Post Thu Apr 13, 2006 11:26 am

Example 1: Winning Entry #2 - Joe Klein

By Joe Klein, CISSP NSA-IAM

Years before, Trinity was browsing government sites and ran into the IRS site. She went to http://news.netcraft.com/ and entered in www.irs.gov to find what type of web server was used. She found that it was Microsoft IIS 5 server and last change date was 2000, before the "Trusted Microsoft" ad campaign was launched.

With a twinkle in her eyes, and a computer on her lap, she started looking for the one asp that would give her access to IRS records. Quickly jumping in to the advanced search features of goggle, typing in asp, entering the domain of "irs.gov", she found a list of the asp's on that server. Searching the list she found pay dirt, irsfile.asp.

Using the proxy features in AltaVista babble fish, she decides to see if the systems at the IRS were vulnerable to SQL injection. She looked at the source code of the webpage. After a short time, she realized that the HTML field name "username" field was required to do a search.

Knowing that an un-secured SQL server would allow execution of xp_cmdshell, she decided that, the best way to test for the vulnerability was to ping a system she know was up. That server, would be the server of the agency, where agent Smith worked.

Entered the command:

"irsfile.asp?username='test';+exec+master..xp_cmdshell+'ping+209.171.43.28';--"

She receives a result. Yes, she thought, this could be very good.

Further review of the irsfile.asp, she found the name of the database irs_dbase and name of the table she was looking for. No, she thought, it could not be true; the web developers included this information in the
html. She shook her head, laughed and went on.

Now it was time to find out the names of the fields, in the table, she quickly typed:

irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1'+FROM+irs_dbase..sysobjects+WHERE+xtype+=+'U';--

Yes, again this was just too easy.

The fields revealed themselves easily. Time for the payoff, she thought. Its time to find Neo! Knowing his last name was Anderson, she formed the SQL injection statement:

irsfile.asp?username='Trinity'+UNION+SELECT+phone_number+FROM+irs_dbase.
.account+WHERE+taxpayer_lastname+=+'Anderson';--

There it was, the phone number she was looking for, 555.555.6366.

Her job was done, but she had to tell someone. So she went on to #hack IRC and logged on with the handle Trinity. This name, she thought, would make people think it was a guy that perpetrated this hack.

With 100's of people listening in, she boldly stated, "I hacked the IRS D-Base". Suddenly she was disconnected. It was just a twist of fait, that a hacker called Neo was on-line and had read this strange posting.
Last edited by don on Thu Apr 13, 2006 12:37 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME