Trinity Second Place Winner

 

By Joe Klein, CISSP NSA-IAM

Years before, Trinity was browsing government sites and ran into the IRS
site. She went to
http://news.netcraft.com/ and entered in www.irs.gov
to find what type of web server was used. She found that it was
Microsoft IIS 5 server and last change date was 2000, before the
"Trusted Microsoft" ad campaign was launched.

With a twinkle in her eyes, and a computer on her lap, she started
looking for the one asp that would give her access to IRS records.
Quickly jumping in to the advanced search features of goggle, typing in
asp, entering the domain of "irs.gov", she found a list of the asp's on
that server. Searching the list she found pay dirt, irsfile.asp.

Using the proxy features in AltaVista babble fish, she decides to see if
the systems at the IRS were vulnerable to SQL injection. She looked at
the source code of the webpage. After a short time, she realized that
the HTML field name "username" field was required to do a search.

Knowing that an un-secured SQL server would allow execution of
xp_cmdshell, she decided that, the best way to test for the
vulnerability was to ping a system she know was up. That server, would
be the server of the agency, where agent Smith worked.

Entered the command
"irsfile.asp?username='test';+exec+master..xp_cmdshell+'ping+209.171.43.
28';--"
She receives a result. Yes, she thought, this could be very good.

Further review of the irsfile.asp, she found the name of the database
irs_dbase and name of the table she was looking for. No, she thought, it
could not be true; the web developers included this information in the
html. She shook her head, laughed and went on.

Now it was time to find out the names of the fields, in the table, she
quickly typed
irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1'+FROM+irs_dbase
..sysobjects+WHERE+xtype+=+'U';-- Yes, again this was just too easy.

The fields revealed themselves easily. Time for the payoff, she thought.
Its time to find Neo! Knowing his last name was Anderson, she formed the
SQL injection statement:

irsfile.asp?username='Trinity'+UNION+SELECT+phone_number+FROM+irs_dbase.
.account+WHERE+taxpayer_lastname+=+'Anderson';--

There it was, the phone number she was looking for, 555.555.6366

Her job was done, but she had to tell someone. So she went on to #hack
IRC and logged on with the handle Trinity. This name, she thought, would
make people think it was a guy that perpetrated this hack.

With 100's of people listening in, she boldly stated, "I hacked the IRS
D-Base". Suddenly she was disconnected. It was just a twist of fait,
that a hacker called Neo was on-line and had read this strange posting.