Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Transcript of Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Vulnerabilities in Web – difficulties
(masterclass)
Greetings
Questions to discuss
• HTTP Verb Tampering
• Fragmented SQL Injections
• HTTP Parameter Pollution
• Reversed encryption
HTTP Verb Tampering
HTTP Verb Tampering is an error in access control for HTTP methods.
• Administration error
• Particular case – vendor's error
HTTP Verb Tampering
What’s the method?
HTTP Verb Tampering
Why?
HTTP Verb Tampering
Exploitation
• Real-life example (JBoss Auth Bypass)
HTTP Verb Tampering
Exploitation
• Practical task http://stat.local/
.htaccess file
Result of GET request
Result of HACK request
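The .htaccess case above, as an added example that is not part of the masterclass: a small Python model of the Apache `<Limit>` / `<LimitExcept>` semantics, showing why a restriction written only for GET and POST does not cover an arbitrary verb such as HACK. The .htaccess fragments, the .htpasswd path and the function name are constructed here.

```python
# Added example, not the masterclass's material: a small model of the Apache
# <Limit> / <LimitExcept> semantics behind a bypassable .htaccess method
# restriction. The .htaccess fragments and the .htpasswd path are constructed.
import re

def auth_applies(htaccess):
    """Return a predicate method -> bool: do the auth rules in `htaccess`
    apply to that method? (Apache semantics as modelled here.)"""
    m = re.search(r"<(Limit|LimitExcept)\s+([^>]+)>", htaccess)
    if not m:                          # no container: rules apply to every method
        return lambda method: True
    listed = {v.upper() for v in m.group(2).split()}
    if "GET" in listed:                # Apache also restricts HEAD when GET is listed
        listed.add("HEAD")
    if m.group(1) == "Limit":          # only the listed methods are protected
        return lambda method: method.upper() in listed
    return lambda method: method.upper() not in listed

# Weak: the administrator only thought of GET and POST, so an arbitrary
# verb such as HACK reaches the resource without authentication.
WEAK = """AuthType Basic
AuthName "stat"
AuthUserFile /placeholder/path/.htpasswd
<Limit GET POST>
  Require valid-user
</Limit>"""

# Fixed: no <Limit> container, so Require valid-user covers every method.
FIXED = WEAK.replace("<Limit GET POST>\n", "").replace("\n</Limit>", "")
```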
Fragmented SQL Injections
SQL injection is a vulnerability caused by incorrect processing of input data by the application. User data passed through the web application is modified so as to change the SQL request, which is then used for exploitation.
• Insufficient data filtering
Fragmented SQL Injections
What’s the method?
Do not forget correct filtering!
Structure of a valid request (MySQL database)
INSERT INTO table1 (c1,c2) VALUES ('value1','value2');
Here is a valid request with injected SQL commands
INSERT INTO table1 (c1,c2) VALUES ('a\' , ', user()); -- 1');
Fragmented SQL Injections
Why?
If the backslash ("\") is not filtered, an attacker can use it to escape the next symbol, a single or double quote, in the database request, so that it is no longer interpreted as the string terminator.
The following is required to exploit the vulnerability: the request should include more than one string variable.
Remember: it is necessary to filter not only user data, but also data received from the database.
Fragmented SQL Injections
Exploitation
• Real-life example (Coppermine Photo Gallery <= 1.4.19)
GET, POST, REQUEST – the "\" symbol is not filtered.
You can specify "\" in the email parameter.
Exploitation is possible via a subsequent (child) request to the database when you try to access system features after authorization.
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/index.php
«Bug tracking system for source code».
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/add.php
Vulnerable code (add.php file):
if (isset($_POST['code']) && isset($_POST['fix'])) {
    $code = htmlspecialchars($_POST['code']);   // htmlspecialchars() leaves the backslash untouched
    $fix  = htmlspecialchars($_POST['fix']);
    ….
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}
Database request looks as follows:
INSERT INTO track (bug,fix) VALUES ('value1','value2');
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/add.php
Vulnerable code (add.php file):
if (isset($_POST['code']) && isset($_POST['fix'])) {
    $code = htmlspecialchars($_POST['code']);   // htmlspecialchars() leaves the backslash untouched
    $fix  = htmlspecialchars($_POST['fix']);
    ….
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}
Database request looks as follows:
INSERT INTO track (bug,fix) VALUES ('value1\', ', user()) -- 1');
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/view.php
Vulnerable code (add.php file):
if (isset($_POST['code']) && isset($_POST['fix'])) {
    $code = htmlspecialchars($_POST['code']);   // htmlspecialchars() leaves the backslash untouched
    $fix  = htmlspecialchars($_POST['fix']);
    ….
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}
As a result, the fix column of the track table contains the result of the user() function.
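The add.php case above, traced as an added example that is not the masterclass's own code: build_query() mirrors the slide's string concatenation with either the original htmlspecialchars() filter or a MySQL-style escape, and parse_values() is a tiny model of how the server splits the VALUES list. Function names and inputs are constructed; the payload is the one from the slide.

```python
# Added example, not the masterclass's code: why htmlspecialchars() in
# add.php does not stop the fragmented injection. build_query() mirrors the
# slide's concatenation; parse_values() models how the server splits
# VALUES (...). All inputs are constructed.
def htmlspecialchars(s):
    """PHP default: encodes & < > and " only; backslash and ' pass through."""
    for a, b in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")):
        s = s.replace(a, b)
    return s

def mysql_escape(s):
    """Escape what can end or alter a MySQL string literal (the missing filter)."""
    for a, b in (("\\", "\\\\"), ("'", "\\'"), ("\0", "\\0"), ("\n", "\\n")):
        s = s.replace(a, b)
    return s

def build_query(code, fix, escape):
    return "INSERT INTO track (bug,fix) VALUES ('%s','%s')" % (escape(code), escape(fix))

def parse_values(query):
    """Split VALUES (...) the way MySQL reads it: a backslash escapes the
    next character inside a literal, '-- ' starts a comment outside one."""
    i = query.index("VALUES (") + 8
    items, cur, kind, in_str, depth = [], "", None, False, 0
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":                       # keep escaped char, stay in literal
                cur, i = cur + query[i + 1], i + 2
                continue
            in_str = ch != "'"
            cur += ch if in_str else ""
        elif ch == "'":
            in_str, kind = True, "str"
        elif query.startswith("-- ", i):         # rest of the line is a comment
            break
        elif ch in ",)" and depth == 0:          # one value finished
            items.append((kind, cur.strip()))
            cur, kind = "", None
            if ch == ")":
                break
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
            kind = kind or ("expr" if not ch.isspace() else None)
        i += 1
    return items

# Slide payload (constructed form fields): backslash in code, SQL fragment in fix.
CODE, FIX = "value1\\", ", user()) -- 1"
VULN = parse_values(build_query(CODE, FIX, htmlspecialchars))  # fix column = user()
SAFE = parse_values(build_query(CODE, FIX, mysql_escape))      # two plain strings
```

Escaping the backslash is the minimum; a prepared statement with bound parameters removes the concatenation altogether.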
HTTP Parameter Pollution
HTTP Parameter Pollution is a vulnerability caused by different platforms (web server and web application language) processing a sequence of HTTP request parameters with the same name differently.
HTTP Parameter Pollution
Technology / Environment                      Interpretation of parameters   Example
ASP.NET/IIS                                   Joined with a comma            par1=val1,val2
ASP/IIS                                       Joined with a comma            par1=val1,val2
PHP/Apache                                    Last parameter wins            par1=val2
PHP/Zeus                                      Last parameter wins            par1=val2
JSP, Servlet/Apache Tomcat                    First parameter wins           par1=val1
JSP, Servlet/Oracle Application Server 10g    First parameter wins           par1=val1
JSP, Servlet/Jetty                            First parameter wins           par1=val1
IBM Lotus Domino                              First parameter wins           par1=val1
IBM HTTP Server                               Last parameter wins            par1=val2
mod_perl, libapreq2/Apache                    First parameter wins           par1=val1
Perl CGI/Apache                               First parameter wins           par1=val1
mod_perl/Apache                               First parameter wins           par1=val1
mod_wsgi (Python)/Apache                      Returns an array               ARRAY(0x8b9058c)
Python/Zope                                   First parameter wins           par1=val1
IceWarp                                       Returns an array               ['val1','val2']
AXIS 2400                                     Last parameter wins            par1=val2
Linksys Wireless-G PTZ Internet Camera        Joined with a comma            par1=val1,val2
Ricoh Aficio 1022 Printer                     Last parameter wins            par1=val2
webcamXP Pro                                  First parameter wins           par1=val1
DBMan                                         Joined with two tildes         par1=val1~~val2
HTTP Parameter Pollution
For PHP as the web application language.
An interesting setting is variables_order in the php.ini configuration file (it defines the order in which request variables are processed).
Why is it interesting?
GET /?id=1
Cookie: id=2
Result:
$_GET['id']=1
$_REQUEST['id']=2
The frequent error in request processing: $_GET is checked, but the value is taken from $_REQUEST.
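The duplicate-name policies from the table and the $_GET / $_REQUEST mismatch above, as one added example that is not the masterclass's own code: a Python model of how PHP fills $_GET and $_REQUEST, with the buggy handler beside a fixed one. Request data are constructed, and the `order` string assumes the slide's configuration where cookies are registered after GET (later sources overwrite earlier ones).

```python
# Added example, not the masterclass's code: a model of how PHP fills $_GET
# and $_REQUEST, plus the duplicate-name policies from the table, to show
# the "$_GET is checked, $_REQUEST is used" bug. Request data are
# constructed; `order` mimics variables_order (later sources overwrite).
from urllib.parse import parse_qsl

def parse_params(query, policy="last"):
    """Collapse duplicate parameter names as the listed platforms do."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    if policy == "first":                  # Tomcat, Perl CGI, ...
        return {k: v[0] for k, v in seen.items()}
    if policy == "comma":                  # ASP.NET/IIS: par1=val1,val2
        return {k: ",".join(v) for k, v in seen.items()}
    if policy == "array":                  # IceWarp: ['val1','val2']
        return dict(seen)
    return {k: v[-1] for k, v in seen.items()}   # PHP/Apache: last wins

def php_superglobals(query, post, cookies, order="GPC"):
    """Return ($_GET, $_REQUEST); $_REQUEST layers the sources in `order`,
    so with cookies after GET a Cookie: id=2 overrides ?id=1."""
    sources = {"G": parse_params(query), "P": parse_params(post), "C": dict(cookies)}
    request = {}
    for letter in order:
        request.update(sources[letter])
    return sources["G"], request

def buggy_handler(get, request):
    """Validates $_GET['id'] but then reads the value from $_REQUEST."""
    if not get.get("id", "").isdigit():
        return None
    return request["id"]                  # may not be the value validated

def fixed_handler(get, request):
    """Validate and use the same source."""
    value = get.get("id", "")
    return value if value.isdigit() else None

# GET /?id=1 with Cookie: id=not-a-number (constructed request)
GET, REQUEST = php_superglobals("id=1", "", {"id": "not-a-number"})
BUGGY, FIXED = buggy_handler(GET, REQUEST), fixed_handler(GET, REQUEST)
```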
HTTP Parameter Pollution
Exploitation
• Real-life example (www.blogger.com blog service)
Vulnerability reported as part of the «Rewarding web application security research» program.
Error in input processing: the first suitable value is checked, but the last one ends up in the result.
Supposedly, the vulnerability is in the QUERY_STRING check followed by variable declaration from the array of data received in the request.
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/index.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/register.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/invite.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/invite.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/invite.php
gpc_order (php.ini) – "GPC"
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/add.php
Reversible Encryption
Reversible encryption in web applications is potentially insecure, since an attacker can use it in:
• Exploitation of an SQL Injection vulnerability;
• Information disclosure (database dump);
• Arbitrary file reading;
• and so on.
Reversible Encryption
Exploitation
• Practical task
http://portal.local
Reversible Encryption
Exploitation
• Practical task
http://portal.local
Reversible Encryption
Exploitation
• Practical task
http://portal.local
Reversible Encryption
Exploitation
• Practical task
http://portal.local/news.php
Reversible Encryption
Exploitation
• Practical task
http://portal.local/news.php
Reversible Encryption
Exploitation
• Practical task
http://portal.local/news.php
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
http://portal.local/xor_tool/
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
FAILED.
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
1. “test” user with “12345678910qwerty” password
2. test : UFBQR1FQRk9cQ0QIFgcRBx0=
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
http://portal.local/xor_tool/
Instead of conclusions
What’s next?
Try to do practical tasks
Take part in competitions