Thursday, 14 February 2013

Finding Hidden Vhosts

(Image: A web server with no hidden vhosts)
During a recent test we observed a number of web servers that had a number of vhosts configured, only some of which were discoverable from public DNS records. Internal DNS servers were configured to resolve the remaining ‘hidden’ vhosts served by the web server.

Unfortunately, the hosts were not configured to disallow access from non-internal addresses, meaning the only thing restricting access to the ‘hidden’ vhosts was the lack of DNS resolution. To quickly enumerate configured vhosts, I wrote a small Perl script that takes two arguments - a file containing a list of IP addresses (targets), and a file containing a list of hostnames. Optionally, you can also pass a domain name to append to each hostname, allowing your hosts file to contain just common entries that can be used against any target.

./vhostchecker.pl -i ips.txt -h hosts.txt --append .cyberis.co.uk
[INFO] Read 1 IP's from file "ips.txt"
[INFO] Read 18 vhosts from file "hosts.txt"

Checking IP: 95.142.175.1 [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: staging.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: prelive.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: pre-live.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: test.cyberis.co.uk [C:301 L:233 R:http://www.cyberis.co.uk/]
Checking VHOST against 95.142.175.1: www.cyberis.co.uk [C:200 L:14496]

The script will show the differing responses between requests, and the length of each, allowing you to quickly identify vhosts of interest, regardless of whether there is an associated DNS entry. If you find something, just be sure to create a static host entry before viewing in a browser!
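To show the comparison the script makes, here is an added Python example (not the Perl script linked below): it sends the same request to one address with different Host headers and flags names whose (status, length, Location) signature differs from the bare-IP baseline. The example.test names and canned responses are constructed so it runs offline; `http_fetch` is the real-request variant.

```python
import http.client


def http_fetch(ip, host, timeout=5):
    """GET / from ip with an explicit Host header; return (code, body length, Location)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-audit"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, len(body), resp.getheader("Location")
    finally:
        conn.close()


def check_vhosts(ip, hosts, append="", fetch=http_fetch):
    """Baseline = request by bare IP (the server's default vhost); then each name."""
    baseline = fetch(ip, ip)
    results = {h + append: fetch(ip, h + append) for h in hosts}
    return baseline, results


def interesting(baseline, results):
    """Names that the server treats differently from its default vhost."""
    return sorted(name for name, sig in results.items() if sig != baseline)


# Constructed responses for an offline run (not real servers): unknown names get the
# catch-all 301 to www; the public site and one undisclosed vhost answer 200 directly.
DEFAULT_RESPONSE = (301, 233, "http://www.example.test/")
FAKE_RESPONSES = {
    "www.example.test": (200, 14496, None),
    "intranet.example.test": (200, 5120, None),
}


def fake_fetch(ip, host):
    return FAKE_RESPONSES.get(host, DEFAULT_RESPONSE)


if __name__ == "__main__":
    base, res = check_vhosts("203.0.113.10", ["staging", "www", "intranet"],
                             ".example.test", fetch=fake_fetch)
    print("Baseline:", base)
    for name, (code, length, loc) in res.items():
        tag = " <-- differs" if (code, length, loc) != base else ""
        print(f"{name}: C:{code} L:{length} R:{loc}{tag}")
```

Any name flagged by `interesting` that is not in public DNS is a vhost the server answers for by Host header alone, which is exactly the exposure the post describes.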

Any feedback, improvements or comments, please use the comments field below.

Source code available here: http://www.cyberis.co.uk/downloads/vhostchecker.pl

Common vhosts file available here: http://www.cyberis.co.uk/downloads/commonvhosts.txt

SQL Injection with UNION SELECT

Cyberis exhibited at the CEE Cyber and Information Security Showcase, Vienna, Austria on 13th February and 14th February 2013.

At the event we featured a 10-minute web application hacking demonstration, illustrating the retrieval of sensitive data from a vulnerable e-commerce application.

The technique used was a ‘UNION SELECT’ attack, whereby the attacker first identifies the injection point, then forms a syntactically correct UNION statement to retrieve arbitrary information from the database - in this case valid user credentials for the application from the 'customers' table.

A 'UNION SELECT' attack is the favoured exploitation method in this particular case, as error messages are limited (no opportunity to retrieve information from the messages themselves) and a time-based injection is prohibitively slow. This method allows multiple rows and columns to be retrieved in one query by using the ‘group_concat’ function.

Some of the highest profile attacks of 2012 were attributed to SQL Injection attacks. The demonstration clearly shows how poor input validation can lead to wholesale abuse of an application.

Cyberis will be releasing a set of ‘patches’ for OSCommerce over the coming weeks, allowing you to reconstruct the vulnerable HackMe Store application in your own test lab. Other common OWASP vulnerabilities will also be included, such as cross-site scripting, inadequate access controls and several session management issues.