Analyze hacker attacks on Microsoft-UK website

Jonathan Spiteri

A detailed analysis of how a website is hacked is a way to avoid similar attacks.

The Microsoft event website's partner event registration page in the UK has been embarrassed by a hacker who exploited the application's vulnerability in one of the parameters used by the form above. The website, the previous link of the website is accessed:

 http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline] 

The attacker named " rEmOtEr ", invaded Microsoft's site by taking advantage of the SQL Injection vulnerability in the parameter used by the embedded form on the page URL. This private parameter is not filtered, so it allows hackers to pass through and enter the database being used by this form.

In addition, the hacker exploited the table and column names (data fields) inside the database called and displayed on the page - this means the text or even the code snippet is inserted inside the column. This will be displayed on the page.

The attacker actions taken to view the database password

The following is a brief rebuild context to document some of the steps taken by an attacker to exploit the SQL Injection vulnerability in the registration form, which allows the hacker to observe the name. and password in the system:

1. The parameters of the form are filled in with unusual characters (like '' 'and' - ') to see the website's interaction. These characters are often filtered out because they are used in SQL as special commands to manipulate the database. Tested parameters include:

1. Tangible inputs (textbox, dropdown list, .) in the form (POST method)
2. The invisible input from the HTML source code of the page (POST method)
3. Parameters used in URL (GET method)

2. The website URL in this case uses two parameters eventID and v2:

 http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 

Just add an apostrophe on (') to the URL, the result will be obtained as shown in Figure 1 below:

 http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 ' 

Analyze hacker attacks on Microsoft-UK website Picture 1
Figure 1

Taking advantage of this error, can confirm 2 things:

1. Server-Side error messages are ENABLED on the web server ( MAIN server error messages are allowed on the web server ) These errors are usually enabled only during development and error checking. When the website is launched, the server error message is usually disabled so that no sensitive information is available online.
2. The v2 parameter is NOT being filtered for malicious characters / code - ( v2 parameter DOES NOT filter dangerous code / characters ) This means that whatever this parameter is, it will be passed to SQL Server. use without filtering.
   
   This long SQL error has exposed a lot of information under the database, which can be used by hackers to attack and change the data stored in this database.

3. Hackers have obtained valuable information directly from the database by using SQL Command commands to infiltrate through this parameter by trial and error. The attacker also gets more help with error messages displayed on the page.

The SQL Command 1 having 1 = 1 - was sent with the v2 parameter to get the main SQL query sent to the database. This action added a condition to the SQL query, always true (1 = 1), and in this case it is unclear to SQL Server because the GROUP BY command generates the following error:

 http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 having 1 = 1-- 

The result is more database information has been leaked!

The table name MultivenueLists and some column names such as recordID and venueStatus have been exposed, from which the attacker exploits more deeply about the database structure.

Note :
In Structured Query Language (SQL) columns are referred to by the symbol TABLE (dot) COLUMN (for example MultivenueLists.recordID ).

4. When a hacker knows the table and column names, he will infiltrate some text within a column, specifically by adding a command like an update MultivenueLists set venueStartDate = 'hacked by rEmOtEr'; output of v2 parameter in URL:

 . ster.aspx? EventID = p83968 & v2 = 1 update MultivenueLists set venueStartDate = 'hacked by rEmOtEr'; - 

Analyze hacker attacks on Microsoft-UK website Picture 2
Figure 2: The resulting page has no errors, but the text has been inserted
The database will be displayed on the page.

5. Using the UNION SELECT statement, a hacker can obtain a list of user names and passwords from the system by guessing the names of the two columns (users and passwords) and tables (users - users).

This is the SQL Command used for v2 parameter to obtain username:

 . ster.aspx? EventID = p83968 & v2 = -1 union select 1,2,3,4, username, 6.7 from users-- 

Analyze hacker attacks on Microsoft-UK website Picture 3
Figure 3

This is the SQL Command for v2 parameter to obtain the password:

 . ster.aspx? EventID = p83968 & v2 = -1 union select 1,2,3,4, password, 6,7 from users— 

Analyze hacker attacks on Microsoft-UK website Picture 4
Figure 4

6. Using a combination of queries with userIDs, hackers can determine which password goes with which username.

Attack actions performed to change the content of the page

Below is a brief reconstructed context to document some of the steps taken by an attacker to exploit the SQL Injection vulnerability in the registration form:

1. When the hacker knows enough information to put his code into the website database, he prepares a simple HTML page on the third-party remote server to attack.

2. Using commands similar to those used to display text in a page, hackers insert after a URL a simple HTML website kept by a third-party remote server:

3. The form page on the Microsoft site is also created in the same way, it uploads documents from the database when users browse on the page (typically CMS system). When this text is replaced by the above xhref link, it will display the entire content of the page from the extension server.

4. This is what the website shows when attacked:

Analyze hacker attacks on Microsoft-UK website Picture 5
Figure 5

The cause of the attack

There is a combination of the two components that cause this attack - except for an attacker who is determined to visit a sample page on Microsoft's website - that is:

1. SQL Injection - One of the parameters in the URL is sent directly to the database without previous filtering. This is a channel for an attacker to interact directly with the database.

2. Error messages - From the error messages on the website, an attacker can find out the structure of the database. This helps hackers in selecting SQL commands to insert their code into the database thereby changing the content of the page.

How to prevent?

The best way to prevent this attack is to regularly check for website vulnerabilities. That way, these SQL injection vulnerabilities can be detected and patched before the website is hacked.

How to make your website safe

Most complex websites are often difficult to check for vulnerabilities for each page. The hacked site on Microsoft's site is just a small part of a large website that can be missed - a common error if you perform manual security auditing.

This complexity can be overcome by using an automated website application scanner such as Acunetix Web Vulnerability Scanner. With this tool you can use it to scan each parameter on the page and on the forms on your website, with hundreds of holes automatically. This will reduce the complexity and time required to perform security auditing on each website.

Using an automated website application scanner also means that anyone who performs the audit does not require a lot of technical knowledge of the web vulnerability, instead the user only needs to run the application to scan the website. and obtained error reports.