Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measures and counter-measures. If you're looking for a blog to relate to your day-job - this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 30 - "But wait! there's more!"

I saved this gem for last on purpose. If you're reading this and say to yourself ..."Hey! That's my company" then I think you can thank your one appsec guy (you know who he is) because he's driving awareness, process and tools into your organization to help fix these "neon welcome sign" equivalents in your environment.  Also ... if you're reading this and you remember this meeting ... I congratulate you for continuing the awareness that was started over a year ago... you're on your way, just don't give up!

------ now, on to the final chapter

Truth is, sometimes people in massive IT organizations that work with patient and health information just don't believe they have security issues until you show them... with their manager watching.  This incident took place a little over a year ago when I was visiting a company that was struggling with web app security like everyone else ... and losing.  The one IT guy who really did care about web app sec was not being heard, and the proof just wasn't there that issues were plentiful within the organization's infrastructure.  I was invited to demo our web app sec testing suite to these guys, and my contact wanted to make sure we found as much impactful stuff as possible ... and we sure did.  Given only 2 days we had to make fast work of our findings, but sadly it was almost too easy... like shooting dead fish in a bucket.  After a day and a half of findings and putting together a presentation, I got a chance to present to the CISO and some senior IT staff, which was great ... and we started talking security vulnerabilities and the issues we found.

Little did I know how crazy things would get ...

So, as soon as I dived in I was asked the typical question ... "So what?" ... so I decided to fire up our SQL Injector tool (just for the record, if SQL Injector can pull out your database it's time to shut down your web site ....just sayin') and go to town.  I started with the company's home page, which had a login form ...and things went sideways from there.  Immediately SQL Injector was able to determine that the application was easily vulnerable to SQL injection.  Since this was a panel of seasoned skeptics, I decided to take it a step further and get SQL Injector to pull back the database name, version and some basic information.  I was still faced with the "so what?" question ...

Not wanting to be stumped by apathy I went a step further and started explaining what this tool was doing ...and then went ahead and pulled the database table names for the audience.  NOW I was getting a slightly panicked look from the DBAs and developers in the audience ... finally!  Next, I showed that with the click of the mouse I could pull the columns and start "pumping data" ... all without setting off any of their IPS alarms ... whoops #1.

In the spirit of "But wait! there's more" ...the DBA manager started looking a little worried.  I was explaining that the typical xp_cmdshell commands could be used to entirely take over the system ...and just before I was going to execute the command to add myself as an admin user on this machine through SQL injection ...I was stopped.

I was fairly proud of myself that this demo and talk were going so well and that I was effectively able to demonstrate totally owning their database and server ... but there was more to this.  The DBA lead stopped me from adding myself to the system because, as he explained, this system was clustered ... and it shared the instance with their ERP application.

Ouch, right?  But wait ...there's more...

This system, which I could completely exploit through SQL injection, was not only clustered and shared with their ERP system - because it was also hosting their ERP system, it was not in the DMZ but on their internal network.

But wait ... there's more.

OK, let's review ... I can steal the database, add myself as a user on a box that is on their internal network ... how much worse can it get?!

Well ... as was explained to me and the audience, as this machine was on their internal network ... it was also participating on their internal AD environment.

Wait ... seriously?!  Yes.

So ... to summarize ... I was able to, without triggering any alerts and using nothing but SQL injection, steal their database (or modify it), and not only compromise their server but also add myself as an administrator in their internal Active Directory ...
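The chain above ran without a single alert, so here is what a minimal detection pass over the web server's own access log could have flagged at each stage (enumeration of table names, then the xp_cmdshell step). This is an added example, not the original post's code or HP's tooling; the log lines and the URL parameter name `user` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample web-server access log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:09:14:01] "GET /login.aspx HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2010:09:14:07] "POST /login.aspx?user=bob%27+OR+1%3D1-- HTTP/1.1" 200 1024
10.0.0.5 - - [12/Mar/2010:09:15:22] "GET /login.aspx?user=x%27+UNION+SELECT+name+FROM+sysobjects-- HTTP/1.1" 200 4096
10.0.0.5 - - [12/Mar/2010:09:16:03] "GET /login.aspx?user=x%27%3B+EXEC+xp_cmdshell+%27whoami%27-- HTTP/1.1" 500 312
10.0.0.9 - - [12/Mar/2010:09:16:40] "GET /about.aspx HTTP/1.1" 200 2048
"""

# One (stage name, indicator regex) pair per stage of the chain the post describes.
# Matching is done on the URL-decoded request so %27 / %3B style encoding does not hide it.
STAGES = [
    ("auth bypass",        re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("schema enumeration", re.compile(r"union\s+select|information_schema|sysobjects|syscolumns|@@version", re.I)),
    ("os command exec",    re.compile(r"xp_cmdshell|sp_oacreate", re.I)),
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def classify_request(url: str):
    """Return the stage names whose indicators appear in the decoded request URL."""
    decoded = unquote_plus(url)
    return [name for name, pat in STAGES if pat.search(decoded)]

def scan_log(text: str):
    """Return (line_no, source_ip, stages) for every request line that matches a stage."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        stages = classify_request(m.group(1))
        if stages:
            findings.append((n, line.split()[0], stages))
    return findings

if __name__ == "__main__":
    for n, ip, stages in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {', '.join(stages)}")
```

Three requests from the same source climbing from auth bypass to schema enumeration to xp_cmdshell within two minutes is the pattern worth alerting on, rather than any single keyword hit.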

... I think my mouth hung open, and my eyes were wide.  What do you say to this sort of situation but - "Wow".

Whoops?  Yeah ...whoops indeed, boys and girls.

Labels: 30_in_30 | OOPS
About the Author
Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging t...
