Post Thu Apr 13, 2006 12:34 pm

Example 1: Runner-Up Entry #3 - Camillo Särs

Agent Smith quickly determined what really had happened. He mentally filed Nick into his "dangerous, creative fools" category, and told his agents to be really careful when watching Nick.

Agent Smith immediately recognized the first set of user input:

irsfile.asp?username='test';+exec+master..xp_cmdshell+'ping+209.171.43.28';--

Here the attacker probed a vulnerable ASP application called "irsfile" by launching the "ping" command against ip address 209.171.43.28. This was done using a technique called "SQL injection", and even more connivingly, by using it to actually launch a command in a cmd prompt. Apparently the username "test" had some privileges it should not have.

As the attacker continued, the probe evidently caused ICMP ping packets to be sent to that ip address. Agent Smith immediately dispatched Special Agent Dogbert to trace down the address and submit the moronic attacker to the disabling inquiries only Special Consultant Agents such as Dogbert can mount. Leaving this clear traces would not be tolerated. Good thing Nick didn't grasp the situation.

The following line was interesting:

irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1'+FROM+
irs_dbase..sysobjects+WHERE+xtype+=+'U';--

Here the attacker did a UNION of user names and rows in the system objects table, to retrieve a result table which showed which user names had what privileges in the database. Once the attacker had this table, his next task would be to pick a user with sufficient privileges to retrieve further information from the database. "test" apparently did not have all the necessary privileges, but just enough for the attacker to elevate his privileges.

And truly, the attacker seems to have found username "Trinity" with the desired privileges:

irsfile.asp?username='Trinity'+UNION+SELECT+phone_number+FROM+irs_dbase..acco
u nt+WHERE+taxpayer_lastname+=+'Anderson';--

Here the attacker used the "Trinity" user name to retrieve the phone numbers of taxpayers with the last name "Anderson". This would eventually reveal the phone number of Neo, something that Agent Smith knew very well. After all, hadn't he ordered Novice Agent Dilbert to perform the attack in an attempt
to track down Neo? Fortunately Nick was to much of an idiot to be a threat in this situation. It was well that he was hunting religious Chinese spys in his union.
CISSP, MCSE, CSTA, Security+ SME