Description of Web injection, HTTP vulnerabilities, etc.
 

    Presentation Transcript

    • Vulnerabilities in Web – difficulties (masterclass)
    • Greetings
    • Questions to discuss
      • HTTP Verb Tampering
      • Fragmented SQL Injections
      • HTTP Parameter Pollution
      • Reversible encryption
    • HTTP Verb Tampering
      HTTP Verb Tampering is an error in access control for HTTP methods.
      • Administration error
      • Particular case – vendor’s error
    • HTTP Verb Tampering – What’s the method?
    • HTTP Verb Tampering – Why?
    • HTTP Verb Tampering – Exploitation
      • Real-life example (JBoss Auth Bypass)
    • HTTP Verb Tampering – Exploitation
      • Practical task: http://stat.local/
        .htaccess file; result of a GET request; result of a HACK request
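An added example (not from the slides) of the administration error behind the stat.local task: a constructed .htaccess that demands authentication only inside `<Limit GET POST>`, beside the fixed version, with a small model of Apache's `<Limit>`/`<LimitExcept>` semantics to show which methods each one actually protects. The `.htpasswd` path is a placeholder.

```python
import re

def build_auth_policy(htaccess: str):
    """Parse a small .htaccess and return requires_auth(method) -> bool.

    Modelled Apache semantics: a Require directive outside any section applies
    to every method; inside <Limit A B> it applies only to the listed methods;
    inside <LimitExcept A B> it applies to every method *except* those listed."""
    scopes = []        # list of (applies_to(method) -> bool, has_require)
    section = None     # [applies_to, has_require] while inside a section
    for raw in htaccess.splitlines():
        line = raw.strip()
        opener = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>", line, re.I)
        if opener:
            listed = {m.upper() for m in opener.group(2).split()}
            inside = opener.group(1).lower() == "limit"
            section = [lambda meth, s=listed, i=inside: (meth.upper() in s) == i, False]
        elif re.match(r"</(Limit|LimitExcept)>", line, re.I):
            scopes.append(tuple(section))
            section = None
        elif line.lower().startswith("require "):
            if section is None:
                scopes.append((lambda meth: True, True))
            else:
                section[1] = True

    def requires_auth(method: str) -> bool:
        return any(has_req and applies(method) for applies, has_req in scopes)
    return requires_auth

# Constructed .htaccess for the slide's stat.local task: authentication is
# demanded only for GET and POST, so any other verb (HEAD, or the slide's
# made-up "HACK" method) reaches the resource unauthenticated.
WEAK_HTACCESS = """
AuthType Basic
AuthName "stats"
AuthUserFile /placeholder/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Fixed: the Require directive sits outside any <Limit>, so it covers every
# method; <Limit> should only ever narrow a rule, never be the only rule.
FIXED_HTACCESS = """
AuthType Basic
AuthName "stats"
AuthUserFile /placeholder/.htpasswd
Require valid-user
"""
```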
    • Fragmented SQL Injections
      SQL injection is a vulnerability caused by incorrect processing of input data by the application. User data transferred via the web application is altered so as to modify the SQL request, which is then used for exploitation.
      • Insufficient data filtering
    • Fragmented SQL Injections – What’s the method?
      Do not forget correct filtering!
      Structure of a valid request (MySQL database):
        INSERT INTO table1 (c1,c2) VALUES ('value1','value2');
      Here is a valid request with injected SQL commands:
        INSERT INTO table1 (c1,c2) VALUES ('a\', ', user()); -- 1');
    • Fragmented SQL Injections – Why?
      If there is no filtering for the backslash ("\"), an attacker can escape the next symbol (a single or double quote) in the database request, so that it is no longer interpreted as the string termination symbol.
      The following is required for vulnerability exploitation: the request should include more than one string variable.
      Remember: it is necessary to filter not only user data, but also data received from the database.
    • Fragmented SQL Injections – Exploitation
      • Real-life example (Coppermine Photo Gallery <= 1.4.19)
        GET, POST, REQUEST – the "\" symbol is not filtered. You can specify "\" in the email parameter. Exploitation is possible via a child request to the database when you try to access system features after authorization.
    • Fragmented SQL Injections – Exploitation
      • Practical task: http://tracker.local/index.php («Bug tracking system for source code»)
    • Fragmented SQL Injections – Exploitation
      • Practical task: http://tracker.local/add.php
        Vulnerable code (add.php file):
          if (isset($_POST['code']) && isset($_POST['fix'])) {
              $code = htmlspecialchars($_POST['code']);   // escapes HTML characters only, not the backslash
              $fix  = htmlspecialchars($_POST['fix']);
              ….                                         // (omitted on the slide)
              mysql_query("INSERT INTO track (bug,fix) VALUES (".$code.",".$fix.")");
          }
        The database request looks as follows:
          INSERT INTO track (bug,fix) VALUES ('value1','value2');
      • Practical task: http://tracker.local/add.php
        With the injected values, the database request looks as follows:
          INSERT INTO track (bug,fix) VALUES ('value1\', ', user()) -- 1');
      • Practical task: http://tracker.local/view.php
        As a result, the fix column of the track table contains the value returned by the user() function.
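An added example (my own code, not the slides' add.php) that replays the tracker.local task: it assembles the INSERT the way add.php does, first with an htmlspecialchars()-style escape and then with backslash-aware escaping, and walks each query with MySQL's string-literal rules to show which characters reach the parser as SQL. It assumes the elided part of add.php wraps each value in single quotes, as the resulting query on the slide shows.

```python
def php_htmlspecialchars(s: str) -> str:
    """PHP htmlspecialchars() with its old default flags (ENT_COMPAT): it
    escapes & < > and the double quote, but neither ' nor the backslash."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def mysql_escape(s: str) -> str:
    """The characters that matter here, escaped the way mysql_real_escape_string()
    does: a backslash is put before the backslash itself and both quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def build_insert(code: str, fix: str, escape) -> str:
    """Mirror of the slide's add.php (assumption: its elided part wraps each
    value in single quotes, as the resulting query on the slide shows)."""
    return "INSERT INTO track (bug,fix) VALUES ('%s','%s')" % (escape(code), escape(fix))

def outside_string_literals(sql: str) -> str:
    """Return only the characters MySQL treats as SQL, dropping the contents of
    single-quoted literals.  Inside a literal a backslash escapes the next
    character and '' is a literal quote.  A trailing backslash in the first
    value therefore swallows its closing quote, and the second value's opening
    quote closes the first literal instead: the rest of value two is SQL."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\" or (c == "'" and sql[i + 1:i + 2] == "'"):
                i += 2                      # escaped character: stays string data
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)

# The two values from the slide: code = a\   fix = , user()) -- 1
PAYLOAD_CODE, PAYLOAD_FIX = "a\\", ", user()) -- 1"

def injected(escape) -> bool:
    """True when part of the submitted values reached the parser as SQL code."""
    query = build_insert(PAYLOAD_CODE, PAYLOAD_FIX, escape)
    return "user()" in outside_string_literals(query)
```

Parameterised queries make the escaping question disappear altogether; the escape-based fix is shown because it is the one the slide's code could adopt with the smallest change.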
    • HTTP Parameter Pollution
      HTTP Parameter Pollution is a vulnerability caused by different platforms (web server and web application language) processing a sequence of HTTP request parameters with the same name differently.
    • HTTP Parameter Pollution
      Technology/Environment                       Interpretation of parameters    Example
      ASP.NET/IIS                                  Binding via comma               par1=val1,val2
      ASP/IIS                                      Binding via comma               par1=val1,val2
      PHP/Apache                                   Last parameter is the result    par1=val2
      PHP/Zeus                                     Last parameter is the result    par1=val2
      JSP, Servlet/Apache Tomcat                   First parameter is the result   par1=val1
      JSP, Servlet/Oracle Application Server 10g   First parameter is the result   par1=val1
      JSP, Servlet/Jetty                           First parameter is the result   par1=val1
      IBM Lotus Domino                             First parameter is the result   par1=val1
      IBM HTTP Server                              Last parameter is the result    par1=val2
      mod_perl, libapreq2/Apache                   First parameter is the result   par1=val1
      Perl CGI/Apache                              First parameter is the result   par1=val1
      mod_perl/Apache                              First parameter is the result   par1=val1
      mod_wsgi (Python)/Apache                     Returns an array                ARRAY(0x8b9058c)
      Python/Zope                                  First parameter is the result   par1=val1
      IceWarp                                      Returns an array                [val1,val2]
      AXIS 2400                                    Last parameter is the result    par1=val2
      Linksys Wireless-G PTZ Internet Camera       Binding via comma               par1=val1,val2
      Ricoh Aficio 1022 Printer                    Last parameter is the result    par1=val2
      webcamXP Pro                                 First parameter is the result   par1=val1
      DBMan                                        Binding via 2 tildes            par1=val1~~val2
    • HTTP Parameter Pollution
      Concerning the PHP web application language: an interesting variable, variables_order, in the php.ini configuration file (it establishes the order of variable processing). Why is it interesting?
        GET /?id=1
        Cookie: id=2
      As a result:
        $_GET['id'] = 1
        $_REQUEST['id'] = 2
      The frequent error in request processing: $_GET is checked, but the value is taken from $_REQUEST.
    • HTTP Parameter Pollution – Exploitation
      • Real-life example (www.blogger.com blog service)
        Vulnerability found as a part of the «Rewarding web application security research» program.
        Error in input settings processing: the first suitable value is checked, but the result includes the last one.
        Supposedly, the vulnerability is in the QUERY_STRING check and then in the variable declaration made via the array data received in the request.
    • HTTP Parameter Pollution – Exploitation
      • Practical task: http://blogger.local/index.php
      • Practical task: http://blogger.local/register.php
      • Practical task: http://blogger.local/invite.php
      • Practical task: http://blogger.local/invite.php – gpc_order (php.ini): "GPC"
      • Practical task: http://blogger.local/add.php
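An added example (my own code, not from the slides or from PHP) serving both the platform table and the php.ini slides: a query parser that applies each platform's first/last/comma/array rule to repeated names, a model of how `$_REQUEST` is merged in gpc_order "GPC" so a cookie overrides `?id=`, and the "check $_GET, use $_REQUEST" mistake beside its fix. The id-lookup handlers and the allowed-id set are hypothetical.

```python
from urllib.parse import parse_qsl

# How the platforms in the slide's table resolve ?par1=val1&par1=val2.
POLICIES = {
    "first": lambda vals: vals[0],           # JSP/Tomcat, Perl CGI, Python/Zope, ...
    "last":  lambda vals: vals[-1],          # PHP/Apache, IBM HTTP Server, ...
    "comma": lambda vals: ",".join(vals),    # ASP.NET/IIS, ASP/IIS
    "array": lambda vals: list(vals),        # mod_wsgi, IceWarp
}

def parse_query(qs: str, policy: str) -> dict:
    """Group repeated names, then apply one platform's resolution policy."""
    grouped = {}
    for name, value in parse_qsl(qs, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return {name: POLICIES[policy](values) for name, values in grouped.items()}

def php_request(get: dict, post: dict, cookie: dict, order: str = "GPC") -> dict:
    """Model of PHP's $_REQUEST: the sources are merged in variables_order /
    gpc_order, each later source overwriting earlier keys, so with "GPC"
    a cookie named id overrides ?id= in the URL (the slide's example)."""
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in order.upper():
        merged.update(sources[letter])
    return merged

def vulnerable_lookup(get, post, cookie, allowed_ids):
    """The slide's frequent error: $_GET['id'] is validated, but the value
    actually used comes from $_REQUEST, where a cookie can replace it."""
    if get.get("id") not in allowed_ids:
        return None
    return php_request(get, post, cookie).get("id")

def fixed_lookup(get, post, cookie, allowed_ids):
    """Read the parameter from one source only and act on the value checked."""
    value = get.get("id")
    return value if value in allowed_ids else None
```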
    • Reversible Encryption
      Reversible encryption in web applications is potentially insecure, as it can be used by attackers in:
      • Exploitation of an SQL Injection vulnerability;
      • Information disclosure (database dump);
      • Arbitrary file reading;
      • and so on.
    • Reversible Encryption – Exploitation
      • Practical task: http://portal.local
      • Practical task: http://portal.local/news.php
      • Practical task: http://portal.local/ – http://portal.local/xor_tool/
      • Practical task: http://portal.local/ – FAILED.
      • Practical task: http://portal.local/
        1. "test" user with "12345678910qwerty" password
        2. test : UFBQR1FQRk9cQ0QIFgcRBx0=
      • Practical task: http://portal.local/ – http://portal.local/xor_tool/
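An added example (my own code, not the portal's or the slides' xor_tool) of why the portal.local password storage fails: the stored value decodes to a repeating-key XOR of the password, so the one account whose password is known gives back the key stream, whose shortest period is the key for every other row of a dump. The scheme and the key it implies, "abcsdfqwerty", are my derivation from the slide's two sample values, not something the slide states; the salted PBKDF2 hash at the end is the replacement a defender would use.

```python
import base64
import hashlib
import hmac
import os

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encrypt_password(password: str, key: bytes) -> str:
    """The portal's scheme as recovered from the slide's sample: XOR, then base64."""
    return base64.b64encode(xor_with_key(password.encode(), key)).decode()

def decrypt_password(stored: str, key: bytes) -> str:
    return xor_with_key(base64.b64decode(stored), key).decode()

def recover_key(known_password: str, stored: str) -> bytes:
    """Why reversible storage fails: one account whose password is known
    (the slide's "test" user) XORs out the key stream, and the stream's
    shortest period is the key that decrypts every other row of a dump."""
    stream = xor_with_key(base64.b64decode(stored), known_password.encode())
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

# The slide's sample (steps 1 and 2 of the portal.local task).
SAMPLE_PASSWORD = "12345678910qwerty"
SAMPLE_STORED = "UFBQR1FQRk9cQ0QIFgcRBx0="

# Hardened alternative: a salted, slow one-way hash.  A database dump then
# yields nothing reversible, and verification needs no stored key at all.
def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```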
    • Instead of conclusions – What’s next?
      • Try to do practical tasks
      • Take part in competitions
    • Thank you for your attention! Questions? ygoltsev@ptsecurity.ru