Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Transcript of Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Vulnerabilities in Web – difficulties
(masterclass)
Greetings
Questions to discuss
• HTTP Verb Tampering
• Fragmented SQL Injections
• HTTP Parameter Pollution
• Reversible encryption
HTTP Verb Tampering
HTTP Verb Tampering is an error in access control for HTTP methods.
• Administration error
• Particular case – vendor’s error
HTTP Verb Tampering
What’s the method?
HTTP Verb Tampering
Why?
HTTP Verb Tampering
Exploitation
• Real-life example (JBoss Auth Bypass)
HTTP Verb Tampering
Exploitation
• Practical task http://stat.local/
[Screenshots: .htaccess file; result of GET request; result of HACK request]
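As an added illustration (not from the slides), the administration error in a .htaccess file, assuming Basic authentication and a placeholder password file: the weak form restricts the Require directive to two methods, the fixed form applies it to every method.

```apache
# Weak .htaccess: the Require applies only to GET and POST (HEAD counts as
# GET), so a request with any other method reaches the resource unauthenticated.
<Limit GET POST>
    AuthType Basic
    AuthName "Statistics"
    AuthUserFile /PLACEHOLDER/path/to/.htpasswd
    Require valid-user
</Limit>

# Fixed: keep access control outside any <Limit> section so that it covers
# every method. If some methods really must be treated differently, use
# <LimitExcept>, which names the exempt methods instead of the protected ones.
AuthType Basic
AuthName "Statistics"
AuthUserFile /PLACEHOLDER/path/to/.htpasswd
Require valid-user
```

The vendor case on the slides has the same shape: a security constraint that enumerates the protected HTTP methods leaves every method it does not name unprotected.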
Fragmented SQL Injections
SQL injection is a vulnerability caused by incorrect processing of input data by the application. User data passed through the web application is altered so as to modify the SQL query, which is then used for exploitation.
• Insufficient data filtering
Fragmented SQL Injections
What’s the method?
Do not forget correct filtering!
Structure of a valid request (MySQL database):
INSERT INTO table1 (c1,c2) VALUES ('value1','value2');
Here is a valid request with injected SQL commands:
INSERT INTO table1 (c1,c2) VALUES ('a\' , ', user()); -- 1');
Fragmented SQL Injections
Why?
If the backslash ("\") is not filtered, an attacker can use it to escape the next character in the database query, a single or double quote, so that it is no longer interpreted as the end of the string literal.
Exploitation requires that the query contain more than one string variable.
Remember: it’s necessary to filter not only user data, but also data received from databases.
Fragmented SQL Injections
Exploitation
• Real-life example (Coppermine Photo Gallery <= 1.4.19)
The "\" symbol is not filtered in GET, POST and REQUEST data.
A "\" can be supplied in the email parameter.
Exploitation is possible through a subsequent database query issued when system features are accessed after authorization.
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/index.php
«Bug tracking system for source code».
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/add.php
Vulnerable code (add.php file):
if (isset($_POST['code']) && isset($_POST['fix'])) {
    $code = htmlspecialchars($_POST['code']);
    $fix = htmlspecialchars($_POST['fix']);
    ….
    mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')");
}
Database request looks as follows:
INSERT INTO track (bug,fix) VALUES ('value1','value2');
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/add.php
Database request looks as follows:
INSERT INTO track (bug,fix) VALUES ('value1\', ', user()) -- 1');
Fragmented SQL Injections
Exploitation
• Practical task
http://tracker.local/view.php
As a result, the fix column of the track table contains the result of the user() function.
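An added example, not the slides' code, that models in Python what MySQL does with the query built by add.php: the quote-only filter (htmlspecialchars) leaves the backslash untouched, so user() lands outside the string literals, while an escaper that also handles the backslash keeps both values inside them. The scanner assumes MySQL's default backslash escaping and does not model SQL comments; function names are mine.

```python
# Minimal model of MySQL's string-literal scanning, to show why neutralizing
# quotes while leaving the backslash alone is not enough (added example).
import html

TEMPLATE = "INSERT INTO track (bug,fix) VALUES ('{code}','{fix}')"

def quote_only_filter(value):
    # Mirrors htmlspecialchars() with ENT_QUOTES: quotes become entities,
    # the backslash passes through untouched (the defect on the slides).
    return html.escape(value, quote=True)

def mysql_escape(value):
    # What a MySQL-aware escaper such as mysql_real_escape_string() does for
    # the characters that matter here: the backslash is escaped first.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def sql_literals(sql):
    """Return (contents of each single-quoted literal, SQL text outside them),
    walking the statement the way MySQL does."""
    literals, outside, buf, inside, i = [], [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if not inside:
            inside = ch == "'"
            if not inside:
                outside.append(ch)
        elif ch == "\\" and i + 1 < len(sql):        # backslash escapes next char
            buf.append(sql[i + 1]); i += 1
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # doubled quote stays literal
            buf.append("'"); i += 1
        elif ch == "'":
            literals.append("".join(buf)); buf, inside = [], False
        else:
            buf.append(ch)
        i += 1
    return literals, "".join(outside)

def build_query(code, fix, escape):
    return TEMPLATE.format(code=escape(code), fix=escape(fix))

# Constructed inputs matching the slide: a trailing backslash in the first
# value and a payload with no quote at all in the second.
CODE, FIX = "value1\\", ", user()) -- 1"

def user_call_outside_literals(escape):
    """True when user() ends up as SQL rather than inside a string value."""
    _, outside = sql_literals(build_query(CODE, FIX, escape))
    return "user()" in outside
```

Escaping in the connection's character set is the minimum fix; parameterized queries remove the string assembly altogether.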
HTTP Parameter Pollution
HTTP Parameter Pollution is a vulnerability that arises because different platforms (web server and web application language) process a sequence of HTTP request parameters with the same name differently.
HTTP Parameter Pollution
| Technology/Environment | Interpretation of repeated parameters | Example |
|---|---|---|
| ASP.NET/IIS | Joined with a comma | par1=val1,val2 |
| ASP/IIS | Joined with a comma | par1=val1,val2 |
| PHP/Apache | Last occurrence wins | par1=val2 |
| PHP/Zeus | Last occurrence wins | par1=val2 |
| JSP, Servlet/Apache Tomcat | First occurrence wins | par1=val1 |
| JSP, Servlet/Oracle Application Server 10g | First occurrence wins | par1=val1 |
| JSP, Servlet/Jetty | First occurrence wins | par1=val1 |
| IBM Lotus Domino | First occurrence wins | par1=val1 |
| IBM HTTP Server | Last occurrence wins | par1=val2 |
| mod_perl, libapreq2/Apache | First occurrence wins | par1=val1 |
| Perl CGI/Apache | First occurrence wins | par1=val1 |
| mod_perl/Apache | First occurrence wins | par1=val1 |
| mod_wsgi (Python)/Apache | Returns an array | ARRAY(0x8b9058c) |
| Python/Zope | First occurrence wins | par1=val1 |
| IceWarp | Returns an array | ['val1','val2'] |
| AXIS 2400 | Last occurrence wins | par1=val2 |
| Linksys Wireless-G PTZ Internet Camera | Joined with a comma | par1=val1,val2 |
| Ricoh Aficio 1022 Printer | Last occurrence wins | par1=val2 |
| webcamXP Pro | First occurrence wins | par1=val1 |
| DBMan | Joined with two tildes | par1=val1~~val2 |
HTTP Parameter Pollution
With respect to PHP as the web application language.
An interesting setting is variables_order in the php.ini configuration file (it defines the order in which request variables are processed).
Why is it interesting?
GET /?id=1
Cookie: id=2
As a result:
$_GET['id']=1
$_REQUEST['id']=2
A frequent error in request processing: $_GET is checked, but the value is taken from $_REQUEST.
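Added example (not from the slides) that covers both the table and the PHP case: resolve_repeats applies the four interpretations from the table to a repeated par1, and php_request merges GET, POST and cookie data in the order given by variables_order (or the older gpc_order), so that the check-$_GET/use-$_REQUEST error shows its effect. Function names are mine.

```python
# Models of repeated-parameter handling and of PHP's $_REQUEST merge
# (added example, not the slides' code).
from urllib.parse import parse_qsl

def resolve_repeats(query, policy):
    """Resolve duplicate names the way the table's platforms do: 'first'
    (Tomcat, Jetty), 'last' (PHP/Apache), 'comma' (ASP.NET/IIS) or 'array'."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "array":
            merged.setdefault(name, []).append(value)
        elif policy == "comma" and name in merged:
            merged[name] = merged[name] + "," + value
        elif policy == "last" or name not in merged:   # 'first' keeps the old value
            merged[name] = value
    return merged

def php_request(get, post, cookie, order="GPC"):
    """Build $_REQUEST the way PHP does: sources are merged in the order given
    by variables_order / gpc_order, and later sources overwrite earlier ones."""
    sources = {"G": get, "P": post, "C": cookie}
    request = {}
    for letter in order:
        request.update(sources.get(letter, {}))
    return request

def vulnerable_lookup(get, request):
    """The slide's bug: validate $_GET['id'] but read $_REQUEST['id']."""
    if get.get("id", "").isdigit():
        return request.get("id")
    return None

def fixed_lookup(get):
    """Validate and use the same source, so a cookie cannot shadow the value."""
    value = get.get("id", "")
    return value if value.isdigit() else None

# Constructed request from the slide: GET /?id=1 with header Cookie: id=2
GET, COOKIE = {"id": "1"}, {"id": "2"}

if __name__ == "__main__":
    for policy in ("first", "last", "comma", "array"):
        print(policy, resolve_repeats("par1=val1&par1=val2", policy))
    print("vulnerable:", vulnerable_lookup(GET, php_request(GET, {}, COOKIE)),
          "fixed:", fixed_lookup(GET))
```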
HTTP Parameter Pollution
Exploitation
• Real-life example (www.blogger.com blog service)
Vulnerability reported under the «Rewarding web application security research» program.
Error in input parameter processing: the first matching value is checked, but the last one ends up in the result.
Presumably, the vulnerability lies in checking QUERY_STRING and then declaring the variables from the array of data received with the request.
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/index.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/register.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/invite.php
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/invite.php
gpc_order (php.ini) – "GPC"
HTTP Parameter Pollution
Exploitation
• Practical task
http://blogger.local/add.php
Reversible Encryption
Reversible encryption in web applications is potentially insecure, since attackers can make use of it in:
• Exploitation of an SQL injection vulnerability;
• Information disclosure (database dump);
• Arbitrary file reading;
• and so on.
Reversible Encryption
Exploitation
• Practical task
http://portal.local
Reversible Encryption
Exploitation
• Practical task
http://portal.local/news.php
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
http://portal.local/xor_tool/
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
FAILED.
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
1. "test" user with "12345678910qwerty" password
2. test : UFBQR1FQRk9cQ0QIFgcRBx0=
Reversible Encryption
Exploitation
• Practical task
http://portal.local/
http://portal.local/xor_tool/
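Added example (not the slides' xor_tool) that works through the test account above: assuming the stored value is the password XORed with a repeating key and then base64-encoded, one known password yields the key stream and its shortest period is the whole key. store_password and verify_password show the salted PBKDF2 alternative, where a known password reveals nothing about other accounts; function names are mine.

```python
# Why reversible storage of credentials fails, and what to use instead
# (added example).
import base64
import hashlib
import os

# Values from the slide: the test account's password and the stored value.
KNOWN_PASSWORD = "12345678910qwerty"
STORED_VALUE = "UFBQR1FQRk9cQ0QIFgcRBx0="

def key_stream(plaintext, stored_b64):
    """XOR is its own inverse: plaintext XOR ciphertext returns the key bytes
    that were used at exactly those positions."""
    ciphertext = base64.b64decode(stored_b64)
    if len(ciphertext) != len(plaintext):
        raise ValueError("stored value is not a byte-for-byte XOR of the plaintext")
    return bytes(p ^ c for p, c in zip(plaintext.encode(), ciphertext))

def shortest_period(stream):
    """Shortest prefix which, repeated, reproduces the whole stream: for a
    repeating-key XOR this is the key once the stream is long enough."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_key(plaintext, stored_b64):
    return shortest_period(key_stream(plaintext, stored_b64))

def decrypt(stored_b64, key):
    """With the key known, every stored value in the table is readable."""
    data = base64.b64decode(stored_b64)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode()

def store_password(password, salt=b""):
    """What the portal should do instead: salted, slow, one-way (PBKDF2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return base64.b64encode(salt + digest).decode()

def verify_password(password, stored):
    raw = base64.b64decode(stored)
    salt, digest = raw[:16], raw[16:]
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000) == digest

if __name__ == "__main__":
    key = recover_key(KNOWN_PASSWORD, STORED_VALUE)
    print("recovered key:", key.decode(), "| round trip:", decrypt(STORED_VALUE, key))
    print("hashed instead:", store_password(KNOWN_PASSWORD))
```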
Instead of conclusions
What’s next?
Try to do practical tasks
Take part in competitions