Analyze hacker attacks on Microsoft-UK website
Jonathan Spiteri
A detailed analysis of how a website is hacked is a way to avoid similar attacks.
The Microsoft event website's partner event registration page in the UK has been embarrassed by a hacker who exploited the application's vulnerability in one of the parameters used by the form above. The website, the previous link of the website is accessed:
http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]
The attacker named " rEmOtEr ", invaded Microsoft's site by taking advantage of the SQL Injection vulnerability in the parameter used by the embedded form on the page URL. This private parameter is not filtered, so it allows hackers to pass through and enter the database being used by this form.
In addition, the hacker exploited the table and column names (data fields) inside the database called and displayed on the page - this means the text or even the code snippet is inserted inside the column. This will be displayed on the page.
The attacker actions taken to view the database password
The following is a brief rebuild context to document some of the steps taken by an attacker to exploit the SQL Injection vulnerability in the registration form, which allows the hacker to observe the name. and password in the system:
1. The parameters of the form are filled in with unusual characters (like '' 'and' - ') to see the website's interaction. These characters are often filtered out because they are used in SQL as special commands to manipulate the database. Tested parameters include:
- Tangible inputs (textbox, dropdown list, .) in the form (POST method)
- The invisible input from the HTML source code of the page (POST method)
- Parameters used in URL (GET method)
2. The website URL in this case uses two parameters eventID and v2:
http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1
Just add an apostrophe on (') to the URL, the result will be obtained as shown in Figure 1 below:
http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 '
Figure 1
Taking advantage of this error, can confirm 2 things:
- Server-Side error messages are ENABLED on the web server ( MAIN server error messages are allowed on the web server ) These errors are usually enabled only during development and error checking. When the website is launched, the server error message is usually disabled so that no sensitive information is available online.
- The v2 parameter is NOT being filtered for malicious characters / code - ( v2 parameter DOES NOT filter dangerous code / characters ) This means that whatever this parameter is, it will be passed to SQL Server. use without filtering.
This long SQL error has exposed a lot of information under the database, which can be used by hackers to attack and change the data stored in this database.
3. Hackers have obtained valuable information directly from the database by using SQL Command commands to infiltrate through this parameter by trial and error. The attacker also gets more help with error messages displayed on the page.
The SQL Command 1 having 1 = 1 - was sent with the v2 parameter to get the main SQL query sent to the database. This action added a condition to the SQL query, always true (1 = 1), and in this case it is unclear to SQL Server because the GROUP BY command generates the following error:
http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 having 1 = 1--
The result is more database information has been leaked!
The table name MultivenueLists and some column names such as recordID and venueStatus have been exposed, from which the attacker exploits more deeply about the database structure.
Note :
In Structured Query Language (SQL) columns are referred to by the symbol TABLE (dot) COLUMN (for example MultivenueLists.recordID ).
4. When a hacker knows the table and column names, he will infiltrate some text within a column, specifically by adding a command like an update MultivenueLists set venueStartDate = 'hacked by rEmOtEr'; output of v2 parameter in URL:
. ster.aspx? EventID = p83968 & v2 = 1 update MultivenueLists set venueStartDate = 'hacked by rEmOtEr'; -
Figure 2: The resulting page has no errors, but the text has been inserted
The database will be displayed on the page.
5. Using the UNION SELECT statement, a hacker can obtain a list of user names and passwords from the system by guessing the names of the two columns (users and passwords) and tables (users - users).
This is the SQL Command used for v2 parameter to obtain username:
. ster.aspx? EventID = p83968 & v2 = -1 union select 1,2,3,4, username, 6.7 from users--
Figure 3
This is the SQL Command for v2 parameter to obtain the password:
. ster.aspx? EventID = p83968 & v2 = -1 union select 1,2,3,4, password, 6,7 from users—
Figure 4
6. Using a combination of queries with userIDs, hackers can determine which password goes with which username.
Attack actions performed to change the content of the page
Below is a brief reconstructed context to document some of the steps taken by an attacker to exploit the SQL Injection vulnerability in the registration form:
1. When the hacker knows enough information to put his code into the website database, he prepares a simple HTML page on the third-party remote server to attack.
2. Using commands similar to those used to display text in a page, hackers insert after a URL a simple HTML website kept by a third-party remote server:
3. The form page on the Microsoft site is also created in the same way, it uploads documents from the database when users browse on the page (typically CMS system). When this text is replaced by the above xhref link, it will display the entire content of the page from the extension server.
4. This is what the website shows when attacked:
Figure 5
The cause of the attack
There is a combination of the two components that cause this attack - except for an attacker who is determined to visit a sample page on Microsoft's website - that is:
1. SQL Injection - One of the parameters in the URL is sent directly to the database without previous filtering. This is a channel for an attacker to interact directly with the database.
2. Error messages - From the error messages on the website, an attacker can find out the structure of the database. This helps hackers in selecting SQL commands to insert their code into the database thereby changing the content of the page.
How to prevent?
The best way to prevent this attack is to regularly check for website vulnerabilities. That way, these SQL injection vulnerabilities can be detected and patched before the website is hacked.
How to make your website safe
Most complex websites are often difficult to check for vulnerabilities for each page. The hacked site on Microsoft's site is just a small part of a large website that can be missed - a common error if you perform manual security auditing.
This complexity can be overcome by using an automated website application scanner such as Acunetix Web Vulnerability Scanner. With this tool you can use it to scan each parameter on the page and on the forms on your website, with hundreds of holes automatically. This will reduce the complexity and time required to perform security auditing on each website.
Using an automated website application scanner also means that anyone who performs the audit does not require a lot of technical knowledge of the web vulnerability, instead the user only needs to run the application to scan the website. and obtained error reports.
You should read it
- Viber website and database are hacked
- Top 5 steps to speed up your website
- Learn about SEO On Page
- How to design a website in Photoshop (Part 2): Create a Landing page for travel websites
- 4 tools to help build a website for beginners
- Learn about Off-Page SEO techniques
- Use the ALTER DATABASE command to migrate DATABASE in SQL Server
- A serious vulnerability on phpMyAdmin allows an attacker to destroy the database
May be interested
- Viber website and database are hackedsyrian electronic army hacker group (sea) announced that it had successfully attacked viber's website and database. sea is the hacker group that attacked the twitter accounts of major news agencies such as associated press, the guardian.
- Check out the 10 most notorious 'hacker groups' in the worldbelow is a list of the 10 most notorious 'hacker groups' in the world, the culprits behind the biggest cyber attacks in history.
- Hacker took control of the London Police Department website, posting 'unacceptable' content.the metropolitan police website has been hijacked for hours, causing almost all london police department online activities to be completely paralyzed.
- Hacker purged two-factor security just by automated phishing attackssurely many people still believe that protecting online accounts with two-factor authentication can be an effective way to fight hackers, but after the incident, we may need to think think!
- Prank websites turn you into a tech 'genius'fake hacker websites actually exist quite a lot on the internet. are you looking for a hacker simulation website to prank your friends? here are some suggestions worth trying for you.
- Microsoft warns of an increasing trend of attacks targeting firmware and worrying public indifferencethis is indeed a worrying 'lethargy', especially given the recent increase in the number of attacks targeting system software.
- Prepare the total force to respond to DDoS attacks in 2014mr. vu quoc khanh, director of vietnam computer emergency response center (vncert) said in 2014, the risk of hacker attacks by denial of service (ddos) is not ruled out.
- Lotteria Vietnam website was attacked by the notorious Anonymus hacker group?on the evening of 7/3, the website of lotteria vietnam showed signs of being attacked. when accessing the lotteria main website, users find the name and logo of the 'notorious' hacker group anonymus.
- ZIP bomb can protect websites from hackerswebsite owners can now use a tool called zip bomb to damage the port scanner, hacker website vulnerability and prevent him from accessing his website.
- How to Hire an Ethical Hackerwhen it comes to protecting your business, you can never be too careful. that's why in an age of ddos attacks and phishing, it can help to have some insurance on your side. ethical hackers, sometimes referred to as 'white hats,' possess...