
  (everything after -- is commented out, including the closing quote)

SQLi – Variant 2

• Any username, password = foo'; DELETE FROM Users_Table WHERE username LIKE '%

• Then the query becomes:
  SELECT * FROM Users_Table
  WHERE username = 'hello'
  AND password = 'foo';
  DELETE FROM Users_Table
  WHERE username LIKE '%'

• Note: the system executes two statements separated by ;
  – The first query will do nothing
  – The second query will delete the data, depending on the database type and the level of privilege of the user

SQLi – Variant 3

• The Open DataBase Connectivity (ODBC) application interface allows shell injection using the '|' character
  – '|shell("cmd /c echo " & char(124) & "format c:")|'

• A similar issue has existed with MS SQL Server Extended Stored Procedures

SQLi – Variant 4

• Second-Order SQL Injection
  – Attacker creates an account with user = root'--
    • The application escapes the special character (apostrophe) and inserts it as root''--
  – Attacker resets the password using an existing application function
    • The system query probably fetches the username from the database to verify the account exists with the correct old password, and then updates the password for that username:
      UPDATE users_table SET PASSWORD = 'pass' WHERE username = 'root'--'

SQLi – Variant 5

• PL/SQL Cursor Injection
• Structure
  – PL/SQL is a procedural language in Oracle built on top of SQL
  – Functions and procedures can be defined which set up cursors that allow execution of dynamically-defined SQL statements
  – Injection techniques can be used with these structures as well

http://www.davidlitchfield.com/cursor-injection.pdf

SQLi – Variant 6

• Blind Injection – finding a vulnerability through server responses
• Assume a web page that gets press releases from the db
  – http://www.company.com/pressRelease.jsp?id=5
  – This generates:
    • SELECT title, description, releaseDate, body FROM pressReleases WHERE id = 5
  – What if we send:
    • http://www.company.com/pressRelease.jsp?id=5 AND 1=1
    • If we get press release 5 back, we just found a vulnerability!
  – Now, we can craft an SQL query and send:
    • http://www.company.com/pressRelease.jsp?id=5 AND user_name() = 'dbo'
    • If you get press release 5, you know that you're running as user dbo

SQLi – vulnweb example

• Example:
  – http://testphp.vulnweb.com/artists.php?artist=1
  (You should be able to access this page; it is public)

• Test to see if it would be vulnerable to an SQLi
  – testphp.vulnweb.com/artists.php?artist=1'
  (Note: %27 in the resulting URL is the URL-encoded single quote)

SQLi – vulnweb example

• Discover the number of columns using "order by"
  – testphp.vulnweb.com/artists.php?artist=1 order by 1
  (Eventually, you will discover it fails at 4, meaning there are 3 columns.)

SQLi – vulnweb example

• Discover other table contents
  – testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3
  (Now we can place other schema info in fields 2 and 3!)

SQLi – vulnweb example

• Let's find out the database name
  – testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3
  (The database name is: acuart)

SQLi – vulnweb example

• You can now find many other details of the schema, such as:
  – Version
  – Current user
  – Table names
  – Other table fields
  – Etc.

SQLi – vulnweb example

• Eventually, find some sensitive info stored
  Username : test
  Password : test

SQLi – Prevention

• Prepared Statements
  – This is supported by database application interfaces, such as JDBC
    • The SQL query is precompiled with placeholders
    • Data is added in at run-time, converted to the correct type for the given fields

SQLi – Prevention

• For example, if an attacker enters
  – Username – asdf' or '1' = '1
• Using prepared statements will cause the query to look up the username that matches the entered string
  – Exactly the string "asdf' or '1' = '1"
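The concatenated login query from the SQLite3 scenario above, placed beside its prepared-statement form, as an added example that is not part of the lecture slides. The Users_Table rows, the allowlist of table names and the probe inputs are constructed here for an in-memory database.

```python
import sqlite3

# Constructed sample rows for the lecture's Users_Table scenario.
SAMPLE_USERS = [("User1", "Password1"), ("User2", "Password2")]

# Constructed allowlist for the table-name case, which placeholders cannot cover.
ALLOWED_TABLES = {"Users_Table"}


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users_Table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users_Table VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the slide's dynamically concatenated query.
    Quotes inside the inputs become part of the SQL itself."""
    query = ("SELECT * FROM Users_Table "
             "WHERE username = '" + username + "' "
             "AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_prepared(conn, username, password):
    """Hardened form: the statement is compiled with ? placeholders and the
    driver binds the inputs as data, so None' OR 'a' = 'a is just a string."""
    query = "SELECT * FROM Users_Table WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def count_rows(conn, table):
    """Identifiers such as table names cannot be bound as parameters, so the
    name is checked against the fixed allowlist before it is spliced in."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: " + table)
    return conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    bad_password = "None' OR 'a' = 'a"  # the password input from the slide
    print(len(login_concat(db, "None", bad_password)))    # 2: every row returned
    print(len(login_prepared(db, "None", bad_password)))  # 0: no row matches
```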

SQLi – Prevention

• Issues with Prepared Statements
  – Cannot use them in all situations
    • Generally limited to replacing field values in SELECT, INSERT, UPDATE, DELETE statements
    • E.g., our use for the username field value and the password field value
  – Example: if we also ask the user for information that determines the choice of table name, we cannot use a prepared statement

SQLi – Prevention

• Additional Precautions
  – Do not access the database as a privileged user
    • Anyone who gains access will have that user's privilege
  – Limit the database user to only what they need to do
    • E.g., reading information from the database, no insert/update/delete
  – Do not allow direct access to the database from the Internet
    • Require users to go through your applications, so you can better control the activities
  – Do not embed database account passwords in your code
    • Encrypt and store them in a repository that is read at application startup
  – Do not expose information in error messages
    • E.g., do not display application stack traces if an error occurs

1.2. XSS

• Cross-Site Scripting (XSS, CSS, etc.)
• Exploiting the fact that web browsers can execute commands
  – Embedded in an HTML page
  – Support different languages (JavaScript, ActiveX, etc.)
• Cross-Site means sending a foreign script from the server to the client
  – Exploiting servers to send the attacker's malicious script code to the client
  – The client executes the malicious script in its web browser
• The attacker can execute any commands on the client's computer
  – access credentials, DoS, modify web pages

XSS

https://www.acunetix.com/websitesecurity/cross-site-scripting/

1. The attacker injects a payload into the website's database by submitting a vulnerable form with some malicious JavaScript
2. The victim requests the web page from the website
3. The website serves the victim's browser the page with the attacker's payload as part of the HTML body
4. The victim's browser executes the malicious script inside the HTML body. In this case it would send the victim's cookie to the attacker's server.

Stored XSS – Example

• This scenario is Stored XSS
• Consider the user searching for some items on the site
  – Passed in as: http://site.com/search.php?term=batman
• The implementation of search.php renders a page headed "Search Results" with the line "Results for :" followed by the search term, echoed straight into the response

Stored XSS – Example

• Now, consider the following link
  – http://site.com/search.php?term=

• What happens when the user clicks the link?
  1. Browser goes to malicious.com/search.php
  2. site.com returns "Results for" followed by the injected script
  3. Browser executes the returned script:
     • Sends the bad guy the cookie for site.com

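The search.php behaviour from the XSS example rebuilt in Python, echoing the term raw beside the HTML-encoded form, as an added example that is not part of the lecture slides. The page template (which also echoes the term into the search box's value attribute) and the probe term are constructed here.

```python
import html

# Constructed template standing in for the slide's search.php output: the term
# appears in the page body and is also echoed back into the search box.
PAGE = ('<h1>Search Results</h1>\n'
        '<form><input name="term" value="{term}"></form>\n'
        '<p>Results for : {term}</p>')


def render_raw(term):
    """Mirrors search.php as shown on the slide: the term is echoed unchanged,
    so a term containing markup becomes part of the page's HTML."""
    return PAGE.format(term=term)


def render_escaped(term):
    """Hardened form: HTML-encode the term for both contexts. quote=True also
    encodes " and ', which matters inside the value="..." attribute."""
    return PAGE.format(term=html.escape(term, quote=True))


def has_live_script(page):
    """Does the rendered page still contain a real <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed probe term: closes the attribute, then injects a script tag.
    probe = '"><script>alert(1)</script>'
    print(has_live_script(render_raw(probe)))      # True
    print(has_live_script(render_escaped(probe)))  # False
```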