SANGFOR NGFW Web-based Attack 27/09/2015
Published on Apr 18, 2014
This demo shows a hacking process against a jcsweb server and the SANGFOR NGFW's capability to defend against the intrusion.
The final objective of the intrusion is to replace the logo of a social security website with a HACKER jpg file.
To start hacking, we use the IBM Rational scanner to scan the targeted server (http://192.168.3.100/), aiming to find out the server information and loopholes that can be used for the hacking.
The scan has exposed 32 security issues on the targeted application. For this demo, we will use the SQL injection vulnerability to conduct the intrusion.
We will use Pangolin, an injection tool that takes advantage of SQL injection vulnerabilities in web applications.
As we can see, it has already managed to map the website and retrieve the database, obtaining the sensitive database information of users, passwords and phone numbers. This is the initial stage of the intrusion.
To go further, we will use this user information to log into the website.
Go to the homepage and use a retrieved username and password to log in to the website and gain user access privileges.
The next step for us is to upload a webshell Trojan, "xiaofan", to the website.
Since we are uploading the file under an authorized user identity, "zhangshan", and the website apparently does not restrict the file format, we manage to upload the Trojan file without being detected or blocked.
The Trojan uploaded to the website gives control of the server: it can read and retrieve files and paths, and further tamper with, upload or download files on the website that hosts it.
Now the process is fairly simple. The next step for us is to log into the uploaded Trojan.
Using the hosted Trojan, upload the "hacker" file to the website and rename it "header.jpg", which is supposed to be the picture file of the website's logo.
Now we should have managed to tamper with the website's logo.
Go to the targeted website; it is confirmed that the website has been hacked.
The above demo showed the entire process of a cyber-attack. Next, we will show how SANGFOR NGFW can help to prevent the intrusion.
To start over, we restore the website to its original status.
To facilitate the demo, we don't remove the Trojan, but rename the tampered header.jpg back to hacker.jpg, so that the original header file works again and the website returns to normal.
Go to SANGFOR NGFW and enable WAF protection for this server and portal application, including OWASP Top 10 threat prevention and all the server protection techniques of application hiding, password protection, privilege, HTTP, website scan prevention, etc.
Start the hacking process again from the website scan.
The scan has obviously been blocked by the SANGFOR NGFW, with the IBM Rational scanner showing a communication problem.
Go to the SANGFOR NGFW dashboard to check the detailed information about the scanning attack.
The number of attacks, the type, the threatened server, the attacker's source IP and the action SANGFOR NGFW took have already been logged.
The scan has failed.
However, we can still attempt the injection, since we already know the server has a SQL injection vulnerability.
But since the NGFW prevention has been enabled, it won't succeed; the tool simply shows as paused here.
Go to SANGFOR NGFW and confirm that the injection has been detected and blocked; the log shows the details of this attack.
The SQL injection has failed.
However, since the Trojan file is still left on the web server, the hacker can still try to tamper with the web page using this existing Trojan file.
To prevent the tampering, enable the website anti-defacement function of SANGFOR NGFW.
Now go to the Trojan file and perform the same website-tampering action as we did previously.
We can see that although the file has been tampered with, the website remains unchanged; in other words, the hacker failed to deface the website.
This is because the SANGFOR NGFW has detected the tampering intrusion and intelligently served the original website that it has cached, avoiding damage even when the hackers succeed in intruding into the website.
The NGFW log has also directly pinpointed the tampered file for the IT admin's further action and prevention.
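The anti-defacement step above rests on one idea: keep a trusted copy and a hash baseline of the web content, and when a served file no longer matches, flag it and fall back to the trusted copy. The following added example (not code from the demo or from SANGFOR) shows that check in miniature: it baselines a constructed web root containing a header.jpg, simulates the logo being overwritten, and detects and restores the file; all paths and file contents are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(web_root, cache_dir):
    """Hash every file under web_root and keep a pristine copy in cache_dir."""
    baseline = {}
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, web_root)
            dst = os.path.join(cache_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)          # trusted copy, like the NGFW cache
            baseline[rel] = sha256_of(src)
    return baseline

def check_and_restore(web_root, cache_dir, baseline):
    """Return the relative paths whose hash changed; restore each from the cache."""
    tampered = []
    for rel, expected in baseline.items():
        live = os.path.join(web_root, rel)
        if not os.path.exists(live) or sha256_of(live) != expected:
            tampered.append(rel)            # log this path for the admin
            shutil.copy2(os.path.join(cache_dir, rel), live)
    return tampered

def demo():
    """Constructed scenario: the logo file is overwritten, detected and restored."""
    root = tempfile.mkdtemp()
    cache = tempfile.mkdtemp()
    logo = os.path.join(root, "header.jpg")
    with open(logo, "wb") as f:
        f.write(b"\xff\xd8\xff original logo bytes (constructed)")
    baseline = build_baseline(root, cache)
    with open(logo, "wb") as f:             # simulate the defacement
        f.write(b"\xff\xd8\xff HACKER image bytes (constructed)")
    tampered = check_and_restore(root, cache, baseline)
    restored = sha256_of(logo) == baseline["header.jpg"]
    return tampered, restored
```

Note that a hash baseline only covers files that existed when it was taken; a file added later, such as the uploaded webshell the demo leaves in place, is not in the baseline and needs a separate check for unexpected new files.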
The above has shown the SANGFOR NGFW's prevention of the threats of website scanning, SQL injection and website tampering.
However, one key step of the hack is uploading the Trojan to the website, and that is also a crucial part of SANGFOR NGFW's prevention.
Next, we will demo how SANGFOR NGFW can block Trojan file uploads.
As in the previous process, we log into the website using a legitimate user identity and upload the same Trojan file we used previously.
However, since the SANGFOR NGFW protection has been enabled, it won't succeed.
Go to the SANGFOR NGFW dashboard: the webshell threat has been detected and logged, including the weak password threat we have just used: "zhangshan, password".