“can we deface your web in 10 mins?” - edu 3.4
TRANSCRIPT
Knownsec Hong Kong
Can we deface your Web in 10 mins?
News
Ref: http://hk.on.cc/hk/bkn/cnt/news/20150708/bkn-20150708133226995-0708_00822_001.html
News
Ref: http://abcnews.go.com/US/ny-high-school-students-accused-hacking-computer-system/story?id=34617530
News
Ref: http://www.appledaily.com.tw/realtimenews/article/new/20151024/718116/
Some Common Hacking Incidents
• Defacement • Changing the look of the website – e.g. hackers break into into
the web server and modify the content
• Stealing Information • Getting some sensitive information (e.g. exam paper) because
they are not properly protected
Ref: https://www.pinoyhacknews.com/web-hacking-terms-what-is-website-defacedefacement
• Modifying Information • E.g. Hackers break into the server / through websites
vulnerability to modify the database content, like school grades
• Upload Trojan / Shell • Hackers upload a backdoor to control the webserver, they can
change website content, spread virus, make webserver as zombie, etc…
• Etc…
Ref: http://vanish.org/t/images/bot1.jpg
Some Common Vulnerabilities
• SQL Injection • A website vulnerability that allow hackers to input gain access
to database or even execute commands, e.g. dump database, modify content, upload files
• Vulnerable Components
• Using some vulnerable software like outdated CMS, vuln version of Wordpress plugin, old web servers (e.g. webdav exploit)…
Ref: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
• Sensitive Files • Important files are not properly protected, e.g. simply putting
them to be internet accessible
• Weak Passwords • Using weak password like 000000 and no brute force
protection
Demo – Can we deface your Web in 10mins?
• There is a sample Educational Website
Can we deface your Web in 10mins?
• Hacking in progress… • Browsing the website
• Finding vulnerabilities
• Uploading a shell…
• Defacing the homepage…
Can we deface your Web in 10mins? – Yes!!
What did the hacker do?
• Browsing the website • Got interesting directories: /intranet
• Have to login?
• Got an interesting page: /intranet/fck.php using FKCEditor?
• Finding vulnerabilities • Bypass login by SQL Injection…
• Misconfigured FCKEditor, a vulnerable component J
• Uploading a shell… • A file that can control the website
• Defacing the homepage… • Mission completed
Tips
• Do security assessment on your websites • Websites vulnerabilities
• Servers configuration
• Apply countermeasures if necessary
• Improve security awareness • Be aware of the news about the technology that the school is
using
• Education
Thank you!