Trinity Runner Up C

 

By Camillo Särs

Agent Smith quickly determined what really had happened. He mentally
filed
Nick into his "dangerous, creative fools" category, and told his agents to
be
really careful when watching Nick.

Agent Smith immediately recognized the first set of user input:


irsfile.asp?username='test';+exec+master..xp_cmdshell+'ping+209.171.43.28';--

Here the attacker probed a vulnerable ASP application called "irsfile" by
launching the "ping" command against ip address 209.171.43.28. This was
done
using a technique called "SQL injection", and even more connivingly, by
using
it to actually launch a command in a cmd prompt. Apparently the username
"test" had some privileges it should not have.

As the attacker continued, the probe evidently caused ICMP ping packets to
be
sent to that ip address. Agent Smith immediately dispatched Special Agent
Dogbert to trace down the address and submit the moronic attacker to the
disabling inquiries only Special Consultant Agents such as Dogbert can
mount.
Leaving this clear traces would not be tolerated. Good thing Nick didn't
grasp the situation.

The following line was interesting:

irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1'+FROM+
irs_dbase..sysobjects+WHERE+xtype+=+'U';--

Here the attacker did a UNION of user names and rows in the system objects
table, to retrieve a result table which showed which user names had what
privileges in the database. Once the attacker had this table, his next
task
would be to pick a user with sufficient privileges to retrieve further
information from the database. "test" apparently did not have all the
necessary privileges, but just enough for the attacker to elevate his
privileges.

And truly, the attacker seems to have found username "Trinity" with the
desired privileges:

irsfile.asp?username='Trinity'+UNION+SELECT+phone_number+FROM+irs_dbase..acco
u nt+WHERE+taxpayer_lastname+=+'Anderson';--

Here the attacker used the "Trinity" user name to retrieve the phone
numbers
of taxpayers with the last name "Anderson". This would eventually reveal
the
phone number of Neo, something that Agent Smith knew very well. After
all,
hadn't he ordered Novice Agent Dilbert to perform the attack in an attempt
to
track down Neo? Fortunately Nick was to much of an idiot to be a threat in
this situation. It was well that he was hunting religious Chinese spys in
his union.