Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Vulnerabilities in Web – difficulties (masterclass)

Questions to discuss ,[object Object],[object Object],[object Object],[object Object]

HTTP Verb Tampering ,[object Object],[object Object],[object Object]

HTTP Verb Tampering ,[object Object]

HTTP Verb Tampering ,[object Object],[object Object]

HTTP Verb Tampering ,[object Object],[object Object],[object Object],Result of HACK request

Fragmented SQL Injections ,[object Object],[object Object]

Fragmented SQL Injections ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Fragmented SQL Injections ,[object Object],If there is no filtering for back slash ( “ ) , an attacker can screen the next symbol by a single or double quote in database request , that do not allow to interpret it as a line termination symbol . The following is required for vulnerability exploitation : the request should include more than one string variable . Remember: it’s necessary to filter not only user data, but also data received from databases .

Fragmented SQL Injections ,[object Object],[object Object],[object Object],[object Object],[object Object]

Fragmented SQL Injections ,[object Object],[object Object],[object Object],« Bug tracking system for source code ».

Fragmented SQL Injections ,[object Object],[object Object],[object Object],Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 ’,’ value2 ’);

Fragmented SQL Injections ,[object Object],[object Object],[object Object],Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } Database request looks as follows : INSERT INTO track (bug,fix) VALUES (‘ value1 ’, ’, user() ) – 1’);

Fragmented SQL Injections ,[object Object],[object Object],[object Object],Vulnerable code ( add.php file ) : if (isset($_POST['code']) && isset($_POST['fix'])) { $code=htmlspecialchars($_POST['code']); $fix=htmlspecialchars($_POST['fix']); … . mysql_query("INSERT INTO track (bug,fix) VALUES ('".$code."','".$fix."')"); } As a result, fix column in track table contents a value that is user() function result.

HTTP Parameter Pollution ,[object Object]

HTTP Parameter Pollution Technology/Environment Interpretation of parameters Example ASP.NET/IIS Binding via comma par1=val1,val2 ASP/IIS Binding via comma par1=val1,val2 PHP/APACHE Последний параметр результирующий par1=val2 PHP/Zeus Last parameter includes result par1=val2 JSP, Servlet/Apache Tomcat First parameter includes result par1=val1 JSP,Servlet/Oracle Application Server 10g First parameter includes result par1=val1 JSP,Servlet/Jetty First parameter includes result par1=val1 IBM Lotus Domino Первый параметр результирующий par1=val1 IBM HTTP Server Last parameter includes result par1=val2 mod_perl,libapeq2/Apache First parameter includes result par1=val1 Perl CGI/Apache First parameter includes result par1=val1 mod_perl/Apache First parameter includes result par1=val1 mod_wsgi (Python)/Apache Returns an array ARRAY(0x8b9058c) Pythin/Zope First parameter includes result par1=val1 IceWarp Returns an array ['val1','val2'] AXIS 2400 Last parameter includes result par1=val2 Linksys Wireless-G PTZ Internet Camera Binding via comma par1=val1,val2 Ricoh Aficio 1022 Printer Last parameter includes result par1=val2 webcamXP Pro First parameter includes result par1=val1 DBMan Binding via 2 tildes par1=val1~~val2

HTTP Parameter Pollution ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

HTTP Parameter Pollution ,[object Object],[object Object],[object Object],[object Object],[object Object]

HTTP Parameter Pollution ,[object Object],[object Object],[object Object]

HTTP Parameter Pollution ,[object Object],[object Object],[object Object],gpc_order (php.ini) – “GPC”

Reversible Encryption ,[object Object],[object Object],[object Object],[object Object],[object Object]

Reversible Encryption ,[object Object],[object Object],[object Object]

Reversible Encryption ,[object Object],[object Object],[object Object],[object Object]

Reversible Encryption ,[object Object],[object Object],[object Object],FAILED.

Reversible Encryption ,[object Object],[object Object],[object Object],[object Object],2. test : UFBQR1FQRk9cQ0QIFgcRBx0=

Instead of conclusions ,[object Object],[object Object],[object Object]

Thank you for your attention ! Questions? [email_address]

Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Similar a Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases (20)

Más de Positive Hack Days

Más de Positive Hack Days (20)

Último

Último (20)

Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases

Notas del editor