Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Download as PPT, PDF4 likes2,637 views
The document discusses various web vulnerabilities including HTTP verb tampering, fragmented SQL injections, and HTTP parameter pollution. It provides examples of exploitation methods, practical tasks, and emphasizes the necessity of proper input data filtering and security practices. Additionally, it touches on reversible encryption vulnerabilities in web applications and encourages hands-on practice and participation in competitions.
![Fragmented SQL Injections Exploitation Practical task http://tracker.local/add.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 ’,’ value2 ’);](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-14-320.jpg)
![Fragmented SQL Injections Exploitation Practical task http://tracker.local/add.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 \ ’, ’, user() ) – 1’);](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-15-320.jpg)
![Fragmented SQL Injections Exploitation Practical task http://tracker.local/view.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } As a result, fix column in track table contents a value that is user() function result.](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-16-320.jpg)
![HTTP Parameter Pollution Technology/Environment Interpretation of parameters Example ASP.NET/IIS Binding via comma par1=val1,val2 ASP/IIS Binding via comma par1=val1,val2 PHP/APACHE Последний параметр результирующий par1=val2 PHP/Zeus Last parameter includes result par1=val2 JSP, Servlet/Apache Tomcat First parameter includes result par1=val1 JSP,Servlet/Oracle Application Server 10g First parameter includes result par1=val1 JSP,Servlet/Jetty First parameter includes result par1=val1 IBM Lotus Domino Первый параметр результирующий par1=val1 IBM HTTP Server Last parameter includes result par1=val2 mod_perl,libapeq2/Apache First parameter includes result par1=val1 Perl CGI/Apache First parameter includes result par1=val1 mod_perl/Apache First parameter includes result par1=val1 mod_wsgi (Python)/Apache Returns an array ARRAY(0x8b9058c) Pythin/Zope First parameter includes result par1=val1 IceWarp Returns an array ['val1','val2'] AXIS 2400 Last parameter includes result par1=val2 Linksys Wireless-G PTZ Internet Camera Binding via comma par1=val1,val2 Ricoh Aficio 1022 Printer Last parameter includes result par1=val2 webcamXP Pro First parameter includes result par1=val1 DBMan Binding via 2 tildes par1=val1~~val2](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-18-320.jpg)
![HTTP Parameter Pollution According to PHP web application language . An interesting variable variables_order in php.ini configuration file ( establishes variable processing ) . Why is it interesting ? GET /? id=1 Cookie: id=2 В итоге: $_GET[‘id’]= 1 $_REQUEST[‘id’]= 2 The frequent error in request processing: $_GET is checked , but the value is assigned to from $_REQUEST.](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-19-320.jpg)
![Thank you for your attention ! Questions? [email_address]](https://image.slidesharecdn.com/web-110823034235-phpapp02/85/Positive-Hack-Days-Goltsev-Web-Vulnerabilities-Difficult-Cases-40-320.jpg)
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
- 1. Vulnerabilities in Web – difficulties (masterclass)
- 2. Greetings
- 3. Questions to discuss HTTP Verb Tampering Fragmented SQL Injections HTTP Parameter Pollution Reversed encryption
- 4. HTTP Verb Tampering HTTP Verb Tampering is an error in access control for HTTP methods. Administration error Particular case – vendor’s error
- 5. HTTP Verb Tampering What’s the method ?
- 6. HTTP Verb Tampering Why ?
- 7. HTTP Verb Tampering Exploitation Real-live example ( Jboss Auth Bypass )
- 8. HTTP Verb Tampering Exploitation Practical task http://stat.local/ .htaccess file Result of GET request Result of HACK request
- 9. Fragmented SQL Injections SQL injection is an vulnerability caused by incorrect input data application processing . User data transferred via web applications are changed to modify SQL request used for exploitation . Insufficient data filtering
- 10. Fragmented SQL Injections What’s the method ? Do not forget correct filtering ! Structure of a valid request ( MySQL database ) INSERT INTO table1 (c1,c2) VALUES (‘value1’ , ’value2’ ); Here is a valid request with injected SQL commands INSERT INTO table1 (c1,c2) VALUES (‘a\’ , ’ , user() ); -- 1’);
- 11. Fragmented SQL Injections Why ? If there is no filtering for back slash ( “\” ) , an attacker can screen the next symbol by a single or double quote in database request , that do not allow to interpret it as a line termination symbol . The following is required for vulnerability exploitation : the request should include more than one string variable . Remember: it’s necessary to filter not only user data, but also data received from databases .
- 12. Fragmented SQL Injections Exploitation Real-life example ( Coppermine Photo Gallery <= 1.4.19 ) GET,POST,REQUEST – “\” symbol is not filtered . You can specify “\” in email parameter. Exploitation is possible via a child request to database when you try to access system features after authorization .
- 13. Fragmented SQL Injections Exploitation Practical task http://tracker.local/index.php « Bug tracking system for source code ».
- 14. Fragmented SQL Injections Exploitation Practical task http://tracker.local/add.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 ’,’ value2 ’);
- 15. Fragmented SQL Injections Exploitation Practical task http://tracker.local/add.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 \ ’, ’, user() ) – 1’);
- 16. Fragmented SQL Injections Exploitation Practical task http://tracker.local/view.php Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } As a result, fix column in track table contents a value that is user() function result.
- 17. HTTP Parameter Pollution HTTP Parameter Pollution is a vulnerability caused by a situation that different platforms ( web server and web application language ) process sequence of HTTP request parameters with the same names differently .
- 18. HTTP Parameter Pollution Technology/Environment Interpretation of parameters Example ASP.NET/IIS Binding via comma par1=val1,val2 ASP/IIS Binding via comma par1=val1,val2 PHP/APACHE Последний параметр результирующий par1=val2 PHP/Zeus Last parameter includes result par1=val2 JSP, Servlet/Apache Tomcat First parameter includes result par1=val1 JSP,Servlet/Oracle Application Server 10g First parameter includes result par1=val1 JSP,Servlet/Jetty First parameter includes result par1=val1 IBM Lotus Domino Первый параметр результирующий par1=val1 IBM HTTP Server Last parameter includes result par1=val2 mod_perl,libapeq2/Apache First parameter includes result par1=val1 Perl CGI/Apache First parameter includes result par1=val1 mod_perl/Apache First parameter includes result par1=val1 mod_wsgi (Python)/Apache Returns an array ARRAY(0x8b9058c) Pythin/Zope First parameter includes result par1=val1 IceWarp Returns an array ['val1','val2'] AXIS 2400 Last parameter includes result par1=val2 Linksys Wireless-G PTZ Internet Camera Binding via comma par1=val1,val2 Ricoh Aficio 1022 Printer Last parameter includes result par1=val2 webcamXP Pro First parameter includes result par1=val1 DBMan Binding via 2 tildes par1=val1~~val2
- 19. HTTP Parameter Pollution According to PHP web application language . An interesting variable variables_order in php.ini configuration file ( establishes variable processing ) . Why is it interesting ? GET /? id=1 Cookie: id=2 В итоге: $_GET[‘id’]= 1 $_REQUEST[‘id’]= 2 The frequent error in request processing: $_GET is checked , but the value is assigned to from $_REQUEST.
- 20. HTTP Parameter Pollution Exploitation Real-life example ( www.blogger.com blog service ) Vulnerability as a part of « Rewarding web application security research » program Error in input setting processing – the first suitable value is checked but result includes the last one . Supposedly, vulnerability is in QUERY_STRING check and then in variable declaration made via array data received in the request .
- 21. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/index.php
- 22. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/register.php
- 23. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/invite.php
- 24. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/invite.php
- 25. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/invite.php gpc_order (php.ini) – “GPC”
- 26. HTTP Parameter Pollution Exploitation Practical task http://blogger.local/add.php
- 27. Reversible Encryption Reversible encryption in web applications is possibly insecure as it can be used by attackers in : Exploitation of SQL Injection vulnerability ; Information disclosure ( database dump ); Arbitrary file reading ; and so on .
- 28. Reversible Encryption Exploitation Practical task http://portal.local
- 29. Reversible Encryption Exploitation Practical task http://portal.local
- 30. Reversible Encryption Exploitation Practical task http://portal.local
- 31. Reversible Encryption Exploitation Practical task http://portal.local/news.php
- 32. Reversible Encryption Exploitation Practical task http://portal.local/news.php
- 33. Reversible Encryption Exploitation Practical task http://portal.local/news.php
- 34. Reversible Encryption Exploitation Practical task http://portal.local/
- 35. Reversible Encryption Exploitation Practical task http://portal.local/ http://portal.local/xor_tool/
- 36. Reversible Encryption Exploitation Practical task http://portal.local/ FAILED.
- 37. Reversible Encryption Exploitation Practical task http://portal.local/ “ test” user with “ 123456789 1 0 qwerty” password 2. test : UFBQR1FQRk9cQ0QIFgcRBx0=
- 38. Reversible Encryption Exploitation Practical task http://portal.local/ http://portal.local/xor_tool/
- 39. Instead of conclusions What’s next? Try to do practical tasks Take part in competitions
- 40. Thank you for your attention ! Questions? [email_address]