Web Application Penetration Testing
nect string, we can invoke more detailed errors.

Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’
[Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key ‘DriverId’

In this example, we can see a generic error in the same situation which reveals the type and version of the associated database system and a dependence on Windows operating system registry key values.
Now we will look at a practical example with a security test against a web application that loses its link to its database server and does not handle the exception in a controlled manner. This could be caused by a database name resolution issue, processing of unexpected variable values, or other network problems.

Consider the scenario where we have a database administration web portal, which can be used as a front-end GUI to issue database queries, create tables, and modify database fields. During the POST of the logon credentials, the following error message is presented to the penetration tester. The message indicates the presence of a MySQL database server:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host

If we see in the HTML code of the logon page the presence of a hidden field with a database IP, we can try to change this value in the URL to the address of a database server under the penetration tester’s control, in an attempt to fool the application into thinking that the logon was successful.

Another example: knowing the database server that services a web application, we can take advantage of this information to carry out a SQL Injection test for that kind of database or a persistent XSS test.
How to Test

Below are some examples of testing for detailed error messages returned to the user. Each of the examples below reveals specific information about the operating system, application version, etc.
Test: 404 Not Found

telnet 80
GET / HTTP/1.1
host:


Result:

HTTP/1.1 404 Not Found
Date: Sat, 04 Nov 2006 15:26:48 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
404 Not Found
...
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g at Port 80
...

Test:
Network problems leading to the application being unable to access the database server

Result:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005) ‘
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host

Test:
Authentication failure due to missing credentials

Result:

Firewall version used for authentication:

Error 407
FW-1 at : Unauthorized to access the document.
• Authorization is needed for FW-1.
• The authentication required by FW-1 is: unknown.
• Reason for failure of last attempt: no user

Test: 400 Bad Request

telnet 80
GET / HTTP/1.1


Result:

HTTP/1.1 400 Bad Request
Date: Fri, 06 Dec 2013 23:57:53 GMT
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch
Vary: Accept-Encoding
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
400 Bad Request
...
Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at 127.0.1.1 Port 80
...

Test: 405 Method Not Allowed

telnet 80
PUT /index.html HTTP/1.1
Host:


Result:

HTTP/1.1 405 Method Not Allowed
Date: Fri, 07 Dec 2013 00:48:57 GMT
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch
Allow: GET, HEAD, POST, OPTIONS
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
405 Method Not Allowed
...
Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80
...

Test: 408 Request Time-out

telnet 80
GET / HTTP/1.1
- Wait X seconds – (depending on the target server; 21 seconds for Apache by default)

Result:

HTTP/1.1 408 Request Time-out
Date: Fri, 07 Dec 2013 00:58:33 GMT
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch
Vary: Accept-Encoding
Content-Length: 298
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
408 Request Time-out
...
Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80
...

Test: 501 Method Not Implemented

telnet 80
RENAME /index.html HTTP/1.1
Host:


Result:

HTTP/1.1 501 Method Not Implemented
Date: Fri, 08 Dec 2013 09:59:32 GMT
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch
Allow: GET, HEAD, POST, OPTIONS
Vary: Accept-Encoding
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
501 Method Not Implemented
...
Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch at Port 80
...

Test:
Enumeration of directories by using access denied error messages:

http://

Result:

Directory Listing Denied
This Virtual Directory does not allow contents to be listed.

Forbidden
You don’t have permission to access / on this server.
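The tests above all come down to reading the raw response and spotting what it discloses. As an added example (not code from the OWASP guide), this Python checker does that for the three disclosure types shown on this page: a product/version string in the Server header, an Apache server-signature footer in the body, and ODBC/MySQL driver error text like the database errors earlier in the section. The sample responses are constructed from the page's examples, not captured from any real host; the rule names and the "hardened_404" sample are the author's own assumptions.

```python
import re

# Constructed sample responses, modelled on the page's examples (not captured
# from any real host); "hardened_404" shows what a quiet server returns.
SAMPLES = {
    "verbose_405": (
        "HTTP/1.1 405 Method Not Allowed\r\n"
        "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 with Suhosin-Patch\r\n"
        "Allow: GET, HEAD, POST, OPTIONS\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
        "<html><body><address>Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.9 "
        "with Suhosin-Patch at 127.0.1.1 Port 80</address></body></html>"
    ),
    "db_error": (
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Content-Type: text/html\r\n\r\n"
        "Microsoft OLE DB Provider for ODBC Drivers (0x80004005)<br>"
        "[MySQL][ODBC 3.51 Driver]Unknown MySQL server host"
    ),
    "hardened_404": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: Apache\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><h1>Not Found</h1></body></html>"
    ),
}

# Product/version tokens such as Apache/2.2.22 or OpenSSL/0.9.7g are what
# ServerTokens Prod and ServerSignature Off (Apache) are meant to suppress.
VERSION = r"\b[A-Za-z_-]+/\d+\.\d+[\w.-]*"
RULES = [  # (finding name, pattern, part of the response to search)
    ("server_header_version", re.compile(VERSION), "headers"),
    ("server_signature_footer", re.compile(r"<address>.*?Port \d+</address>", re.S), "body"),
    ("body_version_token", re.compile(VERSION), "body"),
    ("db_driver_error", re.compile(r"OLE DB Provider|ODBC|\[MySQL\]|General error"), "body"),
]

def audit(raw):
    """Return (status code, sorted list of disclosure findings) for a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    # Only the Server header is searched for versions; Date/Allow etc. are noise.
    server = " ".join(h for h in header_lines if h.lower().startswith("server:"))
    scope = {"headers": server, "body": body}
    found = {name for name, rx, where in RULES if rx.search(scope[where])}
    return status, sorted(found)

def audit_all(samples=SAMPLES):
    # A hardened server should come back with an empty findings list.
    return {name: audit(raw) for name, raw in samples.items()}
```

Pointing `audit` at responses collected with the telnet requests above gives a quick pass/fail for whether ServerTokens/ServerSignature and application error handling have been tightened.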
Tools

• ErrorMint - http://sourceforge.net/projects/errormint/
• ZAP Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project